Internet-Draft Extensible Pre-Shared Key Types for TLS July 2020
Rescorla & Wood Expires 21 January 2021 [Page]
Workgroup:
tls
Internet-Draft:
draft-group-tls-extensible-psks-latest
Published:
Intended Status:
Standards Track
Expires:
Authors:
E. Rescorla
Mozilla
C.A. Wood
Cloudflare

Extensible Pre-Shared Key Types for TLS

Abstract

This document specifies support for extensible Pre-Shared Keys (PSKs) in TLS 1.3. It defines a new extension mechanism for arbitrary types of PSKs. It also specifies two new types of PSKs, "Ratcheted" and "KEM". "Ratcheted" PSKs improve forward secrecy properties of existing external PSKs. "KEM" PSKs enable 0-RTT bootstrapping using authenticated Key Encapsulation Mechanism (KEM) public keys without having first negotiated a connection with a server.

Discussion Venues

This note is to be removed before publishing as an RFC.

Source for this draft and an issue tracker can be found at https://github.com/chris-wood/draft-tls-extensible-psks.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 21 January 2021.

Table of Contents

1. Introduction

TLS 1.3 [RFC8446] currently supports two "types" of Pre-Shared Keys (PSKs): resumption and external PSKs. Resumption PSKs carry state from previous connections, typically in the form of tickets, for PSK-based authentication. External PSKs are opaque to TLS and defined by applications.

There is no signal on the wire that indicates the type of PSK offered in a ClientHello. Rather, endpoints differentiate these PSKs by augmenting the TLS key schedule with a domain-separation label depending on the type negotiated. Since these labels are fixed, this makes integration of new PSK types difficult.

There are several reasons why one might want alternative PSK types. Below are three examples:

Pre-distributed keys for 0-RTT priming also have positive privacy implications, as servers cannot tie these keys to past connections using TLS-layer state. (Resumption PSKs allow servers to track clients across connection attempts.)

Given these shortcomings, this document defines the Extended PSK Identity extension, to support these emerging use cases. This extension allows for new types of PSKs. This document also specifies two new PSK types, referred to as "ratcheted" and "kem" PSKs, which address the use cases described above.

2. Requirements Notation

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Extended PSKs Types

Endpoints identify extended PSKs by their type. The following enumeration specifies a preliminary set of extended PSK types.

enum {
    ratcheted(0),
    kem(1),
    (255)
} ExtendedPskIdentityType;

The following sections describe the "ratcheted" and "kem" PSK types in more detail.

3.1. Ratcheted PSKs

Ratcheted PSKs are a variant of external PSKs with improved forward secrecy properties. Informally, a ratcheted PSK is an external PSK that is hashed forward to produce a new value after each successful use. The old ratcheted PSK value is forgotten after this ratchet step completes. As a result, clients and servers use any given ratcheted PSK in at most one in TLS connection.

A ratcheted PSK is associated with a tuple of PSK identity, ratchet generation, and value, i.e., (pskID, N, psk_N). The update function for a tuple (pskID, N, psk_N) produces a new tuple (pskID, N+1, psk_(N+1) = HKDF(salt="", psk_N, "ratchet-psk")).

With ratcheted PSKs, both clients and servers start with generation 0 and some initial PSK identity ID and value k, e.g., (ID, 0, k_0). When starting a connection using a ratcheted PSK, the PskIdentity is encoded with the PSK identity and current generation using the following structure:

struct {
    opaque identity<1..2^16-1>;
    uint32 generation;
} RachetedPSKIdentity;

The corresponding PSK binder is computed using the current ratchet PSK key k_n. Upon receipt of a ClientHello with a ratcheted PSK binder, a compliant server performs the following checks before accepting and verifying the PSK binder:

  1. If RachetedPSKIdentity.identity matches a known ratcheted PSK identity with tuple (ID, m, k) and RachetedPSKIdentity.generation is less than or equal to m, it accepts the PSK.
  2. If RachetedPSKIdentity.identity matches a known ratcheted PSK identity with tuple (ID, m, k) and RachetedPSKIdentity.generation is larger than m, it sends a HelloRetryRequest with an extension indicating (ID, m). The client then retries after updating its local ratcheted PSK to match the generation m. [[TODO: what is this extension?]]
  3. Otherwise, the server rejects the PSK binder and performs a full handshake if possible as per the rules in [RFC8446].

Upon completion of a connection that used a ratcheted PSK with tuple (ID, n, k), both client and server update their local PSK state and discard the old tuple.

3.2. KEM PSKs

MLS [I-D.ietf-mls-protocol] encapsulate public information about a particular entity in KeyPackage structures, defined below:

   struct {
       ProtocolVersion version;
       CipherSuite cipher_suite;
       HPKEPublicKey hpke_init_key;
       Credential credential;
       Extension extensions<0..2^16-1>;
       opaque signature<0..2^16-1>;
   } KeyPackage;

Each KeyPackage has a public key (HPKEPublicKey), authenticating credential (X.509 certificate), and wrapping signature. Servers may publish KeyPackages containing information corresponding to their private KEM keys. One publication mechanism is via the DNS using the [HTTPSSVC] record, as is done for TLS ECH [I-D.ietf-tls-esni].

