IETF Logo Mail Archive

Re: [secdir] secdir review of draft-kuegler-ipsecme-pace-ikev2

Dennis Kügler <dennis.kuegler@bsi.bund.de> Thu, 14 April 2011 16:39 UTC

Return-Path: <dennis.kuegler@bsi.bund.de>
X-Original-To: secdir@ietfc.amsl.com
Delivered-To: secdir@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id F2758E079C for <secdir@ietfc.amsl.com>; Thu, 14 Apr 2011 09:39:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.948
X-Spam-Level:
X-Spam-Status: No, score=-5.948 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d0PiZMQI4siZ for <secdir@ietfc.amsl.com>; Thu, 14 Apr 2011 09:39:39 -0700 (PDT)
Received: from m4.mfw.bn.ivbb.bund.de (m4-bn.bund.de [77.87.228.76]) by ietfc.amsl.com (Postfix) with ESMTP id ECC1EE0716 for <secdir@ietf.org>; Thu, 14 Apr 2011 09:39:37 -0700 (PDT)
Received: from m4.mfw.bn.ivbb.bund.de (localhost [127.0.0.1]) by m4.mfw.bn.ivbb.bund.de (8.14.3/8.14.3) with ESMTP id p3EGdVBL007429; Thu, 14 Apr 2011 18:39:31 +0200 (CEST)
Received: (from localhost) by m4.mfw.bn.ivbb.bund.de (MSCAN) id 5/m4.mfw.bn.ivbb.bund.de/smtp-gw/mscan; Thu Apr 14 18:39:31 2011
X-P350-Id: 6d3919f233c3d5e0
X-Virus-Scanned: by amavisd-new at bsi.bund.de
From: Dennis Kügler <dennis.kuegler@bsi.bund.de>
Organization: BSI Bonn
To: Nico Williams <nico@cryptonector.com>
Date: Thu, 14 Apr 2011 18:39:13 +0200
User-Agent: KMail/1.9.10 (enterprise35 20110321.6842210)
References: <AC6674AB7BC78549BB231821ABF7A9AEB530189991@EMBX01-WF.jnpr.net> <4DA69C8A.7000305@gmail.com> <BANLkTi=3WCvUgtLdNknDog--UniYM1G9Bg@mail.gmail.com>
In-Reply-To: <BANLkTi=3WCvUgtLdNknDog--UniYM1G9Bg@mail.gmail.com>
X-KMail-QuotePrefix: >
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-ID: <201104141839.13739.dennis.kuegler@bsi.bund.de>
X-AntiVirus: checked by Avira MailGate (version: 3.1.2; AVE: 8.2.4.206; VDF: 7.11.6.109; host: sgasmtp2.bsi.de); id=24706-Ta81yY
X-Mailman-Approved-At: Tue, 19 Apr 2011 10:19:34 -0700
Cc: "draft-kuegler-ipsecme-pace-ikev2@tools.ietf.org" <draft-kuegler-ipsecme-pace-ikev2@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-kuegler-ipsecme-pace-ikev2
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Apr 2011 16:39:40 -0000

Nico,

> PACE does not use a standard PBKDF.  That's not necessarily a problem,
> of course, but it could be.  There's no iteration count, for example,
> in the SPwd nor KPwd derivations (an iteration count belongs in the
> SPwd derivation, if anything).  Nor is there any password salting(!),
> nor any discussion regarding the absence of salting.  The lack of
> salting should be considered fatal, IMO.  The lack of an iteration
> count is less significant, but I'd still rather see an iteration
> count.  Note that negotiating a salt and iteration count requires an
> extra round-trip.  And note that iteration count negotiation has
> security considerations.

"Standard" PBKDF are used to artifically enhance the entopy of the password, 
because low-entropy passwords are easy targets for dictionary attacks. PACE 
is a cryptographic protocol that is designed to (mathematically) withstand 
(passive) dictionary attacks independent of the strength of the password and 
therefore there is no need for additional countermeasures like salting the 
password.

>
> Of course, PACE is targeting Experimental... do we care about
> cryptographic issues in Experimental RFCs?  I'd say we should, though
> less so than for Standards Track RFCs since we can only spare so much
> energy.
>
> I'm rather disappointed to see this wheel reinvented.  SCRAM (RFC5802)
> would fit right in instead of PACE, for example, and has the same
> kinds of properties as PACE, but with a number of advantages over PACE
> (SCRAM is on the Standards Track, received much more review, uses a
> PBKDF with salt and iteration count, is implemented, is reusable in
> many contexts, does channel binding, there's an LDAP schema for
> storing SCRAM password verifiers, ...).

Actually, the protocols have very different properties. SCRAM (more or less) 
requires a public key infrastucture in place, while PACE provides an 
authenticated and encrypted channel without any additional security layer.

>
> We, secdir, should be encouraging wheel reuse wherever possible over
> wheel reinvention.

Once you decide to abandon those simple and insecure password-based 
challenge/response protocols, feel free to make use of PACE instead of 
reinventing the wheel :-)

Dennis

v2.23.0 | Report a Bug | By Email