< draft-ietf-tls-external-psk-guidance-03.txt   draft-ietf-tls-external-psk-guidance-04.txt >
tls R. Housley tls R. Housley
Internet-Draft Vigil Security Internet-Draft Vigil Security
Intended status: Informational J. Hoyland Intended status: Informational J. Hoyland
Expires: 16 April 2022 Cloudflare Ltd. Expires: 12 June 2022 Cloudflare Ltd.
M. Sethi M. Sethi
Ericsson Ericsson
C.A. Wood C.A. Wood
Cloudflare Cloudflare
13 October 2021 9 December 2021
Guidance for External PSK Usage in TLS Guidance for External PSK Usage in TLS
draft-ietf-tls-external-psk-guidance-03 draft-ietf-tls-external-psk-guidance-04
Abstract Abstract
This document provides usage guidance for external Pre-Shared Keys This document provides usage guidance for external Pre-Shared Keys
(PSKs) in Transport Layer Security (TLS) 1.3 as defined in RFC 8446. (PSKs) in Transport Layer Security (TLS) 1.3 as defined in RFC 8446.
This document lists TLS security properties provided by PSKs under This document lists TLS security properties provided by PSKs under
certain assumptions, and then demonstrates how violations of these certain assumptions, and then demonstrates how violations of these
assumptions lead to attacks. This document discusses PSK use cases assumptions lead to attacks. This document discusses PSK use cases
and provisioning processes. This document provides advice for and provisioning processes. This document provides advice for
applications to help meet these assumptions. This document also applications to help meet these assumptions. This document also
skipping to change at page 2, line 4 skipping to change at page 2, line 4
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 16 April 2022. This Internet-Draft will expire on 12 June 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text extracted from this document must include Revised BSD License text as
as described in Section 4.e of the Trust Legal Provisions and are described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License. provided without warranty as described in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3
3. Notation . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Notation . . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. PSK Security Properties . . . . . . . . . . . . . . . . . . . 3 4. PSK Security Properties . . . . . . . . . . . . . . . . . . . 4
4.1. Shared PSKs . . . . . . . . . . . . . . . . . . . . . . . 4 4.1. Shared PSKs . . . . . . . . . . . . . . . . . . . . . . . 4
4.2. PSK Entropy . . . . . . . . . . . . . . . . . . . . . . . 5 4.2. PSK Entropy . . . . . . . . . . . . . . . . . . . . . . . 5
5. Privacy Considerations . . . . . . . . . . . . . . . . . . . 5 5. External PSKs in Practice . . . . . . . . . . . . . . . . . . 6
6. External PSK Use Cases and Provisioning Processes . . . . . . 6 5.1. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . 6
6.1. Provisioning Examples . . . . . . . . . . . . . . . . . . 7 5.2. Provisioning Examples . . . . . . . . . . . . . . . . . . 7
6.2. Provisioning Constraints . . . . . . . . . . . . . . . . 8 5.3. Provisioning Constraints . . . . . . . . . . . . . . . . 8
7. Recommendations for External PSK Usage . . . . . . . . . . . 8 6. Recommendations for External PSK Usage . . . . . . . . . . . 8
7.1. Stack Interfaces . . . . . . . . . . . . . . . . . . . . 9 6.1. Stack Interfaces . . . . . . . . . . . . . . . . . . . . 9
7.1.1. PSK Identity Encoding and Comparison . . . . . . . . 10 6.1.1. PSK Identity Encoding and Comparison . . . . . . . . 10
7.1.2. PSK Identity Collisions . . . . . . . . . . . . . . . 10 6.1.2. PSK Identity Collisions . . . . . . . . . . . . . . . 11
8. Security Considerations . . . . . . . . . . . . . . . . . . . 11 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 11
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 8. Security Considerations . . . . . . . . . . . . . . . . . . . 12
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
10.1. Normative References . . . . . . . . . . . . . . . . . . 11 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
10.2. Informative References . . . . . . . . . . . . . . . . . 12 10.1. Normative References . . . . . . . . . . . . . . . . . . 12
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 14 10.2. Informative References . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
This document provides guidance on the use of external Pre-Shared This document provides guidance on the use of external Pre-Shared
Keys (PSKs) in Transport Layer Security (TLS) 1.3 [RFC8446]. This Keys (PSKs) in Transport Layer Security (TLS) 1.3 [RFC8446]. This
guidance also applies to Datagram TLS (DTLS) 1.3 guidance also applies to Datagram TLS (DTLS) 1.3
[I-D.ietf-tls-dtls13] and Compact TLS 1.3 [I-D.ietf-tls-ctls]. For [I-D.ietf-tls-dtls13] and Compact TLS 1.3 [I-D.ietf-tls-ctls]. For
readability, this document uses the term TLS to refer to all such readability, this document uses the term TLS to refer to all such
versions. External PSKs are symmetric secret keys provided to the versions.
