Hi folks,

To address the lingering external PSK issue [1], Ekr proposed some advisory
text [2] for applications regarding how they should provision or use PSKs for
TLS 1.3 and 1.2. It reads as follows:

   TLS 1.3 takes a conservative approach to PSKs by binding them to a
   specific KDF. By contrast, TLS 1.2 allows PSKs to be used with any
   hash function and the TLS 1.2 PRF. Thus, any PSK which is used with
   both TLS 1.2 and TLS 1.3 must be used with only one hash in TLS 1.3,
   which is less than optimal if users want to provision a single PSK.
   In addition, while constructions in TLS 1.2 and TLS 1.3, although both
   based on HMAC, are very different and there is no known way in which
   reuse of the same PSK in TLS 1.3 and TLS 1.2 would produce related
   output, only limited analysis has been done of the safety of this
   practice. Implementations can ensure safety from cross-protocol key
   collisions by not reusing PSKs between TLS 1.3 and TLS 1.2. Future
   work such as [UNIVERSALPSK] or [SHAREDPSK] may result in a
   construction with a higher degree of flexibility and cryptographic
   assurance of key separation.

Please have a look and provide feedback on this change by the end of business
on Friday. We hope to close on this final issue by then.

Thanks,
Chris, Joe, and Sean

[1] https://www.ietf.org/mail-archive/web/tls/current/msg26693.html
[2] https://github.com/tlswg/tls13-rfc/pull/13
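As an added illustration (not part of the chairs' message or the referenced PR), the following Python shows the two constructions the proposed text contrasts: in TLS 1.3 the PSK is fed into HKDF-Extract under the hash of the PSK's cipher suite, so the same PSK yields unrelated binder keys under SHA-256 and SHA-384 and must be provisioned for one hash; in TLS 1.2 (RFC 4279 plain PSK) the PSK is packed unchanged into the premaster secret and the hash is only chosen afterwards by the PRF. The sample PSK and random values are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed sample PSK (not a real key) that an application might want to share across versions.
PSK = bytes.fromhex("0f" * 32)


def hkdf_extract(hash_name: str, salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract, the first step of the TLS 1.3 key schedule (RFC 8446 section 7.1)."""
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand_label(hash_name: str, secret: bytes, label: bytes, ctx: bytes, length: int) -> bytes:
    """RFC 8446 HKDF-Expand-Label: info = uint16 length || opaque "tls13 " + label || opaque context."""
    full_label = b"tls13 " + label
    info = struct.pack("!H", length) + bytes([len(full_label)]) + full_label + bytes([len(ctx)]) + ctx
    out, block, counter = b"", b"", 1
    while len(out) < length:  # HKDF-Expand: T(i) = HMAC(secret, T(i-1) || info || i)
        block = hmac.new(secret, block + info + bytes([counter]), hash_name).digest()
        out += block
        counter += 1
    return out[:length]


def tls13_binder_key(hash_name: str, psk: bytes) -> bytes:
    """Early Secret = HKDF-Extract(0, PSK); binder_key = Derive-Secret(Early Secret, "ext binder", "")."""
    hlen = hashlib.new(hash_name).digest_size
    early_secret = hkdf_extract(hash_name, b"\x00" * hlen, psk)
    empty_transcript_hash = hashlib.new(hash_name, b"").digest()
    return hkdf_expand_label(hash_name, early_secret, b"ext binder", empty_transcript_hash, hlen)


def tls12_psk_premaster(psk: bytes) -> bytes:
    """RFC 4279 plain-PSK premaster secret: N zero bytes, then the PSK, each with a uint16 length."""
    return struct.pack("!H", len(psk)) + b"\x00" * len(psk) + struct.pack("!H", len(psk)) + psk


def tls12_prf(hash_name: str, secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5246 section 5 PRF = P_<hash>(secret, label + seed); the hash comes from the cipher suite."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:  # A(i) = HMAC(secret, A(i-1)); output += HMAC(secret, A(i) + seed)
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls12_master_secret(hash_name: str, psk: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """TLS 1.2 master secret from a PSK: the PSK bytes are identical whichever PRF hash is negotiated."""
    return tls12_prf(hash_name, tls12_psk_premaster(psk), b"master secret", client_random + server_random, 48)
```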
TLS mailing list
https://www.ietf.org/mailman/listinfo/tls