Re: [secdir] secdir review of draft-kuegler-ipsecme-pace-ikev2
Nico Williams <nico@cryptonector.com> Thu, 14 April 2011 16:54 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: secdir@ietfc.amsl.com
Delivered-To: secdir@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id 8DD1AE0800 for <secdir@ietfc.amsl.com>; Thu, 14 Apr 2011 09:54:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.23
X-Spam-Level:
X-Spam-Status: No, score=-1.23 tagged_above=-999 required=5 tests=[AWL=-0.553, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_BACKHAIR_11=1, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id La4W7TOEt0Nh for <secdir@ietfc.amsl.com>; Thu, 14 Apr 2011 09:54:21 -0700 (PDT)
Received: from homiemail-a26.g.dreamhost.com (caiajhbdcagg.dreamhost.com [208.97.132.66]) by ietfc.amsl.com (Postfix) with ESMTP id 87519E078C for <secdir@ietf.org>; Thu, 14 Apr 2011 09:54:21 -0700 (PDT)
Received: from homiemail-a26.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a26.g.dreamhost.com (Postfix) with ESMTP id A68D5B8058 for <secdir@ietf.org>; Thu, 14 Apr 2011 09:54:20 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=cryptonector.com; h=mime-version :in-reply-to:references:date:message-id:subject:from:to:cc :content-type:content-transfer-encoding; q=dns; s= cryptonector.com; b=gWQMtzQZWvK7eAD5kWGJeZo9qDRdTt9FDjlHdmdS0W/Z s8oKq7GqzMWvYEOgjbw+UoAwphhEyRZafj3SBSB752LejrARB4IZrejWV6ZglR42 yT5awPUqgejlQie4MYoMVT8R8VxQthF/8NipGYR+kReF+g0kUI7BGujOSeVvNc0=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type:content-transfer-encoding; s= cryptonector.com; bh=XcCAj7momQ+W+wtq4JeXamP/hJA=; b=RNkOgva2N3r QP7oJP5VKxgVZD8xFsA/sZ35RJNtVmqftmsjCqCaQOAA6GXXbd9OzJ8f+GrgCY6V C++a/ZwKrtB5xX/BHz1QZeYfAKbA0li88kumOlhmFCRzj5Jiir09Dj64ZcrHfzyi YUHA35pFeyQty9VWGnyxkeO3AueglF1s=
Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a26.g.dreamhost.com (Postfix) with ESMTPSA id 7331BB8056 for <secdir@ietf.org>; Thu, 14 Apr 2011 09:54:20 -0700 (PDT)
Received: by vws12 with SMTP id 12so1840139vws.31 for <secdir@ietf.org>; Thu, 14 Apr 2011 09:54:19 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.112.69 with SMTP id io5mr1405656vdb.94.1302800059876; Thu, 14 Apr 2011 09:54:19 -0700 (PDT)
Received: by 10.52.163.228 with HTTP; Thu, 14 Apr 2011 09:54:19 -0700 (PDT)
In-Reply-To: <201104141839.13739.dennis.kuegler@bsi.bund.de>
References: <AC6674AB7BC78549BB231821ABF7A9AEB530189991@EMBX01-WF.jnpr.net> <4DA69C8A.7000305@gmail.com> <BANLkTi=3WCvUgtLdNknDog--UniYM1G9Bg@mail.gmail.com> <201104141839.13739.dennis.kuegler@bsi.bund.de>
Date: Thu, 14 Apr 2011 11:54:19 -0500
Message-ID: <BANLkTi=sAg3NZoaCab3eyz=JE=m9_bmE7Q@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Dennis Kügler <dennis.kuegler@bsi.bund.de>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "draft-kuegler-ipsecme-pace-ikev2@tools.ietf.org" <draft-kuegler-ipsecme-pace-ikev2@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-kuegler-ipsecme-pace-ikev2
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Apr 2011 16:54:22 -0000
On Thu, Apr 14, 2011 at 11:39 AM, Dennis Kügler <dennis.kuegler@bsi.bund.de> wrote: >> PACE does not use a standard PBKDF. That's not necessarily a problem, >> of course, but it could be. There's no iteration count, for example, >> in the SPwd nor KPwd derivations (an iteration count belongs in the >> SPwd derivation, if anything). Nor is there any password salting(!), >> nor any discussion regarding the absence of salting. The lack of >> salting should be considered fatal, IMO. The lack of an iteration >> count is less significant, but I'd still rather see an iteration >> count. Note that negotiating a salt and iteration count requires an >> extra round-trip. And note that iteration count negotiation has >> security considerations. > > "Standard" PBKDF are used to artifically enhance the entopy of the password, > because low-entropy passwords are easy targets for dictionary attacks. PACE > is a cryptographic protocol that is designed to (mathematically) withstand > (passive) dictionary attacks independent of the strength of the password and > therefore there is no need for additional countermeasures like salting the > password. Salting is still useful regarding password verifier security. Recall that salting was originally invented for that purpose, long before the first challenge/response