120 likes | 426 Views
Regarding TLS-DHE-PSK. Phil Hawkes, QUALCOMM phawkes@qualcomm.com. Introduction. Previous document (S40-20050620-023).. Showed attack, proposed using TLS-DHE-PSK Note: TLS-DHE-PSK is part of TLS-PSK IETF draft. This document (S40-20050620-0xx)....
E N D
Regarding TLS-DHE-PSK Phil Hawkes, QUALCOMM phawkes@qualcomm.com
Introduction Previous document (S40-20050620-023).. • Showed attack, proposed using TLS-DHE-PSK • Note: TLS-DHE-PSK is part of TLS-PSK IETF draft. This document (S40-20050620-0xx).... • Does the attack warrants countermeasure? (Yes!) • Slightly different Proposal • ME • TLS-PSK mandatory • TLS-DHE-PSK optional • H-PS, PDE • TLS-PSK and TLS-DHE-PSK mandatory
Is Attack Relevant? Criteria • An adversary can decrypt all of a subscriber’s past sessions if the adversary can connect UIM to a malicious ME. • My criteria • If attack only affects those sessions that occur while malicious ME is connected to UIM, then attack is not relevant because the malicious ME already has control over those sessions anyway. • If attack also affects sessions that occur when the malicious ME is not connected to UIM, then attack is relevant, and should be prevented.
Is Attack Relevant? Conclusion • This attack can affect sessions that have occurred before the malicious ME is connected to the UIM. • Consequently, attack is relevant. • Conclusion • This attack warrants a countermeasure. • There are other countermeasures that we have built into the location security framework that were considered relevant because of the same argument. • Furthermore, WG4 fails in its duty if WG4 submits a specification for publication when WG4 was aware of significant attacks that it could prevent.
New Proposal: Requirements • ME • TLS-PSK mandatory • TLS-DHE-PSK optional • H-PS, PDE • TLS-PSK and TLS-DHE-PSK mandatory • This way the H-PS and PDE can provide the level of security required by the ME, and ME can use TLS-PSK is desired. • Note: UIM requirements and ME-UIM interface requirements remain as for TLS-PSK
Proposal: TLS Handshake • ME indicates TLS-DHE-PSK or TLS-PSK in ClientHello • Server uses the indicated key exchange algorithm • Some steps then depend on that choice: • TLS-DHE-PSK: Server & ME exchange DH public key parameters in ServerKeyExchange & ClientKeyExchange messages. The ME and server compute a shared DH key. This shared DH key becomes the other_secret parameter. • TLS-PSK: other_secret contains zeroes • Otherwise, TLS handshake is as before. • other_secret values must be erased from UIM & ME on power-up, power-down, etc.
Some Comments • Why must ME and Server use TLS-DHE-PSK if supported by ME? • Suppose Attacker pays employee to ensure that server uses TLS-PSK even if TLS-DHE-PSK is supported on the ME. The MS will then use TLS-PSK which has no forward secrecy. • At a later time, the attacker accesses UIM to access TLS sessions performed which server is using TLS-PSK. • The cost of this attack is quite low compared to what it achieves. • Note: ME provides randomness for • client_random values • DH secret key (if required) • Note: ME may erase other_secret at end of non-resume-able session
Changes to S.P0110 • The S.P0110 text already exists (see attached). • Thus far, other standards groups have shown willingness to accept what WG4 sees as the best solution. The only changes to X.P0024 (if any) will be in example call flows, so TSG-X is unlikely to find the proposal objectionable.
Conclusion • We have addresses concerns raised in [2]. • We have shown that the attack deserves a countermeasure • We have altered the proposal (making TLS-DHE-PSK optional) in order to allow ME that contain TLS-PSK only. • We have shown that the proposal will be standards compliant once the TLS-PSK IEFT draft is standardized • This solution has minimal effect on other standards • The other proposal (generating client_random in the UIM) has no proposed text and involves significant effort to standardize (See following slide if desired) • This proposal should be acceptable to all parties
Notes on the other proposal Ref [1] also included a proposal generating & storing client_random in UIM. There are problems. • This is not a standardized solution • This is not as simple as it sounds: • New ME-UIM interface messages required • request client_random • manage client_random list stored in UIM • New standardized UIM capabilities required • generating client_random values • managing client_random list • deleting list on power up/ power down, etc. • There simply isn’t time to devise new standards
References 1. S40-20050620023__QC_Location_TLS_Forward_Security 2. S40-20050620-027__Lucent_Comments on S40-20050620-023