IETF Logo Mail Archive

Re: [Cfrg] Adoption call for draft-harkins-pkex-05

Dan Harkins <dharkins@lounge.org> Wed, 11 April 2018 15:28 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06D4F124BFA for <cfrg@ietfa.amsl.com>; Wed, 11 Apr 2018 08:28:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gK_Y1sEWqTgW for <cfrg@ietfa.amsl.com>; Wed, 11 Apr 2018 08:28:15 -0700 (PDT)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id F3A481200FC for <cfrg@irtf.org>; Wed, 11 Apr 2018 08:28:14 -0700 (PDT)
Received: from thinny.local (69-12-173-8.static.dsltransport.net [69.12.173.8]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by colo.trepanning.net (Postfix) with ESMTPSA id 9321DA888018 for <cfrg@irtf.org>; Wed, 11 Apr 2018 08:28:14 -0700 (PDT)
To: cfrg@irtf.org
References: <5ACA0006.4020809@isode.com> <810C31990B57ED40B2062BA10D43FBF501C515B8@XMB116CNC.rim.net> <810C31990B57ED40B2062BA10D43FBF501C5168A@XMB116CNC.rim.net>
From: Dan Harkins <dharkins@lounge.org>
Message-ID: <8f43fa44-ee6c-c737-452f-e8cc59b52967@lounge.org>
Date: Wed, 11 Apr 2018 08:28:12 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF501C5168A@XMB116CNC.rim.net>
Content-Type: multipart/alternative; boundary="------------7732F28EFB94B1D5E2B39C65"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/9TsHNQR74VqQjf-L_oF3zOHYu40>
Subject: Re: [Cfrg] Adoption call for draft-harkins-pkex-05
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Apr 2018 15:28:18 -0000

   Hi Dan,

On 4/10/18 1:46 PM, Dan Brown wrote:
> A third very minor issue (again terminology, and arguably more pedantic):
> 3. The PKEX I-D uses the word "trust" often. It seems to me that is not an
> equivalent in strength trust to a more conventional public-key certificate
> (or a distributed web of trust either).  I think this needs clarification in
> the draft.  I expand on the difference below, in two closely related
> sub-issues.

   By trust I mean: 1) that the public key received is the public key sent;
2) that the public key is bound to an authenticated identity; and 3) that
the sender proves possession of the corresponding private key. They can
now be used in a regular key exchange protocol-- like IKE or TLS-- that is
authenticated with raw public keys. To authenticate with raw public keys
you need some sort of "trust" in the public key. That's what PKEX provides.

> 3a. First, if Bob lost his secret password, or has a bad RNG, then Eve may
> be able to impersonate Alice to Bob, even if Alice system's is entirely
> uncompromised.  In regular authenticated key exchange, this type of attack
> is called key-compromise impersonation (KCI).  I guess KCI applies to every
> PAKE, which is fair enough.  But PKEX has farther aims than a just PAKE,
> kind of a sub-PKI. (Is PKEX a play on PKIX?)  But in a PKI, relying parties
> can "trust" public keys, such as code signing keys, without having any
> secrets at all to guard.  So, in some sense there is lesser degree of trust
> provided by a PKI.

   The secret only needs to be guarded until PKEX is run, once it has
successfully concluded the secret can be exposed and it will not affect
the security of the exchange. The exchanged keys can still be trusted
when subsequently used.

   I agree that PKEX provides a lesser degree of trust provided by a 
PKI. It's
not supposed to be a replacement, just a way to gain trust in a raw 
public key
which heretofore has always been done "in a manner outside the scope of the
protocol."

   That said, when I enroll in a CA I need to authenticate myself to it
somehow. It doesn't just give out certificates to anyone who provides a
name and a public key. So whatever credential I use to prove I am who I
say I am at enrollment time is analogous to password used in PKEX.

>   
> 3b. Second, and this issue is an extension of the first (not independent of
> it), I would argue that part of "trust" in a public key includes an ability
> to trust its use in non-repudiable signed transaction.  Because of the KCI
> threat, Alice could do PKEX with Bob, sign a message with her key A, then
> try to repudiate.  Bob will not be able to prove to anybody A is Alice's
> key, because he could have generated A himself, as if Bob did a KCI attack
> on himself.  So, Bob will not be able to trust Alice as much as usual in a
> PKI.

   That's a great point. It's sort of the flip side of the anonymity that
PKEX provides to subsequent use of the public key. The keys are only known
and trusted by the two peers that ran PKEX. Anyone who views a key exchange
using a raw public key would not be able to determine who engaged in the
protocol and the whole exchange would be completely deniable.

   This is needs to be explained further in the draft.

> At the moment I don't have a concrete suggestion to correct this
> terminology.  Also, I forget if PKI spec use the word "trust" or something
> else.

   If you come up with a different word please send it to the list. I still
think "trust" is the right word, with the proviso above.

   regards,

   Dan.

> -----Original Message-----
> From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Dan Brown
> Sent: Tuesday, April 10, 2018 2:00 PM
> To: Alexey Melnikov <alexey.melnikov@isode.com>; cfrg@irtf.org
> Subject: Re: [Cfrg] Adoption call for draft-harkins-pkex-05
>
> I'm seeing two minor issues to be resolved before adoption:
> 1. "Public key exchange" is a totally non-specific name, so much so, that I
> oppose adoption under this name.  Public key exchange could mean
> Diffie-Hellman key agreement, for example.  If PKEX has been deployed in
> some places, the name should be updated retroactively.  (Sorry that this is
> merely a terminology issue (as in the color of bikeshed, not the bikeshed
> itself.)
> 2. What is the problem being solved here?  For example, I think that TLS
> will or does offer PSK authentication.  So, why not just do an out-of-band
> PAKE to establish a PSK, then use PSK-authenticated TLS.  So, to rephrase my
> question: is there some security defect with PSK-authenticated TLS that PKEX
> solves?  Maybe this was discussed already, sorry if I missed it (and am out
> of order).
> Otherwise, I do not have much of an opinion in either direction.
>
> -----Original Message-----
> From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Alexey Melnikov
> Sent: Sunday, April 8, 2018 7:42 AM
> To: cfrg@irtf.org
> Subject: [Cfrg] Adoption call for draft-harkins-pkex-05
>
> Dear CFRG participants,
> This message is starting a 2 weeks adoption call for
> draft-harkins-pkex-05 (Public Key Exchange). From the document's
> Introduction:
>
>     [RFC7250] further states that "the main security challenge [to using
>     'raw' public keys] is how to associate the public key with a specific
>     entity.  Without a secure binding between identifier and key, the
>     protocol will be vulnerable to man-in-the- middle attacks."
>
>     The Public Key Exchange (PKEX) is designed to fill that gap: it
>     establishes a secure binding between exchanged public keys and
>     identifiers, it provides proof-of-possession of the exchanged public
>     keys to each peer, and it enables the establishment of trust in
>     public keys that can subsequently be used to facilitate
>     authentication in other authentication and key exchange protocols.
>     At the end of a successful run of PKEX the two peers will have trust
>     in each others exchanged public keys and also share an authenticated
>     symmetric key which may be discarded or used for another purpose.
>
> The adoption call will last for 2 weeks and will end on April 22nd.
>
> Thank you,
> Kenny and Alexey
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email