Re: [TLS] Fwd: New Version Notification for draft-barnes-tls-pake-00.txt

Jonathan Hoyland <jonathan.hoyland@gmail.com> Mon, 16 April 2018 18:59 UTC

To: Richard Barnes <rlb@ipv.sx>
Cc: Tony Putman <Tony.Putman@dyson.com>, "<tls@ietf.org>" <tls@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/0ki0u0vfvu9oBU39NFAOY90w-hw>

Hi Richard,

That's correct; however, if I have a guess of the password, can I not just
try to connect using that password?
If my guess is correct then the connection will succeed, whereas if my
guess is incorrect then the connection will fail.
I'm assuming here that the salt is public, because salts in general do not
have confidentiality guarantees (otherwise they stretch the metaphor and
become pepper).
(I also assume that the client identity can be derived from observing a
previous session, and that the server identity can be identified through
probing.)

Regards,

Jonathan



On Mon, 16 Apr 2018 at 19:43 Richard Barnes <rlb@ipv.sx> wrote:

> Hey Jonathan,
>
> Thanks for the comments.  I've implemented them in my working copy of the
> draft, and in my implementation in mint.  I have also changed it over to
> use SPAKE2+; I agree with Tony that this is necessary to guard against
> server compromise.
>
>
> https://github.com/bifurcation/tls-pake/commit/a9f097c3bfe43cf50001e1a340c7e2e693850d4b
> https://github.com/bifurcation/mint/pull/193
>
> With regard to security properties: I don't think it's correct that an
> active attacker can do online password guessing.  Everything that is
> revealed on the wire is blinded with fresh, per-connection entropy, and
> thus doesn't reveal anything about the password.
>
> --Richard
>
>
> On Mon, Apr 16, 2018 at 7:52 AM, Jonathan Hoyland <
> jonathan.hoyland@gmail.com> wrote:
>
>> Hi Richard,
>>
>> A few nits.
>>
>> * In the introduction you have the sentence
>> > DISCLAIMER: This is a work-in-progress draft of MLS and has not yet
>> > seen significant security analysis.
>>
>> IIUC this draft has no connection to MLS, and this is a typo.
>>
>> * In the setup you define
>>
>> > o  A DH group "G" of order "p*h", with "p" a large prime
>>
>> and
>>
>> > o  A password "p"
>>
>>
>> The variable "p" has two different meanings, which is a bit confusing,
>> especially later on.
>>
>> * The document doesn't explicitly state that X and Y need to be non-zero.
>> The requirement is in "I-D.irtf-cfrg-spake2", but it would be nice if the
>> warning was carried through.
>>
>> * In terms of security properties, IIUC an active adversary can do online
>> password guessing attacks, but a passive adversary cannot derive the
>> password from observing the messages. If that is the case perhaps a warning
>> about rate-limiting connection attempts is appropriate.
>>
>> Regards,
>>
>> Jonathan
>>
>> On Mon, 16 Apr 2018 at 10:50 Tony Putman <Tony.Putman@dyson.com> wrote:
>>
>>> Hi Richard,
>>>
>>> I don't think that you can protect against server compromise with
>>> SPAKE2. The server can store w*N as you suggest, but it also has to store
>>> w*M because it must calculate y*(T-w*M). An attacker that learns w*M and
>>> w*N from a compromised server can then impersonate a client.
>>>
>>> The rest of your comments I agree with (though they are not all
>>> addressed in the updated draft).
>>>
>>> Tony
>>>
>>> > From: Richard Barnes [mailto:rlb@ipv.sx]
>>> > Sent: 13 April 2018 19:50
>>> >
>>> > Hey Tony,
>>> >
>>> > Thanks for the comments.  Hopefully we can adapt this document to tick
>>> > more boxes for you :)
>>> > Since I had noticed some other errors in the document (e.g., figures
>>> > not rendering properly), I went ahead and submitted a new version that
>>> > takes these comments into account.
>>> >
>>> > https://tools.ietf.org/html/draft-barnes-tls-pake-01
>>> >
>>> > Some responses inline below.
>>>
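Added example (not code from the draft, from mint, or from anyone in the thread): a toy Python SPAKE2+ run over a constructed tiny Schnorr group, showing the server record holding only (w0, L = g^w1) rather than w1 (Tony's server-compromise point, which the move to SPAKE2+ addresses), the receiver's subgroup and non-identity check (the "X and Y must be non-zero" nit), and that a mismatched password yields mismatched keys and so a failed handshake, the observable outcome behind the rate-limiting suggestion. The group parameters, the SHA-256 stand-in for the password-hardening KDF, and the transcript layout are assumptions, not the draft's.

```python
"""Toy SPAKE2+ over a tiny Schnorr group (added example, not the draft's or mint's code).
Constructed parameters for illustration: q = 1019, p = 2q + 1 = 2039, g = 4; M, N = 9, 25 stand
in for the SPAKE2 constants. Real deployments use the groups fixed by the SPAKE2 draft."""
import hashlib
import secrets

P, Q, G = 2039, 1019, 4   # safe prime p = 2q + 1, subgroup order q, generator of that subgroup
M, N = 9, 25              # fixed squares standing in for the SPAKE2 constants M and N

def valid_element(e: int) -> bool:
    """Receiver check: in the order-q subgroup and not the identity (the draft's non-zero rule)."""
    return 1 < e < P and pow(e, Q, P) == 1

def derive_w0_w1(password: str, salt: bytes) -> tuple:
    """Password -> (w0, w1). The draft uses a memory-hard PBKDF; plain SHA-256 stands in here."""
    h = hashlib.sha256(salt + password.encode()).digest()
    return int.from_bytes(h[:16], "big") % Q, int.from_bytes(h[16:], "big") % Q

def register(password: str, salt: bytes) -> tuple:
    """Server record for SPAKE2+: (w0, L = g^w1). w1 itself never reaches the server."""
    w0, w1 = derive_w0_w1(password, salt)
    return w0, pow(G, w1, P)

def blind(const: int, w0: int) -> tuple:
    """Fresh scalar r and public element g^r * const^w0; resample if it would be the identity."""
    while True:
        r = secrets.randbelow(Q - 1) + 1
        e = pow(G, r, P) * pow(const, w0, P) % P
        if e != 1:
            return r, e

def run_spake2plus(client_pw: str, record: tuple, salt: bytes) -> tuple:
    """One exchange between a client holding client_pw and a server holding record.
    Returns (client_key, server_key); they agree only if the password matched."""
    w0c, w1 = derive_w0_w1(client_pw, salt)
    w0s, L = record
    x, X = blind(M, w0c)   # client sends X = g^x * M^w0
    y, Y = blind(N, w0s)   # server sends Y = g^y * N^w0
    if not (valid_element(Y) and valid_element(X)):   # each side checks what it received
        raise ValueError("received element is not a valid non-identity group element")
    Yu = Y * pow(pow(N, w0c, P), -1, P) % P   # client unblinds with its own w0
    Xu = X * pow(pow(M, w0s, P), -1, P) % P   # server unblinds with the stored w0
    Zc, Vc = pow(Yu, x, P), pow(Yu, w1, P)   # client: Z = g^(xy), V = g^(y*w1)
    Zs, Vs = pow(Xu, y, P), pow(L, y, P)     # server: the same values via y and L
    def key(w0: int, Z: int, V: int) -> str:
        return hashlib.sha256("|".join(map(str, (X, Y, Z, V, w0))).encode()).hexdigest()
    return key(w0c, Zc, Vc), key(w0s, Zs, Vs)
```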