On 23/09/2019, 18:50, "TLS on behalf of Mohit Sethi M" <tls-boun...@ietf.org on 
behalf of mohit.m.sethi=40ericsson....@dmarc.ietf.org> wrote:

    Hi all,
    
    On the topic of external PSKs in TLS 1.3, I found a publication on the 
    Selfie attack: https://eprint.iacr.org/2019/347
    
    Perhaps this was already discussed on the list. I thought that sharing 
    it again wouldn't hurt while we discuss how servers distinguish between 
    external and resumption PSKs.
    
I just read the paper with interest. It occurs to me that the selfie attack is 
consistent with the "impersonation attack" that we reported on SPEKE in 2014; 
see Sec 4.1 [1] and the updated version with details on how SPEKE is revised in 
ISO/IEC 11770-4 [2]. The same attack can be traced back to 2010 in [3] where a 
"worm-hole attack" (Fig. 5, [3]) is reported on the self-communication mode of 
HMQV. The essence of these attacks is the same: Bob tricks Alice into thinking 
that she is talking to authenticated Bob, but she is actually talking to 
herself. In [3], we explained that the attack was missed from the "security 
proofs" as the proofs didn't consider multiple sessions. 

The countermeasure we proposed in [1-3] was to ensure the user identity is 
unique in key exchange processes: in case of multiple sessions that may cause 
confusion in the user identity, an extension should be added to the user 
identity to distinguish the instances. The underlying intuition is that one 
should know "unambiguously" whom they are communicating with, and perform 
authentication based on that. The discovery of this type of attack and the 
proposed solution are inspired by the "explicitness principle" (Ross Anderson 
and Roger Needham, Crypto'95), which states the importance of being explicit on 
user identities and other attributes in a public key protocol; also see [3]. I 
hope it might be useful to people who work on TLS PSK.

[1] https://eprint.iacr.org/2014/585.pdf
[2] https://arxiv.org/abs/1802.04900
[3] https://eprint.iacr.org/2010/136.pdf 


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
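
Added example, not part of the original message or of any TLS implementation: a toy PSK handshake showing why binding explicit sender and receiver identities into the authentication tag, in the spirit of the countermeasure described above, makes an endpoint reject its own reflected message. The `Endpoint` class, the names `alice`/`bob`, and the HMAC-over-nonce exchange are simplifying assumptions; this is not the TLS 1.3 key schedule.

```python
import hashlib
import hmac
import os

def mac(psk, *fields):
    # Length-prefix each field so field boundaries are unambiguous.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(psk, msg, hashlib.sha256).digest()

class Endpoint:
    """Toy peer (assumption) that uses one PSK in both client and server roles."""
    def __init__(self, name, peer, psk, bind_identities):
        self.name, self.peer, self.psk = name, peer, psk
        self.bind = bind_identities

    def _ids(self, sender, receiver):
        # With binding on, the tag covers who sends it and who it is meant for.
        return (sender, receiver) if self.bind else ()

    def client_hello(self):
        self.nonce = os.urandom(16)
        return self.nonce

    def server_respond(self, client_nonce):
        # Server role: this endpoint is the sender, its configured peer the receiver.
        return mac(self.psk, b"server", client_nonce,
                   *self._ids(self.name, self.peer))

    def client_verify(self, tag):
        # Client role: the tag must come from the peer and be addressed to us.
        expected = mac(self.psk, b"server", self.nonce,
                       *self._ids(self.peer, self.name))
        return hmac.compare_digest(tag, expected)

def reflected_session_accepted(bind_identities):
    # The network loops Alice's hello back to Alice's own server role.
    alice = Endpoint(b"alice", b"bob", os.urandom(32), bind_identities)
    tag = alice.server_respond(alice.client_hello())
    return alice.client_verify(tag)

def honest_session_accepted(bind_identities):
    psk = os.urandom(32)
    alice = Endpoint(b"alice", b"bob", psk, bind_identities)
    bob = Endpoint(b"bob", b"alice", psk, bind_identities)
    return alice.client_verify(bob.server_respond(alice.client_hello()))
```

Without identity binding the reflected tag verifies, so Alice would believe she had authenticated Bob; with binding the honest session still succeeds and the reflected one fails.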
