IETF Logo Mail Archive

Re: [Cfrg] Wi-Fi Alliance Device Provisioning Protocol (DPP) - Draft Released for Public Review and Comments

Andy Lutomirski <luto@amacapital.net> Wed, 31 August 2016 20:34 UTC

Return-Path: <luto@amacapital.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E99C512D731 for <cfrg@ietfa.amsl.com>; Wed, 31 Aug 2016 13:34:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=amacapital-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id He6SIte2mi5s for <cfrg@ietfa.amsl.com>; Wed, 31 Aug 2016 13:34:49 -0700 (PDT)
Received: from mail-ua0-x231.google.com (mail-ua0-x231.google.com [IPv6:2607:f8b0:400c:c08::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D1C012D780 for <cfrg@irtf.org>; Wed, 31 Aug 2016 13:34:49 -0700 (PDT)
Received: by mail-ua0-x231.google.com with SMTP id i32so109747994uai.2 for <cfrg@irtf.org>; Wed, 31 Aug 2016 13:34:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=KJRE8ZlDTEE37hadEhckxDhhk1D13pfyB6TCVuN6ZkM=; b=0N0P9yYn05lxgaWs6XBm+zZW2mhV/j+p+Zy1QvocYG46aSwNyufiiM0Q8RfElq2UJ0 7zZjQ0KjYkTxdc5vgiAygOAM/Y+86fXaMOhLDE5b37mXOgLTm8jg+m9Kv0XOBRybGkCX XK4jHndev69kKXcZTUGE0VXYF7bCDHN3DzrwVyTqnmRx6FjQbBvcLe+oeMbqkecXR8dT vzCqIjB8Ay5nwsYwtxQGHs+cayihZnwJrrMPjW80euwg2JzIS/NU9ZEYy6sBEGe+b538 n/yU58NN95A+B3cG5p8w/NYPbG3EFNpUq0Vivi4Yt6XrPCFVDWPXef9/BOFGRxZcOWB8 bEIA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=KJRE8ZlDTEE37hadEhckxDhhk1D13pfyB6TCVuN6ZkM=; b=TsRbHggS1FnfV8kaasvRqnad0QWKf49wP2UexX4lunqtT4LPRHl+tDkpOh1JyBF31+ b8uqqcifgG1PgNlcoaAA6SVichlcinCAs/MV0byosTnA5lCCYQ/CQDVGxxeTwsGcf5Jz sMvmw4geHo6WGfUhTNuEwuUGAIPL8HFqd75rMKNYKKYpRzIZ4fBxhvSH/3/MQ8AcRCuK VFplQ1FUpu3A3MWFpxQmDj6MNNVFzs/pYzoAELjtfm0tXxKyBMSF4t4uqODYLMrhQP32 i5C93auYR5kTWSJPBU/DghYrrinA/gZWBRR/3i6u+3eybyjMCaYYZYu3Wzv9Hnjuo/ua YRXA==
X-Gm-Message-State: AE9vXwPKW1sq3osv2cArw0bEivNHvThuI7NlspzqjBGBFv5YyeI1TuOdqk3q5B/kDPV6fSmRiox9PLv6kGm1Ehui
X-Received: by 10.31.21.79 with SMTP id 76mr6845861vkv.135.1472675688573; Wed, 31 Aug 2016 13:34:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.76.146 with HTTP; Wed, 31 Aug 2016 13:34:28 -0700 (PDT)
In-Reply-To: <f6d272f3-5eaa-1d13-bf81-12e14ec20a3d@lounge.org>
References: <b6b2e03faf504238b8681284fc72a1dd@SC-EXCH03.marvell.com> <CALCETrVmSHv9=aNZYudU012UhuSNSJJaZX2CFa++o4nYA=WtPg@mail.gmail.com> <D3EB69B5.9C1EE%paul@marvell.com> <a120d8fb-c493-c6ea-fdd8-8ab9ebb7e5f4@lounge.org> <CALCETrXatKzPCqrbefbO9S1=orPEvOTNtRz1XsfDB691mDiuGg@mail.gmail.com> <f6d272f3-5eaa-1d13-bf81-12e14ec20a3d@lounge.org>
From: Andy Lutomirski <luto@amacapital.net>
Date: Wed, 31 Aug 2016 13:34:28 -0700
Message-ID: <CALCETrVdQ2+rw62bFh+G8rTk19yzb543V1eD0ig6YMMO_hM6Kw@mail.gmail.com>
To: Dan Harkins <dharkins@lounge.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/RVYxallL_ohq0mQ9LhF6ITl5xko>
Cc: "t2trg@irtf.org" <t2trg@irtf.org>, "cfrg@irtf.org" <cfrg@irtf.org>, "adrian.p.stephens@ieee.org" <adrian.p.stephens@ieee.org>, "lear@cisco.com" <lear@cisco.com>
Subject: Re: [Cfrg] Wi-Fi Alliance Device Provisioning Protocol (DPP) - Draft Released for Public Review and Comments
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Aug 2016 20:34:52 -0000

