Re: [TLS] The PAKE question and PSK
Watson Ladd <watsonbladd@gmail.com> Wed, 02 April 2014 16:46 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 271B91A0242 for <tls@ietfa.amsl.com>; Wed, 2 Apr 2014 09:46:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.999
X-Spam-Level:
X-Spam-Status: No, score=-3.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, GB_I_LETTER=-2, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GvsqNaeXSIXW for <tls@ietfa.amsl.com>; Wed, 2 Apr 2014 09:45:56 -0700 (PDT)
Received: from mail-yk0-x22e.google.com (mail-yk0-x22e.google.com [IPv6:2607:f8b0:4002:c07::22e]) by ietfa.amsl.com (Postfix) with ESMTP id 969F81A0232 for <tls@ietf.org>; Wed, 2 Apr 2014 09:45:56 -0700 (PDT)
Received: by mail-yk0-f174.google.com with SMTP id 20so429025yks.19 for <tls@ietf.org>; Wed, 02 Apr 2014 09:45:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=kDhdcthnKDHjSCJoHSmnM1b/eE0vygMVN0LouIlIudo=; b=g+GF1rxmSuB3j4eyX7LxGz7vGIM6bysGsCBXIliICRixuQFxb/wM1wF+Qco+je8HxG yHqPDoFCog573JLWAozdJYIRvINag6b2oVV9JA+v+NUavL4OS2QccFu50jhuXSHDl/Ub oQvKFkjBUeHD0DOIzuSN4ecMM7rnf8ahqYOqyPlhySOLS1//Sp5IMmy0p0rgn2Hr8Pd7 TVUP95XCkCzcrYsRT6omDqlWo0U0ubHJ43uzPC7wEluPZ8zDgvZgRkx7p6RBwttjcMsi vvHZzqNawMXCJV3E3tj81kPu72OsP3iNIpFKLQ4vVzbYqVCtFsPgt3Gpa2QPQZD3K97+ ALcQ==
MIME-Version: 1.0
X-Received: by 10.236.198.243 with SMTP id v79mr1933477yhn.87.1396457152568; Wed, 02 Apr 2014 09:45:52 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Wed, 2 Apr 2014 09:45:52 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Wed, 2 Apr 2014 09:45:52 -0700 (PDT)
In-Reply-To: <7a41ee191d22df1f5924a68034c74a49.squirrel@www.trepanning.net>
References: <CACsn0cnBXvjo4cCN8htKvmakzhneqq4nXN9WfPdgkqjgBTNpGA@mail.gmail.com> <533BBC3C.6000704@gmx.net> <7a41ee191d22df1f5924a68034c74a49.squirrel@www.trepanning.net>
Date: Wed, 02 Apr 2014 09:45:52 -0700
Message-ID: <CACsn0cnYUy9Xm4Ed9DPYi8uWHoj=bR--gq+2jb17CFNmYQnNVQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Dan Harkins <dharkins@lounge.org>
Content-Type: multipart/alternative; boundary="089e0160bea685ff0304f6120440"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/KGKmeBoyZOBJcUmAPMmUsmL7e5g
Cc: tls@ietf.org
Subject: Re: [TLS] The PAKE question and PSK
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Apr 2014 16:46:01 -0000
On Apr 2, 2014 9:39 AM, "Dan Harkins" <dharkins@lounge.org> wrote: > > > Hi Hannes, > > On Wed, April 2, 2014 12:29 am, Hannes Tschofenig wrote: > > Hi Watson, > > > > I believe there are several aspects that need to be untangled here: > > > > a) Is there a problem where a strong password-based authentication and > > key exchange protocol can help? > > > > b) Since there are various protocol variants available, which one is the > > best for the job? > > > > Item (a) is about use cases and clearly the Web is not the use case. > > There are use cases documented in > > http://tools.ietf.org/html/draft-ietf-tls-pwd-04#section-1.1 but I > > personally don't quite buy them. > > > > The constrained device use case is, however, one that I ran into myself > > as well. It requires a bit more description since constrained device are > > used in various different ways. There are at least three different cases > > I have seen: > > > > 1) Device talks to the cloud infrastructure. For this case it is not a > > problem to use long symmetric keys since the is nothing for the user to > > type. > > From what authenticated source does this long symmetric key come? The manufacturer. > > > 2) Device talks to another device. There are two variants to this: > > > > 2a) Pairing / Imprinting > > > > Here the pairing protocol typically runs a Diffie-Hellman and then you > > might have to confirm the initial set-up to avoid MITM attacks (via an > > out-of-band channel, such as a human entering something). > > The "something" the user enters is a simple, low-entropy, easy-to-enter > key. That key authenticates a PAKE exchange. > > > There are obviously many ways to do this pairing procedures and I am > > sure you have used many of them already yourself. > > > > Ekr provided a good overview for a workshop: > > http://www.lix.polytechnique.fr/hipercom/SmartObjectSecurity/papers/EricRescorla.pdf > > And the use of PAKEs is mentioned