Internet-Draft | Extensible Pre-Shared Key Types for TLS | July 2020 |
Rescorla & Wood | Expires 21 January 2021 | [Page] |
This document specifies support for extensible Pre-Shared Keys (PSKs) in TLS 1.3. It defines a new extension mechanism for arbitrary types of PSKs. It also specifies two new types of PSKs, "Ratcheted" and "KEM". "Ratcheted" PSKs improve forward secrecy properties of existing external PSKs. "KEM" PSKs enable 0-RTT bootstrapping using authenticated Key Encapsulation Mechanism (KEM) public keys without having first negotiated a connection with a server.¶
This note is to be removed before publishing as an RFC.¶
Source for this draft and an issue tracker can be found at https://github.com/chris-wood/draft-tls-extensible-psks.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 21 January 2021.¶
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
TLS 1.3 [RFC8446] currently supports two "types" of Pre-Shared Keys (PSKs): resumption and external PSKs. Resumption PSKs carry state from previous connections, typically in the form of tickets, for PSK-based authentication. External PSKs are opaque to TLS and defined by applications.¶
There is no signal on the wire that indicates the type of PSK offered in a ClientHello. Rather, endpoints differentiate these PSKs by augmenting the TLS key schedule with a domain-separation label depending on the type negotiated. Since these labels are fixed, this makes integration of new PSK types difficult.¶
There are several reasons why one might want alternative PSK types. Below are three examples:¶
Pre-distributed keys for 0-RTT priming also have positive privacy implications, as servers cannot tie these keys to past connections using TLS-layer state. (Resumption PSKs allow servers to track clients across connection attempts.)¶
Given these shortcomings, this document defines the Extended PSK Identity extension, to support these emerging use cases. This extension allows for new types of PSKs. This document also specifies two new PSK types, referred to as "ratcheted" and "kem" PSKs, which address the use cases described above.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Endpoints identify extended PSKs by their type. The following enumeration specifies a preliminary set of extended PSK types.¶
enum { ratcheted(0), kem(1), (255) } ExtendedPskIdentityType;¶
The following sections describe the "ratcheted" and "kem" PSK types in more detail.¶
Ratcheted PSKs are a variant of external PSKs with improved forward secrecy properties. Informally, a ratcheted PSK is an external PSK that is hashed forward to produce a new value after each successful use. The old ratcheted PSK value is forgotten after this ratchet step completes. As a result, clients and servers use any given ratcheted PSK in at most one in TLS connection.¶
A ratcheted PSK is associated with a tuple of PSK identity, ratchet generation, and value, i.e., (pskID, N, psk_N). The update function for a tuple (pskID, N, psk_N) produces a new tuple (pskID, N+1, psk_(N+1) = HKDF(salt="", psk_N, "ratchet-psk")).¶
With ratcheted PSKs, both clients and servers start with generation 0 and some initial PSK identity ID and value k, e.g., (ID, 0, k_0). When starting a connection using a ratcheted PSK, the PskIdentity is encoded with the PSK identity and current generation using the following structure:¶
struct { opaque identity<1..2^16-1>; uint32 generation; } RachetedPSKIdentity;¶
The corresponding PSK binder is computed using the current ratchet PSK key k_n. Upon receipt of a ClientHello with a ratcheted PSK binder, a compliant server performs the following checks before accepting and verifying the PSK binder:¶
Upon completion of a connection that used a ratcheted PSK with tuple (ID, n, k), both client and server update their local PSK state and discard the old tuple.¶
MLS [I-D.ietf-mls-protocol] encapsulate public information about a particular entity in KeyPackage structures, defined below:¶
struct { ProtocolVersion version; CipherSuite cipher_suite; HPKEPublicKey hpke_init_key; Credential credential; Extension extensions<0..2^16-1>; opaque signature<0..2^16-1>; } KeyPackage;¶
Each KeyPackage has a public key (HPKEPublicKey), authenticating credential (X.509 certificate), and wrapping signature. Servers may publish KeyPackages containing information corresponding to their private KEM keys. One publication mechanism is via the DNS using the [HTTPSSVC] record, as is done for TLS ECH [I-D.ietf-tls-esni].¶
Upon receipt of a KeyPackage, a client can use it to establish a pre-shared key kem_psk
of length L
as follows:¶
pkR = HPKE.KEM.Unmarshal(KeyPackage.hpke_init_key) enc, context = SetupBaseS(pkR, "RFCXXXX-psk-kem") kem_psk = context.Export("tls13-extended-psk-kem", L)¶
[[RFC editor: please change "RFCXXXX" to the correct number before publication.]]¶
The KEM PSK identity then references this KeyPackage and carries the HPKE state necessary to derive the same PSK. It is encoded as follows:¶
struct { opaque package_digest<0..2^16-1>; opaque enc<1..2^16-1>; } KEMPSKIdentity;¶
suite
, i.e., the corresponding HPKE KDF algorithm hash.¶
Clients may signal possession of an extended PSK via the "extended_psk" extension:¶
enum { extended_psk(TBD), (65535) } ExtensionType;¶
Clients MAY send this extension in ClientHello. It contains the following ExtendedPreSharedKeyExtension structure:¶
struct { ExtendedPSKIdentityType type; switch (PskIdentity.type) { external: opaque identity<1..2^16-1>; case resumption: opaque identity<1..2^16-1>; uint32 obfuscated_ticket_age; case ratcheted: RachetedPSKIdentity ratcheted_identity; case package: KeyPackage key_package; } ExtendedPskIdentityInner; } ExtendedPskIdentity; struct { ExtendedPskIdentity identities<2..2^16-1>; PskBinderEntry binders<33..2^16-1>; } ExtendedOfferedPsks; struct { select (Handshake.msg_type) { case client_hello: ExtendedOfferedPsks; case server_hello: uint16 selected_identity; }; } ExtendedPreSharedKeyExtension;¶
[[OPEN ISSUE: should clients be allowed to send both regular and extended PSK identities?]]¶
Servers which support the "extended_psk" structure MUST parse its ExtendedPskIdentity types according to their type. Servers MUST use the resulting identity as they would the PskIdentity extension in [RFC8446]. While parsing ExtendedPskIdentity values, servers MUST ignore PSK types they do not support. Servers SHOULD ignore PSK values they do not recognize, e.g., due to loss of a corresponding key needed to process the PSK, and SHOULD NOT attempt to validate more than one PSK, per the guidance in [RFC8446], Section 4.2.11.¶
Clients MUST verify the server's selected identity in accordance with the rules outlined in [RFC8446].¶
One could extend the existing PskIdentity extension in TLS 1.3 [RFC8446], yet doing so requires additional signalling that may be unnecessary. Extended PSK types are likely only to be supported by newer stacks, which can easily add a new extension codepoint.¶
[[TODO: writeme]]¶
[[TODO: writeme]]¶
[[TODO: writeme]]¶