Re: [Lake] Forward Security with PSK-Only LAKE
Karthik Bhargavan <karthikeyan.bhargavan@inria.fr> Sat, 18 January 2020 13:22 UTC
Return-Path: <karthikeyan.bhargavan@inria.fr>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3E361200C1 for <lake@ietfa.amsl.com>; Sat, 18 Jan 2020 05:22:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RPBoxUgVW6oT for <lake@ietfa.amsl.com>; Sat, 18 Jan 2020 05:22:11 -0800 (PST)
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 025EC120058 for <lake@ietf.org>; Sat, 18 Jan 2020 05:22:10 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.70,334,1574118000"; d="scan'208";a="432010465"
Received: from 89-156-101-160.rev.numericable.fr (HELO [192.168.0.64]) ([89.156.101.160]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 Jan 2020 14:22:09 +0100
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.40.2.2.4\))
From: Karthik Bhargavan <karthikeyan.bhargavan@inria.fr>
In-Reply-To: <FA678251-0DE3-4016-8FCF-8EE6D3F0C2E2@inria.fr>
Date: Sat, 18 Jan 2020 14:22:08 +0100
Cc: Eric Rescorla <ekr@rtfm.com>, lake@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <94A9B2D4-5C0F-403C-BCFE-937B716D3388@inria.fr>
References: <CABcZeBNpDpMGLYCftSXFd+NNG-92VXNPtUjpTMZqkTKjm3Vvuw@mail.gmail.com> <E6714F08-9612-4672-BDB6-AC996A3C1EDC@inria.fr> <4829DF8E-8D73-4C9C-937F-D09F7B81C994@inria.fr> <FE5942D6-D0AD-44A5-998A-C3B2E54B3E7C@inria.fr> <FA678251-0DE3-4016-8FCF-8EE6D3F0C2E2@inria.fr>
To: Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
X-Mailer: Apple Mail (2.3608.40.2.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/I3076T-J5u7iBG3eJqnQN4rMJ3U>
Subject: Re: [Lake] Forward Security with PSK-Only LAKE
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jan 2020 13:22:13 -0000
Yes, I take the point that we should be careful about security guarantees. Further expanding on Ekr’s comment, one can see that there is room for various AKE modes with different levels of guarantees. So far, we have mainly been thinking about PSK-ECDHE and SIG-ECDHE modes, since forward security was a core property. I think we should also consider a PSK-FS mode that achieves forward security via key derivation. In practice, we may want devices to e.g. bootstrap a PSK using SIG-ECDHE and then use PSK-FS for some period of time. After some period of time, we may want to throw away the PSK and do another SIG-ECDHE from scratch. -Karthik > On 18 Jan 2020, at 12:26, Benjamin Beurdouche <benjamin.beurdouche@inria.fr> wrote: > > >> So, if you tell me that LAKE will provide a mechanism <insert name> (e.g.FS) that enables us to recover secrecy from a >> passive compromise while most of the time using the PSK rotation for FS, I am willing to say it is ok. >> Otherwise, if there is no hope to introduce freshness via <insert mechanism> (e.g.FS) and that a compromised session will always >> remain compromised, I’ll maintain that we cannot claim this to be a secure AKE for protocols we’ll build on top… > > > (e.g. FS) -> (e.g. DH) obviously... >
- [Lake] Forward Security with PSK-Only LAKE Karthik Bhargavan
- Re: [Lake] Forward Security with PSK-Only LAKE Karthik Bhargavan
- Re: [Lake] Forward Security with PSK-Only LAKE Eric Rescorla
- Re: [Lake] Forward Security with PSK-Only LAKE Benjamin Beurdouche
- Re: [Lake] Forward Security with PSK-Only LAKE Karthik Bhargavan
- Re: [Lake] Forward Security with PSK-Only LAKE Benjamin Beurdouche
- Re: [Lake] Forward Security with PSK-Only LAKE Benjamin Beurdouche
- Re: [Lake] Forward Security with PSK-Only LAKE Karthik Bhargavan
- Re: [Lake] Forward Security with PSK-Only LAKE John Mattsson
- Re: [Lake] Forward Security with PSK-Only LAKE Göran Selander