Re: [TLS] I-D Action: draft-ietf-tls-pwd-04.txt
"Dan Harkins" <dharkins@lounge.org> Sat, 29 March 2014 00:07 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69BF81A03F7 for <tls@ietfa.amsl.com>; Fri, 28 Mar 2014 17:07:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.867
X-Spam-Level:
X-Spam-Status: No, score=-3.867 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G2xvxwJca4v4 for <tls@ietfa.amsl.com>; Fri, 28 Mar 2014 17:07:43 -0700 (PDT)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 862A41A03EB for <tls@ietf.org>; Fri, 28 Mar 2014 17:07:43 -0700 (PDT)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 0A037A888012; Fri, 28 Mar 2014 17:07:41 -0700 (PDT)
Received: from 199.127.104.10 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Fri, 28 Mar 2014 17:07:41 -0700 (PDT)
Message-ID: <f8dc8cec46f6126146a7afa2421e43de.squirrel@www.trepanning.net>
In-Reply-To: <CACsn0ckQiNODB9DLj5XpcQDH2ykfD76CoV11-R4JJL+1_Vogfw@mail.gmail.com>
References: <20140328195334.19328.19928.idtracker@ietfa.amsl.com> <CACsn0c==pRzDKd7G=eAhds=o9qexqe9Jb3DgNC9gzh-6xaKcAQ@mail.gmail.com> <dd67ab76dee19a82a0dfcdaa6512b905.squirrel@www.trepanning.net> <CACsn0ckQiNODB9DLj5XpcQDH2ykfD76CoV11-R4JJL+1_Vogfw@mail.gmail.com>
Date: Fri, 28 Mar 2014 17:07:41 -0700
From: Dan Harkins <dharkins@lounge.org>
To: Watson Ladd <watsonbladd@gmail.com>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/F9I9lySRGUvr-nVU7ywT2u9hmDA
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-pwd-04.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Mar 2014 00:07:47 -0000
On Fri, March 28, 2014 4:35 pm, Watson Ladd wrote: > On Fri, Mar 28, 2014 at 6:55 PM, Dan Harkins <dharkins@lounge.org> wrote: >> >> On Fri, March 28, 2014 2:49 pm, Watson Ladd wrote: >>> On Fri, Mar 28, 2014 at 3:53 PM, <internet-drafts@ietf.org> wrote: >>>> >>>> A New Internet-Draft is available from the on-line Internet-Drafts >>>> directories. >>>> This draft is a work item of the Transport Layer Security Working >>>> Group >>>> of the IETF. >>>> >>>> Title : Secure Password Ciphersuites for Transport >>>> Layer Security (TLS) >>>> Authors : Dan Harkins >>>> Dave Halasz >>>> Filename : draft-ietf-tls-pwd-04.txt >>>> Pages : 35 >>>> Date : 2014-03-28 >>> >>> Why should we trust this PAKE? I've got only partial results in this >>> direction, but they are not sufficient for me to adopt it when better >>> validated alternatives exist like those based on distrustful MPC. >> >> I'm not sure what you mean by "we" but it got quite a bit of review >> in CFRG and that resulted in fixing the only real technical issue >> brought >> up: potential for a side-channel attack. Scott Fluhrer came up with a >> way to do a random blinding of a value when checking whether its a >> quadratic residue that effectively addresses that concern. > > "We didn't break it in the four months we've looked at it" is not a > good enough reason. > Given that the experts you have consulted have expressed doubts about > ever determining its security, I'm inclined to be rather more > suspicious of it. It's been more like 2 years, but nevertheless, your complaint is a lack of formal security proof. But that has never been a requirement for a draft in a WG in the Security Area, or any area for that matter, of the IETF. > During the last half of those two months I was trying to show it would > work. The best I can do is reduce it to the two person case, but I > can't get it to anything computational. What a drag, I was hoping you'd come up with something. >> These ciphersuites are drop-in replacements for things like PSK >> ciphersuites, not for popular ones used in browsers. In fact, I agree >> with several on this list who are pointing out that using a PAKE in a >> browser is not a good idea. > > Why is a multi-party computation ala Socialist Millionaire's protocol > in OTR not feasible? That establishes a secure channel based on a > password shared on both ends in a way that is provably secure. > Aug-PAKE can easily be made to work symmetrically: why can't you use > that? There is no draft specifying a multi-party computation ala the Socialist Millionaire's protocol in TLS, much less one that is as mature as TLS-pwd. Aug-PAKE doesn't work in TLS, as shown by draft-shin-tls-augpake-- what's conveyed in the ClientKeyExchange structure since the client's contribution has been overloaded into the ClientHello? Basically, the client must initiate in Aug-PAKE and that forces a square peg into a round hole, or introduces extra rounds. We have gone over this before, but it takes years to get a draft in the state necessary to become an RFC. You said it took more like 30 minutes, but I'm sure you'd like to reevaluate that after your experience with the CFRG I-D you have been writing. In any event, the only draft _right now_ that satisfies the requirements is TLS-pwd. > There are standard models for PAKE security. Does Dragonfly work in > them? It clearly requires the ROM: is that enough? > > You're asking this WG to approve adding a new cryptographic protocol > to TLS with dubious justifications, in fact nonexistent, of security, > when a well-studied body of knowledge on this problem exists. There is > a compelling case for a PAKE: there is not a compelling case for > Dragonfly. The same WG that approved of RFC 4279, a Standards Track RFC that did not have a proof in the ROM because it has no security. Yes, that same WG. I'm proposing a set of robust and misuse-resistant replacements for the RFC 4279 ciphersuites. regards, Dan. > Sincerely, > Watson Ladd >> >> If you're happy doing cert-based TLS, or happy with HTTP Digest >> authentication (or whatever) then these are not for you. But the >> entirety >> of networking is not "the web" and these ciphersuites work well with >> some specific use cases (see the draft). >> >> regards, >> >> Dan. >> >> > > > > -- > "Those who would give up Essential Liberty to purchase a little > Temporary Safety deserve neither Liberty nor Safety." > -- Benjamin Franklin >
- [TLS] I-D Action: draft-ietf-tls-pwd-04.txt internet-drafts
- Re: [TLS] I-D Action: draft-ietf-tls-pwd-04.txt Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-pwd-04.txt Dan Harkins
- Re: [TLS] I-D Action: draft-ietf-tls-pwd-04.txt Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-pwd-04.txt Dan Harkins
- Re: [TLS] I-D Action: draft-ietf-tls-pwd-04.txt Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-pwd-04.txt Cullen Jennings
- Re: [TLS] I-D Action: draft-ietf-tls-pwd-04.txt Nico Williams
- Re: [TLS] I-D Action: draft-ietf-tls-pwd-04.txt Nico Williams
- Re: [TLS] I-D Action: draft-ietf-tls-pwd-04.txt Nico Williams
- Re: [TLS] I-D Action: draft-ietf-tls-pwd-04.txt Dan Harkins
- Re: [TLS] I-D Action: draft-ietf-tls-pwd-04.txt Nico Williams
- Re: [TLS] I-D Action: draft-ietf-tls-pwd-04.txt Dan Harkins
- [TLS] PSK has no security? ... was Re: I-D Action… Hannes Tschofenig