(fixing missed ietf@xxxxxxxx)

On Friday, 16 February 2018 18:06:41 CET The IESG wrote:
> The IESG has received a request from the Transport Layer Security WG (tls)
> to consider the following document:
> - 'The Transport Layer Security (TLS) Protocol Version 1.3'
> <draft-ietf-tls-tls13-24.txt> as Proposed Standard

The current draft states that if the server recognises an identity but is unable to verify the corresponding binder, it "MUST abort the handshake"; at the same time, servers "SHOULD select a single PSK and validate solely the binder that corresponds to that PSK" (Page 60, draft-ietf-tls-tls13-24).

That allows for trivial enumeration of externally established identities: the attacker just needs to send to the server a list of identity guesses, with random data as binders. If the server recognises any identity it will abort the connection; if it doesn't, it will continue to a non-PSK handshake.

Behaviour like this is generally considered a vulnerability:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5229

I was wondering if the document shouldn't recommend ignoring any and all identities for which binders do not verify to prevent this kind of attack.

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
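The oracle described in the message, and the alternative behaviour it proposes, can be shown side by side in a small simulation of the server's PSK selection step. This is an added example, not code from the mail, from the TLS WG or from any TLS implementation; the binder derivation is simplified to an HMAC-SHA256 over a hash of the partial ClientHello (real TLS 1.3 derives the binder key through HKDF and a finished-key step), the identities and keys are constructed, and the `ignore_unverified` flag is a hypothetical switch between the draft-24 "MUST abort" rule and the proposed "treat as unrecognised" rule.

```python
import hashlib
import hmac
import secrets
from enum import Enum


class Outcome(Enum):
    ABORT = "abort_handshake"        # server sends an alert and closes
    PSK = "psk_handshake"            # server accepted one offered PSK
    NON_PSK = "non_psk_handshake"    # server fell back to a full handshake


# Constructed server-side PSK database: identity -> binder key.
# Real TLS 1.3 derives the binder key from the PSK via HKDF-Expand-Label;
# a random 32-byte key stands in for that derivation here (simplification).
PSK_DB = {
    b"alice@example.test": secrets.token_bytes(32),
    b"bob@example.test": secrets.token_bytes(32),
}


def compute_binder(binder_key: bytes, transcript: bytes) -> bytes:
    """Simplified binder: HMAC-SHA256 over the hash of the partial ClientHello."""
    return hmac.new(binder_key, hashlib.sha256(transcript).digest(), hashlib.sha256).digest()


def server_select_psk(offered, transcript, psk_db, ignore_unverified):
    """Walk the pre_shared_key extension in the client's preference order.

    offered: list of (identity, binder) pairs.
    ignore_unverified=False reproduces the draft-24 text: a recognised
    identity whose binder fails verification aborts the handshake.
    ignore_unverified=True is the behaviour proposed in the mail: such an
    identity is skipped exactly as an unrecognised one would be.
    """
    for identity, binder in offered:
        key = psk_db.get(identity)
        if key is None:
            continue                       # unrecognised identity: skip it
        expected = compute_binder(key, transcript)
        # Constant-time comparison: a byte-wise early exit would leak the
        # binder prefix through timing even when the abort oracle is closed.
        if hmac.compare_digest(expected, binder):
            return Outcome.PSK, identity
        if not ignore_unverified:
            return Outcome.ABORT, identity  # draft-24: MUST abort
        # proposed rule: fall through and treat it as unrecognised
    return Outcome.NON_PSK, None


def probe_outcome(identity, transcript, psk_db, ignore_unverified):
    """Outcome a client observes when it offers `identity` with a random binder."""
    random_binder = secrets.token_bytes(32)
    outcome, _ = server_select_psk([(identity, random_binder)], transcript, psk_db, ignore_unverified)
    return outcome


def identities_distinguishable(psk_db, ignore_unverified, transcript=b"ClientHello-prefix"):
    """True if a known and an unknown identity yield different outcomes under random binders."""
    known = probe_outcome(b"alice@example.test", transcript, psk_db, ignore_unverified)
    unknown = probe_outcome(b"nobody@example.test", transcript, psk_db, ignore_unverified)
    return known != unknown


def legitimate_client(identity, transcript, psk_db, ignore_unverified):
    """A client holding the real key still completes a PSK handshake under either rule."""
    binder = compute_binder(psk_db[identity], transcript)
    return server_select_psk([(identity, binder)], transcript, psk_db, ignore_unverified)


if __name__ == "__main__":
    print("draft-24 rule, identities distinguishable:", identities_distinguishable(PSK_DB, False))
    print("proposed rule, identities distinguishable:", identities_distinguishable(PSK_DB, True))
    print("legitimate client under proposed rule:", legitimate_client(b"bob@example.test", b"ClientHello-prefix", PSK_DB, True))
```

Under the draft-24 rule the two probes return `ABORT` and `NON_PSK` respectively, so the recognised identity stands out; under the proposed rule both return `NON_PSK`, while a client that actually holds the key still gets `PSK`. The `hmac.compare_digest` call is the second half of the mitigation: closing the abort oracle is pointless if the binder comparison itself leaks through timing.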