On 23/09/2019, 18:50, "TLS on behalf of Mohit Sethi M" <[email protected] on
behalf of [email protected]> wrote:
Hi all,
On the topic of external PSKs in TLS 1.3, I found a publication on the
Selfie attack: https://eprint.iacr.org/2019/347
Perhaps this was already discussed on the list. I thought that sharing
it again wouldn't hurt while we discuss how servers distinguish between
external and resumption PSKs.
I just read the paper with interest. It occurs to me that the selfie attack is
consistent with the "impersonation attack" that we reported on SPEKE in 2014;
see Sec 4.1 [1] and the updated version with details on how SPEKE is revised in
ISO/IEC 11770-4 [2]. The same attack can be traced back to 2010 in [3] where a
"worm-hole attack" (Fig. 5, [3]) is reported on the self-communication mode of
HMQV. The essence of these attacks is the same: Bob tricks Alice into thinking
that she is talking to authenticated Bob, but she is actually talking to
herself. In [3], we explained that the attack was missed from the "security
proofs" as the proofs didn't consider multiple sessions.
The countermeasure we proposed in [1-3] was to ensure the user identity is
unique in key exchange processes: in case of multiple sessions that may cause
confusion in the user identity, an extension should be added to the user
identity to distinguish the instances. The underlying intuition is that one
should know "unambiguously" whom they are communicating with, and perform
authentication based on that. The discovery of this type of attacks and the
proposed solution are inspired by the "explicitness principle" (Ross Anderson
and Roger Needham, Crypto'95), which states the importance of being explicit on
user identities and other attributes in a public key protocol; also see [3]. I
hope it might be useful to people who work on TLS PSK.
[1] https://eprint.iacr.org/2014/585.pdf
[2] https://arxiv.org/abs/1802.04900
[3] https://eprint.iacr.org/2010/136.pdf
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
