On 12/6/2023 10:59 AM, Russ Housley wrote:
Christian:
Thanks. I am not 100% sure that we actually have an attack against the
[EC]DH+PSK combination, but I am confident that if the PSK secret is weak, the
attacker can get to the early data. If only for that, it is prudent to use a long
enough PSK.
As stated in draft-ietf-tls-8773bis, some people are interested in using the
external PSK with a certificate to protect against the future invention of a
Cryptographically Relevant Quantum Computer (CRQC). Others want to use a
public key with a factory-provisioned secret value for the initial enrollment
of a device in an enterprise network (for example
draft-ietf-emu-bootstrapped-tls).
For the security consideration, I suggest an additional paragraph:
Implementations must use sufficiently large external PSKs. For protection
against the future invention of a CRQC, the external PSK needs to be at
least 256 bits.
Does that resolve your concern?
Yes.
-- Christian Huitema
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
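The security consideration proposed above is a minimum-length requirement, and the usual way to get it wrong is to measure the encoded string rather than the raw secret (a 64-character hex string is 256 bits; a 64-character passphrase is not). The following Python helper is an added illustration, not part of this thread and not code from any TLS implementation: it decodes a configured external PSK from hex or base64, measures the decoded secret in bits, and rejects anything below the 256-bit floor stated in the message. The threshold comes from the thread; the function names, the rejection of passphrases, and the check for a degenerate all-identical-bytes value are my own assumptions.

```python
import base64
import binascii
import secrets

# Minimum external PSK size in bits, as suggested in the thread for
# protection against a future CRQC.
MIN_PSK_BITS = 256


def decode_psk(value: str, encoding: str) -> bytes:
    """Decode a configured PSK string into the raw secret bytes.

    Only hex and base64 are accepted (assumption of this example): the
    byte length of a human-chosen passphrase overstates its entropy, so
    a passphrase must not be measured with this function.
    """
    if encoding == "hex":
        try:
            return bytes.fromhex(value)
        except ValueError as exc:
            raise ValueError("PSK is not valid hex") from exc
    if encoding == "base64":
        try:
            return base64.b64decode(value, validate=True)
        except binascii.Error as exc:
            raise ValueError("PSK is not valid base64") from exc
    raise ValueError(f"unsupported PSK encoding: {encoding}")


def psk_bits(raw: bytes) -> int:
    """Size of the raw secret in bits (what the 256-bit floor refers to)."""
    return len(raw) * 8


def check_psk(raw: bytes, min_bits: int = MIN_PSK_BITS) -> tuple[bool, str]:
    """Return (ok, reason) for a decoded external PSK."""
    bits = psk_bits(raw)
    if bits < min_bits:
        return False, f"PSK is {bits} bits; at least {min_bits} bits required"
    # Catch placeholder values such as all-zero keys that satisfy the
    # length rule but carry no entropy (heuristic, not an entropy test).
    if len(set(raw)) == 1:
        return False, "PSK consists of a single repeated byte value"
    return True, f"PSK is {bits} bits"


def generate_psk(bits: int = MIN_PSK_BITS) -> bytes:
    """Generate a fresh external PSK from the OS CSPRNG."""
    if bits % 8:
        raise ValueError("bits must be a multiple of 8")
    return secrets.token_bytes(bits // 8)


if __name__ == "__main__":
    # Constructed sample inputs for illustration.
    samples = {
        "hex 128-bit": ("00112233445566778899aabbccddeeff", "hex"),
        "hex 256-bit": ("00" * 32, "hex"),  # long enough, but degenerate
        "b64 256-bit": (base64.b64encode(generate_psk()).decode(), "base64"),
    }
    for label, (value, enc) in samples.items():
        ok, reason = check_psk(decode_psk(value, enc))
        print(f"{label}: {'OK' if ok else 'REJECT'} ({reason})")
```

Run it as a script to see the three outcomes: too short, long enough but degenerate, and acceptable.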