IETF Logo Mail Archive

Re: [TLS] The PAKE question and PSK

Watson Ladd <watsonbladd@gmail.com> Wed, 02 April 2014 16:46 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 271B91A0242 for <tls@ietfa.amsl.com>; Wed, 2 Apr 2014 09:46:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.999
X-Spam-Level:
X-Spam-Status: No, score=-3.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, GB_I_LETTER=-2, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GvsqNaeXSIXW for <tls@ietfa.amsl.com>; Wed, 2 Apr 2014 09:45:56 -0700 (PDT)
Received: from mail-yk0-x22e.google.com (mail-yk0-x22e.google.com [IPv6:2607:f8b0:4002:c07::22e]) by ietfa.amsl.com (Postfix) with ESMTP id 969F81A0232 for <tls@ietf.org>; Wed, 2 Apr 2014 09:45:56 -0700 (PDT)
Received: by mail-yk0-f174.google.com with SMTP id 20so429025yks.19 for <tls@ietf.org>; Wed, 02 Apr 2014 09:45:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=kDhdcthnKDHjSCJoHSmnM1b/eE0vygMVN0LouIlIudo=; b=g+GF1rxmSuB3j4eyX7LxGz7vGIM6bysGsCBXIliICRixuQFxb/wM1wF+Qco+je8HxG yHqPDoFCog573JLWAozdJYIRvINag6b2oVV9JA+v+NUavL4OS2QccFu50jhuXSHDl/Ub oQvKFkjBUeHD0DOIzuSN4ecMM7rnf8ahqYOqyPlhySOLS1//Sp5IMmy0p0rgn2Hr8Pd7 TVUP95XCkCzcrYsRT6omDqlWo0U0ubHJ43uzPC7wEluPZ8zDgvZgRkx7p6RBwttjcMsi vvHZzqNawMXCJV3E3tj81kPu72OsP3iNIpFKLQ4vVzbYqVCtFsPgt3Gpa2QPQZD3K97+ ALcQ==
MIME-Version: 1.0
X-Received: by 10.236.198.243 with SMTP id v79mr1933477yhn.87.1396457152568; Wed, 02 Apr 2014 09:45:52 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Wed, 2 Apr 2014 09:45:52 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Wed, 2 Apr 2014 09:45:52 -0700 (PDT)
In-Reply-To: <7a41ee191d22df1f5924a68034c74a49.squirrel@www.trepanning.net>
References: <CACsn0cnBXvjo4cCN8htKvmakzhneqq4nXN9WfPdgkqjgBTNpGA@mail.gmail.com> <533BBC3C.6000704@gmx.net> <7a41ee191d22df1f5924a68034c74a49.squirrel@www.trepanning.net>
Date: Wed, 02 Apr 2014 09:45:52 -0700
Message-ID: <CACsn0cnYUy9Xm4Ed9DPYi8uWHoj=bR--gq+2jb17CFNmYQnNVQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Dan Harkins <dharkins@lounge.org>
Content-Type: multipart/alternative; boundary="089e0160bea685ff0304f6120440"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/KGKmeBoyZOBJcUmAPMmUsmL7e5g
Cc: tls@ietf.org
Subject: Re: [TLS] The PAKE question and PSK
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Apr 2014 16:46:01 -0000

On Apr 2, 2014 9:39 AM, "Dan Harkins" <dharkins@lounge.org> wrote:
>
>
>   Hi Hannes,
>
> On Wed, April 2, 2014 12:29 am, Hannes Tschofenig wrote:
> > Hi Watson,
> >
> > I believe there are several aspects that need to be untangled here:
> >
> > a) Is there a problem where a strong password-based authentication and
> > key exchange protocol can help?
> >
> > b) Since there are various protocol variants available, which one is the
> > best for the job?
> >
> > Item (a) is about use cases and clearly the Web is not the use case.
> > There are use cases documented in
> > http://tools.ietf.org/html/draft-ietf-tls-pwd-04#section-1.1 but I
> > personally don't quite buy them.
> >
> > The constrained device use case is, however, one that I ran into myself
> > as well. It requires a bit more description since constrained device are
> > used in various different ways. There are at least three different cases
> > I have seen:
> >
> > 1) Device talks to the cloud infrastructure. For this case it is not a
> > problem to use long symmetric keys since the is nothing for the user to
> > type.
>
>   From what authenticated source does this long symmetric key come?

