IETF Logo Mail Archive

Re: [IPsec] replacing PSKs: CFRG and PAKE

"Valery Smyslov" <smyslov.ietf@gmail.com> Tue, 11 December 2018 12:03 UTC

Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9006E130DDC for <ipsec@ietfa.amsl.com>; Tue, 11 Dec 2018 04:03:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.5
X-Spam-Level:
X-Spam-Status: No, score=-0.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OQguI0--CB7x for <ipsec@ietfa.amsl.com>; Tue, 11 Dec 2018 04:03:00 -0800 (PST)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 808C4130DD0 for <ipsec@ietf.org>; Tue, 11 Dec 2018 04:03:00 -0800 (PST)
Received: by mail-lj1-x229.google.com with SMTP id l15-v6so12695463lja.9 for <ipsec@ietf.org>; Tue, 11 Dec 2018 04:03:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:content-language :thread-index; bh=krTFbLBJCE6LDZBftOebrndYi5ed0hA5gQ+7+aQb3Ik=; b=KNjdpBhkajDck38mRbLg48Hv84vmALmEE4m5Q2BnGRiYamaomE24uPijdigCz5j7V6 srzhcNOzku2gFxAeONUg5n92fdHtt0uBMuaGB5kLxGUJ7ijFSVTqeX5A3clgzVdB45Sv BcgccxFG+I+ZOh4gEyV0eeowy9RSEEvm73Hd/VVbKJ/Af6+QBLx2L03RqJXYGmmXUHUw 5cI37omiUw8NPri9hulglzzJpeSJD95Pnf+pgwurRpHnnklETTLR6lbS+geZhewlOzRK 8hx/7wHodMqmYm/TcFzL3e175U/cvmP1T1LXPRY6zNgTjRe2qmCBY4mLXgfRzkPiUbK3 /sVw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:content-language :thread-index; bh=krTFbLBJCE6LDZBftOebrndYi5ed0hA5gQ+7+aQb3Ik=; b=CViBwpoFfbLBvjr6ibbIbuDLeH3t1mDAs2lDLl5WrRybGz4ToIxl7EuVo/jjs2N+nc d2haiGQOgvPkArBA/Ty8rFlCa9q6O+dCILayO+of2lWR7b7WpAhEUegrBkR7LgTRs2V3 5w8bfsbve4ZWbGclJbPi7M5xD8DqV+BiBDuoW1+hKl7nkzw1ZbZTOMYV5SWuLm/bT5Z7 0OwrGy6q0oeyQOjSBy6ziYdcNfWE6AjiboGwEmcAGa4CKNl68/d03Ibcqib7lgp6VxyD KDzm4L3weRRjvqbOZBWolXcvZqHxXUPHCgwgkxALWEXSg1aAILwsTwR+Qc3m9hOX0jXt Nrtg==
X-Gm-Message-State: AA+aEWYzakiNIuhvijWu63bhjnma+r98ai9qF8eSj9zUvCVadBVB/2aO CK9eGqiSGGNlEuWvYdan1mgW1Yw1
X-Google-Smtp-Source: AFSGD/XIQ8X4osySWEKUC2uDe9Ne5UKuspKgJgY0B9WIV6Qu3fnhdLf0kpLJ6h6VwwyCbTJnaFgdcA==
X-Received: by 2002:a2e:2f15:: with SMTP id v21-v6mr9650591ljv.56.1544529778301; Tue, 11 Dec 2018 04:02:58 -0800 (PST)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id u15-v6sm2901818lja.63.2018.12.11.04.02.57 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 11 Dec 2018 04:02:57 -0800 (PST)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Paul Wouters' <paul@nohats.ca>, 'Nico Williams' <nico@cryptonector.com>
Cc: 'Michael Richardson' <mcr+ietf@sandelman.ca>, ipsec@ietf.org
References: <25207.1544136532@localhost> <026601d49061$8809ad30$981d0790$@gmail.com> <29587.1544482818@localhost> <20181210231958.GC15561@localhost> <alpine.LRH.2.21.1812101846010.29141@bofh.nohats.ca> <20181211001622.GD15561@localhost> <alpine.LRH.2.21.1812102042330.22448@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1812102042330.22448@bofh.nohats.ca>
Date: Tue, 11 Dec 2018 15:02:51 +0300
Message-ID: <035701d49149$71640f10$542c2d30$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Content-Language: ru
Thread-Index: AQJjEIcGzPEj/22sYW2hroPcukYuWAIvYqvHAie7eo0BeQS8egHtaQHgAjk9efMBSdV9YqQCaPYw
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/uojMH5n9DyViNdCijcaf7xfBERI>
Subject: Re: [IPsec] replacing PSKs: CFRG and PAKE
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Dec 2018 12:03:02 -0000

