Hi,
I created a pull request for the draft to improve the section on
addressing selfie attacks. For the benefit of the list, here is the
proposed text:
> The TLS external PSK authentication makes the implicit assumption that
> each PSK is known only to one client and one server, which do not
> switch roles with the same PSK.
>
> If multiple clients or multiple servers share a PSK, TLS only
> authenticates the entire group. Not only can a compromised group
> member impersonate another group member, but a malicious non-member
> can reroute handshakes between honest group members to connect them in
> unintended ways. This rerouting is a type of identity misbinding
> attack [Krawczyk][Sethi].
>
> Selfie attack [Selfie] is a special case of the rerouting attack
> against a group member that can act both as TLS server and client. In
> the selfie attack, a malicious non-member reroutes a connection from
> the client to the server on the same endpoint.
>
> Rerouting and selfie attacks can be detected by binding the TLS
> handshake to globally unique node identifiers using the following
> context string:
>
> struct {
> opaque client_id<0..2^16-1>;
> opaque server_id<0..2^16-1>;
> } Context;
>
> When the PSK is shared by only two endpoints, it is not necessary to
> know the identifier(s) of the other endpoint. Instead, it is
> sufficient to check that the identifier of the other endpoint in
> context is not equal to any of one’s own identifiers. To simplify
> implementation of this check, it is RECOMMENDED that each endpoint
> selects one globally unique identifier and uses it in all PSK
> handshakes. The unique identifier can, for example, be one of its MAC
> addresses or a 32-byte random number.
>
> When the PSK is a group key, the comparison with one’s own identifiers
> will only prevent selfie attacks but not malicious rerouting of the
> connection to another group member. To prevent malicious rerouting in
> groups, each endpoint needs to know the identifier of the other
> endpoint with which they want to connect and compare it with the other
> endpoint’s identifier in context. Of course, this only prevents
> attacks by non-members; the endpoints that share the group key can
> always impersonate each other.
--Mohit
On 10/8/19 7:46 PM, Christopher Wood wrote:
> On Tue, Oct 8, 2019, at 2:55 AM, Mohit Sethi M wrote:
>>
>> Hi Chris,
>>
>> For the benefit of the list, let me summarize that the selfie attack is
>> only relevant where multiple parties share the same PSK and use the
>> same PSK for outgoing and incoming connections. These situations are
>> rather rare, but I accept that TLS is widely used (and sometimes
>> misused) in many places.
>>
>> The Selfie attack only happens when an entity with the PSK acts
>> maliciously. So I think the fact that you write in the draft: "each
>> node must be trusted not to impersonate another node's role" does not
>> take into account that there must be a malicious node for the selfie
>> attack to happen in the first place.
>>
>> Drucker and Gueron's paper recommends that "every participating party
>> gets (during the setup of the network) a unique identity" and "the
>> client and the server must verify the validity of the claimed
>> identities.". The reality however is that in most group PSK scenarios,
>> the nodes don't have any strong identities that can be verified.
>>
>> What you should instead (or additionally) say in the text is that a
>> node should check that the client_mac and server_mac (or any other
>> identities used) *are never the same*.
> This seems implicit in the text as written. Could I ask you to submit a PR
> against [1] to clarify?
>
> Thanks,
> Chris
>
> [1] https://github.com/tlswg/draft-ietf-tls-external-psk-importer
>
>> Without this check, the selfie
>> attack would still be possible. And at least this does not require
>> strong identity verification for preventing selfie attacks.
>>
>> --Mohit
>>
>> On 10/5/19 2:41 PM, Christopher Wood wrote:
>>> Hi Feng,
>> For what it's worth, the latest version of the PSK importers draft
>> includes a "context" field into which identity information can be fed:
>>
>>
>> https://tools.ietf.org/html/draft-ietf-tls-external-psk-importer-01#appendix-B
>>
>> Best,
>> Chris
>>
>> On Tue, Sep 24, 2019, at 9:19 AM, Hao, Feng wrote:
>>>> Hi John,
>> Reflection attacks are indeed older, but the selfie attack is a bit
>> different. It's actually a variant of the unknown key share attack. A
>> typical example of the UKS attack is the one reported on MQV by Kaliski
>> in 2001 (see "An unknown key-share attack on the MQV key agreement
>> protocol" in ACM TISSEC 2001). In that example, the adversary plays
>> message between two users to cause confusion in the identity, but in
>> Selfie, the adversary plays message with only one user and uses another
>> instance of the user to cause confusion in the identity. When we
>> reported this variant of UKS in [3], we were not aware of anything like
>> that in the literature.
