Re: [secdir] secdir review of draft-kuegler-ipsecme-pace-ikev2
Yaron Sheffer <yaronf.ietf@gmail.com> Thu, 14 April 2011 19:46 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: secdir@ietfc.amsl.com
Delivered-To: secdir@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id 36D29E0712 for <secdir@ietfc.amsl.com>; Thu, 14 Apr 2011 12:46:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.599
X-Spam-Level:
X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yq8f-QeUJa1h for <secdir@ietfc.amsl.com>; Thu, 14 Apr 2011 12:46:53 -0700 (PDT)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by ietfc.amsl.com (Postfix) with ESMTP id 592A2E0687 for <secdir@ietf.org>; Thu, 14 Apr 2011 12:46:53 -0700 (PDT)
Received: by wyb29 with SMTP id 29so1909570wyb.31 for <secdir@ietf.org>; Thu, 14 Apr 2011 12:46:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=UeahZt0KHePx2uFuQOlyBlQ4rawEPY1/BPZtqJCzxEk=; b=f2Tk/Vs1Hy3qzkc8JVFgaMueJw2aZIyWBRnbPiYqaUCp/YfAQnE+tnuwZu1+pMhJ2a OD+g6ySFJgltRydHL6FrB1qUH/853SqgjHGlAx8s7VXNoRhY7qJSv3mgj9TOa8jGo5HF 1V6vkFnd0CCaHDA5o9KI/drYyGnCMBGF1PUFY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; b=BplY6domssUCDhIb8KZHIsxz78E2T69KoKVhrqnmfpZuLxoI9srwjlfvjsV7N+J6V2 p7Us34aBwdtKy98HkwU5tb4DqHIukoZtPh/0nTjgk4fXo+GsVwSR2MlWmfCcpZICGzMS kuChIdLr5r06vG7rHM0GSWWZLPi2q2u0MJTqA=
Received: by 10.227.172.7 with SMTP id j7mr1208252wbz.60.1302810412685; Thu, 14 Apr 2011 12:46:52 -0700 (PDT)
Received: from [10.0.0.5] (bzq-79-177-21-107.red.bezeqint.net [79.177.21.107]) by mx.google.com with ESMTPS id bd8sm1194850wbb.31.2011.04.14.12.46.51 (version=SSLv3 cipher=OTHER); Thu, 14 Apr 2011 12:46:52 -0700 (PDT)
Message-ID: <4DA74F2A.2060504@gmail.com>
Date: Thu, 14 Apr 2011 22:46:50 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.14) Gecko/20110223 Lightning/1.0b2 Thunderbird/3.1.8
MIME-Version: 1.0
To: Nico Williams <nico@cryptonector.com>
References: <AC6674AB7BC78549BB231821ABF7A9AEB530189991@EMBX01-WF.jnpr.net> <4DA69C8A.7000305@gmail.com> <BANLkTi=3WCvUgtLdNknDog--UniYM1G9Bg@mail.gmail.com> <4DA72605.10506@gmail.com> <BANLkTikXF=S3NugNBErZZGLngyCECh=jTw@mail.gmail.com> <ced915e87f60e86c5db6f21f7e94d1a3.squirrel@www.trepanning.net> <BANLkTimqGh84igi5iVJop6O2reG8WF8s-Q@mail.gmail.com> <9c05d036d0e99a053cf977d3f2c441db.squirrel@www.trepanning.net> <BANLkTikF_eG3-CfoJi+6fthvt0gg6D=kwQ@mail.gmail.com> <4DA73C26.5070407@gmail.com> <BANLkTin7tZwKX5zK6Qq2HOtWH17k0omtMA@mail.gmail.com>
In-Reply-To: <BANLkTin7tZwKX5zK6Qq2HOtWH17k0omtMA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "draft-kuegler-ipsecme-pace-ikev2@tools.ietf.org" <draft-kuegler-ipsecme-pace-ikev2@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-kuegler-ipsecme-pace-ikev2
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Apr 2011 19:46:54 -0000