The manufacturer.
>
> > 2) Device talks to another device. There are two variants to this:
> >
> >  2a) Pairing / Imprinting
> >
> > Here the pairing protocol typically runs a Diffie-Hellman and then you
> > might have to confirm the initial set-up to avoid MITM attacks (via an
> > out-of-band channel, such as a human entering something).
>
>   The "something" the user enters is a simple, low-entropy, easy-to-enter
> key. That key authenticates a PAKE exchange.
>
> > There are obviously many ways to do this pairing procedures and I am
> > sure you have used many of them already yourself.
> >
> > Ekr provided a good overview for a workshop:
> >
http://www.lix.polytechnique.fr/hipercom/SmartObjectSecurity/papers/EricRescorla.pdf
>
>   And the use of PAKEs is mentioned there. The downside to PAKEs,
according
> to Eric, is use of public key cryptography with a constrained device that
is
> assumed to have limited CPU power. And that's why ECC support in a PAKE
> is so crucial.
>
> >  2b) Key printed on the device itself
> >
> > I believe that this is the case you are talking about where you want to
> > avoid having users enter too many numbers. Today, user's are often only
> > required to scan a QR code instead of entering something but maybe there
> > is something to standardize here.
>
>   Putting a symmetric key in a QR code is a bad idea. Anybody who
> sees the QR code can determine the secret. As Eric said in the paper
> you referred to above, "The primary concern with a secret value system
> is that the value must be kept secret or an attacker can impersonate the
> base station to the device and vice versa." Indeed.
>
>   Putting a public key in a QR code is a much better idea (and, again,
> ECC support is crucial because the x-coordinate of a point on a 256-bit
> curve produces a usable QR code while a 4096-bit RSA key does not-- too
> big, too dense, hard-to-impossible to scan). For many devices, though,
this
> only provides one way authentication (not mutual) because the device that
> scanned the QR code knows definitely it is talking to the device whose QR
> code was scanned, but the device with the QR code has no idea who it is
> communicating with. Using a short, easy-to-enter key with a PAKE
> provides good mutual authentication.
>
>   Also not every constrained device has a camera interface to scan QR
> codes with, while many of them do have some limited UI from which
> the user can enter a short key.
>
> > Regarding item (b) about the protocol choice. Given the use cases
> > previously described I doubt that the "database leaking secrets" is a
> > bit concern here in these environments. The database in most cases
> > contains a single key (or a small number of them).
>
>   Yes, that is correct. A large password database is not envisioned by
> this use case. In fact, as The whole benefit of an augmented PAKE--
> a protected password database-- is not applicable to this use case.
>
> > A few years ago Yaron, Glen, Scott and myself co-authored EAP-EKE (RFC
> > 6124) and we picked EKE because the publications reached their 20 year
> > anniversary.
>
>   I remember it well. I wrote EAP-pwd (dragonfly) and Yaron followed
> with EAP-EKE, I proposed a dragonfly exchange in IKE and Yaron followed
> with an EKE exchange (which was later abandoned).
>
>   One of the problems with EKE is that using it with ECC opens the
> exchange up to a partitioning attack.

Not if you use a uniform representation like Elligator.

>
>   regards,
>
>   Dan.
>
> > Just something to think about.
> >
> > Ciao
> > Hannes
> >
> >
> > On 04/02/2014 06:28 AM, Watson Ladd wrote:
> >> Dear all,
> >>
> >> I'm afraid that several important points and quite a bit of history
> >> has been missing from the recent exchange concerning Dragonfly in TLS.
> >>
> >> Dragonfly is a modified SPEKE. SPEKE was introduced in 2001. SPEKE has
> >> a patent that expires in 2016, and a security proof in the ROM under a
> >> DH style assumption and a reasonable ideal/real attack model.
> >> Dragonfly was created by Dan Harkins, and adopted in IEEE 802.11s to
> >> authenticate nodes in a mesh network. It has no security proof despite
> >> efforts to try and find one.
> >>
> >> The intended usecase is provisioning of constrained devices. While one
> >> could include a 128 bit key on each device and have users type it in
> >> (as they do for Xbox Live and Windows verification: 25 letters and
> >> numbers from a 32 bit alphabet) it was felt that this was a bit much.
> >> PSK will not work with anything that isn't a key, because offline
> >> attack works beautifully. Nico's concerns about key database
> >> compromise, etc, are ignoring the realities of this setting: the
> >> password is the least valuable thing on the device, and since it was
> >> not entered by the user (as the device has no user interaction
> >> capability) unlikely to be reused.
> >>
> >> Dragonfly was presented at IETF 83. AugPAKE was proven secure in 2010.
> >> There is currently a draft for AugPAKE in TLS. Unfortunately AugPAKE
> >> is not specified on ECC groups, but this is easy to fix. (It's also
> >> ugly to shoehorn into TLS, but the draft seems to do it) PAKEs are not
> >> on the agenda because of a rather heated controversy about how
> >> Dragonfly got (seeming) CFRG approval, but there is a good case for
> >> including them. On the web we have more of a problem due to the UI
> >> issues that made client certificates a nonstarter.
> >>
> >> Sincerely,
> >> Watson Ladd
> >>
> >> _______________________________________________
> >> TLS mailing list
> >> TLS@ietf.org
> >> https://www.ietf.org/mailman/listinfo/tls
> >>
> >
> >
>

v2.23.0 | Report a Bug | By Email