Re: [TLS] PSK in 1.3?

"Dan Harkins" <dharkins@lounge.org> Mon, 20 October 2014 20:34 UTC

Message-ID: <96b88d73f776e16e3f5487643fb59a31.squirrel@www.trepanning.net>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C739B9D3EAE@uxcn10-5.UoA.auckland.ac.nz>
Date: Mon, 20 Oct 2014 13:34:38 -0700
From: Dan Harkins <dharkins@lounge.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: tls@ietf.org
Subject: Re: [TLS] PSK in 1.3?
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/IP6s3t0W-b5MViVJsnbnyXiL-N0

On Mon, October 20, 2014 1:00 pm, Peter Gutmann wrote:
> Dan Harkins <dharkins@lounge.org> writes:
>
>>There is nothing to flesh out because you seem to not understand what a
>>dictionary attack is-- but you're in company because neither did the editors
>>of that RFC.
>>
>>Protocols that use a static, symmetric credential like a PSK (or a password,
>>the difference is semantic) are all flawed because the adversary is always
>>assumed to have access to a pool from which the PSK (or password) is drawn.
>
> As Watson has already pointed out, the protocol name is "preshared key", not
> "preshared password" as you seem to think.  I've been party to the deployment
> of several PSK-based devices/systems, for which the pool from which the PSK is
> drawn is well-known to an attacker, it ranges from 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 to FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF. Since
> I've now given you what you need to know, I'll let you go away and brute-force
> the system.  Let us know when you're done.

  Is that the "royal we"?

  And, you need to supply a bit more than that information to enable
a dictionary attack (such as the data that contains a hash of the PSK plus
other information known to the attacker). But you were making a sarcastic
point, not a technical point, weren't you?

  The issue is not so much the range, it's which values in that range are
going to be valid PSKs and which are not. But, again, you were being
sarcastic so a technical response is somewhat unnecessary.

  And, yes, I did notice that Watson said that the RFC is "pre-shared key"
and not "pre-shared password" but, as I said (did you notice?), that is
merely a semantic difference. The ciphersuites are _completely oblivious_
to the type and quality of the credential they use. You can't claim the
_protocol_ is resistant to dictionary attack if the protocol can be used
in a manner that makes it susceptible to dictionary attack.

  I have witnessed, and sadly been party to, many deployments of PSK-based
devices/systems for which the pool that the PSK is drawn from is the same
pool as you describe above. Unfortunately, they did something like
PBKDF2(easy-to-enter-keystream) to generate this PSK, which is not a
"password", in this huge range. And I encourage you to search the
Internet for "coWPAtty" to get a nice tool to attack them. Of course, you
will need to also supply a tcpdump of the exchange but that's easy to
capture.

  regards,

  Dan.
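The attack described in the message above, as an added worked example that is not part of the original thread, of coWPAtty, or of any TLS implementation. It models the two ingredients Dan names: a captured transcript containing a keyed hash of the PSK over data the attacker also sees (the nonces), and a PSK that was derived with PBKDF2 from a passphrase in a guessable pool. The HMAC-over-nonces "proof" is a simplified stand-in for a real authenticator, not TLS 1.3's PSK binder or WPA2's 4-way handshake MIC; the salt, iteration count and wordlist are constructed for the demonstration. The same protocol is run twice, once with a passphrase-derived PSK and once with a PSK drawn uniformly from the full 128-bit range, to show that the protocol itself is oblivious to the difference and only the credential pool decides the outcome.

```python
"""Offline dictionary attack against a PSK-authenticated exchange (toy model).

Assumptions (hypothetical, not from the thread or any spec): the client
proves possession of the PSK by sending HMAC(PSK, nonces); a passive
observer captures both nonces and that proof; some deployments derive the
PSK as PBKDF2(passphrase, salt).
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 4096        # assumption; the count WPA2-PSK uses for its PMK
PSK_LEN = 16                    # a 128-bit PSK: the 00 00 ... 00 to FF FF ... FF range
SALT = b"home-wifi"             # constructed; plays the role of an SSID-style salt
WORDLIST = ["letmein", "hunter2", "password123", "correcthorse"]  # constructed


def psk_from_passphrase(passphrase, salt=SALT):
    """Stretch a human-entered passphrase into a full-width PSK.

    The result is a 16-byte value somewhere in the 00..FF range, which is
    why the range alone says nothing about how hard the PSK is to guess.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, PSK_LEN)


def client_proof(psk, client_nonce, server_nonce):
    """On-the-wire authenticator: a keyed hash of the PSK over public data."""
    msg = b"psk-proof" + client_nonce + server_nonce
    return hmac.new(psk, msg, hashlib.sha256).digest()


def capture_handshake(psk):
    """What a passive observer (tcpdump) sees: both nonces and the proof, never the PSK."""
    client_nonce = os.urandom(32)
    server_nonce = os.urandom(32)
    return {"client_nonce": client_nonce,
            "server_nonce": server_nonce,
            "proof": client_proof(psk, client_nonce, server_nonce)}


def dictionary_attack(capture, wordlist, salt=SALT):
    """Recompute the proof for each candidate passphrase and compare.

    Returns the recovered passphrase, or None if no candidate matches.
    Cost is one PBKDF2 plus one HMAC per candidate, all done offline.
    """
    for candidate in wordlist:
        guess_psk = psk_from_passphrase(candidate, salt)
        guess = client_proof(guess_psk, capture["client_nonce"], capture["server_nonce"])
        if hmac.compare_digest(guess, capture["proof"]):
            return candidate
    return None


def demo():
    """Same protocol, two credential pools. Returns (weak_result, random_result)."""
    # Deployment A: PSK derived from a passphrase that is in the attacker's dictionary.
    weak_psk = psk_from_passphrase("password123")
    recovered = dictionary_attack(capture_handshake(weak_psk), WORDLIST)

    # Deployment B: PSK drawn uniformly from the full 2**128 range.
    random_psk = os.urandom(PSK_LEN)
    not_recovered = dictionary_attack(capture_handshake(random_psk), WORDLIST)
    return recovered, not_recovered


if __name__ == "__main__":
    weak, strong = demo()
    print("passphrase-derived PSK recovered as:", weak)   # password123
    print("uniformly random PSK recovered as:  ", strong) # None
```

The captured transcript is identical in shape in both runs; nothing in the protocol distinguishes them. Real tools such as coWPAtty apply exactly this loop to WPA2's actual derivation, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, checking each candidate against the MIC in the captured EAPOL frames.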