Re: [IPsec] Beginning the PAKE selection process
Nicolas Williams <Nicolas.Williams@oracle.com> Tue, 25 May 2010 22:37 UTC
Return-Path: <Nicolas.Williams@oracle.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B27463A75FB for <ipsec@core3.amsl.com>; Tue, 25 May 2010 15:37:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.998
X-Spam-Level:
X-Spam-Status: No, score=-3.998 tagged_above=-999 required=5 tests=[BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8pvz4V6568VI for <ipsec@core3.amsl.com>; Tue, 25 May 2010 15:37:05 -0700 (PDT)
Received: from rcsinet10.oracle.com (rcsinet10.oracle.com [148.87.113.121]) by core3.amsl.com (Postfix) with ESMTP id 5D4FF3A7736 for <ipsec@ietf.org>; Tue, 25 May 2010 14:26:55 -0700 (PDT)
Received: from acsinet15.oracle.com (acsinet15.oracle.com [141.146.126.227]) by rcsinet10.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id o4PLQUQ5002510 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 25 May 2010 21:26:33 GMT
Received: from acsmt354.oracle.com (acsmt354.oracle.com [141.146.40.154]) by acsinet15.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id o4PKmMMZ022938; Tue, 25 May 2010 21:26:28 GMT
Received: from abhmt017.oracle.com by acsmt355.oracle.com with ESMTP id 297552211274822683; Tue, 25 May 2010 14:24:43 -0700
Received: from oracle.com (/129.153.128.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 25 May 2010 14:24:43 -0700
Date: Tue, 25 May 2010 16:24:38 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Message-ID: <20100525212438.GL9605@oracle.com>
References: <p06240809c8170588347a@[10.20.30.158]>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <p06240809c8170588347a@[10.20.30.158]>
User-Agent: Mutt/1.5.20 (2010-03-02)
X-Auth-Type: Internal IP
X-Source-IP: acsinet15.oracle.com [141.146.126.227]
X-CT-RefId: str=0001.0A090208.4BFC408A.0118:SCFMA922111,ss=1,fgs=0
Cc: IPsecme WG <ipsec@ietf.org>
Subject: Re: [IPsec] Beginning the PAKE selection process
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 May 2010 22:37:06 -0000
A thought about PAKEs and ZKPPs... In the SASL space we pursued a DIGEST-MD5-like mechanism. Yup, SCRAM is vulnerable to off-line dictionary attacks by passive attackers. Except that SCRAM is intended to be used with channel binding to TLS, with confidentiality protection from the same TLS channel, and with TLS authenticating the server (with PSK, PKIX server certs, doesn't matter how). The only difference between the SCRAM-with-channel-binding-to-TLS approach and a ZKPP is this: with a ZKPP there's no need to separatly authenticate the server, which means there's no need to deploy a PKI or Kerberos, nor pre-share certs or keys. That's pretty nice. With the SCRAM-with-cb approach you don't really have to deploy a server authentication infrastructure nor pre-share server authentication material if you're willing to take a chance on initial attempts: you can just optimistically learn server authentication material on success. On failure you can warn the user to call a helpdesk to reset their password. Yeah, that's not as good as what you get with a ZKPP, but still pretty good. In practice most customer who'd use a ZKPP would be happy enough to deploy a server authentication infrastructure in the form of a PKI or pre-shared certs. And, they're very likely to want two-factor user authentication in the form of a user cert (possibly on a smartcard) and a password. In the latter case ZKPPs add little value: at best a round-trip optimization relative to the SCRAM-with-cb approach. The SCRAM-with-cb approach in IKEv2 would look as follows: first do an ephemeral-ephemeral DH key exchange, then authenticate the server with a CERT, then do a GSS-API context establishment with channel binding to the DH key exchange. Just a thought! Nico --
- [IPsec] Beginning the PAKE selection process Paul Hoffman
- Re: [IPsec] Beginning the PAKE selection process Yaron Sheffer
- Re: [IPsec] Beginning the PAKE selection process Dan Harkins
- Re: [IPsec] Beginning the PAKE selection process Paul Hoffman
- Re: [IPsec] Beginning the PAKE selection process Nicolas Williams
- Re: [IPsec] Beginning the PAKE selection process Dan Harkins
- Re: [IPsec] Beginning the PAKE selection process Dan Harkins
- Re: [IPsec] Beginning the PAKE selection process Nicolas Williams
- Re: [IPsec] Beginning the PAKE selection process Nicolas Williams
- Re: [IPsec] Beginning the PAKE selection process Nicolas Williams
- Re: [IPsec] Beginning the PAKE selection process Paul Hoffman