Re: [IPsec] Call for independent experts (IKEv2) for Stage 4 of the PAKE selection process
Dan Harkins <dharkins@lounge.org> Fri, 30 August 2019 20:02 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C235120922 for <ipsec@ietfa.amsl.com>; Fri, 30 Aug 2019 13:02:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BSjFLhURrw3b for <ipsec@ietfa.amsl.com>; Fri, 30 Aug 2019 13:02:02 -0700 (PDT)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86AB4120879 for <ipsec@ietf.org>; Fri, 30 Aug 2019 13:02:02 -0700 (PDT)
Received: from trixy.bergandi.net (cpe-76-93-158-174.san.res.rr.com [76.93.158.174]) by wwwlocal.goatley.com (PMDF V6.8-0 #1001) with ESMTP id <0PX2006KVFNCTX@wwwlocal.goatley.com> for ipsec@ietf.org; Fri, 30 Aug 2019 15:02:00 -0500 (CDT)
Received: from Dans-MacBook-Pro.local ([69.12.173.8]) by trixy.bergandi.net (PMDF V6.7-x01 #1001) with ESMTPSA id <0PX2004BTFN839@trixy.bergandi.net> for ipsec@ietf.org; Fri, 30 Aug 2019 13:01:57 -0700 (PDT)
Received: from 69-12-173-8.static.dsltransport.net ([69.12.173.8] EXTERNAL) (EHLO Dans-MacBook-Pro.local) with TLS/SSL by trixy.bergandi.net ([10.0.42.18]) (PreciseMail V3.3); Fri, 30 Aug 2019 13:01:57 -0700
Date: Fri, 30 Aug 2019 13:01:58 -0700
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <alpine.LRH.2.21.1908301346160.14173@bofh.nohats.ca>
To: Paul Wouters <paul@nohats.ca>
Cc: ipsec@ietf.org, Tero Kivinen <kivinen@iki.fi>
Message-id: <dc33cc30-7005-a8fa-0209-c1afd8ad62f5@lounge.org>
MIME-version: 1.0
Content-type: text/plain; charset="utf-8"; format="flowed"
Content-language: en-US
Content-transfer-encoding: 8bit
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
X-PMAS-SPF: SPF check skipped for authenticated session (recv=trixy.bergandi.net, send-ip=69.12.173.8)
X-PMAS-External-Auth: 69-12-173-8.static.dsltransport.net [69.12.173.8] (EHLO Dans-MacBook-Pro.local)
References: <CAMr0u6mVev6HmaV259FP8=bcSj89o9xhzAu_81A5VOfR1NiPRA@mail.gmail.com> <7538495e-258d-1927-cbba-eb783675c83f@lounge.org> <23912.27054.796487.391930@fireball.acr.fi> <58d82a8c-d789-17ee-12b0-f935d7d2037e@lounge.org> <23912.60438.716153.761077@fireball.acr.fi> <dcb51327-3a66-ba8c-431e-ee640ed7cdca@lounge.org> <alpine.LRH.2.21.1908301154530.23965@bofh.nohats.ca> <d1462c55-57a0-403d-ac3c-e24d481d9398@lounge.org> <alpine.LRH.2.21.1908301346160.14173@bofh.nohats.ca>
X-PMAS-Software: PreciseMail V3.3 [190830] (trixy.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/4-JxlqQNMTdoxOiA7PH-WkXIJUs>
Subject: Re: [IPsec] Call for independent experts (IKEv2) for Stage 4 of the PAKE selection process
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Aug 2019 20:02:05 -0000
On 8/30/19 10:51 AM, Paul Wouters wrote: > On Fri, 30 Aug 2019, Dan Harkins wrote: > >>> Administrators doing site-to-site VPNs are better of using a true >>> random >>> strong PSK instead of a weaker PAKE. >> >> Well how many administrators generate a nice string of 256-bits of >> "true >> random strong PSK"? Seriously, if administrators followed such advice >> then >> we would not continually adding another "die" on the "die die die IKEv1" >> routine we seem to do every 9 months. How many "dies" are we up to now? > > I did not add killing PSKs to that draft, precisely because some > objected because strong PSK's are stronger than PAKEs. Strong PSKs are not stronger than PAKEs. A PAKE will offer you the added protection of resistance to dictionary attack against the symmetric credential (which could, in fact, be a PSK). The definition of dictionary attack is one in which the adversary gains an advantage through computation and not interaction. So even with a strong PSK you are still susceptible to a dictionary attack since it is the protocol that is susceptible to attack and not the credential. With a strong PSK it just makes the dictionary attack use much more time to be successful (and yes the "true random strong PSK" that's 256 bits could make the attack computationally infeasible but then managing such a credential is similarly infeasible). Think of it this way, if your strong PSK has 64 bits of good randomness it will take around 2^32 offline computations after A SINGLE ACTIVE ATTACK to get a probability of 0.5 of success while if you used that same thing with a PAKE it would take around 2^32 ACTIVE ATTACKS to get a probability of 0.5. What a PAKE allows you to do is retain security even in the presence of a not-so strong PSK. It does not mean the PAKE is weak. We should not be standardizing a weak PAKE and I don't think any of the candidates that CFRG is considering are weak. If you can manage a "strong PSK" then using it with a PAKE makes it stronger. If you can't manage a "strong PSK" then a PAKE still increases security. There's really no reason to use a PSK exchange susceptible to dictionary attack when something like SPEKE is available. regards, Dan.
- [IPsec] Call for independent experts (IKEv2) for … Stanislav V. Smyshlyaev
- Re: [IPsec] Call for independent experts (IKEv2) … Dan Harkins
- Re: [IPsec] Call for independent experts (IKEv2) … Michael Richardson
- Re: [IPsec] Call for independent experts (IKEv2) … Tero Kivinen
- Re: [IPsec] Call for independent experts (IKEv2) … Dan Harkins
- Re: [IPsec] Call for independent experts (IKEv2) … Dan Harkins
- Re: [IPsec] Call for independent experts (IKEv2) … Tero Kivinen
- Re: [IPsec] Call for independent experts (IKEv2) … Paul Wouters
- Re: [IPsec] Call for independent experts (IKEv2) … Dan Harkins
- Re: [IPsec] Call for independent experts (IKEv2) … Paul Wouters
- Re: [IPsec] Call for independent experts (IKEv2) … Dan Harkins
- Re: [IPsec] Call for independent experts (IKEv2) … Paul Wouters
- Re: [IPsec] Call for independent experts (IKEv2) … Dan Harkins
- Re: [IPsec] Call for independent experts (IKEv2) … Valery Smyslov