Thanks for the feedback, Scott! Please see inline below. On Tue, Apr 21, 2020, at 6:57 AM, Hollenbeck, Scott wrote: > 2. Technical comments. > > a. Distinct identities? Sec. 3 states "Non-imported and imported PSKs > are distinct since their identities are different on the wire." We > have two concerns about this statement. First, the statement appears > to suggest that if two EPSKs have different identities, then they must > have different secret values. But couldn't two EPSKs have the same > secret value yet employ different identities for convenience? For > example, an endpoint might identify the same EPSK with a domain name in > some cases and with an IP address in others.
This seems like a reasonable editorial improvement to make. I filed: https://github.com/tlswg/draft-ietf-tls-external-psk-importer/issues/31 > Second, and more > fundamentally, the statement assumes that a non-imported EPSK, by > definition, cannot be misinterpreted as an imported PSK. But isn't the > identifier of a non-imported EPSK just an opaque string? A > non-imported EPSK identity could therefore have the same "bits on the > wire" as an IPSK identity, if the client and server employ an > identifier system that whose encoding happens to coincide with the > ImportedIdentity structure defined in the draft. ( > Moreover, the identifier of a resumption PSK is just an opaque string > -- so couldn't this also collide with ImportedIdentity values? Perhaps > we are missing something even more fundamental in our reading.) > ([draft-dt-tls-external-psk-guidance-01] covers similar issues in its > Sec. 6.1.2, "PSK Identity Collisions.") Yes, certainly it's possible for a non-imported EPSK to have an identity which matches the constructed identity of an imported PSK. We can't do anything to prevent applications from crafting such identities, so I'm inclined to just note this as a possibility, if anything. > b. Attack impact. If it's possible for an opaque identifier for a > non-imported EPSK identity to have the same encoding as an > ImportedIdentity value, then how does the server recognize > unambiguously that the opaque identifier is intended to be an imported > identity? The server could take an optimistic approach and assume that > an identifier that meets the ImportedIdentity syntax is probably an > imported identity, and run the code path for imported identities first. Yep, that's what I envisioned servers would do. > If that path fails, however -- either because the server doesn't > accept the EPSK or associated parameters, or because the binder value > is incorrect -- then the server may need to run the code path for > non-imported identities as a fallback, checking next to see if the > opaque string is recognized as an ordinary EPSK identity. But this > practice just puts more burden on a server against an attacker who > replays (or makes up) the PSKIdentity.identity value: two code paths > are exercised for the price of one attempted handshake. I don't think this is a particularly useful attack, though I do agree that it causes more work for the server. I'm curious to hear what others think. > c. Mitigations. One way to reduce the burden is to impose a new > requirement that the opaque string can only have the ImportedIdentity > syntax if the client (or server in the case of hints) indeed intends to > use the import mechanism. An ordinary EPSK could have any other value, > just not this kind. But this may not be compatible with the installed > base, especially with implementations that allow clients and servers to > specify arbitrary EPSK identities. (Consider the case where an > application adopts the imported identity syntax for the use intended in > this draft, and then decides to reuse the syntax for other purposes, > including ordinary EPSK identities.) > > Another way to ensure distinctness is to add a flag that indicates that > the PSK identity is an imported identity. But it's not clear where this > flag would go, given that the PskIdentity syntax isn't extensible. > Perhaps there could be an overall flag indicating that _all PSK > identities are imported identities? Or a new extension for imported > PSKs? Since this draft is meant to fix an annoyance in TLS 1.3, I think anything more than a different Identity encoding is overkill. I absolutely agree that the rigidity of PskIdentity is something we might want to fix. I'm just not sure that should be done here. > d. Key separation. Note that the foregoing discussion about EPSK > identifiers potentially colliding is separate from the question about > what happens if an IPSK happens to collide with a non-imported EPSK. > The draft handles this effectively with different inputs to the binder > derivation ("ext binder" vs. "imp binder"). But this happens after the > implementation has already decided whether to interpret the identifier > as external or imported. > > e. Incremental deployment. Section 6 states that " the derived PSK > will not be the same [as the underlying EPSK] since the importer > differentiates the PSK via the identity, target protocol and target key > KDF." However, the next statement does not follow directly: "Thus, > PSKs imported for TLS 1.3 are distinct from those used in TLS 1.2, and > thereby avoid cross-protocol collisions." Rather, the statement also > depends on the requirement in Section 3 that clients (and servers) > don't deliberately use EPSKs or IPSKs for other purposes, and the > security properties of the KDF that produces the IPSK (which ensures > that collisions don't occur accidentally). But there also seems to be > an implication in Section 6 that the use of the KDF in the TLS 1.3 > importer doesn't conflict with the cryptographic functions used for > obtaining the TLS 1.2 pre-master secret. If so, this distinction > should be spelled out. Hmm, not quite. The statement intends to say that if you need EPSK k into an importer and into TLS 1.2 then the resulting keys used in TLS 1.3 and 1.2 are different. I'm not sure further clarification is needed, though I'm happy to review suggestions if you have them! > Related to this, where Section 3 states, "Clients which import external > keys MUST NOT use either the external keys or the derived keys for any > other purpose," should "Clients" be "Clients and servers" or simply > "Endpoints"? Yep, that's a good editorial improvement. I filed this issue to track it: https://github.com/tlswg/draft-ietf-tls-external-psk-importer/issues/30 Thanks again for your review and feedback! Best, Chris _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
