On Mon, Jun 18, 2018 at 11:47:25AM +0200, Nikos Mavrogiannopoulos wrote:
> On Fri, 2018-06-15 at 14:24 +0000, Salz, Rich wrote:
> > > that's not workable.
> > >
> > > It's not great, however
> > >
> > > the reason why implementations chose to use old API to provision
> > > TLS 1.3 PSKs
> >
> > was to make the upgrade process as smooth as possible, disabling
> > TLS 1.3 is
> > quite antithetical to that
> >
> > Disabling TLS 1.3 for those using 1.2 PSK's is unlikely to affect
> > most uses, and seems the only way forward.
> >
> > Do you have an alternative solution?
>
> TLS 1.3 provides a solution. These secrets under TLS1.3 are restricted
> to using the SHA256 PRF. That's how we have implemented it in gnutls.
One thing to be careful with here is interoperability. In fact, with using PSKs across protocol versions and hashes in all sorts of ways the specifications say they should not, that is the principal worry I have, above security implications.

Specifically, one has PSK usable for TLS 1.2 and 1.3: Is that PSK the same for both protocols or is there something like universal-PSK (which causes the effective PSK not to be the same) going on?

I tried to cook up attacks against using PSKs across protocol versions and hashes. Everything I could come up with stopped at literally the first hash encountered, unless at least one of:

- The hash has some pathological properties.
- The hash has some other properties that cast serious doubt on its security.
- The hash is outright broken (which breaks TLS 1.2 and TLS 1.3 anyway).
- The ciphersuite on TLS 1.2 side uses non-conventional PRF.
- PSK has insufficient entropy and is vulnerable to brute-force.

Of course, formally proving anything like this is extremely hard at best, and most probably impossible (the pathological hashes alone would already cause extreme trouble, or outright block any proof). And given the usefulness of proofs in finding various (subtle) mistakes, there could still be severe problems.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
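As an added illustration (not from the thread, and not any implementation's code), the following computes what each protocol version does with one shared PSK: TLS 1.3 feeds it into HKDF-Extract and derives the binder key (RFC 8446 section 7.1), while TLS 1.2 packs it into a premaster secret (RFC 4279 section 2) and runs the ciphersuite PRF over it (RFC 5246 section 5). The PSK value and the ClientHello/ServerHello randoms are constructed placeholders, and the hash is a parameter so one can see that the same PSK under SHA-256 and SHA-384 yields unrelated secrets; the "first hash encountered" in each construction is the HMAC.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not real secrets): one PSK provisioned for both versions.
PSK = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
CLIENT_RANDOM = bytes(range(32))       # hypothetical ClientHello.random
SERVER_RANDOM = bytes(range(32, 64))   # hypothetical ServerHello.random


def hkdf_extract(salt, ikm, hash_name="sha256"):
    """HKDF-Extract (RFC 5869): HMAC keyed with the salt over the input keying material."""
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand_label(secret, label, context, length, hash_name="sha256"):
    """HKDF-Expand-Label (RFC 8446 section 7.1): HKDF-Expand over the HkdfLabel structure."""
    full = b"tls13 " + label
    info = struct.pack("!H", length) + bytes([len(full)]) + full + bytes([len(context)]) + context
    out, prev, counter = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(secret, prev + info + bytes([counter]), hash_name).digest()
        out += prev
        counter += 1
    return out[:length]


def tls13_binder_key(psk, external=True, hash_name="sha256"):
    """TLS 1.3 key schedule entry for a PSK: early_secret = HKDF-Extract(0, PSK), then
    binder_key = Derive-Secret(early_secret, "ext binder" | "res binder", "")."""
    size = hashlib.new(hash_name).digest_size
    early_secret = hkdf_extract(bytes(size), psk, hash_name)
    label = b"ext binder" if external else b"res binder"
    empty_transcript = hashlib.new(hash_name, b"").digest()   # Transcript-Hash("")
    return hkdf_expand_label(early_secret, label, empty_transcript, size, hash_name)


def tls12_psk_premaster(psk):
    """TLS 1.2 plain-PSK premaster secret (RFC 4279 section 2):
    uint16 N, N zero octets, uint16 len(PSK), PSK, where N is the PSK length."""
    zeros = bytes(len(psk))
    return struct.pack("!H", len(zeros)) + zeros + struct.pack("!H", len(psk)) + psk


def tls12_prf(secret, label, seed, length, hash_name="sha256"):
    """TLS 1.2 PRF (RFC 5246 section 5): P_<hash>(secret, label + seed)."""
    out, a = b"", label + seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + label + seed, hash_name).digest()
    return out[:length]


def tls12_master_secret(psk, hash_name="sha256"):
    """48-byte master secret: PRF(premaster, "master secret", ClientHello.random + ServerHello.random)."""
    return tls12_prf(tls12_psk_premaster(psk), b"master secret", CLIENT_RANDOM + SERVER_RANDOM, 48, hash_name)
```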