Re: [Cfrg] Wi-Fi Alliance Device Provisioning Protocol (DPP) - Draft Released for Public Review and Comments
Dan Harkins <dharkins@lounge.org> Wed, 31 August 2016 23:38 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6D5C12D513; Wed, 31 Aug 2016 16:38:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xmFHLQLyg2lJ; Wed, 31 Aug 2016 16:38:49 -0700 (PDT)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 2094412D1A4; Wed, 31 Aug 2016 16:38:49 -0700 (PDT)
Received: from thinny.local (69-12-173-8.static.dsltransport.net [69.12.173.8]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by colo.trepanning.net (Postfix) with ESMTPSA id 15C1710224008; Wed, 31 Aug 2016 16:38:48 -0700 (PDT)
To: Andy Lutomirski <luto@amacapital.net>
References: <b6b2e03faf504238b8681284fc72a1dd@SC-EXCH03.marvell.com> <CALCETrVmSHv9=aNZYudU012UhuSNSJJaZX2CFa++o4nYA=WtPg@mail.gmail.com> <D3EB69B5.9C1EE%paul@marvell.com> <a120d8fb-c493-c6ea-fdd8-8ab9ebb7e5f4@lounge.org> <CALCETrXatKzPCqrbefbO9S1=orPEvOTNtRz1XsfDB691mDiuGg@mail.gmail.com> <f6d272f3-5eaa-1d13-bf81-12e14ec20a3d@lounge.org> <CALCETrVdQ2+rw62bFh+G8rTk19yzb543V1eD0ig6YMMO_hM6Kw@mail.gmail.com> <09ffc37d-da23-3955-e4fe-4bd4e08be55f@lounge.org> <CALCETrU5A6cDc5VwTQisVu1iptGz5x5fcann897rJKGCBfhs4Q@mail.gmail.com>
From: Dan Harkins <dharkins@lounge.org>
Message-ID: <22777767-fea4-9922-47c8-09aa00325271@lounge.org>
Date: Wed, 31 Aug 2016 16:38:47 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <CALCETrU5A6cDc5VwTQisVu1iptGz5x5fcann897rJKGCBfhs4Q@mail.gmail.com>
Content-Type: multipart/mixed; boundary="------------36030D7D3F234F5DB1F87457"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/npDHPvjwyNYRSbD6XJHCjtOq-tc>
X-Mailman-Approved-At: Thu, 01 Sep 2016 08:01:14 -0700
Cc: "t2trg@irtf.org" <t2trg@irtf.org>, "cfrg@irtf.org" <cfrg@irtf.org>, "adrian.p.stephens@ieee.org" <adrian.p.stephens@ieee.org>, "lear@cisco.com" <lear@cisco.com>
Subject: Re: [Cfrg] Wi-Fi Alliance Device Provisioning Protocol (DPP) - Draft Released for Public Review and Comments
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Aug 2016 23:38:51 -0000
On 8/31/16 3:50 PM, Andy Lutomirski wrote: > On Wed, Aug 31, 2016 at 2:27 PM, Dan Harkins <dharkins@lounge.org> wrote: >> What is the security flaw in PKEX that makes other protocols "much >> more secure"? > Since I still haven't read a full description of PKEX, here are my > guesses. None of them depend on the details of the mapping from > (passphrase, cleartext group element) -> (ciphertext). If that > mapping were biased, then additional attacks would be possible. Oh, I didn't realize you were making these statements without actually having seen the protocol. See the attached. Dan. > 1. An attacker who has once legitimately paired with one of the > devices in question and thus knows the public key can apparently > passively capture a PKEX exchange and brute-force the password. This > seems like a rather serious weakness. > > 2. I think there's a quadratic brute-force attack if passwords are not > reused. Suppose there are N possible passwords. An attacker can wait > for a PKEX exchange attempt, capture the messages, and also block the > messages so it fails. Then the attacker captures a second PKEX > attempt between the same two parties. There are N^2 possible pairs of > passwords for the first and second attempts. Since, in general, we > can expect N^2 << sqrt(2^256) or so (especially if the passwords are, > say, six-digit numbers, and using six-digit or even four-digit numbers > for an exchange like this is entirely reasonable if the crypto is > good), the attacker can simply try all N^2 possibilities to find one > for which the recovered public keys match. With high probability, the > attacker will have recovered both keys and the public key. You seem > to be treating the public key as somewhat secret, this already breaks > it. If the attacker has full MITM capabilities, the attacker can now > edit the exchanged messages in the second exchange to substitute his > or her own keys. > > This attack seems complicated, but I can imagine it being fast enough > to run in real time and hijack a connection. > > 3. You have no forward protection against brute-forcing. A leak of a > potential long-term secret (the *public bootstrapping key*, since this > protocol really does seem to think that the public key is secret) > allows brute-forcing the exchange after the fact. Real PAKE protocols > don't have this problem -- the information that needs to be protected > is ephemeral. > > 4. I suspect that, once a PKEX exchange succeeds in the context of > DPP, a passive eavesdropper will be able to capture enough information > to be able to evaluate whether a given guess of a party's public key > is correct. This enables a full off-line attack on the password. > > 5. The really, really easy attack: in the real world, I suspect that a > lot of PKEX-supporting devices will be things like APs and will also > have QR codes. So an attacker can simply read the QR code, learn the > AP's public key, and then brute force all subsequent PKEX exchanges. > > This whole protocol doesn't have a coherent description of exactly who > does