Re: [IPsec] replacing PSKs: CFRG and PAKE

"Valery Smyslov" <smyslov.ietf@gmail.com> Wed, 12 December 2018 09:02 UTC

From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Paul Wouters' <paul@nohats.ca>
Cc: 'Michael Richardson' <mcr+ietf@sandelman.ca>, 'Nico Williams' <nico@cryptonector.com>, ipsec@ietf.org
References: <25207.1544136532@localhost> <026601d49061$8809ad30$981d0790$@gmail.com> <29587.1544482818@localhost> <20181210231958.GC15561@localhost> <alpine.LRH.2.21.1812101846010.29141@bofh.nohats.ca> <20181211001622.GD15561@localhost> <alpine.LRH.2.21.1812102042330.22448@bofh.nohats.ca> <035701d49149$71640f10$542c2d30$@gmail.com> <2503.1544530985@localhost> <037201d4914f$dee01ba0$9ca052e0$@gmail.com> <alpine.LRH.2.21.1812112033200.2103@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1812112033200.2103@bofh.nohats.ca>
Date: Wed, 12 Dec 2018 12:02:44 +0300
Message-ID: <048601d491f9$72824050$5786c0f0$@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/FY-HJI2EEPJvrSFJEpno5hb4fYM>
Subject: Re: [IPsec] replacing PSKs: CFRG and PAKE

> > I see this as a social issue, not a technical one. We can't prevent
> > administrators from being careless, either with PSKs or with passwords.
> 
> We can make more secure deployments easier.
> 
> If the only change on the site-to-site config is to change the keyword
> "psk" to "pake" and that prevents offline dictionary attacks, that's an
> easy win.

I'm not so sure. Replacing PSK with password+PAKE could in fact decrease security.
A properly chosen PSK provides a high level of protection against both passive
and active attacks. On the other hand, PAKE, as far as I know,
only makes it difficult for a passive eavesdropper to perform an offline
dictionary attack. But an active attacker may still try out all possible
password values (due to the small search space). Yes, you can more easily
detect active attackers and block them (and site-to-site VPNs
usually have fixed IPs, which simplifies the task), but I still feel a bit uncomfortable
with the idea of replacing a perfectly secure crypto mechanism with a weaker one.
I'd rather educate administrators :-) And note that no PAKE will
save you if administrators select passwords like "foobar" or "12345".

I think that PAKE is a very good mechanism for remote access
in situations where certificates (or raw public keys) cannot be used
for various reasons. E.g. a simple CPE that has no memory
to securely store a private key.

Regards,
Valery.

> I care a little less for group psk's because well, it is a group so even
> a pake won't buy us that much extra if dozens or thousands of people
> have the pake secret.
>
> Paul
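Added example, not part of the thread above: Valery's point is that a PAKE turns the attacker's password search into an online one, where every guess costs a live exchange with the responder, and that site-to-site peers have fixed addresses. Both facts give the defender something concrete to monitor. The block below is a small detector over constructed IKE_AUTH outcome log lines (the line format, the peer allow-list and the thresholds are assumptions made for this example; no real IKE daemon logs in exactly this form). It flags peers whose failed authentications cluster within a sliding window, which is the footprint of online guessing, and separately lists any peer that is not one of the known fixed-IP endpoints.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: one line per IKE_AUTH outcome. The format is an
# assumption for this example, not the output of any particular IKE daemon.
SAMPLE_LOG = """\
2018-12-12T09:00:01Z peer=203.0.113.10 result=ok
2018-12-12T09:00:05Z peer=198.51.100.7 result=fail
2018-12-12T09:00:06Z peer=198.51.100.7 result=fail
2018-12-12T09:00:08Z peer=198.51.100.7 result=fail
2018-12-12T09:00:09Z peer=198.51.100.7 result=fail
2018-12-12T09:01:00Z peer=203.0.113.11 result=fail
2018-12-12T09:10:00Z peer=203.0.113.11 result=fail
2018-12-12T09:20:00Z peer=203.0.113.11 result=ok
2018-12-12T09:30:00Z peer=192.0.2.55 result=ok
"""

# Site-to-site peers have fixed IPs, so the set of legitimate sources is
# known in advance (constructed allow-list for this example).
KNOWN_PEERS = {"203.0.113.10", "203.0.113.11"}

LINE_RE = re.compile(r"^(\S+) peer=(\S+) result=(ok|fail)$")


def parse_line(line):
    """Return (timestamp, peer, succeeded) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    ts = ts.replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3) == "ok"


def analyse(log_text, known_peers=KNOWN_PEERS, window_minutes=5, threshold=3):
    """Return (guessing, unknown).

    guessing: peers with at least `threshold` failed authentications inside
              any sliding window of `window_minutes` (online guessing pattern).
    unknown:  peers that are not in the fixed-IP allow-list, whatever the
              outcome, since a site-to-site gateway should never hear from them.
    """
    window = timedelta(minutes=window_minutes)
    recent_failures = defaultdict(deque)  # peer -> timestamps of recent failures
    guessing, unknown = set(), set()

    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # ignore lines that do not match the expected format
        ts, peer, ok = parsed
        if peer not in known_peers:
            unknown.add(peer)
        if ok:
            continue  # a success does not count against the peer
        q = recent_failures[peer]
        q.append(ts)
        # Drop failures that fell out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            guessing.add(peer)

    return sorted(guessing), sorted(unknown)


if __name__ == "__main__":
    guessing, unknown = analyse(SAMPLE_LOG)
    print("online guessing suspected from:", guessing)
    print("peers outside the fixed-IP allow-list:", unknown)
```

With the sample above, 198.51.100.7 is reported for four failures within seconds, while 203.0.113.11, a known peer with two failures nine minutes apart (a typical misconfiguration signature), is not. The window and threshold are deliberately parameters: with a PAKE the responder sees exactly one guess per failed exchange, so the threshold can be set close to the number of genuine mistakes a legitimate peer is expected to make, and anything above it is a candidate for blocking at the firewall.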