TLS protocol implementation as external inputs. External PSKs are
provisioned out-of-band. This document lists TLS security properties External PSKs are symmetric secret keys provided to the TLS protocol
provided by PSKs under certain assumptions and demonstrates how implementation as external inputs. External PSKs are provisioned
violations of these assumptions lead to attacks. This document out-of-band.
discusses PSK use cases, provisioning processes, and TLS stack
implementation support in the context of these assumptions. This This document lists TLS security properties provided by PSKs under
document also provides advice for applications in various use cases certain assumptions and demonstrates how violations of these
to help meet these assumptions. assumptions lead to attacks. This document discusses PSK use cases,
provisioning processes, and TLS stack implementation support in the
context of these assumptions. This document also provides advice for
applications in various use cases to help meet these assumptions.
There are many resources that provide guidance for password There are many resources that provide guidance for password
generation and verification aimed towards improving security. generation and verification aimed towards improving security.
However, there is no such equivalent for external Pre-Shared Keys However, there is no such equivalent for external Pre-Shared Keys
(PSKs) in TLS. This document aims to reduce that gap. (PSKs) in TLS. This document aims to reduce that gap.
2. Conventions and Definitions 2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
skipping to change at page 3, line 37 skipping to change at page 4, line 7
For purposes of this document, a "logical node" is a computing For purposes of this document, a "logical node" is a computing
presence that other parties can interact with via the TLS protocol. presence that other parties can interact with via the TLS protocol.
A logical node could potentially be realized with multiple physical A logical node could potentially be realized with multiple physical
instances operating under common administrative control, e.g., a instances operating under common administrative control, e.g., a
server farm. An "endpoint" is a client or server participating in a server farm. An "endpoint" is a client or server participating in a
connection. connection.
4. PSK Security Properties 4. PSK Security Properties
When using external PSK authentication, the use of previously The use of a previously established PSK allows TLS nodes to
established PSKs allows TLS endpoints to authenticate the endpoint authenticate the endpoint identities. It also offers other benefits,
identities. However, these keys do not provide privacy protection of including resistance to attacks in presence of quantum computes; see
endpoint identities (see Section 5), nor do they provide non- Section 4.2 for related discussion. However, these keys do not
repudiation (one endpoint in a connection can deny the conversation). provide privacy protection of endpoint identities, nor do they
provide non-repudiation (one endpoint in a connection can deny the
conversation); see Section 7 for related discussion.
PSK authentication security implicitly assumes one fundamental PSK authentication security implicitly assumes one fundamental
property: each PSK is known to exactly one client and one server, and property: each PSK is known to exactly one client and one server, and
that these never switch roles. If this assumption is violated, then that these never switch roles. If this assumption is violated, then
the security properties of TLS are severely weakened as discussed the security properties of TLS are severely weakened as discussed
below. below.
4.1. Shared PSKs 4.1. Shared PSKs
As discussed in Section 6, there are use cases where it is desirable As discussed in Section 5.1, to demonstrate their attack, [AASS19]
for multiple clients or multiple servers to share a PSK. If this is describes scenarios where multiple clients or multiple servers share
done naively by having all members share a common key, then TLS a PSK. If this is done naively by having all members share a common
authenticates only group membership, and the security of the overall key, then TLS authenticates only group membership, and the security
system is inherently rather brittle. There are a number of obvious of the overall system is inherently rather brittle. There are a
weaknesses here: number of obvious weaknesses here:
1. Any group member can impersonate any other group member. 1. Any group member can impersonate any other group member.
2. If PSK is combined with DH, then compromise of a group member 2. If PSK is combined with a fresh ephemeral key exchange, then
that knows the resulting DH shared secret will enable the compromise of a group member that knows the resulting shared
attacker to read (and modify) traffic. secret will enable the attacker to passively read (and actively
modify) traffic.
3. If PSK is not combined with DH, then compromise of any group 3. If PSK is not combined with fresh ephemeral key exchange, then
member allows the attacker to passively read (and actively compromise of any group member allows the attacker to passively
modify) all traffic. read (and actively modify) all traffic.
Additionally, a malicious non-member can reroute handshakes between Additionally, a malicious non-member can reroute handshakes between
honest group members to connect them in unintended ways, as described honest group members to connect them in unintended ways, as described
below. Note that a partial mitigiation against this class of attack below. Note that a partial mitigiation against this class of attack
is available: each group member includes the SNI extension [RFC6066] is available: each group member includes the SNI extension [RFC6066]
and terminates the connection on mismatch between the presented SNI and terminates the connection on mismatch between the presented SNI
value and the receiving member's known identity. See [Selfie] for value and the receiving member's known identity. See [Selfie] for
details. details.
To illustrate the rerouting attack, consider the group of peers who To illustrate the rerouting attack, consider the group of peers who
skipping to change at page 5, line 22 skipping to change at page 5, line 32
to the server on the same endpoint. to the server on the same endpoint.
Finally, in addition to these weaknesses, sharing a PSK across nodes Finally, in addition to these weaknesses, sharing a PSK across nodes
may negatively affect deployments. For example, revocation of may negatively affect deployments. For example, revocation of
individual group members is not possible without establishing a new individual group members is not possible without establishing a new
PSK for all of the non-revoked members. PSK for all of the non-revoked members.
