Universal PSKs for TLS
draft-davidben-tls-universal-psk-00

Document Type Active Internet-Draft (individual)
Last updated 2018-06-14
IESG state I-D Exists
Network Working Group                                        D. Benjamin
Internet-Draft                                                    Google
Updates: draft-ietf-tls-tls13 (if                          June 14, 2018
         approved)
Intended status: Informational
Expires: December 16, 2018

                         Universal PSKs for TLS
                  draft-davidben-tls-universal-psk-00

Abstract

   This document describes universal PSKs (Pre-Shared Keys) for TLS.
   Universal PSKs abstract the TLS 1.3 requirement that each PSK can
   only be used with a single hash function.  This allows PSKs to be
   provisioned without depending on details of the TLS negotiation,
   which may change as TLS evolves.  Additionally, this document
   describes a compatibility profile for using TLS 1.3 with PSKs
   provisioned for the TLS 1.2 PSK mechanism.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 16, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect

Benjamin                Expires December 16, 2018               [Page 1]
Internet-Draft           Universal PSKs for TLS                June 2018

   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   3
   2.  Universal PSKs  . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Compatibility with TLS 1.2 PSKs . . . . . . . . . . . . . . .   4
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   6
   7.  Normative References  . . . . . . . . . . . . . . . . . . . .   6
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   TLS 1.3 [I-D.ietf-tls-tls13] provides a PSK mechanism to authenticate
   connections with symmetric keys provisioned externally to TLS.
   However, unlike the analogous mechanism in earlier versions of TLS
   [RFC4279], TLS 1.3 PSKs must be constrained to a single hash
   function.

   While this constraint simplifies the analysis and does not hinder the
   resumption use case, it is cumbersome for external PSKs.  It ties the
   PSK provisioning process to details of TLS.  The application protocol
   configuring TLS is usually abstracted from TLS's details.  In some
   cases, the underlying TLS implementation may even be updated without
   changes to the calling application.

   Additionally, applications using TLS with PSKs typically require some
   PSK be negotiated, so parameter selection must follow the hash
   constraint.  In contrast, applications using resumption typically
   allow the session to be declined in favor of a full handshake, so
   parameter selection may complete independently of this constraint.
   Switching the order of the selections for external PSKs adds
   implementation complexity and complicates analysis of the server's
   configuration.

   This document resolves these issues by adding an extra key derivation
   step to reuse the same secret for all TLS 1.3 KDF hashes, including
   hashes to be defined in the future.
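
   The extra derivation step described above, sketched with HKDF
   (RFC 5869) as an added example.  It is not the construction this
   draft specifies, which this excerpt does not show.  The label, the
   info encoding, the fixed base hash and all names are assumptions.

```python
import hashlib
import hmac

LABEL = b"example universal psk"  # assumed label, not taken from the draft


def hkdf_extract(hash_name, salt, ikm):
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    salt = salt or bytes(hashlib.new(hash_name).digest_size)
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(hash_name, prk, info, length):
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    if length > 255 * hashlib.new(hash_name).digest_size:
        raise ValueError("requested output too long for this hash")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def _prefixed(value):
    """Length-prefix a field so concatenated fields cannot be confused."""
    return len(value).to_bytes(2, "big") + value


def derive_hash_specific_psk(secret, identity, target_hash, base_hash="sha256"):
    """Derive the PSK to use with one TLS 1.3 KDF hash from a single secret."""
    if not secret:
        raise ValueError("empty PSK secret")
    out_len = hashlib.new(target_hash).digest_size  # ValueError if unknown hash
    # Binding the target hash and identity into info separates the outputs.
    info = LABEL + _prefixed(target_hash.encode()) + _prefixed(identity)
    prk = hkdf_extract(base_hash, b"", secret)
    return hkdf_expand(base_hash, prk, info, out_len)


# Constructed sample values: one provisioned secret, two negotiated hashes.
SECRET = bytes(range(32))
IDENTITY = b"device-0001"
PSKS = {h: derive_hash_specific_psk(SECRET, IDENTITY, h) for h in ("sha256", "sha384")}

if __name__ == "__main__":
    for name, key in PSKS.items():
        print(name, len(key), key.hex())
```

   Each derived key is used only with its own hash, so the provisioned
   secret itself never enters the TLS 1.3 key schedule directly.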

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Universal PSKs

   A universal PSK consists of the following:

   o  An identity.  This is a public opaque byte string.