IETF Logo Mail Archive

Re: [IPsec] replacing PSKs: CFRG and PAKE

Nico Williams <nico@cryptonector.com> Tue, 11 December 2018 03:01 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00EE9130DE0 for <ipsec@ietfa.amsl.com>; Mon, 10 Dec 2018 19:01:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c63AYB1sGjEz for <ipsec@ietfa.amsl.com>; Mon, 10 Dec 2018 19:01:10 -0800 (PST)
Received: from ladybird.maple.relay.mailchannels.net (ladybird.maple.relay.mailchannels.net [23.83.214.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1907C130DE2 for <ipsec@ietf.org>; Mon, 10 Dec 2018 19:01:09 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id D1EB01242B5; Tue, 11 Dec 2018 03:01:08 +0000 (UTC)
Received: from pdx1-sub0-mail-a1.g.dreamhost.com (unknown [100.96.19.74]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 6B8951244EC; Tue, 11 Dec 2018 03:01:08 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a1.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.16.2); Tue, 11 Dec 2018 03:01:08 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Shelf-Sponge: 2cfe19b6352e942a_1544497268651_1576223876
X-MC-Loop-Signature: 1544497268651:1589321050
X-MC-Ingress-Time: 1544497268651
Received: from pdx1-sub0-mail-a1.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a1.g.dreamhost.com (Postfix) with ESMTP id 25C0B8029C; Mon, 10 Dec 2018 19:01:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=qoVja/OCXs3b48 VWZhzPw/EajmU=; b=jmaXhXXsj+sV0vo4a3mMZuQejpEwiiF8G0o1fG4W13F/qe InXPYtR5UDs0ac+mgv4UdzF8vFj99Fru8J0Jof+eOKdxzd9bGqPC90Wc1FC3SsB4 Ne30N8GBSJW0tCYRS/Fe+vHS65PdlTm817Wo111OcIhdR7RFs4in6M4DmElZg=
Received: from localhost (rrcs-172-254-26-194.nyc.biz.rr.com [172.254.26.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a1.g.dreamhost.com (Postfix) with ESMTPSA id 3DBA380249; Mon, 10 Dec 2018 19:01:04 -0800 (PST)
Date: Mon, 10 Dec 2018 21:01:02 -0600
X-DH-BACKEND: pdx1-sub0-mail-a1
From: Nico Williams <nico@cryptonector.com>
To: Paul Wouters <paul@nohats.ca>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, ipsec@ietf.org, Valery Smyslov <smyslov.ietf@gmail.com>
Message-ID: <20181211030100.GE15561@localhost>
References: <25207.1544136532@localhost> <026601d49061$8809ad30$981d0790$@gmail.com> <29587.1544482818@localhost> <20181210231958.GC15561@localhost> <alpine.LRH.2.21.1812101846010.29141@bofh.nohats.ca> <20181211001622.GD15561@localhost> <alpine.LRH.2.21.1812102042330.22448@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.LRH.2.21.1812102042330.22448@bofh.nohats.ca>
User-Agent: Mutt/1.5.24 (2015-08-30)
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: -100
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedtkedrudegiedgheehucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuggftfghnshhusghstghrihgsvgdpffftgfetoffjqffuvfenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepfffhvffukfhfgggtuggjfgesthdtredttdervdenucfhrhhomheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqeenucfkphepudejvddrvdehgedrvdeirdduleegnecurfgrrhgrmhepmhhouggvpehsmhhtphdphhgvlhhopehlohgtrghlhhhoshhtpdhinhgvthepudejvddrvdehgedrvdeirdduleegpdhrvghtuhhrnhdqphgrthhhpefpihgtohcuhghilhhlihgrmhhsuceonhhitghosegtrhihphhtohhnvggtthhorhdrtghomheqpdhmrghilhhfrhhomhepnhhitghosegtrhihphhtohhnvggtthhorhdrtghomhdpnhhrtghpthhtohepnhhitghosegtrhihphhtohhnvggtthhorhdrtghomhenucevlhhushhtvghrufhiiigvpedt
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/OLLp7RziLlHGp_AdNnbhvfsbOfs>
Subject: Re: [IPsec] replacing PSKs: CFRG and PAKE
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Dec 2018 03:01:19 -0000

On Mon, Dec 10, 2018 at 08:58:15PM -0500, Paul Wouters wrote:
> On Mon, 10 Dec 2018, Nico Williams wrote:
> >>That is still missing OTP support :(
> >
> >If you have the private keys locked unextractably in a hardware token
> >that requires a PIN to unlock, then you have two factors right there.
> >That's not generic two-factor authentication though, and it certainly
> >isn't OTP.
> 
> Right. So I guess what I'd like PSK-replacement-PAKE to support is using
> OTP, without EAP. But I guess that's not really possible if I understand
> things correctly.

No you very much can get PAKE + OTP.  We'll get into the details of what
is difficult later.

> If we are going to basically obsolete/deprecate RFC 6628 and 6467, it
> would be nice if we did it in such a way that we can still have OTP
> support.

Sure.

> >A balanced PAKE is symmetric as to initiator/responder roles.  An
> >augmented PAKE is not quite.
> 
> In that case, the gain of augmented PAKE seems small. If the server is

No, the gain of an augmented PAKE is very large.

> compromised, they can just pretend the AUTH payload is OK if they _want_

They can do that in both cases, but in the balanced PAKE case the
attacker who has the shared secret can not only impersonate the server
to the user, but vice-versa, and they can MITM the two.

In the augmented case the attacker who has the verifier can impersonate
the server to the user, but NOT the user to the server (not without
first successfully mounting a dictionary attack on the verifier).

> you to connect to them and get all your traffic. And the client needs to
> know the password, and not just the verifier.

The client is always expected to know the password.  The verifier can
always be computed from the password (and salt).

> For the case where a VPN gateway should not have the password
> credentials itself, it would (should?) be using some kind of EAP
> mechanism anyway? So we don't need an augmented PAKE for that?

EAP has its use: federation.

Augmented PAKE is better than augmented in all cases when dealing with a
username and password as a credential.

Balanced PAKE is only useful (IMO) as a transition tool so that you can
start using the PSK secrets you already have as PAKE secrets then change
passwords to switch to secret/verifier augmented PAKE from that point
forward.

> >The asymmetry in roles in augmented PAKEs means that in order to
> >function as an IKE responder (and thus maintain IKE initiator/responder
> >role symmetry), the IKE PAKE extension would have to permit one side to
> >request that the other initiate the augmented PAKE exchange.
> 
> that feels the wrong method for a site-to-site VPN connecting two
> enterprises. One would have a better security after compromise than
> the other side?

It just means that when the SG/whatever wants to initiate an IKE
exchange with the user it needs an extra message: "Hey yo, start
augmented PAKE with me", followed by the rest of an IKE exchange as if
the now-resonder client had initiated.

> So it seems to me one balanced PAKE would be enough, but I'll go reread
> some older messages again.

Please opt for both.  Balanced so you can start using existing PSKs,
augmented so you can better secure the password database on the server
side.

Nico
--

v2.37.1 | Report a Bug | By Email | System Status