Re: [Cfrg] [T2TRG] Wi-Fi Alliance Device Provisioning Protocol (DPP) - Draft Released for Public Review and Comments
Paul Lambert <paul@marvell.com> Wed, 31 August 2016 23:55 UTC
Return-Path: <paul@marvell.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B37812D7BF; Wed, 31 Aug 2016 16:55:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0uLrM93lDLFU; Wed, 31 Aug 2016 16:55:50 -0700 (PDT)
Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7D8412B044; Wed, 31 Aug 2016 16:55:49 -0700 (PDT)
Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.0.17/8.16.0.17) with SMTP id u7VNsmOC031840; Wed, 31 Aug 2016 16:55:47 -0700
Received: from sc-exch03.marvell.com ([199.233.58.183]) by mx0b-0016f401.pphosted.com with ESMTP id 2567f497es-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 31 Aug 2016 16:55:47 -0700
Received: from SC-EXCH03.marvell.com (10.93.176.83) by SC-EXCH03.marvell.com (10.93.176.83) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Wed, 31 Aug 2016 16:55:44 -0700
Received: from SC-EXCH03.marvell.com ([fe80::6cb0:4dfa:f3f3:b8b6]) by SC-EXCH03.marvell.com ([fe80::6cb0:4dfa:f3f3:b8b6%21]) with mapi id 15.00.1104.000; Wed, 31 Aug 2016 16:55:44 -0700
From: Paul Lambert <paul@marvell.com>
To: Dan Harkins <dharkins@lounge.org>, Andy Lutomirski <luto@amacapital.net>
Thread-Topic: [T2TRG] [Cfrg] Wi-Fi Alliance Device Provisioning Protocol (DPP) - Draft Released for Public Review and Comments
Thread-Index: AQHSA+MvfeDlzRT1DkO/Rm6efoKJcQ==
Date: Wed, 31 Aug 2016 23:55:44 +0000
Message-ID: <D3ECA739.9C587%paul@marvell.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.5.160527
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.94.250.30]
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <FEC9F87DAEFB4F4A83A2C52A0A81649A@marvell.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-08-31_06:, , signatures=0
X-Proofpoint-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 impostorscore=0 lowpriorityscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1604210000 definitions=main-1608310276
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/O8jJCw4eVNU0GFMcxp627Uo6GWQ>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "t2trg@irtf.org" <t2trg@irtf.org>, "adrian.p.stephens@ieee.org" <adrian.p.stephens@ieee.org>, "lear@cisco.com" <lear@cisco.com>
Subject: Re: [Cfrg] [T2TRG] Wi-Fi Alliance Device Provisioning Protocol (DPP) - Draft Released for Public Review and Comments
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Aug 2016 23:55:51 -0000
I¹ve made a short summary of the PKEX protocol below. Comments and corrections would be appreciated. Assuming my summary is correct ... If a third party Carol with P_c knows the MAC address and public key of Alice (MAC_a and P_a) a MiTM attack is possible. 1) Alice and Bob share a one-time passphrase to bootstrap connectivity and learn each others associated public keys. 2) Alice - calculates Pwe_ab = huntandpeck(passphrase_ab) # passphrase between Alice and Bob - calculates Q_a = H( MAC_a ) * Pwe_a - sends Commit with nonce_a and C_a = P_a + Q_a 3) Carol intercepts Alice¹s Commit and having met Alice, know¹s P_a and MAC_a - calculates Q_a = (C_a - P_a) - creates spoofed commit as C¹_a = P_c + Q_a - send spoofed commit with nonce_c and C¹_a 4) Carol continues PKEX exchange with Bob using MAC_a 5) At end Bob thinks P_c belongs to MAC_a Paul - - - PKEX Summary - - - For two entities Alice and Bob: - subscripts indicate entity (e.g. P_a for Alice public key) - operating on additive group - with generator G on a 'curve' - with hash H() - and huntandpeck(Point,curve) as defined in 802.11mc - scalars are lower case group element (Points) in upper case Each peer has a long term public key: P_a = s_a * G P_b = s_b * G and MAC addresses MAC_a MAC_b Each peer shares by out-of-band a string 'passphrase' The following is a view of PKEX processing from Alice's perspective: Pwe_a = huntandpeck( passphrase, curve ) # a point on the curve m_a = H( MAC_a ) Q_a = m_a * Pwe_a C_a = P_a + Q_a nonce_a = random() Alice ---> Bob sendCommit( nonce_a, C_a ) from MAC_a Alice <--- Bob sendCommit( nonce_b, C_b ) from MAC_b m_b = H(MAC_b) Q'_b = m_b * Pwe P'_b = C_b - Q'_b k = KDF(s_a*P'_b', nonce_a, nonce_b) Alice ---> Bob sendCommit( HMAC-Hash(k, P_a || P'_b || MAC_a || MAC_b) ) Alice <--- Bob sendCommit( HMAC-Hash(k, P_b || P'_a || MAC_b || MAC_b) ) Alice validates that Bob¹s commit message is correct and if so: - Alice has demonstrated ownership of P_a to Bob - Bob has demonstrated ownership of P_b to Alice - no pair-wise shared key is available > >> >>On 8/31/16 12:03 PM, Paul Lambert wrote: >>> Yes, PKEX is not SAE, but they share the same underlying PAKE >>> cryptographic processing >> >> That is not true. They both use a secret group element that is derived >>from a password but the exchanges are completely different. > >Yes - the protocols are very different. > >My original point was that it is difficult to fully evaluate PKEX without >having the text for SAE that includes field definitions and important >aspects of the cryptographic processing. > >Both PKEX and SAE use the identical textual specification that describes >the hunt-and-peek mapping of a passphrase to a group element. This >mapping is a fundamental aspect of the PAKE processing and makes SAE and >PKEX both members of the class of PAKE algorithms that operate by the >mapping of a passphrase to a group element (point on ECC curve). > >The demonstration of knowledge of this group element is very different for >the two protocols. > >Paul > >> >> Dan. >> >> > >_______________________________________________ >T2TRG mailing list >T2TRG@irtf.org >https://www.irtf.org/mailman/listinfo/t2trg
- [Cfrg] Wi-Fi Alliance Device Provisioning Protoco… Paul Lambert
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Andy Lutomirski
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Paul Lambert
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Dan Harkins
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Paul Lambert
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Andy Lutomirski
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Dan Harkins
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Dan Harkins
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Andy Lutomirski
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Dan Harkins
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Paul Lambert
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Andy Lutomirski
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Andy Lutomirski
- Re: [Cfrg] [T2TRG] Wi-Fi Alliance Device Provisio… Paul Lambert
- Re: [Cfrg] [T2TRG] Wi-Fi Alliance Device Provisio… Andy Lutomirski
- Re: [Cfrg] [T2TRG] Wi-Fi Alliance Device Provisio… Dan Harkins
- Re: [Cfrg] [T2TRG] Wi-Fi Alliance Device Provisio… Andy Lutomirski
- Re: [Cfrg] [T2TRG] Wi-Fi Alliance Device Provisio… Paul Lambert
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Dan Harkins