On Wed, Aug 31, 2016 at 1:12 PM, Dan Harkins <dharkins@lounge.org> wrote:
>
>
> On 8/31/16 12:25 PM, Andy Lutomirski wrote:
>>
>> On Tue, Aug 30, 2016 at 10:49 PM, Dan Harkins <dharkins@lounge.org> wrote:
>>>
>>>
>>>>> For example, the
>>>>> text mentions that:
>>>>>
>>>>>> Using this bootstrapping technique more than once with a different
>>>>>> code
>>>>>> but the same bootstrapping key can enable a dictionary attack (to
>>>>>> recover the code) by the entity that obtained the bootstrapping key
>>>>>> the
>>>>>> first time.
>>>
>>>    Think of EKE, a password is used to encrypt a public key to peer1. Now
>>> some
>>> time later the same public key is sent to peer2 using a different
>>> password.
>>> In this case peer1 would be able to do an off-line dictionary attack to
>>> recover
>>> the password used in the exchange to peer2. That's what is intended by
>>> the
>>> text
>>> in question.
>>
>> If by EKE you mean DH-EKE, then I think this just means you're doing
>> EKE wrong.  For DH-EKE (which is actually secure), you send a brand
>> new share every time.  Given my very, very limited understanding of
>> what is proposed here (since I haven't gone and asked the editors for
>> all the relevant documents), the protocol being used doesn't really
>> achieve anything useful.
>
>
> Yes, you use a fresh share every time with EKE because the derived
> session key is the important thing, you're doing a key exchange protocol
> to derive a secure, shared session key. That's not the case with PKEX.
> In PKEX the important thing is the decrypted public key, any derived
> session key is discarded. So reusing the public key would result in
> the issue that the text addresses.

Then at the very least why not do real PAKE (DH-EKE or whatever) and
then exchange public keys over the resulting secure channel?  ISTM the
spec is inventing a new protocol that's strictly worse than the
standard protocols out there.

>
>> But from reading the draft DPP document, I can't even tell what the
>> workflow is.  Who generates a password, who types it where, and who
>> sends what?
>>
>> And can someone explain what security properties the protocol is
>> trying to achieve?
>
>
> It was added to 802.11ai to enable raw public keys to be used for
> authentication in the 802.11ai protocol. Usually raw public keys are
> exchanged "in a manner outside the scope of the standard" but that's
> kind of a cop out. So PKEX was added to allow for 2 parties to exchange
> raw public keys in a manner that would provide some modicum of trust
> to the received public key. Each device will get the peer's public key
> in a manner that guarantees the integrity of the received key, with
> proof of possession of the private key, from a someone who knows the
> shared password. Presuming no one else knows the shared password then
> you know who's public key you just received and you know to whom
> you just gave your public key.

This doesn't answer the question.  What's the workflow?  Do I, as the
user, make up an arbitrary password and type it in to both devices?
Do I, as a user, read a password generated by one device and type it
in to the other?  I'm pretty sure that, for any of these variants,
there exist much more secure protocols.  If you further clarify the
workflow, I'm sure I can name a better protocol, and the folks lurking
here who are good at provable security can probably come up with a
straightforwardly provably secure protocol for a far stronger notion
of security than you're providing.

The 802.11 folks already screwed up WPA Personal by failing to use a
real PAKE for silly reasons.  Please don't screw up DPP as well.

>
>   The properties listed in in the 802.11ai amendment for PKEX are:
>
>   - the protocol will result in the exchange of trusted public
>     keys or it will fail;
>   - a passive adversary is unable to subvert the exchange, insert
>     any different public keys, learn the public keys, or learn the
>     key/code/word/phrase shared by the two peers;
>   - an active adversary that does not know the shared key/code/word/
>     phrase cannot successfully complete the exchange; and,
>   - an attacker is not able to perform an off-line dictionary attack
>     against PKEX in order to determine wither the public keys or
>     determine the shared key/code/word/phrase.

You aren't actually providing this last property AFAICT.

>
>  DPP has decided to use PKEX because DPP uses public keys for
> authentication but does not use a PKI so it needs some way to
> get a device's public key that has some manner of "trust" without
> relying on certificates and a CA.
>
>   In DPP, public keys are bootstrapped to gain that "trust". For
> instance a base64-encoded subjectPublicKeyInfo that is further QR
> encoded. Scan the QR code on the device, get the device's key. PKEX is
> another  "bootstrapping" technique. Two devices enter the same passphrase,
> and they get each other's public keys. Now that the devices have each
> other's trusted public keys they can do DPP.
>
>>>>>> A well designed short authentication string system (e.g. ZRTP's)
>>>>>> should have no such issues.
>>>>
>>>> Interesting Š yes, a short authentication string is good idea for some
>>>> user cases (Rich-UI device to Rich-UI device). I¹ll look at it some more
>>>> Š
>>>
>>>    That is exactly the case here. A short authentication string is used
>>> to
>>> bootstrap trust in a peer's public key.
>>>
>> Properly designed short authentication strings have very nice security
>> properties.  An online attacker has a 1/N chance of spoofing an
>> authentication per actual user interaction.  An offline attacker can't
>> get anything at all (unless they're willing to brute-force the
>> underlying high-entropy crypto).  Look at ZRTP for an example.
>>
>> PKEX, as vaguely described here, doesn't sound like a properly
>> designed short authentication string.  Sorry.
>
>
> I did the secdir review for the ZRTP draft that became RFC 6189; I
> am familiar with ZRTP.
>

Which doesn't mean that PKEX has good security properties.



-- 
Andy Lutomirski
AMA Capital Management, LLC

v2.23.0 | Report a Bug | By Email