Re: [Lake] Forward Security with PSK-Only LAKE
Benjamin Beurdouche <benjamin.beurdouche@inria.fr> Sat, 18 January 2020 06:58 UTC
Return-Path: <benjamin.beurdouche@inria.fr>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29AA81200DB for <lake@ietfa.amsl.com>; Fri, 17 Jan 2020 22:58:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.896
X-Spam-Level:
X-Spam-Status: No, score=-6.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZzfCfKeY8i-4 for <lake@ietfa.amsl.com>; Fri, 17 Jan 2020 22:58:29 -0800 (PST)
Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr [192.134.164.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D04711200F3 for <lake@ietf.org>; Fri, 17 Jan 2020 22:58:28 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.70,333,1574118000"; d="scan'208,217";a="336243613"
Received: from 82-64-165-115.subs.proxad.net (HELO [192.168.1.49]) ([82.64.165.115]) by mail3-relais-sop.national.inria.fr with ESMTP/TLS/AES256-GCM-SHA384; 18 Jan 2020 07:58:26 +0100
Content-Type: multipart/alternative; boundary="Apple-Mail-B1747D21-13EF-4A59-AD37-6C3753DE1BB1"
Content-Transfer-Encoding: 7bit
From: Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
Mime-Version: 1.0 (1.0)
Date: Sat, 18 Jan 2020 07:58:26 +0100
Message-Id: <E6714F08-9612-4672-BDB6-AC996A3C1EDC@inria.fr>
References: <CABcZeBNpDpMGLYCftSXFd+NNG-92VXNPtUjpTMZqkTKjm3Vvuw@mail.gmail.com>
Cc: Karthik Bhargavan <karthikeyan.bhargavan@inria.fr>, lake@ietf.org
In-Reply-To: <CABcZeBNpDpMGLYCftSXFd+NNG-92VXNPtUjpTMZqkTKjm3Vvuw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
X-Mailer: iPhone Mail (17C54)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/sO92Hf1KarXJr3lMZ0R41axGLJc>
Subject: Re: [Lake] Forward Security with PSK-Only LAKE
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jan 2020 06:58:41 -0000
Yeah, btw, I think it is a minimal requirement to have FS but let’s not call LAKE a secure protocol if it is not gonna provide both FS and PCS for long term sessions... B. > On Jan 18, 2020, at 1:38 AM, Eric Rescorla <ekr@rtfm.com> wrote: > > > Thanks Karthik. > > Just to sharpen this point: you *do* need a new DH exchange to get PCS, but not to get PFS. > > -Ekr > > >> On Fri, Jan 17, 2020 at 2:58 AM Karthik Bhargavan <karthikeyan.bhargavan@inria.fr> wrote: >> It looks like I over-simplified the protocol. >> Some clarifications and corrections below. >> >> At the beginning of a session: >> A and B have a PSK K, associated with id I, and a session counter C >> >> --- >> A -> B: m1 = N_A, I, C, other_params >> B -> A: m2 = N_B, other_params, MAC(K_mB, m1 | m2) >> A -> B: MAC(K_mA, m1 | m2) >> A -> B: AEAD(K_eA, msg0,…) >> B -> A: AEAD(K_eB, msg1,…) >> —— >> >> At the end of a session: >> A and B set C <- C + 1, K <- HKDF(K, I, C+1) >> A and B throw away the old PSK K. >> >> Note: >> - N_A and N_B are nonces generated by A and B, respectively. >> - K_mA = HKDF(K, “mac_key A”, m1 | m2) >> - K_mB = HKDF(K, “mac_key B”, m1 | m2) >> - K_eA = HKDF(K, “ae_key A”, m1 | m2) >> - K_eB = HKDF(K, “ae_key B”, m1 | m2) >> >> >> >> > >> > -------- >> > >> > The above protocol can be generalized in several ways. >> > First, A and B need not have exactly the same counter C, instead they could negotiate the MAX of their two counters and derive the PSK corresponding to that counter. >> > Second, A and B may share both a long-term PSK K0 and an ephemeral PSK K and mix them both together in the protocol above. >> > This provides a clean separation between the PSK used for authentication and the PSK used for forward secrecy. >> > Third, we may use the protocol above as a “fast resumption” mechanism but fall back to full PSK-ECDHE whenever we want. >> > >> > To conclude, I wonder if we should explicitly consider a mechanism like the above as a requirement for LAKE. >> > It appears to meet the security goals we have set for PSK-LAKE and it is a good example of what can be achieved without an expensive DH operation.. >> > (Incidentally, the message sizes of the protocol above are very tiny.) >> > >> > -Karthik >> > >> > >> > >> > >> > -- >> > Lake mailing list >> > Lake@ietf.org >> > https://www.ietf.org/mailman/listinfo/lake >> >> -- >> Lake mailing list >> Lake@ietf.org >> https://www.ietf.org/mailman/listinfo/lake > -- > Lake mailing list > Lake@ietf.org > https://www.ietf.org/mailman/listinfo/lake
- [Lake] Forward Security with PSK-Only LAKE Karthik Bhargavan
- Re: [Lake] Forward Security with PSK-Only LAKE Karthik Bhargavan
- Re: [Lake] Forward Security with PSK-Only LAKE Eric Rescorla
- Re: [Lake] Forward Security with PSK-Only LAKE Benjamin Beurdouche
- Re: [Lake] Forward Security with PSK-Only LAKE Karthik Bhargavan
- Re: [Lake] Forward Security with PSK-Only LAKE Benjamin Beurdouche
- Re: [Lake] Forward Security with PSK-Only LAKE Benjamin Beurdouche
- Re: [Lake] Forward Security with PSK-Only LAKE Karthik Bhargavan
- Re: [Lake] Forward Security with PSK-Only LAKE John Mattsson
- Re: [Lake] Forward Security with PSK-Only LAKE Göran Selander