Yes, PACE is a ZKPP, and the AUTH payloads depend on values that the attacker cannot compute (PACESharedSecret). Again, this assertion is based on the mathematical proof of the protocol. We have tried for many years to educate people to use better passwords. This has not worked. So we'd better assume that passwords are weak by default, and if they're good, all the better. Thanks, Yaron On 04/14/2011 09:44 PM, Nico Williams wrote: > On Thu, Apr 14, 2011 at 1:25 PM, Yaron Sheffer<yaronf.ietf@gmail.com> wrote: >> ENONCE in and of itself is not vulnerable to an off-line dictionary attack >> because the password encrypts a random bit string, and we take care that >> there is no stray entropy (padding, MAC) that such an attacker could use. > > But the ENONCE paired with the AUTH payloads is subject to off-line > dictionary attacks (the attacker will have to have impersonated the > responder in order to obtain the necessary material). > >> As to the bigger question of why the protocol as a whole is not vulnerable >> to the attack, you will have to follow the proof in the paper (or maybe just >> ask my coauthor). > > It sounds like you're asserting that PACE is a ZKPP. Is that right? > >> And regarding the usage scenario: the primary scenario is password-based >> machine-to-machine authentication. Yes, sysadmins are human (in most cases >> :-) and they tend to use short passwords for machine auth, much more often >> than we would have liked. > > You might want to clarify this in the abstract and introduction then. > But even so, as long as the passwords are human memorable and the > mechanism is not a ZKPP, then my other comments stand. However, if > this is really for machine authentication then I'll be happy with text > exhorting admins to pick good passwords. > >> There is a secondary use case that's the usual human-to-server auth, where >> the peers are too lazy to use EAP. I'm questioning whether this scenario is >> interesting enough to add a salted "mode" into the protocol. > > Fair enough.
- [secdir] secdir review of draft-kuegler-ipsecme-p… Stephen Hanna
- Re: [secdir] secdir review of draft-kuegler-ipsec… Yaron Sheffer
- Re: [secdir] secdir review of draft-kuegler-ipsec… Nico Williams
- Re: [secdir] secdir review of draft-kuegler-ipsec… Paul Hoffman
- Re: [secdir] secdir review of draft-kuegler-ipsec… Nico Williams
- Re: [secdir] secdir review of draft-kuegler-ipsec… Yaron Sheffer
- Re: [secdir] secdir review of draft-kuegler-ipsec… Nico Williams
- Re: [secdir] secdir review of draft-kuegler-ipsec… Paul Hoffman
- Re: [secdir] secdir review of draft-kuegler-ipsec… Nico Williams
- Re: [secdir] secdir review of draft-kuegler-ipsec… Nico Williams
- Re: [secdir] secdir review of draft-kuegler-ipsec… Dan Harkins
- Re: [secdir] secdir review of draft-kuegler-ipsec… Yaron Sheffer
- Re: [secdir] secdir review of draft-kuegler-ipsec… Nico Williams
- Re: [secdir] secdir review of draft-kuegler-ipsec… Nico Williams
- Re: [secdir] secdir review of draft-kuegler-ipsec… Dan Harkins
- Re: [secdir] secdir review of draft-kuegler-ipsec… Nico Williams
- Re: [secdir] secdir review of draft-kuegler-ipsec… Dan Harkins
- Re: [secdir] secdir review of draft-kuegler-ipsec… Nico Williams
- Re: [secdir] secdir review of draft-kuegler-ipsec… Yaron Sheffer
- Re: [secdir] secdir review of draft-kuegler-ipsec… Nico Williams
- Re: [secdir] secdir review of draft-kuegler-ipsec… Yaron Sheffer
- Re: [secdir] secdir review of draft-kuegler-ipsec… Tom Yu
- Re: [secdir] secdir review of draft-kuegler-ipsec… Nico Williams
- Re: [secdir] secdir review of draft-kuegler-ipsec… Nico Williams
- Re: [secdir] secdir review of draft-kuegler-ipsec… Glen Zorn
- Re: [secdir] secdir review of draft-kuegler-ipsec… Dennis Kügler