password protocols were invented. >> Of course, PACE is targeting Experimental... do we care about >> cryptographic issues in Experimental RFCs? I'd say we should, though >> less so than for Standards Track RFCs since we can only spare so much >> energy. >> >> I'm rather disappointed to see this wheel reinvented. SCRAM (RFC5802) >> would fit right in instead of PACE, for example, and has the same >> kinds of properties as PACE, but with a number of advantages over PACE >> (SCRAM is on the Standards Track, received much more review, uses a >> PBKDF with salt and iteration count, is implemented, is reusable in >> many contexts, does channel binding, there's an LDAP schema for >> storing SCRAM password verifiers, ...). > > Actually, the protocols have very different properties. SCRAM (more or less) > requires a public key infrastucture in place, while PACE provides an > authenticated and encrypted channel without any additional security layer. As far as I can tell PACE provides a secure but not authenticated channel. In Figure 1 I don't see anything that would authenticate the channel other than the shared secret (derived from a password). There is a KE exchange however, which protects PACE against passive attacks, but not against active attacks. Did I miss something else? If not then iteration counts add some value, no? Also, regarding SCRAM, yes, it's intended to be used, ideally, with a secure, authenticated channel and channel binding to that channel. This is not unlike what PACE does, actually, except that PACE builds that channel itself -- but why do that when IKE can already do that anyways? Or, another way to phrase that: you could have done the same thing with SCRAM, something like: I->R: HDR, SAi1, KEi, Ni, <password mech negotiation> R->I: HDR, SAr1, KEr, Nr, <password mech negotiation> I<->R: <SCRAM with channel binding to the channel setup above> You get the same properties this way as in PACE, plus salting, plus iteration counts. Plus a Standards Track solution. Plus specification and code reuse. Plus less reviewing to do because the security analysis becomes simpler because the security analysis for SCRAM has been done. >> We, secdir, should be encouraging wheel reuse wherever possible over >> wheel reinvention. > > Once you decide to abandon those simple and insecure password-based > challenge/response protocols, feel free to make use of PACE instead of > reinventing the wheel :-) SCRAM is no less secure than PACE when used as intended: with channel binding to a secure channel, and arguably (that is, I'm arguing this) it's more secure than PACE. Nico --
- [secdir] secdir review of draft-kuegler-ipsecme-p… Stephen Hanna
- Re: [secdir] secdir review of draft-kuegler-ipsec… Yaron Sheffer
- Re: [secdir] secdir review of draft-kuegler-ipsec… Nico Williams
- Re: [secdir] secdir review of draft-kuegler-ipsec… Paul Hoffman
- Re: [secdir] secdir review of draft-kuegler-ipsec… Nico Williams
- Re: [secdir] secdir review of draft-kuegler-ipsec… Yaron Sheffer
- Re: [secdir] secdir review of draft-kuegler-ipsec… Nico Williams
- Re: [secdir] secdir review of draft-kuegler-ipsec… Paul Hoffman
- Re: [secdir] secdir review of draft-kuegler-ipsec… Nico Williams
- Re: [secdir] secdir review of draft-kuegler-ipsec… Nico Williams
- Re: [secdir] secdir review of draft-kuegler-ipsec… Dan Harkins
- Re: [secdir] secdir review of draft-kuegler-ipsec… Yaron Sheffer
- Re: [secdir] secdir review of draft-kuegler-ipsec… Nico Williams
- Re: [secdir] secdir review of draft-kuegler-ipsec… Nico Williams
- Re: [secdir] secdir review of draft-kuegler-ipsec… Dan Harkins
- Re: [secdir] secdir review of draft-kuegler-ipsec… Nico Williams
- Re: [secdir] secdir review of draft-kuegler-ipsec… Dan Harkins
- Re: [secdir] secdir review of draft-kuegler-ipsec… Nico Williams
- Re: [secdir] secdir review of draft-kuegler-ipsec… Yaron Sheffer
- Re: [secdir] secdir review of draft-kuegler-ipsec… Nico Williams
- Re: [secdir] secdir review of draft-kuegler-ipsec… Yaron Sheffer
- Re: [secdir] secdir review of draft-kuegler-ipsec… Tom Yu
- Re: [secdir] secdir review of draft-kuegler-ipsec… Nico Williams
- Re: [secdir] secdir review of draft-kuegler-ipsec… Nico Williams
- Re: [secdir] secdir review of draft-kuegler-ipsec… Glen Zorn
- Re: [secdir] secdir review of draft-kuegler-ipsec… Dennis Kügler