IETF Logo Mail Archive

Re: [Cfrg] Wi-Fi Alliance Device Provisioning Protocol (DPP) - Draft Released for Public Review and Comments

Dan Harkins <dharkins@lounge.org> Wed, 31 August 2016 20:12 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A852512D763; Wed, 31 Aug 2016 13:12:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 25YvY2_IG_88; Wed, 31 Aug 2016 13:12:34 -0700 (PDT)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 721E012D76D; Wed, 31 Aug 2016 13:12:34 -0700 (PDT)
Received: from thinny.local (69-12-173-8.static.dsltransport.net [69.12.173.8]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by colo.trepanning.net (Postfix) with ESMTPSA id 0A69810224008; Wed, 31 Aug 2016 13:12:34 -0700 (PDT)
To: Andy Lutomirski <luto@amacapital.net>
References: <b6b2e03faf504238b8681284fc72a1dd@SC-EXCH03.marvell.com> <CALCETrVmSHv9=aNZYudU012UhuSNSJJaZX2CFa++o4nYA=WtPg@mail.gmail.com> <D3EB69B5.9C1EE%paul@marvell.com> <a120d8fb-c493-c6ea-fdd8-8ab9ebb7e5f4@lounge.org> <CALCETrXatKzPCqrbefbO9S1=orPEvOTNtRz1XsfDB691mDiuGg@mail.gmail.com>
From: Dan Harkins <dharkins@lounge.org>
Message-ID: <f6d272f3-5eaa-1d13-bf81-12e14ec20a3d@lounge.org>
Date: Wed, 31 Aug 2016 13:12:32 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <CALCETrXatKzPCqrbefbO9S1=orPEvOTNtRz1XsfDB691mDiuGg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/CAKkaxJ4PbmfLYEkDlWMRbm2gow>
Cc: "t2trg@irtf.org" <t2trg@irtf.org>, "cfrg@irtf.org" <cfrg@irtf.org>, "adrian.p.stephens@ieee.org" <adrian.p.stephens@ieee.org>, "lear@cisco.com" <lear@cisco.com>
Subject: Re: [Cfrg] Wi-Fi Alliance Device Provisioning Protocol (DPP) - Draft Released for Public Review and Comments
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Aug 2016 20:12:36 -0000


On 8/31/16 12:25 PM, Andy Lutomirski wrote:
> On Tue, Aug 30, 2016 at 10:49 PM, Dan Harkins <dharkins@lounge.org> wrote:
>>
>>>> For example, the
>>>> text mentions that:
>>>>
>>>>> Using this bootstrapping technique more than once with a different code
>>>>> but the same bootstrapping key can enable a dictionary attack (to
>>>>> recover the code) by the entity that obtained the bootstrapping key the
>>>>> first time.
>>    Think of EKE, a password is used to encrypt a public key to peer1. Now
>> some
>> time later the same public key is sent to peer2 using a different password.
>> In this case peer1 would be able to do an off-line dictionary attack to
>> recover
>> the password used in the exchange to peer2. That's what is intended by the
>> text
>> in question.
> If by EKE you mean DH-EKE, then I think this just means you're doing
> EKE wrong.  For DH-EKE (which is actually secure), you send a brand
> new share every time.  Given my very, very limited understanding of
> what is proposed here (since I haven't gone and asked the editors for
> all the relevant documents), the protocol being used doesn't really
> achieve anything useful.

Yes, you use a fresh share every time with EKE because the derived
session key is the important thing, you're doing a key exchange protocol
to derive a secure, shared session key. That's not the case with PKEX.
In PKEX the important thing is the decrypted public key, any derived
session key is discarded. So reusing the public key would result in
the issue that the text addresses.

> But from reading the draft DPP document, I can't even tell what the
> workflow is.  Who generates a password, who types it where, and who
> sends what?
>
> And can someone explain what security properties the protocol is
> trying to achieve?

It was added to 802.11ai to enable raw public keys to be used for
authentication in the 802.11ai protocol. Usually raw public keys are
exchanged "in a manner outside the scope of the standard" but that's
kind of a cop out. So PKEX was added to allow for 2 parties to exchange
raw public keys in a manner that would provide some modicum of trust
to the received public key. Each device will get the peer's public key
in a manner that guarantees the integrity of the received key, with
proof of possession of the private key, from a someone who knows the
shared password. Presuming no one else knows the shared password then
you know who's public key you just received and you know to whom
you just gave your public key.

   The properties listed in in the 802.11ai amendment for PKEX are:

   - the protocol will result in the exchange of trusted public
     keys or it will fail;
   - a passive adversary is unable to subvert the exchange, insert
     any different public keys, learn the public keys, or learn the
     key/code/word/phrase shared by the two peers;
   - an active adversary that does not know the shared key/code/word/
     phrase cannot successfully complete the exchange; and,
   - an attacker is not able to perform an off-line dictionary attack
     against PKEX in order to determine wither the public keys or
     determine the shared key/code/word/phrase.

  DPP has decided to use PKEX because DPP uses public keys for
authentication but does not use a PKI so it needs some way to
get a device's public key that has some manner of "trust" without
relying on certificates and a CA.

   In DPP, public keys are bootstrapped to gain that "trust". For
instance a base64-encoded subjectPublicKeyInfo that is further QR
encoded. Scan the QR code on the device, get the device's key. PKEX is
another  "bootstrapping" technique. Two devices enter the same passphrase,
and they get each other's public keys. Now that the devices have each
other's trusted public keys they can do DPP.

>>>>> A well designed short authentication string system (e.g. ZRTP's)
>>>>> should have no such issues.
>>> Interesting Š yes, a short authentication string is good idea for some
>>> user cases (Rich-UI device to Rich-UI device). I¹ll look at it some more Š
>>    That is exactly the case here. A short authentication string is used to
>> bootstrap trust in a peer's public key.
>>
> Properly designed short authentication strings have very nice security
> properties.  An online attacker has a 1/N chance of spoofing an
> authentication per actual user interaction.  An offline attacker can't
> get anything at all (unless they're willing to brute-force the
> underlying high-entropy crypto).  Look at ZRTP for an example.
>
> PKEX, as vaguely described here, doesn't sound like a properly
> designed short authentication string.  Sorry.

I did the secdir review for the ZRTP draft that became RFC 6189; I
am familiar with ZRTP.

   Dan.

v2.23.0 | Report a Bug | By Email