Re: [TLS] PSK in 1.3?

["Dan Harkins" <dharkins@lounge.org>]

On Mon, February 23, 2015 5:15 pm, Stephen Checkoway wrote:
>
> On Feb 23, 2015, at 7:06 PM, Dan Harkins <dharkins@lounge.org> wrote:
>
>>
>> On Mon, February 23, 2015 12:55 pm, Stephen Checkoway wrote:
>>>
>>> On Feb 23, 2015, at 12:34 PM, Dan Harkins <dharkins@lounge.org> wrote:
>>>
>>>> On Sat, February 21, 2015 12:45 am, Alex Elsayed wrote:
>>>>> No, its model is "For shared keys drawn uniformly from {0,1}^n, this
>>>>> is
>>>>> secure".
>>>>
>>>> No, it's not. If n=8 then the attack is trivial and succeeds almost
>>>> instantaneously. If n=128 then with high probability a dictionary
>>>> attack
>>>> will not be successful. But in neither case is that "secure".
>>>
>>> What is your definition of secure then?
>>
>>  I meant _the protocol_ is not secure in either case. The protocol
>> doesn't
>> magically become secure because it gets used differently. I gave a
>> definition in this thread already.
>
> I must be missing something here. You're saying that since an adversary
> can, in theory, enumerate 2^n possible pre-shared keys for any n, the
> protocol is insecure.

  I'm saying that since the security of the protocol depends on it being
used right, _the protocol_ cannot be said to be secure.

> I don't see how to square that with Bellare-Pointcheval-Rogaway's
> definitions (which I think is what you're using as your definition of
> security). You write,
>
>> Namely, "In a protocol we deem 'good' the adversary's chance to defeat
>> protocol goals will depend on how much she interacts with protocol
>> participants-- it won't significantly depend on her off-line computing
>> time." By that criteria, TLS-PSK is not good.
>
> But that seems to misunderstand the quoted sentence. It's the adversaries
> chance to defeat the protocol goals which is deemed to be good, not the
> protocol itself. More to the point, the security of a protocol is defined
> in terms of an adversary running in time t and making q queries. If the
> passwords are drawn from a space of size N, then the fact that an
> adversary which runs in time N or makes N queries can have advantage 1
> doesn't really tell us anything. See, for example, Theorem 1 of the BPR
> paper. If q_se = N, then the advantage is bounded by 1, but of course it
> is. That doesn't make the protocol under consideration insecure due to
> dictionary attacks. Indeed, see remark 9 just below noting that making N
> larger makes dictionary attacks moot.

  No, I don't think you understand the quoted sentence.  Note how they say,
"In a protocol we deem 'good'…" That right there means they're talking about
the protocol being good or not, and not the adversary's chance to defeat
protocol goals. The adversary's chance of defeating protocol goals will grow
(by exploiting the flaw in all protocols that authenticate using a symmetric
key/code/word/phrase), it's a matter of how. The _protocol_ is deemed
"good" if the adversary's advantage grows as a function of computing, not
as a function of interaction with protocol participants.

  As Remark 8 notes, "The resistance to dictionary attacks is captured
by the first term which is the number of send queries divided by the size
of the password space." Making q_se = N means that the number of
interactions is equal to the size of the password space and that does
not capture resistance to dictionary attack.

 It is obvious that a making n large enough can make a dictionary attack
moot. I have not said otherwise. It just doesn't make _the protocol_
resistant to dictionary attack.

  Dan.