On Thu, 2018-07-19 at 18:00 -0500, Benjamin Kaduk wrote: > Hi all, > > As I mentioned at the mic today, there is a question that has been > raised about whether it's wise to reuse an existing (TLS 1.2) PSK > directly in the TLS 1.3 key ladder. At a high level, the reason why > one > might want to restrict this is that the security proofs for TLS 1.3 > rely > on the pre-shared key being only used with a single key-derivation > function (our HKDF-using Derive-Secret), and TLS 1.2 uses a different > key-derivation function, so formally the proofs do not hold. We > don't > currently know of a specifc attack against such reuse, of course, but > perhaps it is prudent to restrict our usage to adhere to the verified > scenarios. > > This is somewhat timely, as if we do want to introduce a restriction, > it > would ideally be in the form of some text in the TLS 1.3 > specification, > which is very nearly done. > > It would be good to hear more opinions on this question, particularly > from those who have worked on the formal verification directly. > > If I can attempt to summarize some discussion that occurred in the > mic > line today, Hannes was surprised that we would care, likening this > case > to the regular version negotiation, where we are happy to use the > same > certificate to sign messages for both TLS 1.2 and 1.3. David > Benjamin > points out that we explicitly go to the trouble of putting 64 bytes > of > 0x20 padding at the front of the content that gets signed for > CertificateVerify, to enforce separation between the TLS versions. > > My own personal opinion is that we should enforce a domain separation > between TLS 1.2 PSKs and TLS 1.3 PSKs; David Benjamin's "Universal > PSKs" > proposal seems like a potential mechanism by which to do so without > doubling the provisioning needs.
I think the same rules should apply for PSK and RSA/ECDSA/EdDSA keys. There is no inherent difference between the two keys types. I could have deployed TLS with PKI or TLS with PSK. I should be able to upgrade protocols the same way. If RSA keys can be re-used between TLS1.2 and TLS1.3, then so should PSK keys. The current document specifically allows that re-use, and if you fear that the current document did not take cross-protocol attacks in mind during design, then let's fix that instead. regards, Nikos _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