Upon receipt of a KeyPackage, a client can use it to establish a pre-shared key kem_psk of length L as follows:

pkR = HPKE.KEM.Unmarshal(KeyPackage.hpke_init_key)
enc, context = SetupBaseS(pkR, "RFCXXXX-psk-kem")
kem_psk = context.Export("tls13-extended-psk-kem", L)

[[RFC editor: please change "RFCXXXX" to the correct number before publication.]]

The KEM PSK identity then references this KeyPackage and carries the HPKE state necessary to derive the same PSK. It is encoded as follows:

struct {
    opaque package_digest<0..2^16-1>;
    opaque enc<1..2^16-1>;
} KEMPSKIdentity;
package_digest
A cryptographic hash of the KeyPackage structure from which the KEM public key was obtained, i.e., from the first byte of "version" to the end of the structure. This hash is computed using the hash function associated with suite, i.e., the corresponding HPKE KDF algorithm hash.
enc
The HPKE encapsulated key, used by servers to initialize the shared HPKE context and derive the kem_psk

4. Extended PSK Identity

Clients may signal possession of an extended PSK via the "extended_psk" extension:

   enum {
       extended_psk(TBD), (65535)
   } ExtensionType;

Clients MAY send this extension in ClientHello. It contains the following ExtendedPreSharedKeyExtension structure:

struct {
    ExtendedPSKIdentityType type;
    switch (PskIdentity.type) {
        external:
            opaque identity<1..2^16-1>;
        case resumption:
            opaque identity<1..2^16-1>;
            uint32 obfuscated_ticket_age;
        case ratcheted:
            RachetedPSKIdentity ratcheted_identity;
        case package:
            KeyPackage key_package;
    } ExtendedPskIdentityInner;
} ExtendedPskIdentity;

struct {
    ExtendedPskIdentity identities<2..2^16-1>;
    PskBinderEntry binders<33..2^16-1>;
} ExtendedOfferedPsks;

struct {
    select (Handshake.msg_type) {
        case client_hello: ExtendedOfferedPsks;
        case server_hello: uint16 selected_identity;
    };
} ExtendedPreSharedKeyExtension;

[[OPEN ISSUE: should clients be allowed to send both regular and extended PSK identities?]]

Servers which support the "extended_psk" structure MUST parse its ExtendedPskIdentity types according to their type. Servers MUST use the resulting identity as they would the PskIdentity extension in [RFC8446]. While parsing ExtendedPskIdentity values, servers MUST ignore PSK types they do not support. Servers SHOULD ignore PSK values they do not recognize, e.g., due to loss of a corresponding key needed to process the PSK, and SHOULD NOT attempt to validate more than one PSK, per the guidance in [RFC8446], Section 4.2.11.

Clients MUST verify the server's selected identity in accordance with the rules outlined in [RFC8446].

5. Design Considerations

One could extend the existing PskIdentity extension in TLS 1.3 [RFC8446], yet doing so requires additional signalling that may be unnecessary. Extended PSK types are likely only to be supported by newer stacks, which can easily add a new extension codepoint.

6. Security Considerations

[[TODO: writeme]]

7. IANA Considerations

[[TODO: writeme]]

8. References

8.1. Normative References

[HTTPSSVC]
Schwartz, B., Bishop, M., and E. Nygren, "Service binding and parameter specification via the DNS (DNS SVCB and HTTPSSVC)", Work in Progress, Internet-Draft, draft-nygren-dnsop-svcb-httpssvc-00, , <http://www.ietf.org/internet-drafts/draft-nygren-dnsop-svcb-httpssvc-00.txt>.
[I-D.ietf-mls-protocol]
Barnes, R., Beurdouche, B., Millican, J., Omara, E., Cohn-Gordon, K., and R. Robert, "The Messaging Layer Security (MLS) Protocol", Work in Progress, Internet-Draft, draft-ietf-mls-protocol-09, , <http://www.ietf.org/internet-drafts/draft-ietf-mls-protocol-09.txt>.
[I-D.ietf-tls-esni]
Rescorla, E., Oku, K., Sullivan, N., and C. Wood, "TLS Encrypted Client Hello", Work in Progress, Internet-Draft, draft-ietf-tls-esni-07, , <http://www.ietf.org/internet-drafts/draft-ietf-tls-esni-07.txt>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.
[RFC8446]
Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, , <https://www.rfc-editor.org/info/rfc8446>.

8.2. Informative References

[KEMTLS]
Schwabe, P., Stebila, D., and T. Wiggers, "Post-quantum TLS without handshake signatures", , <https://eprint.iacr.org/2020/534.pdf>.
[QUICCrypto]
Langley, A. and W. Chang, "QUIC Crypto", , <https://docs.google.com/document/d/1g5nIXAIkN_Y-7XJW5K45IblHd_L2f5LTaDUDwvZ5L6g/edit>.

Appendix A. Acknowledgements

[[TODO: writeme]]

Authors' Addresses

Eric Rescorla
Mozilla
Christopher A. Wood
Cloudflare