Re: [lamps] [EXTERNAL] draft-ietf-lamps-lightweight-cmp-profile-05 concern
Nick Lamb <njl@tlrmx.org> Wed, 17 March 2021 16:53 UTC
Return-Path: <njl@tlrmx.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58BDB3A0A3E for <spasm@ietfa.amsl.com>; Wed, 17 Mar 2021 09:53:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=tlrmx.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u4Kd8ZUrnnxe for <spasm@ietfa.amsl.com>; Wed, 17 Mar 2021 09:53:37 -0700 (PDT)
Received: from aye.elm.relay.mailchannels.net (aye.elm.relay.mailchannels.net [23.83.212.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 548183A0A38 for <spasm@ietf.org>; Wed, 17 Mar 2021 09:53:37 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|njl@tlrmx.org
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id DF738402FE4; Wed, 17 Mar 2021 16:53:35 +0000 (UTC)
Received: from pdx1-sub0-mail-a4.g.dreamhost.com (100-96-18-57.trex.outbound.svc.cluster.local [100.96.18.57]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 4CB8C401E61; Wed, 17 Mar 2021 16:53:34 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|njl@tlrmx.org
Received: from pdx1-sub0-mail-a4.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384) by 100.96.18.57 (trex/6.1.1); Wed, 17 Mar 2021 16:53:35 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|njl@tlrmx.org
X-MailChannels-Auth-Id: dreamhost
X-Spill-Keen: 14763c376b9a908f_1616000015596_1963046081
X-MC-Loop-Signature: 1616000015595:3086637381
X-MC-Ingress-Time: 1616000015595
Received: from pdx1-sub0-mail-a4.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a4.g.dreamhost.com (Postfix) with ESMTP id 10B098A56B; Wed, 17 Mar 2021 09:53:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=tlrmx.org; h=date:from:to :cc:subject:message-id:in-reply-to:references:mime-version :content-type:content-transfer-encoding; s=tlrmx.org; bh=4f1SBQk zgLCaPB8+w1Sc9HwN0vw=; b=dTOrZHVlhaedRNg6YmtBkzd/6Uo8pqpTkLGeNS+ jDP8Xi3/yoVhcUSTrEK48Zgk4vWM8w/SA5OBrNP6Bh8FESPmlUOWcbmTls2+y634 5g4QE9C2xNXU6mwMJgguC61YDdCZ2gzDKeybcRZQh1FCGrtu1tztXypFrPKHOn/r Pf88=
Received: from totoro.tlrmx.org (124.89.2.81.in-addr.arpa [81.2.89.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: njl@tlrmx.org) by pdx1-sub0-mail-a4.g.dreamhost.com (Postfix) with ESMTPSA id 702068A5B3; Wed, 17 Mar 2021 09:53:30 -0700 (PDT)
Date: Wed, 17 Mar 2021 16:53:26 +0000
X-DH-BACKEND: pdx1-sub0-mail-a4
From: Nick Lamb <njl@tlrmx.org>
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Cc: "hendrik.brockhaus@siemens.com" <hendrik.brockhaus@siemens.com>, "spasm@ietf.org" <spasm@ietf.org>
Message-ID: <20210317165326.157d948b@totoro.tlrmx.org>
In-Reply-To: <DM6PR11MB43807A80242CC755A6AE06BF9F6A9@DM6PR11MB4380.namprd11.prod.outlook.com>
References: <20210316161932.6e2d2075@totoro.tlrmx.org> <DM6PR11MB43807A80242CC755A6AE06BF9F6A9@DM6PR11MB4380.namprd11.prod.outlook.com>
X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-redhat-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/SIQOIZlR8GqDShhOnFK33B-dAdY>
Subject: Re: [lamps] [EXTERNAL] draft-ietf-lamps-lightweight-cmp-profile-05 concern
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Mar 2021 16:53:39 -0000
On Wed, 17 Mar 2021 15:42:40 +0000 Mike Ounsworth <Mike.Ounsworth@entrust.com> wrote: > Hi Nick, > > That's what PAKEs are for, right? If I'm following the TLS WG > properly, the TLS 1.3 PAKE draft (draft-barnes-tls-pake) expired in > 2019 and PAKEs did not make it into 1.3. Is that right? I have replied (and I see someone else also replied) mentioning the work to integrate OPAQUE. This may be too complicated for a "lightweight" profile or it might delay publication unacceptably but others will know better. > Looking at Hendrik's slides and I-D, I see proposals for specifying > TLS 1.2 and 1.3 PSK cipher suites. I also see in the draft: > > * The client MUST use its shared secret information for > authentication. > * The server MUST use a suitable shared secret information for > authentication. > > Nowhere does it refer to this shared secret as a "password". When I examine these slides https://datatracker.ietf.org/meeting/110/materials/slides-110-lamps-lightweight-cmp-profile-updates-cmp-and-cmp-algorithms-00 Or I review the video on which I was commenting: https://youtu.be/DQQ4h_M1XYM?t=4453 I see that page 9 explicitly refers to passwords - writing "We would like to specify suitable TLS cipher suite for use with pre-shared secret information, e.g., passwords" So it seems to me that in fact it does exactly what you've said it does not. It is a problem that so often a value envisioned as a 128-bit PSK - which would be safe for many purposes ends up implemented in real systems as a human readable password - which is much too fragile; and then actually used as a boilerplate value (ie users don't know why it's supposed to be a high entropy secret so they write the name of the company or something) and as a result a cast iron security guarantee in the design becomes so flimsy as to have no value in real usage. Nick.
- [lamps] draft-ietf-lamps-lightweight-cmp-profile-… Nick Lamb
- Re: [lamps] [EXTERNAL] draft-ietf-lamps-lightweig… Mike Ounsworth
- Re: [lamps] [EXTERNAL] draft-ietf-lamps-lightweig… Scott Fluhrer (sfluhrer)
- Re: [lamps] draft-ietf-lamps-lightweight-cmp-prof… Nick Lamb
- Re: [lamps] [EXTERNAL] draft-ietf-lamps-lightweig… Nick Lamb
- Re: [lamps] [EXTERNAL] Re: draft-ietf-lamps-light… Mike Ounsworth
- Re: [lamps] [EXTERNAL] draft-ietf-lamps-lightweig… Mike Ounsworth