IETF Logo Mail Archive

Re: [IPsec] replacing PSKs: CFRG and PAKE

Yoav Nir <ynir.ietf@gmail.com> Wed, 12 December 2018 20:52 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14950130F4A for <ipsec@ietfa.amsl.com>; Wed, 12 Dec 2018 12:52:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Z3hCuYZxs8D for <ipsec@ietfa.amsl.com>; Wed, 12 Dec 2018 12:52:26 -0800 (PST)
Received: from mail-wm1-x330.google.com (mail-wm1-x330.google.com [IPv6:2a00:1450:4864:20::330]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D3911276D0 for <ipsec@ietf.org>; Wed, 12 Dec 2018 12:52:26 -0800 (PST)
Received: by mail-wm1-x330.google.com with SMTP id m1so230429wml.2 for <ipsec@ietf.org>; Wed, 12 Dec 2018 12:52:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=OJebqFurKZKV//30nfhSCJe61w1x2b8ndtKPOFa5hNY=; b=gR64hMevpQafMCuA/rg6ezspYSjnkeGbov6+XU5u6G7oIK7dvZwkQo6lCtB7OlgOGz Y/F4366nZyfjaeSbtJsWKZ5wRDljrUhWH8trUPygZMO9DTW49rZbWArFeDMSUIG4sdRk Ft8NjqDcW5uZEUOLDrsiMSxhbOAfkx8C0TiZE8c5Q4sa8GyAqNqLxzyaFOziEYWYC1B0 E5wNaUAh46DAttm1zs3j4T0kFTlwAxmv7loHkpjFsROqUROZL2Dsf8KsQM3dxhItg60s tEM1mUM5DgXopqNNxMofntWG7yTP43ZVIiATtUnG8wcz5SXRdQTSfx83TKNr0tDmXzXy +6PQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=OJebqFurKZKV//30nfhSCJe61w1x2b8ndtKPOFa5hNY=; b=DRU1jP9YGx51dB3Ie+UFFHe8sd92DjjJXOdjpt0TC4LllvRal1+iyk1PviWtnmkOTK 57/Qo8hThlub3y+eU1E+JbwTlTeNdjg4pYFIf5HhURtqlnsP1mOXPsmlAD5f1b+L2db4 /9FsB3N1tuTKWSF2x909by58T8YMP4FriBiBZHFjW/fL5aKAg+LPLkgkOM4eTthAg9bJ 8rYTyTcWkvqCgaQpkU9gSuGgDLs5XcilVloNlxYHBWa02e3WUjmf2y7c0nxk6t8Ums2V ZfmJnN5F75Ar5jhTQZPxWQjpHZULJVQdsC3RciaDPsFFPjFBbekW4TROwdIpLUQHYW3B MocQ==
X-Gm-Message-State: AA+aEWYkyhqpWQqjms/mx07zRRr6F68L04bQRicAmXFKAoJEsHRSVDxi r0Tz3j5Nsf8/ZQfelYF4vkw=
X-Google-Smtp-Source: AFSGD/VFqptHZhVpFM2ZaCJ47q2Ocd4NcOov9kcUycVFEuoWwnvRWYAB/kk8Z5ZL/2wwuY8uNI/kWQ==
X-Received: by 2002:a1c:f518:: with SMTP id t24mr7324885wmh.26.1544647944835; Wed, 12 Dec 2018 12:52:24 -0800 (PST)
Received: from [192.168.1.12] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id c77sm265797wmh.12.2018.12.12.12.52.22 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 12 Dec 2018 12:52:23 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.1 \(3445.101.1\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <048601d491f9$72824050$5786c0f0$@gmail.com>
Date: Wed, 12 Dec 2018 22:52:20 +0200
Cc: Paul Wouters <paul@nohats.ca>, "ipsec@ietf.org WG" <ipsec@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>, Nico Williams <nico@cryptonector.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <201C4873-318D-4AD1-A469-2F8854CAE623@gmail.com>
References: <25207.1544136532@localhost> <026601d49061$8809ad30$981d0790$@gmail.com> <29587.1544482818@localhost> <20181210231958.GC15561@localhost> <alpine.LRH.2.21.1812101846010.29141@bofh.nohats.ca> <20181211001622.GD15561@localhost> <alpine.LRH.2.21.1812102042330.22448@bofh.nohats.ca> <035701d49149$71640f10$542c2d30$@gmail.com> <2503.1544530985@localhost> <037201d4914f$dee01ba0$9ca052e0$@gmail.com> <alpine.LRH.2.21.1812112033200.2103@bofh.nohats.ca> <048601d491f9$72824050$5786c0f0$@gmail.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>
X-Mailer: Apple Mail (2.3445.101.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/8_qRU_is6MSG6ZBCTWyipIzt3WE>
Subject: Re: [IPsec] replacing PSKs: CFRG and PAKE
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Dec 2018 20:52:29 -0000

Hi, Valery

> On 12 Dec 2018, at 11:02, Valery Smyslov <smyslov.ietf@gmail.com> wrote:
> 
>>> I see this as a social issue, not a technical one. We can't prevent
>>> administrators from being careless, either with PSKs or with passwords.
>> 
>> We can make more secure deployments easier.
>> 
>> If the only change on the site-to-site config is to change the keyword
>> "psk" to "pake" and that prevents offline dictionary attacks, that's an
>> easy win.
> 
> I'm not so sure. Replacing PSK with password+PAKE could in fact decrease security.
> Properly chosen PSK provides high level of protection against both passive
> and active attacks. On the other hand, PAKE, as far as I know,
> only makes it difficult for passive eavesdropper to perform offline
> dictionary attack. But an active attacker may still try out all possible
> password values (due to small search space). Yes, you can easier
> detect active attackers and block them (and site-to-site VPNs
> usually have fixed IPs, that simplifies the task), but I still feel a bit uncomfortable
> by the idea of replacing perfectly secure crypto mechanism with a weaker one. 
> I'd rather educate administrators :-) And note, that no PAKE will
> save you if administrators will select passwords like "foobar" or "12345".
> 
> I think that PAKE is a very good mechanism for remote access
> in situation when certificates (or raw public keys) cannot be used
> for various reasons. E.g. f simple CPE that has no memory
> to securely store private key.

I don’t think the idea is to replace a 128-bit PSK derived from a properly seeded DRBG with “ip5ecmeRockz!” using a PAKE.

I think we’re assuming the administrator will configure “ip5ecmeRockz!” (or “foobar”) regardless of what we call it, so we might as well give them a better mechanism to use this value.

Yoav

v2.37.1 | Report a Bug | By Email | System Status