On Tue, Apr 18, 2017 at 3:41 PM, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> On Tue, Apr 18, 2017 at 09:48:33AM -0400, Eric Rescorla wrote: > > https://github.com/tlswg/tls13-spec/pull/962 > > Target merge date: Thursday > > > > In reviewing the specification, I noticed that we seem to have banned the > > use of CertificateRequest with PSK both in the main handshake and in the > > post-handshake phase. I don't believe that this was intentional and it > > makes it very hard to use client auth with resumption. Accordingly I have > > filed the above PR to remove that restriction (while retaining it for the > > main handshake). As I understand it, several of the analyses we have > > already assumed this case and covered it, so no additional work is needed > > there. > > On topic of PSKs, I noticed that TLS 1.3 makes it very easy to mount > dictionary attacks against PSK, regardless of DHE-PSK (especially to > recover the client PSK). I assumed that the document already documents > this, but I couldn't find any remark that using low-entropy PSKs is very > bad idea. > Good point. As far as I can tell... 1. You can search the binder. 2. Because we forbid PSK with server authentication, you can also impersonate the server and then mount a dictionary attack (even w/o the binder). I agree that this should be documented. I filed https://github.com/tlswg/tls13-spec/issues/965 so we don't forget this. I'll take a PR if you have one. IIRC, the TLS 1.0-1.2 PSK RFC does discuss dictionary attacks a bit. Yes, it does. Someone could crib from that.... -Ekr > > -Ilari >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
