[prev in list] [next in list] [prev in thread] [next in thread]
List: ietf-tls
Subject: Re: [TLS] TLS 1.3, Raw Public Keys, and Misbinding Attacks
From: "Martin Thomson" <mt () lowentropy ! net>
Date: 2024-03-29 1:43:20
Message-ID: f3f4ddcb-e852-4a1e-a32f-4f7f274d7bf0 () betaapp ! fastmail ! com
[Download RAW message or body]
Dennis beat me to making the key point about identity :)
There are cases where identity misbinding is possible in similar systems. RFC 8844 \
describes one such case. However, this is not an inherent failing in TLS, but in the \
usage context. That weakness was not the result of using raw public keys though.
What TLS *says* about this risk is really what we should be considering. It might be \
enough to say that where TLS does not carry all of the relevant identification \
information, there is a risk of identity misbinding attacks. This can be mitigated \
by including additional information about identity in the transcript and checking it \
for consistency (as RFC 8844 does).
On Fri, Mar 29, 2024, at 05:27, Dennis Jackson wrote:
> Hi John,
>
> It depends what you mean by an identity. TLS1.3 ensures the peers agree
> on the used RPKs and it doesn't rely on any external proof of
> possession to achieve that property.
>
> How the peers come to trust the RPKs or their corresponding identity is
> of necessity left to the application - not dissimilar to how the
> application has to decide which root certificates to trust and whether
> the leaf certificate is appropriate for the intended connection (e.g.
> browsers extract the valid identities from the SAN).
>
> Best,
> Dennis
>
> On 28/03/2024 15:22, John Mattsson wrote:
> > Hi,
> >
> > I looked into what RFC 8446(bis) says about Raw Public Keys. As correctly stated \
> > in RFC 8446, TLS 1.3 with signatures and certificates is an implementation of \
> > SIGMA-I:
> > SIGMA does however require that the identities of the endpoints (called A and B \
> > in [SIGMA]) are included in the messages. This is not true for TLS 1.3 with RPKs \
> > and TLS 1.3 with RPKs is therefore not SIGMA. TLS 1.3 with RPKs is vulnerable to \
> > what Krawczyk's SIGMA paper calls misbinding attacks:
> > "This attack, to which we refer as an "identity misbinding attack", applies to \
> > many seemingly natural and intuitive protocols. Avoiding this form of attack and \
> > guaranteeing a consistent binding between a session key and the peers to the \
> > session is a central element in the design of SIGMA."
> > "Even more significantly we show here that the misbinding attack applies to this \
> > protocol in any scenario where parties can register public keys without proving \
> > knowledge of the corresponding signature key."
> > As stated in Appendix E.1, at the completion of the handshake, each side outputs \
> > its view of the identities of the communicating parties. On of the TLS 1.3 \
> > security properties are "Peer Authentication", which says that the client's and \
> > server's view of the identities match. TLS 1.3 with PRKs does not fulfill this \
> > unless the out-of-band mechanism to register public keys proved knowledge of the \
> > private key. RFC 7250 does not say anything about this either.
> > I think this needs to be clarified in RFC8446bis. The only reason to ever use an \
> > RPK is in constrained IoT environments. Otherwise a self-signed certificate is a \
> > much better choice. TLS 1.3 with self-signed certificates is SIGMA-I.
> > It is worrying to find comments like this:
> >
> > "I'd like to be able to use wireguard/ssh-style authentication for my app. This \
> > is possible currently with self-signed certificates, but the proper solution is \
> > RFC 7250, which is also part of TLS 1.3." \
> > https://github.com/openssl/openssl/issues/6929
> > RPKs are not the proper solution.
> >
> > (Talking about misbinding, does RFC 8446 say anything about how to avoid selfie \
> > attacks where an entity using PSK authentication ends up talking to itself?)
> > Cheers,
> > John Preuß Mattsson
> >
> > [SIGMA] https://link.springer.com/chapter/10.1007/978-3-540-45146-4_24
> >
> >
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic