IETF Logo Mail Archive

Re: [IPsec] replacing PSKs: CFRG and PAKE

Nico Williams <nico@cryptonector.com> Tue, 11 December 2018 00:16 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D72AC131338 for <ipsec@ietfa.amsl.com>; Mon, 10 Dec 2018 16:16:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Eu9HFAgKn8zn for <ipsec@ietfa.amsl.com>; Mon, 10 Dec 2018 16:16:30 -0800 (PST)
Received: from catfish.maple.relay.mailchannels.net (catfish.maple.relay.mailchannels.net [23.83.214.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2A16131336 for <ipsec@ietf.org>; Mon, 10 Dec 2018 16:16:30 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id D07D6503C6E; Tue, 11 Dec 2018 00:16:29 +0000 (UTC)
Received: from pdx1-sub0-mail-a45.g.dreamhost.com (unknown [100.96.29.126]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 70D2D5039AB; Tue, 11 Dec 2018 00:16:29 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a45.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.16.2); Tue, 11 Dec 2018 00:16:29 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Sponge-Robust: 1b6b6e82082f21ad_1544487389667_1358473951
X-MC-Loop-Signature: 1544487389667:3424771397
X-MC-Ingress-Time: 1544487389666
Received: from pdx1-sub0-mail-a45.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a45.g.dreamhost.com (Postfix) with ESMTP id E9989807E0; Mon, 10 Dec 2018 16:16:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=bn/pwJng8uNJHp nZYT7Sq+XGmGo=; b=HxD8wKgQq07uFUZBXmGczj/ey7qXpTGcEBzvhzXNxToosa c60IVMGI2S2V6cEcIY6Ldd0RGOISKDbtuBponhvGo+flJnRGHx6/2zfmkdooZjWy NNkgbgVCNjzE0wXxs8z0c7w9JVFJwCGUMm0Le3zLoMDUEdwUA3Nq47PxpEPz4=
Received: from localhost (unknown [8.2.105.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a45.g.dreamhost.com (Postfix) with ESMTPSA id 713B4807D9; Mon, 10 Dec 2018 16:16:26 -0800 (PST)
Date: Mon, 10 Dec 2018 18:16:24 -0600
X-DH-BACKEND: pdx1-sub0-mail-a45
From: Nico Williams <nico@cryptonector.com>
To: Paul Wouters <paul@nohats.ca>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, ipsec@ietf.org, Valery Smyslov <smyslov.ietf@gmail.com>
Message-ID: <20181211001622.GD15561@localhost>
References: <25207.1544136532@localhost> <026601d49061$8809ad30$981d0790$@gmail.com> <29587.1544482818@localhost> <20181210231958.GC15561@localhost> <alpine.LRH.2.21.1812101846010.29141@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.LRH.2.21.1812101846010.29141@bofh.nohats.ca>
User-Agent: Mutt/1.5.24 (2015-08-30)
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: -100
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedtkedrudegiedgvddtucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuggftfghnshhusghstghrihgsvgdpffftgfetoffjqffuvfenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepfffhvffukfhfgggtuggjfgesthdtredttdervdenucfhrhhomheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqeenucfkphepkedrvddruddthedrudejnecurfgrrhgrmhepmhhouggvpehsmhhtphdphhgvlhhopehlohgtrghlhhhoshhtpdhinhgvthepkedrvddruddthedrudejpdhrvghtuhhrnhdqphgrthhhpefpihgtohcuhghilhhlihgrmhhsuceonhhitghosegtrhihphhtohhnvggtthhorhdrtghomheqpdhmrghilhhfrhhomhepnhhitghosegtrhihphhtohhnvggtthhorhdrtghomhdpnhhrtghpthhtohepnhhitghosegtrhihphhtohhnvggtthhorhdrtghomhenucevlhhushhtvghrufhiiigvpedt
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/MchmdeA2ZquXTLl15IYmdiga01U>
Subject: Re: [IPsec] replacing PSKs: CFRG and PAKE
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Dec 2018 00:16:33 -0000

On Mon, Dec 10, 2018 at 06:47:25PM -0500, Paul Wouters wrote:
> On Mon, 10 Dec 2018, Nico Williams wrote:
> 
> >There's no reason to not also add support for an augmented PAKE for road
> >warriors.  It's true that road warriors are already well-supported via
> >PKIX user certificates
> 
> That is still missing OTP support :(

If you have the private keys locked unextractably in a hardware token
that requires a PIN to unlock, then you have two factors right there.
That's not generic two-factor authentication though, and it certainly
isn't OTP.

> >, so perhaps there's no need, but it's very little
> >extra work to support both, augmented and non-augmented.
> 
> I'd want the PAKE method to support OTP.

It's doable.

> >(Should I be saying "balanced" instead of "non-augmented"?)
> 
> Explaining these differences on this list would be useful for me and
> possibly others.

A PAKE is a zero-knowledge password proof protocol (ZKPP) that also
provides authenticated key exchange with forward security.  A ZKPP is a
password-based authentication protocol where neither eavesdroppers nor
active attackers get to mount off-line dictionary attacks on captured
protocol material.

I had never seen the word "balanced" used to refer to "not augmented",
but I like it.

A "balanced" PAKE is one where both sides share a secret or secret-
equivalent.

An "augmented" PAKE is a PAKE where the credentials are asymmetric so
that relying parties (servers, acceptors, responders, whatever you call
them) store "verifiers" rather than password-equivalent secrets.

A verifier is much like a hash of a password: not password-equivalent,
but susceptible to off-line dictionary attack.

Compromise of shared secrets (via server compromise) is catastrophic for
a balanced PAKE since until you're able to change all the secrets the
attacker can impersonate all the users to the server.

Compromise of verifiers (via server compromise) is much less disastrous
for an augmented PAKE because you have some time in which to change all
the weak secrets: the time it would take the attacker to recover
passwords via off-line dictionary attack.  The verifiers would all be
salted, naturally, so if your secrets are reasonably strong then that
might be a lot of time to change all those passwords.

A balanced PAKE is symmetric as to initiator/responder roles.  An
augmented PAKE is not quite.

The asymmetry in roles in augmented PAKEs means that in order to
function as an IKE responder (and thus maintain IKE initiator/responder
role symmetry), the IKE PAKE extension would have to permit one side to
request that the other initiate the augmented PAKE exchange.

Nico
--

v2.37.1 | Report a Bug | By Email | System Status