4.2. PSK Entropy 4.2. PSK Entropy
Entropy properties of external PSKs may also affect TLS security Entropy properties of external PSKs may also affect TLS security
properties. In particular, if a high entropy PSK is used, then PSK- properties. For example, if a high entropy PSK is used, then PSK-
only key establishment modes are secure against both active and only key establishment modes provide expected security properties for
passive attack. However, they lack forward security. Forward TLS, including, for example, including establishing the same session
security may be achieved by using a PSK-DH mode. keys between peers, secrecy of session keys, peer authentication, and
downgrade protection. See [RFC8446], Appendix E.1 for an explanation
of these properties. However, these modes lack forward security.
Forward security may be achieved by using a PSK-DH mode, or,
alternatively, by using PSKs with short lifetimes.
In contrast, if a low entropy PSK is used, then PSK-only key In contrast, if a low entropy PSK is used, then PSK-only key
establishment modes are subject to passive exhaustive search passive establishment modes are subject to passive exhaustive search attacks
attacks which will reveal the traffic keys. PSK-DH modes are subject which will reveal the traffic keys. PSK-DH modes are subject to
to active attacks in which the attacker impersonates one side. The active attacks in which the attacker impersonates one side. The
exhaustive search phase of these attacks can be mounted offline if exhaustive search phase of these attacks can be mounted offline if
the attacker captures a single handshake using the PSK, but those the attacker captures a single handshake using the PSK, but those
attacks will not lead to compromise of the traffic keys for that attacks will not lead to compromise of the traffic keys for that
connection because those also depend on the Diffie-Hellman (DH) connection because those also depend on the Diffie-Hellman (DH)
exchange. Low entropy keys are only secure against active attack if exchange. Low entropy keys are only secure against active attack if
a PAKE is used with TLS. The Crypto Forum Research Group (CFRG) is a password-authenticated key exchange (PAKE) is used with TLS. The
currently working on specifying recommended PAKEs (see Crypto Forum Research Group (CFRG) is currently working on specifying
[I-D.irtf-cfrg-cpace] and [I-D.irtf-cfrg-opaque], for the symmetric recommended PAKEs (see [I-D.irtf-cfrg-cpace] and
and asymmetric cases, respectively). [I-D.irtf-cfrg-opaque], for the symmetric and asymmetric cases,
respectively).
5. Privacy Considerations
PSK privacy properties are orthogonal to security properties
described in Section 4. TLS does little to keep PSK identity
information private. For example, an adversary learns information
about the external PSK or its identifier by virtue of it appearing in
cleartext in a ClientHello. As a result, a passive adversary can
link two or more connections together that use the same external PSK
on the wire. Depending on the PSK identity, a passive attacker may
also be able to identify the device, person, or enterprise running
the TLS client or TLS server. An active attacker can also use the
PSK identity to suppress handshakes or application data from a
specific device by blocking, delaying, or rate-limiting traffic.
Techniques for mitigating these risks require further analysis and
are out of scope for this document.
In addition to linkability in the network, external PSKs are
intrinsically linkable by PSK receivers. Specifically, servers can
link successive connections that use the same external PSK together.
Preventing this type of linkability is out of scope.
6. External PSK Use Cases and Provisioning Processes 5. External PSKs in Practice
PSK ciphersuites were first specified for TLS in 2005. Now, PSKs are PSK ciphersuites were first specified for TLS in 2005. PSKs are now
an integral part of the TLS version 1.3 specification [RFC8446]. TLS an integral part of the TLS version 1.3 specification [RFC8446]. TLS
1.3 also uses PSKs for session resumption. It distinguishes these 1.3 also uses PSKs for session resumption. It distinguishes these
resumption PSKs from external PSKs which have been provisioned out- resumption PSKs from external PSKs which have been provisioned out-
of-band (OOB). Below, we list some example use-cases where pair-wise of-band. This section describes known use cases and provisioning
external PSKs (i.e., external PSKs that are shared between only one processes for external PSKs with TLS.
server and one client) have been used for authentication in TLS.
5.1. Use Cases
This section lists some example use-cases where pair-wise external
PSKs, i.e., external PSKs that are shared between only one server and
one client, have been used for authentication in TLS.
* Device-to-device communication with out-of-band synchronized keys. * Device-to-device communication with out-of-band synchronized keys.
PSKs provisioned out-of-band for communicating with known PSKs provisioned out-of-band for communicating with known
identities, wherein the identity to use is discovered via a identities, wherein the identity to use is discovered via a
different online protocol. different online protocol.
* Intra-data-center communication. Machine-to-machine communication * Intra-data-center communication. Machine-to-machine communication
within a single data center or PoP may use externally provisioned within a single data center or PoP may use externally provisioned
PSKs, primarily for the purposes of supporting TLS connections PSKs, primarily for the purposes of supporting TLS connections
with early data. with early data; see Section 8 for considerations when using early
data with external PSKs.
* Certificateless server-to-server communication. Machine-to- * Certificateless server-to-server communication. Machine-to-
machine communication may use externally provisioned PSKs, machine communication may use externally provisioned PSKs,
primarily for the purposes of establishing TLS connections without primarily for the purposes of establishing TLS connections without
requiring the overhead of provisioning and managing PKI requiring the overhead of provisioning and managing PKI
certificates. certificates.