what and what the security properties are supposed to be, which > makes it very unlikely that provable security is possible. I wouldn't > be terribly surprised if I or others could break it further if anyone > cared to. > > If an implementation really never reuses a bootstrapping public key, > then #1, #2, and #5 don't work. I find it implausible that devices > will actually use ephemeral bootstrapping keys, if for no other reason > than that it would significantly complicate the rest of the protocol. > And if devices do use ephemeral bootstrapping keys, then evaluating > whether #4 is a problem cannot be done by simply analyzing PKEX. One > would also need to analyze the DPP Authentication protocol to > determine whether it leaked enough information (to a passive or active > attacker) to allow checking whether a guess of the bootstrap key is > correct. This is, in my book, sufficient reason to reject the entire > PKEX primitive. A primitive should be secure on its own without > regard to the context in which it's used. > > 6.2.3 says: The Responder receives the DPP Authentication Request > message and checks whether a SHA256 hash of the DER encoded ASN.1 > SubjectPublicKeyInfo of its public bootstrapping key is in the > message. If not, it discards the message and returns to its quiescent > state. If a hash of its key is in the message, ... > > That looks like it could give a clear indication of whether a guessed > bootstrap key is correct. > > > On another note, this looks like a potential vulnerability; > > 6.2.3 further says: If a hash of its key is in the message, it next > checks whether it has a copy of the Initiator’s public bootstrapping > key (whose SHA256 hash matches that in the message). If so, and the > Responder wishes to do mutual authentication, it will perform mutual > authentication, otherwise it will not perform mutual authentication. > > This looks like it might be a way to force a downgrade that prevents > mutual authentication. > >>> >>> The 802.11 folks already screwed up WPA Personal by failing to use a >>> real PAKE for silly reasons. Please don't screw up DPP as well. >> >> SAE is the PAKE in 802.11. But as I said to Paul, PKEX is not SAE. >> >> I would like to understand what you mean by "screw up DPP as well." >> How is DPP being screwed up by the inclusion of PKEX? >>>> The properties listed in in the 802.11ai amendment for PKEX are: >>>> >>>> - the protocol will result in the exchange of trusted public >>>> keys or it will fail; >>>> - a passive adversary is unable to subvert the exchange, insert >>>> any different public keys, learn the public keys, or learn the >>>> key/code/word/phrase shared by the two peers; >>>> - an active adversary that does not know the shared key/code/word/ >>>> phrase cannot successfully complete the exchange; and, >>>> - an attacker is not able to perform an off-line dictionary attack >>>> against PKEX in order to determine wither the public keys or >>>> determine the shared key/code/word/phrase. >>> You aren't actually providing this last property AFAICT. >> >> Why not? If you mean that reusing the same public key with a different >> key/code/word/phrase then see the quote at the top of this email that >> started this thread. That is an acknowledged security consideration already. > Saying it's "an acknowledged security consideration" doesn't make it > magically stop being a violation of the intended security properties. > >> Please explain how the _protocol_ itself is not providing this property >> because it's not clear to me what you mean. > A protocol with a big nasty gotcha like this that's already known when > the protocol is proposed is unacceptable in my book. Also, it seems > considerably more broken than just this gotcha -- see above. > > But why oh why is the 802.11 group inventing its own crypto? It's not > the 1990s any more. Use a real primitive. > > --Andy
- [Cfrg] Wi-Fi Alliance Device Provisioning Protoco… Paul Lambert
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Andy Lutomirski
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Paul Lambert
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Dan Harkins
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Paul Lambert
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Andy Lutomirski
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Dan Harkins
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Dan Harkins
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Andy Lutomirski
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Dan Harkins
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Paul Lambert
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Andy Lutomirski
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Andy Lutomirski
- Re: [Cfrg] [T2TRG] Wi-Fi Alliance Device Provisio… Paul Lambert
- Re: [Cfrg] [T2TRG] Wi-Fi Alliance Device Provisio… Andy Lutomirski
- Re: [Cfrg] [T2TRG] Wi-Fi Alliance Device Provisio… Dan Harkins
- Re: [Cfrg] [T2TRG] Wi-Fi Alliance Device Provisio… Andy Lutomirski
- Re: [Cfrg] [T2TRG] Wi-Fi Alliance Device Provisio… Paul Lambert
- Re: [Cfrg] Wi-Fi Alliance Device Provisioning Pro… Dan Harkins