Re: [Emu] I-D Action:draft-ietf-emu-eap-gpsk-09.txt
Hannes Tschofenig <Hannes.Tschofenig@gmx.net> Sat, 28 June 2008 14:25 UTC
Return-Path: <emu-bounces@ietf.org>
X-Original-To: emu-archive@megatron.ietf.org
Delivered-To: ietfarch-emu-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 383DF3A69AB; Sat, 28 Jun 2008 07:25:34 -0700 (PDT)
X-Original-To: emu@core3.amsl.com
Delivered-To: emu@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BE8A03A6A7B for <emu@core3.amsl.com>; Sat, 28 Jun 2008 07:25:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pF-YxRkEkhAa for <emu@core3.amsl.com>; Sat, 28 Jun 2008 07:25:31 -0700 (PDT)
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by core3.amsl.com (Postfix) with SMTP id 36FAB3A6A68 for <emu@ietf.org>; Sat, 28 Jun 2008 07:25:30 -0700 (PDT)
Received: (qmail invoked by alias); 28 Jun 2008 14:25:37 -0000
Received: from a91-154-105-144.elisa-laajakaista.fi (EHLO [192.168.255.3]) [91.154.105.144] by mail.gmx.net (mp035) with SMTP; 28 Jun 2008 16:25:37 +0200
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX190jGIx9J90iDrMVX4BZ/YhjCHSQhsg3v+jAVu8qy 6+Is6++1e3rFWS
Message-ID: <486649E0.8050805@gmx.net>
Date: Sat, 28 Jun 2008 17:25:36 +0300
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
User-Agent: Thunderbird 2.0.0.14 (Windows/20080421)
MIME-Version: 1.0
To: Dan Harkins <dharkins@lounge.org>
References: <20080627153001.CA9BD28C15E@core3.amsl.com> <fc3a945a71ce672633ae6fd3904b239f.squirrel@www.trepanning.net>
In-Reply-To: <fc3a945a71ce672633ae6fd3904b239f.squirrel@www.trepanning.net>
X-Y-GMX-Trusted: 0
Cc: Pasi.Eronen@nokia.com, emu@ietf.org
Subject: Re: [Emu] I-D Action:draft-ietf-emu-eap-gpsk-09.txt
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/emu>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: emu-bounces@ietf.org
Errors-To: emu-bounces@ietf.org
Hi Dan, Dan Harkins wrote: > Hi, > > I just glanced over this draft. In section 12.1 each of the security > claims seems to refer to sections from the -08 version of the draft. > For instance, > > Confidentiality: No (section 11.14 and 11.16) > > where in the -08 draft sections 11.14 and 11.16 discuss ID protection > and confidentiality, respectively, but it's 12.15 and 12.17 in the -09 > version. Am I misreading this somehow? > > You are right. We should have used <xref target=".."/> in the XML text rather than hardcoding it. The structure changed but we forgot to update this text. > I also think that the security claims in 12.1 should explicitly spell > out whether they meet RFC 4017 requirements, like the charter says. > > I'm glad that my comment on non-resistance to dictionary attack > was accepted. Thanks! But I still think that section is somewhat > ambiguous. It says, "Users who use passwords as the basis of their PSK > are not protected against dictionary attacks." Well, that's true but users > who do not use passwords as the basis of their PSK are also not protected > against dictionary attacks! > > I'd like to suggest the following text for section 12.7: > > The success of a dictionary attack against EAP-GPSK depends on > the strength of the long-term shared secret (PSK) it uses. The > PSK used by EAP-GPSK SHOULD be drawn from a pool of secrets that > is at least 2^128 bits large and whose distribution is uniformly > random. Note that this does not imply resistance to dictionary > attack, only that the probability of success in such an attack > is acceptably remote. > > That is, I believe, fair, accurate, and unambiguous. > > Aren't we saying essentially the same in the previous sentences? ------------------------------------------------------------------------------------------------ 12.7. Dictionary Attacks EAP-GPSK relies on a long-term shared secret (PSK) that SHOULD be based on at least 16 octets of entropy to be fully secure. The EAP- GPSK protocol makes no special provisions to ensure keys based on passwords are used securely. Users who use passwords as the basis of their PSK are not protected against dictionary attacks. Derivation of the long-term shared secret from a password is strongly discouraged. ------------------------------------------------------------------------ If you think we haven't discouraged folks enough to use passwords with the current text then we could add your text in addition to it. Ciao Hannes > regards, > > Dan. > > On Fri, June 27, 2008 8:30 am, Internet-Drafts@ietf.org wrote: > >> A New Internet-Draft is available from the on-line Internet-Drafts >> directories. >> This draft is a work item of the EAP Method Update Working Group of the >> IETF. >> >> >> Title : EAP Generalized Pre-Shared Key (EAP-GPSK) Method >> Author(s) : C. Clancy, H. Tschofenig >> Filename : draft-ietf-emu-eap-gpsk-09.txt >> Pages : 38 >> Date : 2008-06-27 >> >> This Internet Draft defines an Extensible Authentication Protocol >> method called EAP Generalized Pre-Shared Key (EAP-GPSK). This method >> is a lightweight shared-key authentication protocol supporting mutual >> authentication and key derivation. >> >> A URL for this Internet-Draft is: >> http://www.ietf.org/internet-drafts/draft-ietf-emu-eap-gpsk-09.txt >> >> Internet-Drafts are also available by anonymous FTP at: >> ftp://ftp.ietf.org/internet-drafts/ >> >> Below is the data which will enable a MIME compliant mail reader >> implementation to automatically retrieve the ASCII version of the >> Internet-Draft. >> _______________________________________________ >> Emu mailing list >> Emu@ietf.org >> https://www.ietf.org/mailman/listinfo/emu >> >> > > > _______________________________________________ > Emu mailing list > Emu@ietf.org > https://www.ietf.org/mailman/listinfo/emu > _______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu
- [Emu] I-D Action:draft-ietf-emu-eap-gpsk-09.txt Internet-Drafts
- Re: [Emu] I-D Action:draft-ietf-emu-eap-gpsk-09.t… Dan Harkins
- Re: [Emu] I-D Action:draft-ietf-emu-eap-gpsk-09.t… Hannes Tschofenig
- Re: [Emu] I-D Action:draft-ietf-emu-eap-gpsk-09.t… Dan Harkins