>>
>> Cheers,
>> Feng
>>
>> On 24/09/2019, 16:17, "John Mattsson" <john.matts...@ericsson.com> wrote:
>>
>> Hi,
>>
>> I think these reflection attacks are much older than this. I quick
>> search for reflection attack security protocol gives a lot of old
>> results, The description of reflection attack in the following lecture
>> material from 2009 looks just like the "selfie attack" on TLS 1.3
>> http://www.cs.bham.ac.uk/~tpc/cwi/Teaching/Files/Lecture4_6up.pdf
>>
>> With multiple sections there are other things that change as well.
>> If two nodes unintentionally initiate simultaneous ClientHello to each
>> other, even if they only want a single secure connection (I have seen
>> live systems where this happens in practice), an attacker can select
>> which ClientHello to block (e.g. the one with the strongest
>> cryptographic parameters). The following security property would then
>> no longer hold :
>>
>> "Downgrade protection: The cryptographic parameters should be the
>> same on both sides and should be the same as if the peers had been
>> communicating in the absence of an attack"
>>
>> (I have not looked at what the definitions in [BBFGKZ16] say).
>>
>> Cheers,
>> John
>>
>> -----Original Message-----
>> From: TLS <tls-boun...@ietf.org> on behalf of "Hao, Feng"
>>>> <feng....@warwick.ac.uk>
>> Date: Tuesday, 24 September 2019 at 16:09
>> To: Mohit Sethi M <mohit.m.sethi=40ericsson....@dmarc.ietf.org>,
>> "Owen Friel (ofriel)" <ofr...@cisco.com>, Jonathan Hoyland
>>>> <jonathan.hoyl...@gmail.com>
>> Cc: "TLS@ietf.org" <tls@ietf.org>
>> Subject: Re: [TLS] Selfie attack was Re: Distinguishing between
>> external/resumption PSKs
>>
>>
>> On 23/09/2019, 18:50, "TLS on behalf of Mohit Sethi M"
>>>> <tls-boun...@ietf.org on behalf of
>> mohit.m.sethi=40ericsson....@dmarc.ietf.org>
>> <mailto:tls-bounces@ietf.orgonbehalfofmohit.m.sethi=40ericsson....@dmarc.ietf.org>
>> wrote:
>>
>> Hi all,
>>
>> On the topic of external PSKs in TLS 1.3, I found a
>> publication on the
>> Selfie attack:
>>>> https://protect2.fireeye.com/url?k=dd432f13-81c9e5ad-dd436f88-869a17b5b21b-dc6c6f0a5dd21faf&q=1&u=https%3A%2F%2Feprint.iacr.org%2F2019%2F347
>>
>> Perhaps this was already discussed on the list. I thought
>> that sharing
>> it again wouldn't hurt while we discuss how servers
>> distinguish between
>> external and resumption PSKs.
>>
>> I just read the paper with interest. It occurs to me that the
>> selfie attack is consistent with the "impersonation attack" that we
>> reported on SPEKE in 2014; see Sec 4.1 [1] and the updated version with
>> details on how SPEKE is revised in ISO/IEC 11770-4 [2]. The same attack
>> can be traced back to 2010 in [3] where a "worm-hole attack" (Fig. 5,
>> [3]) is reported on the self-communication mode of HMQV. The essence of
>> these attacks is the same: Bob tricks Alice into thinking that she is
>> talking to authenticated Bob, but she is actually talking to herself.
>> In [3], we explained that the attack was missed from the "security
>> proofs" as the proofs didn't consider multiple sessions.
>>
>> The countermeasure we proposed in [1-3] was to ensure the user
>> identity is unique in key exchange processes: in case of multiple
>> sessions that may cause confusion in the user identity, an extension
>> should be added to the user identity to distinguish the instances. The
>> underlying intuition is that one should know "unambiguously" whom they
>> are communicating with, and perform authentication based on that. The
>> discovery of this type of attacks and the proposed solution are
>> inspired by the "explicitness principle" (Ross Anderson and Roger
>> Needham, Crypto'95), which states the importance of being explicit on
>> user identities and other attributes in a public key protocol; also see
>> [3]. I hope it might be useful to people who work on TLS PSK.
>>
>> [1]
>>>> https://protect2.fireeye.com/url?k=5a822513-0608efad-5a826588-869a17b5b21b-eb260151f78b0718&q=1&u=https%3A%2F%2Feprint.iacr.org%2F2014%2F585.pdf
>> [2] https://arxiv.org/abs/1802.04900
>> [3]
>>>> https://protect2.fireeye.com/url?k=d5bf88ff-89354241-d5bfc864-869a17b5b21b-0e9b3bf58e104f32&q=1&u=https%3A%2F%2Feprint.iacr.org%2F2010%2F136.pdf
>>
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>>
>>
>>
>> _______________________________________________
>> TLS mailing list
>>>> TLS@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/tls
>>> _______________________________________________
>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
