IETF Logo Mail Archive

Re: [Cfrg] Wi-Fi Alliance Device Provisioning Protocol (DPP) - Draft Released for Public Review and Comments

Paul Lambert <paul@marvell.com> Wed, 31 August 2016 00:47 UTC

Return-Path: <paul@marvell.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9631812B051; Tue, 30 Aug 2016 17:47:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yhsYxojHAb2m; Tue, 30 Aug 2016 17:47:00 -0700 (PDT)
Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C4C112B00A; Tue, 30 Aug 2016 17:47:00 -0700 (PDT)
Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.0.17/8.16.0.17) with SMTP id u7V0j1tm016807; Tue, 30 Aug 2016 17:46:58 -0700
Received: from sc-exch02.marvell.com ([199.233.58.182]) by mx0a-0016f401.pphosted.com with ESMTP id 255mxtg0x9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 30 Aug 2016 17:46:57 -0700
Received: from SC-EXCH03.marvell.com (10.93.176.83) by SC-EXCH02.marvell.com (10.93.176.82) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Tue, 30 Aug 2016 17:46:55 -0700
Received: from SC-EXCH03.marvell.com ([fe80::6cb0:4dfa:f3f3:b8b6]) by SC-EXCH03.marvell.com ([fe80::6cb0:4dfa:f3f3:b8b6%21]) with mapi id 15.00.1104.000; Tue, 30 Aug 2016 17:46:55 -0700
From: Paul Lambert <paul@marvell.com>
To: Andy Lutomirski <luto@amacapital.net>
Thread-Topic: [Cfrg] Wi-Fi Alliance Device Provisioning Protocol (DPP) - Draft Released for Public Review and Comments
Thread-Index: AQHSAxd8feDlzRT1DkO/Rm6efoKJcaBiPCcA
Date: Wed, 31 Aug 2016 00:46:55 +0000
Message-ID: <D3EB69B5.9C1EE%paul@marvell.com>
References: <b6b2e03faf504238b8681284fc72a1dd@SC-EXCH03.marvell.com> <CALCETrVmSHv9=aNZYudU012UhuSNSJJaZX2CFa++o4nYA=WtPg@mail.gmail.com>
In-Reply-To: <CALCETrVmSHv9=aNZYudU012UhuSNSJJaZX2CFa++o4nYA=WtPg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.5.160527
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.94.250.30]
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <91832E2F1D32DA4CA7B1B3AEA3FA5FDC@marvell.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-08-30_10:, , signatures=0
X-Proofpoint-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 impostorscore=0 lowpriorityscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1604210000 definitions=main-1608310008
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/0_ldzVp_WQ2JJoSeu4KwsfVKInQ>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "t2trg@irtf.org" <t2trg@irtf.org>, "adrian.p.stephens@ieee.org" <adrian.p.stephens@ieee.org>, "lear@cisco.com" <lear@cisco.com>
Subject: Re: [Cfrg] Wi-Fi Alliance Device Provisioning Protocol (DPP) - Draft Released for Public Review and Comments
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Aug 2016 00:47:02 -0000

Hi Andy,

Thank you very much for taking the time to look at the DPP specification.

On 8/30/16, 4:37 PM, "Andy Lutomirski" <luto@amacapital.net> wrote:

>On Fri, Jul 29, 2016 at 6:27 PM, Paul Lambert <paul@marvell.com> wrote:
>> The Wi-Fi Alliance (WFA) has posted a draft version of a new Œsetup
>> protocol¹:
>>
>> 
>>https://www.wi-fi.org/downloads-registered-guest/Wi-Fi_DPP_Tech_Spec_v0_0
>>_23.pdf
Note - this download site is off-line today Š may be back soon.

>>
>>
>> The WFA is looking for review and comments on this specification.
>>
>
>A few comments on a cursory reading:
>
>Section 3.2 specifies a particular point format.  Is this actually
>compatible with Curve 25519, etc?
No it is not.

>Wouldn't it be more sensible to use
>the point format recommended by each individual curve?

Yes - I would think we should always consider such values to be opaque
octet strings and the interpretation should be based on the algorithm
suite. Curve 25519 may not be able to be integrated because of:
 - big versus little endian
 - the ³curve" identification method

The hash algorithms are also locked down to SHAxxx and encryption to
AES-SIV so algorithm flexibility is limited.

>
>Section 5.5: Is the PKEX protocol publicly documented anywhere?  I'm
>concerned that the crypto here is highly suboptimal.

Yes, I¹m not a fan of PKEX in DPP and tried to have it removed. It¹s not
been well reviewed, it¹s really hard to review (due to embedding in
802.11) and it¹s just the wrong mechanism (PAKE) for the desired user
experience.
However,it an interesting design where a PAKE has been extended to provide
both peers with authenticated public keys.  The shared passphrase
effectively introduces two longer term pubic keys. It¹s a significant
design improvement over a typical PAKE that only establishes a shared
symmetric key. PKEX should get some review and get used where appropriate
or we should be working on similar extensions to PAKEs to authenticate
long term public keys.

The specification for PKEX is available in two parts:
1) the base SAE protocol is described in IEEE 802.11
	http://www.ieee802.org/11/private/Draft_Standards/11mc/Draft%20P802.11REVm
c_D8.0.pdf 
	This is a IEEE 802.11 member private site, but I¹ve gotten agreement from
the chair that he will provide access to "security researchers²
	You¹ll have to contact Adrian Stevens (IEEE 802.11 Chair -
adrian.p.stephens@ieee.org) to get the private area password
2) the extension to create PKIX is in IEEE 802.11ai (fragments of text
that will later be incorporated into 802.11)
	This is also on the private site:
http://www.ieee802.org/11/private/index.shtml

IEEE 802.11 keeps draft specifications private, but the contribution
archive is open: https://mentor.ieee.org/802.11/documents
You can see some of it¹s structure by looking at:
https://mentor.ieee.org/802.11/documents?is_dcn=PKEX


> For example, the
>text mentions that:
>
>> Using this bootstrapping technique more than once with a different code
>>but the same bootstrapping key can enable a dictionary attack (to
>>recover the code) by the entity that obtained the bootstrapping key the
>>first time.
>
>A well designed short authentication string system (e.g. ZRTP's)
>should have no such issues.
Interesting Š yes, a short authentication string is good idea for some
user cases (Rich-UI device to Rich-UI device). I¹ll look at it some more Š

Paul


>

v2.23.0 | Report a Bug | By Email