* Internet of Things (IoT) and devices with limited computational * Internet of Things (IoT) and devices with limited computational
capabilities. [RFC7925] defines TLS and DTLS profiles for capabilities. [RFC7925] defines TLS and DTLS profiles for
resource-constrained devices and suggests the use of PSK resource-constrained devices and suggests the use of PSK
ciphersuites for compliant devices. The Open Mobile Alliance ciphersuites for compliant devices. The Open Mobile Alliance
Lightweight Machine to Machine Technical Specification [LwM2M] Lightweight Machine to Machine Technical Specification [LwM2M]
states that LwM2M servers MUST support the PSK mode of DTLS. states that LwM2M servers MUST support the PSK mode of DTLS.
* Use of PSK ciphersuites are optional when securing RADIUS * Securing RADIUS [RFC2865] with TLS. PSK ciphersuites are optional
[RFC2865] with TLS as specified in [RFC6614]. for this use case, as specified in [RFC6614].
* The Generic Authentication Architecture (GAA) defined by 3GGP * 3GPP server to user equipment authentication. The Generic
mentions that TLS-PSK can be used between a server and user Authentication Architecture (GAA) defined by 3GGP mentions that
equipment for authentication [GAA]. TLS-PSK ciphersuites can be used between server and user equipment
for authentication [GAA].
* Smart Cards. The electronic German ID (eID) card supports * Smart Cards. The electronic German ID (eID) card supports
authentication of a card holder to online services with TLS-PSK authentication of a card holder to online services with TLS-PSK
[SmartCard]. [SmartCard].
* Quantum resistance: Some deployments may use PSKs (or combine them * Quantum resistance. Some deployments may use PSKs (or combine
with certificate-based authentication as described in [RFC8773]) them with certificate-based authentication as described in
because of the protection they provide against quantum computers. [RFC8773]) because of the protection they provide against quantum
computers.
There are also use cases where PSKs are shared between more than two There are also use cases where PSKs are shared between more than two
entities. Some examples below (as noted by Akhmetzyanova et entities. Some examples below (as noted by Akhmetzyanova et al.
al.[Akhmetzyanova]): [AASS19]):
* Group chats. In this use-case, group participants may be * Group chats. In this use-case, group participants may be
provisioned an external PSK out-of-band for establishing provisioned an external PSK out-of-band for establishing
authenticated connections with other members of the group. authenticated connections with other members of the group.
* Internet of Things (IoT) and devices with limited computational * Internet of Things (IoT) and devices with limited computational
capabilities. Many PSK provisioning examples are possible in this capabilities. Many PSK provisioning examples are possible in this
use-case. For example, in a given setting, IoT devices may all use-case. For example, in a given setting, IoT devices may all
share the same PSK and use it to communicate with a central server share the same PSK and use it to communicate with a central server
(one key for n devices), have their own key for communicating with (one key for n devices), have their own key for communicating with
a central server (n keys for n devices), or have pairwise keys for a central server (n keys for n devices), or have pairwise keys for
communicating with each other (n^2 keys for n devices). communicating with each other (n^2 keys for n devices).
5.2. Provisioning Examples
The exact provisioning process depends on the system requirements and The exact provisioning process depends on the system requirements and
threat model. Whenever possible, avoid sharing a PSK between nodes; threat model. Whenever possible, avoid sharing a PSK between nodes;
however, sharing a PSK among several node is sometimes unavoidable. however, sharing a PSK among several node is sometimes unavoidable.
When PSK sharing happens, other accommodations SHOULD be used as When PSK sharing happens, other accommodations SHOULD be used as
discussed in Section 7. discussed in Section 6.
6.1. Provisioning Examples Examples of PSK provisioning processes are included below.
* Many industrial protocols assume that PSKs are distributed and * Many industrial protocols assume that PSKs are distributed and
assigned manually via one of the following approaches: typing the assigned manually via one of the following approaches: typing the
PSK into the devices, or using a Trust On First Use (TOFU) PSK into the devices, or using a Trust On First Use (TOFU)
approach with a device completely unprotected before the first approach with a device completely unprotected before the first
login did take place. Many devices have very limited UI. For login did take place. Many devices have very limited UI. For
example, they may only have a numeric keypad or even less number example, they may only have a numeric keypad or even less number
of buttons. When the TOFU approach is not suitable, entering the of buttons. When the TOFU approach is not suitable, entering the
key would require typing it on a constrained UI. key would require typing it on a constrained UI.
* Some devices provision PSKs via an out-of-band, cloud-based * Some devices provision PSKs via an out-of-band, cloud-based
syncing protocol. syncing protocol.
* Some secrets may be baked into or hardware or software device * Some secrets may be baked into or hardware or software device
components. Moreover, when this is done at manufacturing time, components. Moreover, when this is done at manufacturing time,
secrets may be printed on labels or included in a Bill of secrets may be printed on labels or included in a Bill of
Materials for ease of scanning or import. Materials for ease of scanning or import.
