Re: [IPsec] Call for independent experts (IKEv2) for Stage 4 of the PAKE selection process

"Valery Smyslov" <smyslov.ietf@gmail.com> Mon, 02 September 2019 12:18 UTC

From: "Valery Smyslov" <smyslov.ietf@gmail.com>
To: "'Dan Harkins'" <dharkins@lounge.org>, "'Paul Wouters'" <paul@nohats.ca>
Cc: <ipsec@ietf.org>, "'Tero Kivinen'" <kivinen@iki.fi>
Date: Mon, 2 Sep 2019 15:18:34 +0300
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/4GD74Pzxfd6SHbQTyf6m6y9HcMA>

Hi Dan,

> > I did not add killing PSKs to that draft, precisely because some
> > objected because strong PSKs are stronger than PAKEs.
> 
>    Strong PSKs are not stronger than PAKEs. A PAKE will offer you the added
> protection of resistance to dictionary attack against the symmetric credential
> (which could, in fact, be a PSK).

That's true. 

>    The definition of dictionary attack is one in which the adversary gains an
> advantage through computation and not interaction. So even with a strong PSK
> you are still susceptible to a dictionary attack since it is the protocol that
> is susceptible to attack and not the credential. With a strong PSK it just
> makes the dictionary attack use much more time to be successful (and yes the
> "true random strong PSK" that's 256 bits could make the attack computationally
> infeasible but then managing such a credential is similarly infeasible).

It's a double-edged sword.
PAKE provides protection against passive attacks,
so that easily manageable low-entropy secrets can be used as PSKs.
But if people get accustomed to using easily memorable low-entropy
secrets (because we tell them that it's secure), then the protocol becomes
susceptible to active attacks, and there is no easy defense against them.
Eventually you need to change the secrets frequently, thus making them even
less manageable than traditional strong PSKs.

Regards,
Valery.

[...]

>    regards,
> 
>    Dan.
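
An added illustration, not part of the original message or thread: a small model of the trade-off discussed above, giving how long a secret can stay in use before rate-limited online guessing exceeds a chosen risk budget, next to the offline search time when candidates can be checked by computation alone. The lockout policy, guess rates, entropy values and the uniform-secret assumption are all constructed for the example.

```python
DAY = 86400.0

def effective_guess_rate(attempts_per_lockout, lockout_seconds, peers=1):
    """Guesses per second available to an active attacker when each peer
    tolerates `attempts_per_lockout` failed exchanges per `lockout_seconds`."""
    return peers * attempts_per_lockout / lockout_seconds

def online_success_probability(entropy_bits, guess_rate, seconds):
    """With a PAKE every active run tests exactly one candidate, so the
    success chance grows linearly with the number of runs.
    Assumes a uniformly chosen secret; human-chosen ones fare worse."""
    return min(1.0, guess_rate * seconds / 2.0 ** entropy_bits)

def max_secret_lifetime_days(entropy_bits, guess_rate, risk_budget):
    """Longest time a secret may stay in use before the online-guessing
    success probability exceeds `risk_budget`."""
    return risk_budget * 2.0 ** entropy_bits / guess_rate / DAY

def offline_search_days(entropy_bits, trials_per_second):
    """Worst-case enumeration time when a captured exchange lets candidates
    be verified by computation alone (the non-PAKE case)."""
    return 2.0 ** entropy_bits / trials_per_second / DAY

def rotation_table(entropies, guess_rate, risk_budget, offline_rate):
    """One row per entropy: (bits, rotation interval in days, offline days)."""
    return [(bits,
             max_secret_lifetime_days(bits, guess_rate, risk_budget),
             offline_search_days(bits, offline_rate))
            for bits in entropies]

if __name__ == "__main__":
    # Assumed policy: 5 failed exchanges allowed per 5 minutes, one peer.
    rate = effective_guess_rate(5, 300)
    # Assumed figures: 1% risk budget, 1e9 offline trials per second.
    for bits, online_d, offline_d in rotation_table([20, 30, 40, 128],
                                                    rate, 0.01, 1e9):
        print(f"{bits:>3} bits: rotate within {online_d:.3g} days "
              f"(PAKE, 1% risk); offline search {offline_d:.3g} days (no PAKE)")
```

Under these assumed figures a 20-bit secret behind a PAKE has to be rotated about once a week, while a 128-bit PSK is out of reach in both columns.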