Re: [Cfrg] Wi-Fi Alliance Device Provisioning Protocol (DPP) - Draft Released for Public Review and Comments
Paul Lambert <paul@marvell.com> Wed, 31 August 2016 00:47 UTC
Return-Path: <paul@marvell.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9631812B051; Tue, 30 Aug 2016 17:47:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yhsYxojHAb2m; Tue, 30 Aug 2016 17:47:00 -0700 (PDT)
Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C4C112B00A; Tue, 30 Aug 2016 17:47:00 -0700 (PDT)
Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.0.17/8.16.0.17) with SMTP id u7V0j1tm016807; Tue, 30 Aug 2016 17:46:58 -0700
Received: from sc-exch02.marvell.com ([199.233.58.182]) by mx0a-0016f401.pphosted.com with ESMTP id 255mxtg0x9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 30 Aug 2016 17:46:57 -0700
Received: from SC-EXCH03.marvell.com (10.93.176.83) by SC-EXCH02.marvell.com (10.93.176.82) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Tue, 30 Aug 2016 17:46:55 -0700
Received: from SC-EXCH03.marvell.com ([fe80::6cb0:4dfa:f3f3:b8b6]) by SC-EXCH03.marvell.com ([fe80::6cb0:4dfa:f3f3:b8b6%21]) with mapi id 15.00.1104.000; Tue, 30 Aug 2016 17:46:55 -0700
From: Paul Lambert <paul@marvell.com>
To: Andy Lutomirski <luto@amacapital.net>
Thread-Topic: [Cfrg] Wi-Fi Alliance Device Provisioning Protocol (DPP) - Draft Released for Public Review and Comments
Thread-Index: AQHSAxd8feDlzRT1DkO/Rm6efoKJcaBiPCcA
Date: Wed, 31 Aug 2016 00:46:55 +0000
Message-ID: <D3EB69B5.9C1EE%paul@marvell.com>
References: <b6b2e03faf504238b8681284fc72a1dd@SC-EXCH03.marvell.com> <CALCETrVmSHv9=aNZYudU012UhuSNSJJaZX2CFa++o4nYA=WtPg@mail.gmail.com>
In-Reply-To: <CALCETrVmSHv9=aNZYudU012UhuSNSJJaZX2CFa++o4nYA=WtPg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.5.160527
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.94.250.30]
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <91832E2F1D32DA4CA7B1B3AEA3FA5FDC@marvell.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-08-30_10:, , signatures=0
X-Proofpoint-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 impostorscore=0 lowpriorityscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1604210000 definitions=main-1608310008
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/0_ldzVp_WQ2JJoSeu4KwsfVKInQ>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "t2trg@irtf.org" <t2trg@irtf.org>, "adrian.p.stephens@ieee.org" <adrian.p.stephens@ieee.org>, "lear@cisco.com" <lear@cisco.com>
Subject: Re: [Cfrg] Wi-Fi Alliance Device Provisioning Protocol (DPP) - Draft Released for Public Review and Comments
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Aug 2016 00:47:02 -0000
Hi Andy, Thank you very much for taking the time to look at the DPP specification. On 8/30/16, 4:37 PM, "Andy Lutomirski" <luto@amacapital.net> wrote: >On Fri, Jul 29, 2016 at 6:27 PM, Paul Lambert <paul@marvell.com> wrote: >> The Wi-Fi Alliance (WFA) has posted a draft version of a new Œsetup >> protocol¹: >> >> >>https://www.wi-fi.org/downloads-registered-guest/Wi-Fi_DPP_Tech_Spec_v0_0 >>_23.pdf Note - this download site is off-line today Š may be back soon. >> >> >> The WFA is looking for review and comments on this specification. >> > >A few comments on a cursory reading: > >Section 3.2 specifies a particular point format. Is this actually >compatible with Curve 25519, etc? No it is not. >Wouldn't it be more sensible to use >the point format recommended by each individual curve? Yes - I would think we should always consider such values to be opaque octet strings and the interpretation should be based on the algorithm suite. Curve 25519 may not be able to be integrated because of: - big versus little endian - the ³curve" identification method The hash algorithms are also locked down to SHAxxx and encryption to AES-SIV so algorithm flexibility is limited. > >Section 5.5: Is the PKEX protocol publicly documented anywhere? I'm >concerned that the crypto here is highly suboptimal. Yes, I¹m not a fan of PKEX in DPP and tried to have it removed. It¹s not been well reviewed, it¹s really hard to review (due to embedding in 802.11) and it¹s just the wrong mechanism (PAKE) for the desired user experience. However,it an interesting design where a PAKE has been extended to provide both peers with authenticated public keys. The shared passphrase effectively introduces two longer term pubic keys. It¹s a significant design improvement over a typical PAKE that only establishes a shared symmetric key. PKEX should get some review and get used where appropriate or we should be working on similar extensions to PAKEs to authenticate long term public keys. The specification for PKEX is available in two parts: 1) the base SAE protocol is described in IEEE 802.11 http://www.ieee802.org/11/private/Draft_Standards/11mc/Draft%20P802.11REVm c_D8.0.pdf This is a IEEE 802.11 member private site, but I¹ve gotten agreement from the chair that he will provide access to "security researchers² You¹ll have to contact Adrian Stevens (IEEE 802.11 Chair - adrian.p.stephens@ieee.org) to get the private area password 2) the extension to create PKIX is in IEEE 802.11ai (fragments of text that will later be incorporated into 802.11) This is also on the private site: http://www.ieee802.org/11/private/index.shtml IEEE 802.11 keeps draft specifications private, but the contribution archive is open: https://mentor.ieee.org/802.11/documents You can see some of it¹s structure by looking at: https://mentor.ieee.org/802.11/documents?is_dcn=PKEX > For example, the >text mentions that: > >> Using this bootstrapping technique more than once with a different code >>but the same bootstrapping key can enable a dictionary attack (to >>recover the code) by the entity that obtained the bootstrapping key the >>first time. > >A well designed short authentication string system (e.g. ZRTP's) >should have no such issues. Interesting Š yes, a short authentication string is good idea for some user cases (Rich-UI device to Rich-UI device). I¹ll look at it some more Š Paul >
- [Cfrg] Wi-Fi Alliance Device Provisioning Protoco… Paul Lambert
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Andy Lutomirski
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Paul Lambert
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Dan Harkins
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Paul Lambert
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Andy Lutomirski
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Dan Harkins
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Dan Harkins
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Andy Lutomirski
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Dan Harkins
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Paul Lambert
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Andy Lutomirski
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Andy Lutomirski
- Re: [Cfrg] [T2TRG] Wi-Fi Alliance Device Provisio… Paul Lambert
- Re: [Cfrg] [T2TRG] Wi-Fi Alliance Device Provisio… Andy Lutomirski
- Re: [Cfrg] [T2TRG] Wi-Fi Alliance Device Provisio… Dan Harkins
- Re: [Cfrg] [T2TRG] Wi-Fi Alliance Device Provisio… Andy Lutomirski
- Re: [Cfrg] [T2TRG] Wi-Fi Alliance Device Provisio… Paul Lambert
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Dan Harkins