6.2. Provisioning Constraints 5.3. Provisioning Constraints
PSK provisioning systems are often constrained in application- PSK provisioning systems are often constrained in application-
specific ways. For example, although one goal of provisioning is to specific ways. For example, although one goal of provisioning is to
ensure that each pair of nodes has a unique key pair, some systems do ensure that each pair of nodes has a unique key pair, some systems do
not want to distribute pair-wise shared keys to achieve this. As not want to distribute pair-wise shared keys to achieve this. As
another example, some systems require the provisioning process to another example, some systems require the provisioning process to
embed application-specific information in either PSKs or their embed application-specific information in either PSKs or their
identities. Identities may sometimes need to be routable, as is identities. Identities may sometimes need to be routable, as is
currently under discussion for EAP-TLS-PSK currently under discussion for EAP-TLS-PSK
[I-D.mattsson-emu-eap-tls-psk]. [I-D.mattsson-emu-eap-tls-psk].
7. Recommendations for External PSK Usage 6. Recommendations for External PSK Usage
If an application uses external PSKs, the external PSKs MUST adhere Recommended requirements for applications using external PSKs are as
to the following requirements: follows:
1. Each PSK SHOULD be derived from at least 128 bits of entropy, 1. Each PSK SHOULD be derived from at least 128 bits of entropy,
MUST be at least 128 bits long, and SHOULD be combined with a DH MUST be at least 128 bits long, and SHOULD be combined with an
exchange, e.g., by using the "psk_dhe_ke" Pre-Shared Key Exchange ephemeral key exchange exchange, e.g., by using the "psk_dhe_ke"
Mode in TLS 1.3, for forward secrecy. As discussed in Section 4, Pre-Shared Key Exchange Mode in TLS 1.3, for forward secrecy. As
low entropy PSKs, i.e., those derived from less than 128 bits of discussed in Section 4, low entropy PSKs, i.e., those derived
entropy, are subject to attack and SHOULD be avoided. If only from less than 128 bits of entropy, are subject to attack and
low-entropy keys are available, then key establishment mechanisms SHOULD be avoided. If only low-entropy keys are available, then
such as Password Authenticated Key Exchange (PAKE) that mitigate key establishment mechanisms such as Password Authenticated Key
the risk of offline dictionary attacks SHOULD be employed. Note Exchange (PAKE) that mitigate the risk of offline dictionary
that no such mechanisms have yet been standardised, and further attacks SHOULD be employed. Note that no such mechanisms have
that these mechanisms will not necessarily follow the same yet been standardised, and further that these mechanisms will not
architecture as the process for incorporating EPSKs described in necessarily follow the same architecture as the process for
incorporating external PSKs described in
[I-D.ietf-tls-external-psk-importer]. [I-D.ietf-tls-external-psk-importer].
2. Unless other accommodations are made to mitigate the risks of 2. Unless other accommodations are made to mitigate the risks of
PSKs know to a group, each PSK MUST be restricted in its use to PSKs known to a group, each PSK MUST be restricted in its use to
at most two logical nodes: one logical node in a TLS client role at most two logical nodes: one logical node in a TLS client role
and one logical node in a TLS server role. (The two logical and one logical node in a TLS server role. (The two logical
nodes MAY be the same, in different roles.) Two acceptable nodes MAY be the same, in different roles.) Two acceptable
accommodations are described in accommodations are described in
[I-D.ietf-tls-external-psk-importer]: (1) exchanging client and [I-D.ietf-tls-external-psk-importer]: (1) exchanging client and
server identifiers over the TLS connection after the handshake, server identifiers over the TLS connection after the handshake,
and (2) incorporating identifiers for both the client and the and (2) incorporating identifiers for both the client and the
server into the context string for an EPSK importer. server into the context string for an external PSK importer.
3. Nodes SHOULD use external PSK importers 3. Nodes SHOULD use external PSK importers
[I-D.ietf-tls-external-psk-importer] when configuring PSKs for a [I-D.ietf-tls-external-psk-importer] when configuring PSKs for a
client-server pair when applicable. Importers make provisioning client-server pair when applicable. Importers make provisioning
external PSKs easier and less error prone by deriving a unique, external PSKs easier and less error prone by deriving a unique,
imported PSK from the external PSK for each key derivation imported PSK from the external PSK for each key derivation
function a node supports. See the Security Considerations in function a node supports. See the Security Considerations in
[I-D.ietf-tls-external-psk-importer] for more information. [I-D.ietf-tls-external-psk-importer] for more information.
4. Where possible the main PSK (that which is fed into the importer) 4. Where possible the main PSK (that which is fed into the importer)
SHOULD be deleted after the imported keys have been generated. SHOULD be deleted after the imported keys have been generated.
This prevents an attacker from bootstrapping a compromise of one This prevents an attacker from bootstrapping a compromise of one
node into the ability to attack connections between any node; node into the ability to attack connections between any node;
otherwise the attacker can recover the main key and then re-run otherwise the attacker can recover the main key and then re-run
the importer itself. the importer itself.
7.1. Stack Interfaces 6.1. Stack Interfaces
Most major TLS implementations support external PSKs. Stacks Most major TLS implementations support external PSKs. Stacks
supporting external PSKs provide interfaces that applications may use supporting external PSKs provide interfaces that applications may use
when configuring PSKs for individual connections. Details about some when configuring PSKs for individual connections. Details about some
existing stacks at the time of writing are below. existing stacks at the time of writing are below.
