IETF Logo Mail Archive

Re: [IPsec] replacing PSKs: CFRG and PAKE

Nico Williams <nico@cryptonector.com> Mon, 10 December 2018 23:12 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30C2113130B for <ipsec@ietfa.amsl.com>; Mon, 10 Dec 2018 15:12:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nRcogw8a56Ua for <ipsec@ietfa.amsl.com>; Mon, 10 Dec 2018 15:12:46 -0800 (PST)
Received: from ostrich.birch.relay.mailchannels.net (ostrich.birch.relay.mailchannels.net [23.83.209.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C632C131309 for <ipsec@ietf.org>; Mon, 10 Dec 2018 15:12:45 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id B488B283149; Mon, 10 Dec 2018 23:12:44 +0000 (UTC)
Received: from pdx1-sub0-mail-a45.g.dreamhost.com (unknown [100.96.19.78]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 51FD42831C1; Mon, 10 Dec 2018 23:12:44 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a45.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.16.2); Mon, 10 Dec 2018 23:12:44 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Whispering-Occur: 05d634fb69f11821_1544483564554_1303147066
X-MC-Loop-Signature: 1544483564554:4113991228
X-MC-Ingress-Time: 1544483564553
Received: from pdx1-sub0-mail-a45.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a45.g.dreamhost.com (Postfix) with ESMTP id 07472807BE; Mon, 10 Dec 2018 15:12:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=NF9Ya98jWHmT2O Cok0mI6HTVvIU=; b=kMgR7w4RTmbh97MaI3vWWwVDhZ7x9RQq5ntxJPEiDDtF2q ldIlAdijVT93HArn7Tppx5KXWvYAeDlwR622PrbCC67U153tyZexcLWOF0ybadAw LyibUDTKPlUFBU8hYtaMG/lFgpfzPf1JJlYgCBb686GwzfeurYbC2v0PkL3Zc=
Received: from localhost (unknown [8.2.105.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a45.g.dreamhost.com (Postfix) with ESMTPSA id 46E03807C2; Mon, 10 Dec 2018 15:12:42 -0800 (PST)
Date: Mon, 10 Dec 2018 17:12:40 -0600
X-DH-BACKEND: pdx1-sub0-mail-a45
From: Nico Williams <nico@cryptonector.com>
To: Valery Smyslov <smyslov.ietf@gmail.com>
Cc: 'Michael Richardson' <mcr@sandelman.ca>, ipsec@ietf.org
Message-ID: <20181210231239.GB15561@localhost>
References: <25207.1544136532@localhost> <026601d49061$8809ad30$981d0790$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <026601d49061$8809ad30$981d0790$@gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: -100
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedtkedrudegiedgtdejucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuggftfghnshhusghstghrihgsvgdpffftgfetoffjqffuvfenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepfffhvffukfhfgggtuggjfgesthdtredttdervdenucfhrhhomheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqeenucfkphepkedrvddruddthedrudejnecurfgrrhgrmhepmhhouggvpehsmhhtphdphhgvlhhopehlohgtrghlhhhoshhtpdhinhgvthepkedrvddruddthedrudejpdhrvghtuhhrnhdqphgrthhhpefpihgtohcuhghilhhlihgrmhhsuceonhhitghosegtrhihphhtohhnvggtthhorhdrtghomheqpdhmrghilhhfrhhomhepnhhitghosegtrhihphhtohhnvggtthhorhdrtghomhdpnhhrtghpthhtohepnhhitghosegtrhihphhtohhnvggtthhorhdrtghomhenucevlhhushhtvghrufhiiigvpedt
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/AALcGJ9fEb-abF9bptUzS2W13IQ>
Subject: Re: [IPsec] replacing PSKs: CFRG and PAKE
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Dec 2018 23:12:47 -0000

On Mon, Dec 10, 2018 at 11:22:46AM +0300, Valery Smyslov wrote:
> > I think we should ask the CFRG to pick a single balanced PAKE for us.
> 
> Why do you think balanced PAKE is more appropriate for us than augmented?

Speaking for myself rather than Michael, I think augmented is more
appropriate when the key is based on a memorable password.

However, but transition reasons, it's desirable to support a
non-augmented PAKE with _existing_ password-derived keys.

Also, even for non-password-derived symmetric keys, a PAKE automatically
adds forward security, so it seems like a nice simplification to use a
non-balanced PAKE in all cases where the credentials are shared secret
keys.

So in fact we probably want both.

> > If the CFRG want to pick another PAKE for other purposes, that's fine.
> > I think that letting CFRG pick two PAKEs for different purposes might
> > free up the log jam?
> 
> They've just announced in Bangkok a desire to start the process of selecting
> "zero or more" recommended PAKE(s) for IETF community.
> I believe IPsec is included :-)

Oh?  I thought the CFRG SPAKE2 I-D was further along.  I'll have to ask
the I-D authors and RG chairs.

In any case, KITTEN WG is moving along with a Kerberos extension to use
the CFRG SPAKE2 protocol -- this is past WGLC and awaiting shepherding
to the IESG now.  If CFRG ultimately picks a different PAKE, or no PAKE,
that could be a problem for the KITTEN work.

> Another problem with PAKE is that it must be integrated into IKE
> somehow.  EAP definitely can be used for this, but it's a bit

Do you mean enrolment and password change protocols?  Enrolment could be
left unspecified, but a password change protocol is required.

> expensive from protocol point of view.  We also have RFC 6467, but

Oh, no, you meant a document like RFC 6467.  Yes, such a document would
be necessary -- I don't think Michael meant to imply otherwise.

> it's Informational and I'm not sure it's widely supported.  And while
> the RFC 6467 framework is flexible enough, it is still not clear for
> me if it can accommodate PAKEs like OPAQUE...

It might be possible to build a single IKE extension that can handle any
number of PAKEs, since they will generally involve a small number of
round trips of exchanges of PAKE-specific octet strings, followed by a
generic key confirmation exchange that involves binding in the PAKE's
transcripts and at least the IKE ID payloads.

There's also the opportunity to add support for second factors (e.g.,
OTPs).  The KITTEN SPAKE work does that, though it's got some issues, so
this WG might not want to copy that approach.

Note that there are all these things to negotiate:

 - PAKE
    - including whether to use a symmetric or augmented variant
 - curve/group
 - second factor

The KITTEN WG SPAKE work did not include PAKE negotiation nor augmented
vs. not-augmented negotiation :(

Nico
--

v2.23.0 | Report a Bug | By Email