Re: [Lake] Forward Security with PSK-Only LAKE
Benjamin Beurdouche <benjamin.beurdouche@inria.fr> Sat, 18 January 2020 11:22 UTC
Return-Path: <benjamin.beurdouche@inria.fr>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05AB8120058 for <lake@ietfa.amsl.com>; Sat, 18 Jan 2020 03:22:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.898
X-Spam-Level:
X-Spam-Status: No, score=-6.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8vyeyUJDNAig for <lake@ietfa.amsl.com>; Sat, 18 Jan 2020 03:22:09 -0800 (PST)
Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr [192.134.164.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 846551200C7 for <lake@ietf.org>; Sat, 18 Jan 2020 03:22:06 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.70,334,1574118000"; d="scan'208";a="336258492"
Received: from 82-64-165-115.subs.proxad.net (HELO [192.168.1.20]) ([82.64.165.115]) by mail3-relais-sop.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 Jan 2020 12:22:04 +0100
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.40.2.2.4\))
From: Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
In-Reply-To: <4829DF8E-8D73-4C9C-937F-D09F7B81C994@inria.fr>
Date: Sat, 18 Jan 2020 12:22:02 +0100
Cc: Eric Rescorla <ekr@rtfm.com>, lake@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <FE5942D6-D0AD-44A5-998A-C3B2E54B3E7C@inria.fr>
References: <CABcZeBNpDpMGLYCftSXFd+NNG-92VXNPtUjpTMZqkTKjm3Vvuw@mail.gmail.com> <E6714F08-9612-4672-BDB6-AC996A3C1EDC@inria.fr> <4829DF8E-8D73-4C9C-937F-D09F7B81C994@inria.fr>
To: Karthikeyan Bhargavan <karthikeyan.bhargavan@inria.fr>
X-Mailer: Apple Mail (2.3608.40.2.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/SuTPUITgWNVuPSrutBJ5f-bFAdY>
Subject: Re: [Lake] Forward Security with PSK-Only LAKE
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jan 2020 11:22:11 -0000
> On Jan 18, 2020, at 11:51 AM, Karthik Bhargavan <karthikeyan.bhargavan@inria.fr> wrote: > > Hi Ekr, > > Indeed, the PSK-only protocol I described does not provide post-compromise security (PCS). > But as far as I understand, PCS is not a requirement for LAKE, just as it is not a requirement for TLS 1.3. > (Benjamin, I don’t think you meant to suggest that we cannot call TLS 1.3 a secure protocol?) Ah : ) I guess it all depends on what you build on top of the AKE of course... But anyhow, TLS is short-lived and even in the case of longer sessions using session tickets, both peers can decide to start a fresh session by starting a fresh 1RTT handshake, correct ? The argument of using PSK in contrast of DH to provide FS leads to the thinking that those are equivalent, which obviously both you and Ekr point out not to be the case regarding PCS and compromise in general. So, if you tell me that LAKE will provide a mechanism <insert name> (e.g.FS) that enables us to recover secrecy from a passive compromise while most of the time using the PSK rotation for FS, I am willing to say it is ok. Otherwise, if there is no hope to introduce freshness via <insert mechanism> (e.g.FS) and that a compromised session will always remain compromised, I’ll maintain that we cannot claim this to be a secure AKE for protocols we’ll build on top... For some reason, I see the claim “DH is too costly” has having the dangerous implication “let’s do long term sessions with PSKs” and I think this is quite dangerous but I might be completely wrong here… : ) > Introducing PCS as a requirement would require a larger discussion and more justification. > In any case, we are not yet in the stage of discussing specific protocol designs. > My main motivation was to clarify that we could reuse ideas from TLS resumption to provide a forward secure LAKE without requiring DH. B.
- [Lake] Forward Security with PSK-Only LAKE Karthik Bhargavan
- Re: [Lake] Forward Security with PSK-Only LAKE Karthik Bhargavan
- Re: [Lake] Forward Security with PSK-Only LAKE Eric Rescorla
- Re: [Lake] Forward Security with PSK-Only LAKE Benjamin Beurdouche
- Re: [Lake] Forward Security with PSK-Only LAKE Karthik Bhargavan
- Re: [Lake] Forward Security with PSK-Only LAKE Benjamin Beurdouche
- Re: [Lake] Forward Security with PSK-Only LAKE Benjamin Beurdouche
- Re: [Lake] Forward Security with PSK-Only LAKE Karthik Bhargavan
- Re: [Lake] Forward Security with PSK-Only LAKE John Mattsson
- Re: [Lake] Forward Security with PSK-Only LAKE Göran Selander