* OpenSSL and BoringSSL: Applications can specify support for * OpenSSL and BoringSSL: Applications can specify support for
external PSKs via distinct ciphersuites in TLS 1.2 and below. external PSKs via distinct ciphersuites in TLS 1.2 and below.
They also then configure callbacks that are invoked for PSK They also then configure callbacks that are invoked for PSK
selection during the handshake. These callbacks must provide a selection during the handshake. These callbacks must provide a
skipping to change at page 10, line 5 skipping to change at page 10, line 27
Servers must implement callbacks similar to that of OpenSSL. Both Servers must implement callbacks similar to that of OpenSSL. Both
PSK identity and key lengths may be between [1, 16] bytes long. PSK identity and key lengths may be between [1, 16] bytes long.
* gnuTLS: Applications configure PSK values, either as raw byte * gnuTLS: Applications configure PSK values, either as raw byte
strings or hexadecimal strings. The PSK identity and key size are strings or hexadecimal strings. The PSK identity and key size are
not validated. not validated.
* wolfSSL: Applications configure PSKs with callbacks similar to * wolfSSL: Applications configure PSKs with callbacks similar to
OpenSSL. OpenSSL.
7.1.1. PSK Identity Encoding and Comparison 6.1.1. PSK Identity Encoding and Comparison
Section 5.1 of [RFC4279] mandates that the PSK identity should be Section 5.1 of [RFC4279] mandates that the PSK identity should be
first converted to a character string and then encoded to octets first converted to a character string and then encoded to octets
using UTF-8. This was done to avoid interoperability problems using UTF-8. This was done to avoid interoperability problems
(especially when the identity is configured by human users). On the (especially when the identity is configured by human users). On the
other hand, [RFC7925] advises implementations against assuming any other hand, [RFC7925] advises implementations against assuming any
structured format for PSK identities and recommends byte-by-byte structured format for PSK identities and recommends byte-by-byte
comparison for any operation. When PSK identities are configured comparison for any operation. When PSK identities are configured
manually it is important to be aware that due to encoding issues manually it is important to be aware that due to encoding issues
visually identical strings may, in fact, differ. visually identical strings may, in fact, differ.
skipping to change at page 10, line 37 skipping to change at page 11, line 12
protocols like Extensible Authentication Protocol (EAP) [RFC3748]. protocols like Extensible Authentication Protocol (EAP) [RFC3748].
gnuTLS for example treats PSK identities as usernames. gnuTLS for example treats PSK identities as usernames.
* PSK identities MAY have a domain name suffix for roaming and * PSK identities MAY have a domain name suffix for roaming and
federation. In applications and settings where the domain name federation. In applications and settings where the domain name
suffix is privacy sensitive, this practice is NOT RECOMMENDED. suffix is privacy sensitive, this practice is NOT RECOMMENDED.
* Deployments should take care that the length of the PSK identity * Deployments should take care that the length of the PSK identity
is sufficient to avoid collisions. is sufficient to avoid collisions.
7.1.2. PSK Identity Collisions 6.1.2. PSK Identity Collisions
It is possible, though unlikely, that an external PSK identity may It is possible, though unlikely, that an external PSK identity may
clash with a resumption PSK identity. The TLS stack implementation clash with a resumption PSK identity. The TLS stack implementation
and sequencing of PSK callbacks influences the application's behavior and sequencing of PSK callbacks influences the application's behavior
when identity collisions occur. When a server receives a PSK when identity collisions occur. When a server receives a PSK
identity in a TLS 1.3 ClientHello, some TLS stacks execute the identity in a TLS 1.3 ClientHello, some TLS stacks execute the
application's registered callback function before checking the application's registered callback function before checking the
stack's internal session resumption cache. This means that if a PSK stack's internal session resumption cache. This means that if a PSK
identity collision occurs, the application's external PSK usage will identity collision occurs, the application's external PSK usage will
typically take precedence over the internal session resumption path. typically take precedence over the internal session resumption path.
Since resumption PSK identities are assigned by the TLS stack
implementation, it is RECOMMENDED that these identifiers be assigned
in a manner that lets resumption PSKs be distinguished from external
PSKs to avoid concerns with collisions altogether.
7. Privacy Considerations
PSK privacy properties are orthogonal to security properties
described in Section 4. TLS does little to keep PSK identity
information private. For example, an adversary learns information
about the external PSK or its identifier by virtue of it appearing in
cleartext in a ClientHello. As a result, a passive adversary can
link two or more connections together that use the same external PSK
on the wire. Depending on the PSK identity, a passive attacker may
also be able to identify the device, person, or enterprise running
the TLS client or TLS server. An active attacker can also use the
PSK identity to suppress handshakes or application data from a
specific device by blocking, delaying, or rate-limiting traffic.
Techniques for mitigating these risks require further analysis and
are out of scope for this document.
In addition to linkability in the network, external PSKs are
intrinsically linkable by PSK receivers. Specifically, servers can
link successive connections that use the same external PSK together.
Preventing this type of linkability is out of scope.
