The use of a previously established PSK allows TLS nodes to authenticate the endpoint identities. It also offers other benefits, including resistance to attacks in the presence of quantum computers; see Section 4.2
for related discussion. However, these keys do not provide privacy protection of endpoint identities, nor do they provide non-repudiation (one endpoint in a connection can deny the conversation); see Section 7
for related discussion.
PSK authentication security implicitly assumes one fundamental property: each PSK is known to exactly one client and one server and they never switch roles. If this assumption is violated, then the security properties of TLS are severely weakened as discussed below.
As discussed in Section 5.1
, to demonstrate their attack, [AASS19
] describes scenarios where multiple clients or multiple servers share a PSK. If this is done naively by having all members share a common key, then TLS authenticates only group membership, and the security of the overall system is inherently rather brittle. There are a number of obvious weaknesses here:
Any group member can impersonate any other group member.
If a PSK is combined with the result of a fresh ephemeral key exchange, then compromise of a group member that knows the resulting shared secret will enable the attacker to passively read traffic (and actively modify it).
If a PSK is not combined with the result of a fresh ephemeral key exchange, then compromise of any group member allows the attacker to passively read all traffic (and actively modify it), including past traffic.
Additionally, a malicious non-member can reroute handshakes between honest group members to connect them in unintended ways, as described below. Note that a partial mitigation for this class of attack is available: each group member includes the Server Name Indication (SNI) extension [RFC 6066
] and terminates the connection on mismatch between the presented SNI value and the receiving member's known identity. See [Selfie
] for details.
To illustrate the rerouting attack, consider three peers, A
, and C
, who all know the PSK. The attack proceeds as follows:
A sends a ClientHello to B.
The attacker intercepts the message and redirects it to C.
C responds with a second flight (ServerHello, ...) to A.
A sends a Finished message to B.A has completed the handshake, ostensibly with B.
The attacker redirects the Finished message to C. C has completed the handshake with A.
In this attack, peer authentication is not provided. Also, if C
supports a weaker set of ciphersuites than B
, cryptographic algorithm downgrade attacks might be possible. This rerouting is a type of identity misbinding attack [Krawczyk
]. Selfie attack [Selfie
] is a special case of the rerouting attack against a group member that can act as both a TLS server and a client. In the Selfie attack, a malicious non-member reroutes a connection from the client to the server on the same endpoint.
Finally, in addition to these weaknesses, sharing a PSK across nodes may negatively affect deployments. For example, revocation of individual group members is not possible without establishing a new PSK for all of the members that have not been revoked.
Entropy properties of external PSKs may also affect TLS security properties. For example, if a high-entropy PSK is used, then PSK-only key establishment modes provide expected security properties for TLS, including establishment of the same session keys between peers, secrecy of session keys, peer authentication, and downgrade protection. See Appendix E.1
of RFC 8446
for an explanation of these properties. However, these modes lack forward security. Forward security may be achieved by using a PSK-DH mode or by using PSKs with short lifetimes.
In contrast, if a low-entropy PSK is used, then PSK-only key establishment modes are subject to passive exhaustive search attacks, which will reveal the traffic keys. PSK-DH modes are subject to active attacks in which the attacker impersonates one side. The exhaustive search phase of these attacks can be mounted offline if the attacker captures a single handshake using the PSK, but those attacks will not lead to compromise of the traffic keys for that connection because those also depend on the Diffie-Hellman (DH) exchange. Low-entropy keys are only secure against active attack if a Password-Authenticated Key Exchange (PAKE) is used with TLS. At the time of writing, the Crypto Forum Research Group (CFRG) is working on specifying recommended PAKEs (see [CPACE
] and [OPAQUE
] for the symmetric and asymmetric cases, respectively).