Hi Paul,

I think that using PAKE for road warriors is more important than for 
site-to-site VPNs. In the latter case the SGWs are usually administered
by (presumably :-)) experienced administrators, who can select a high-entropy
PSK, and these PSKs need not to be memorable by users. So, generally speaking,
it is more secure to use good PSK than passwords (since any PAKE defends only 
against passive attacks, an attacker can still perform active probes and the search
space is limited for passwords).

So I think that augmented PAKE is more important than balanced. It can be used e.g. 
in those cases when it is impossible to securely store certificate's private key on a 
user devices. I'm not against selecting balanced PAKE too, but I think it's less important.

And I agree that it's better to avoid using EAP for PAKE.

But why do you want to deprecate RFC 6467? It is just a framework that must be
suitable for any PAKE.

Regards,
Valery.


> >> That is still missing OTP support :(
> >
> > If you have the private keys locked unextractably in a hardware token
> > that requires a PIN to unlock, then you have two factors right there.
> > That's not generic two-factor authentication though, and it certainly
> > isn't OTP.
> 
> Right. So I guess what I'd like PSK-replacement-PAKE to support is using
> OTP, without EAP. But I guess that's not really possible if I understand
> things correctly.
> 
> With XAUTH, we had a way to transfer a password in an encrypted payload,
> and the password could be in the syntax of "<user_password>:<user_token>"
> 
> If we are going to basically obsolete/deprecate RFC 6628 and 6467, it
> would be nice if we did it in such a way that we can still have OTP
> support.
> 
> >> I'd want the PAKE method to support OTP.
> >
> > It's doable.
> 
> Great :)
> 
> >> Explaining these differences on this list would be useful for me and
> >> possibly others.
> 
> Thanks for these.
> 
> > A PAKE is a zero-knowledge password proof protocol (ZKPP) that also
> > provides authenticated key exchange with forward security.  A ZKPP is a
> > password-based authentication protocol where neither eavesdroppers nor
> > active attackers get to mount off-line dictionary attacks on captured
> > protocol material.
> >
> > I had never seen the word "balanced" used to refer to "not augmented",
> > but I like it.
> >
> > A "balanced" PAKE is one where both sides share a secret or secret-
> > equivalent.
> >
> > An "augmented" PAKE is a PAKE where the credentials are asymmetric so
> > that relying parties (servers, acceptors, responders, whatever you call
> > them) store "verifiers" rather than password-equivalent secrets.
> >
> > A verifier is much like a hash of a password: not password-equivalent,
> > but susceptible to off-line dictionary attack.
> >
> > Compromise of shared secrets (via server compromise) is catastrophic for
> > a balanced PAKE since until you're able to change all the secrets the
> > attacker can impersonate all the users to the server.
> >
> > Compromise of verifiers (via server compromise) is much less disastrous
> > for an augmented PAKE because you have some time in which to change all
> > the weak secrets: the time it would take the attacker to recover
> > passwords via off-line dictionary attack.  The verifiers would all be
> > salted, naturally, so if your secrets are reasonably strong then that
> > might be a lot of time to change all those passwords.
> >
> > A balanced PAKE is symmetric as to initiator/responder roles.  An
> > augmented PAKE is not quite.
> 
> In that case, the gain of augmented PAKE seems small. If the server is
> compromised, they can just pretend the AUTH payload is OK if they _want_
> you to connect to them and get all your traffic. And the client needs to
> know the password, and not just the verifier.
> 
> For the case where a VPN gateway should not have the password
> credentials itself, it would (should?) be using some kind of EAP
> mechanism anyway? So we don't need an augmented PAKE for that?
> 
> 
> > The asymmetry in roles in augmented PAKEs means that in order to
> > function as an IKE responder (and thus maintain IKE initiator/responder
> > role symmetry), the IKE PAKE extension would have to permit one side to
> > request that the other initiate the augmented PAKE exchange.
> 
> that feels the wrong method for a site-to-site VPN connecting two
> enterprises. One would have a better security after compromise than
> the other side?
> 
> So it seems to me one balanced PAKE would be enough, but I'll go reread
> some older messages again.
> 
> Paul

v2.37.1 | Report a Bug | By Email | System Status