8. Security Considerations 8. Security Considerations
Security considerations are provided throughout this document. It Security considerations are provided throughout this document. It
bears repeating that there are concerns related to the use of bears repeating that there are concerns related to the use of
external PSKs regarding proper identification of TLS 1.3 endpoints external PSKs regarding proper identification of TLS 1.3 endpoints
and additional risks when external PSKs are known to a group. and additional risks when external PSKs are known to a group.
It is NOT RECOMMENDED to share the same PSK between more than one It is NOT RECOMMENDED to share the same PSK between more than one
client and server. However, as discussed in Section 6, there are client and server. However, as discussed in Section 5.1, there are
application scenarios that may rely on sharing the same PSK among application scenarios that may rely on sharing the same PSK among
multiple nodes. [I-D.ietf-tls-external-psk-importer] helps in multiple nodes. [I-D.ietf-tls-external-psk-importer] helps in
mitigating rerouting and Selfie style reflection attacks when the PSK mitigating rerouting and Selfie style reflection attacks when the PSK
is shared among multiple nodes. This is achieved by correctly using is shared among multiple nodes. This is achieved by correctly using
the node identifiers in the ImportedIdentity.context construct the node identifiers in the ImportedIdentity.context construct
specified in [I-D.ietf-tls-external-psk-importer]. One solution specified in [I-D.ietf-tls-external-psk-importer]. One solution
would be for each endpoint to select one globally unique identifier would be for each endpoint to select one globally unique identifier
and uses it in all PSK handshakes. The unique identifier can, for and use it in all PSK handshakes. The unique identifier can, for
example, be one of its MAC addresses, a 32-byte random number, or its example, be one of its MAC addresses, a 32-byte random number, or its
Universally Unique IDentifier (UUID) [RFC4122]. Universally Unique IDentifier (UUID) [RFC4122]. Note that such
persistent, global identifiers have privacy implications; see
Section 7.
Each endpoint SHOULD know the identifier of the other endpoint with Each endpoint SHOULD know the identifier of the other endpoint with
which its wants to connect and SHOULD compare it with the other which its wants to connect and SHOULD compare it with the other
endpoint's identifier used in ImportedIdentity.context. It is endpoint's identifier used in ImportedIdentity.context. It is
however important to remember that endpoints sharing the same group however important to remember that endpoints sharing the same group
PSK can always impersonate each other. PSK can always impersonate each other.
Considerations for external PSK usage extend beynond proper
identification. When early data is used with an external PSK, the
random value in the ClientHello is the only source of entropy that
contributes to key diversity between sessions. As a result, when an
external PSK is used more than one time, the random number source on
the client has a significant role in the protection of the early
data.
9. IANA Considerations 9. IANA Considerations
This document makes no IANA requests. This document makes no IANA requests.
10. References 10. References
10.1. Normative References 10.1. Normative References
[I-D.ietf-tls-external-psk-importer] [I-D.ietf-tls-external-psk-importer]
Benjamin, D. and C. A. Wood, "Importing External PSKs for Benjamin, D. and C. A. Wood, "Importing External PSKs for
skipping to change at page 12, line 15 skipping to change at page 13, line 27
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/rfc/rfc8446>. <https://www.rfc-editor.org/rfc/rfc8446>.
10.2. Informative References 10.2. Informative References
[Akhmetzyanova] [AASS19] Akhmetzyanova, L., Alekseev, E., Smyshlyaeva, E., and A.
Akhmetzyanova, L., Alekseev, E., Smyshlyaeva, E., and A.
Sokolov, "Continuing to reflect on TLS 1.3 with external Sokolov, "Continuing to reflect on TLS 1.3 with external
PSK", 2019, <https://eprint.iacr.org/2019/421.pdf>. PSK", 2019, <https://eprint.iacr.org/2019/421.pdf>.
[GAA] "TR33.919 version 12.0.0 Release 12", n.d., [GAA] "TR33.919 version 12.0.0 Release 12", n.d.,
<https://www.etsi.org/deliver/ <https://www.etsi.org/deliver/
etsi_tr/133900_133999/133919/12.00.00_60/ etsi_tr/133900_133999/133919/12.00.00_60/
tr_133919v120000p.pdf>. tr_133919v120000p.pdf>.
[I-D.ietf-tls-ctls] [I-D.ietf-tls-ctls]
Rescorla, E., Barnes, R., and H. Tschofenig, "Compact TLS Rescorla, E., Barnes, R., and H. Tschofenig, "Compact TLS
1.3", Work in Progress, Internet-Draft, draft-ietf-tls- 1.3", Work in Progress, Internet-Draft, draft-ietf-tls-
ctls-03, 12 July 2021, ctls-04, 25 October 2021,
<https://datatracker.ietf.org/doc/html/draft-ietf-tls- <https://datatracker.ietf.org/doc/html/draft-ietf-tls-
ctls-03>. ctls-04>.
[I-D.ietf-tls-dtls13] [I-D.ietf-tls-dtls13]
Rescorla, E., Tschofenig, H., and N. Modadugu, "The Rescorla, E., Tschofenig, H., and N. Modadugu, "The
Datagram Transport Layer Security (DTLS) Protocol Version Datagram Transport Layer Security (DTLS) Protocol Version
1.3", Work in Progress, Internet-Draft, draft-ietf-tls- 1.3", Work in Progress, Internet-Draft, draft-ietf-tls-
dtls13-43, 30 April 2021, dtls13-43, 30 April 2021,
<https://datatracker.ietf.org/doc/html/draft-ietf-tls- <https://datatracker.ietf.org/doc/html/draft-ietf-tls-
dtls13-43>. dtls13-43>.
[I-D.irtf-cfrg-cpace] [I-D.irtf-cfrg-cpace]
Abdalla, M., Haase, B., and J. Hesse, "CPace, a balanced Abdalla, M., Haase, B., and J. Hesse, "CPace, a balanced
composable PAKE", Work in Progress, Internet-Draft, draft- composable PAKE", Work in Progress, Internet-Draft, draft-
irtf-cfrg-cpace-02, 25 July 2021, irtf-cfrg-cpace-03, 15 November 2021,
<https://datatracker.ietf.org/doc/html/draft-irtf-cfrg- <https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-
cpace-02>. cpace-03>.
[I-D.irtf-cfrg-opaque] [I-D.irtf-cfrg-opaque]
Krawczyk, H., Bourdrez, D., Lewi, K., and C. A. Wood, "The Bourdrez, D., Krawczyk, H., Lewi, K., and C. A. Wood, "The
OPAQUE Asymmetric PAKE Protocol", Work in Progress, OPAQUE Asymmetric PAKE Protocol", Work in Progress,
Internet-Draft, draft-irtf-cfrg-opaque-06, 12 July 2021, Internet-Draft, draft-irtf-cfrg-opaque-07, 25 October
<https://datatracker.ietf.org/doc/html/draft-irtf-cfrg- 2021, <https://datatracker.ietf.org/doc/html/draft-irtf-
opaque-06>. cfrg-opaque-07>.
[I-D.mattsson-emu-eap-tls-psk] [I-D.mattsson-emu-eap-tls-psk]
Mattsson, J. P., Sethi, M., Aura, T., and O. Friel, "EAP- Mattsson, J. P., Sethi, M., Aura, T., and O. Friel, "EAP-
TLS with PSK Authentication (EAP-TLS-PSK)", Work in TLS with PSK Authentication (EAP-TLS-PSK)", Work in
Progress, Internet-Draft, draft-mattsson-emu-eap-tls-psk- Progress, Internet-Draft, draft-mattsson-emu-eap-tls-psk-
00, 9 March 2020, <https://datatracker.ietf.org/doc/html/ 00, 9 March 2020, <https://datatracker.ietf.org/doc/html/
draft-mattsson-emu-eap-tls-psk-00>. draft-mattsson-emu-eap-tls-psk-00>.
[Krawczyk] Krawczyk, H., "SIGMA: The ‘SIGn-and-MAc’ Approach to [Krawczyk] Krawczyk, H., "SIGMA: The ‘SIGn-and-MAc’ Approach to
Authenticated Diffie-Hellman and Its Use in the IKE Authenticated Diffie-Hellman and Its Use in the IKE
skipping to change at page 14, line 39 skipping to change at page 15, line 49
[SmartCard] [SmartCard]
"Technical Guideline TR-03112-7 eCard-API-Framework – "Technical Guideline TR-03112-7 eCard-API-Framework –
Protocols", 2015, <https://www.bsi.bund.de/SharedDocs/Down Protocols", 2015, <https://www.bsi.bund.de/SharedDocs/Down
loads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03112/ loads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03112/
TR-03112-api_teil7.pdf?__blob=publicationFile&v=1>. TR-03112-api_teil7.pdf?__blob=publicationFile&v=1>.
Appendix A. Acknowledgements Appendix A. Acknowledgements
This document is the output of the TLS External PSK Design Team, This document is the output of the TLS External PSK Design Team,
comprised of the following members: Benjamin Beurdouche, Bjoern comprised of the following members: Benjamin Beurdouche, Björn Haase,
Haase, Christopher Wood, Colm MacCarthaigh, Eric Rescorla, Jonathan Christopher Wood, Colm MacCarthaigh, Eric Rescorla, Jonathan Hoyland,
Hoyland, Martin Thomson, Mohamad Badra, Mohit Sethi, Oleg Pekar, Owen Martin Thomson, Mohamad Badra, Mohit Sethi, Oleg Pekar, Owen Friel,
Friel, and Russ Housley. and Russ Housley.
This document was improved by a high quality review by Ben Kaduk. This document was improved by a high quality review by Ben Kaduk.
Authors' Addresses Authors' Addresses
Russ Housley Russ Housley
Vigil Security Vigil Security
Email: housley@vigilsec.com Email: housley@vigilsec.com
Jonathan Hoyland Jonathan Hoyland
Cloudflare Ltd. Cloudflare Ltd.
Email: jonathan.hoyland@gmail.com Email: jonathan.hoyland@gmail.com
Mohit Sethi Mohit Sethi
Ericsson Ericsson
Email: mohit@piuha.net Email: mohit@piuha.net
 End of changes. 50 change blocks. 
137 lines changed or deleted 175 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/