there. The downside to PAKEs, according > to Eric, is use of public key cryptography with a constrained device that is > assumed to have limited CPU power. And that's why ECC support in a PAKE > is so crucial. > > > 2b) Key printed on the device itself > > > > I believe that this is the case you are talking about where you want to > > avoid having users enter too many numbers. Today, user's are often only > > required to scan a QR code instead of entering something but maybe there > > is something to standardize here. > > Putting a symmetric key in a QR code is a bad idea. Anybody who > sees the QR code can determine the secret. As Eric said in the paper > you referred to above, "The primary concern with a secret value system > is that the value must be kept secret or an attacker can impersonate the > base station to the device and vice versa." Indeed. > > Putting a public key in a QR code is a much better idea (and, again, > ECC support is crucial because the x-coordinate of a point on a 256-bit > curve produces a usable QR code while a 4096-bit RSA key does not-- too > big, too dense, hard-to-impossible to scan). For many devices, though, this > only provides one way authentication (not mutual) because the device that > scanned the QR code knows definitely it is talking to the device whose QR > code was scanned, but the device with the QR code has no idea who it is > communicating with. Using a short, easy-to-enter key with a PAKE > provides good mutual authentication. > > Also not every constrained device has a camera interface to scan QR > codes with, while many of them do have some limited UI from which > the user can enter a short key. > > > Regarding item (b) about the protocol choice. Given the use cases > > previously described I doubt that the "database leaking secrets" is a > > bit concern here in these environments. The database in most cases > > contains a single key (or a small number of them). > > Yes, that is correct. A large password database is not envisioned by > this use case. In fact, as The whole benefit of an augmented PAKE-- > a protected password database-- is not applicable to this use case. > > > A few years ago Yaron, Glen, Scott and myself co-authored EAP-EKE (RFC > > 6124) and we picked EKE because the publications reached their 20 year > > anniversary. > > I remember it well. I wrote EAP-pwd (dragonfly) and Yaron followed > with EAP-EKE, I proposed a dragonfly exchange in IKE and Yaron followed > with an EKE exchange (which was later abandoned). > > One of the problems with EKE is that using it with ECC opens the > exchange up to a partitioning attack. Not if you use a uniform representation like Elligator. > > regards, > > Dan. > > > Just something to think about. > > > > Ciao > > Hannes > > > > > > On 04/02/2014 06:28 AM, Watson Ladd wrote: > >> Dear all, > >> > >> I'm afraid that several important points and quite a bit of history > >> has been missing from the recent exchange concerning Dragonfly in TLS. > >> > >> Dragonfly is a modified SPEKE. SPEKE was introduced in 2001. SPEKE has > >> a patent that expires in 2016, and a security proof in the ROM under a > >> DH style assumption and a reasonable ideal/real attack model. > >> Dragonfly was created by Dan Harkins, and adopted in IEEE 802.11s to > >> authenticate nodes in a mesh network. It has no security proof despite > >> efforts to try and find one. > >> > >> The intended usecase is provisioning of constrained devices. While one > >> could include a 128 bit key on each device and have users type it in > >> (as they do for Xbox Live and Windows verification: 25 letters and > >> numbers from a 32 bit alphabet) it was felt that this was a bit much. > >> PSK will not work with anything that isn't a key, because offline > >> attack works beautifully. Nico's concerns about key database > >> compromise, etc, are ignoring the realities of this setting: the > >> password is the least valuable thing on the device, and since it was > >> not entered by the user (as the device has no user interaction > >> capability) unlikely to be reused. > >> > >> Dragonfly was presented at IETF 83. AugPAKE was proven secure in 2010. > >> There is currently a draft for AugPAKE in TLS. Unfortunately AugPAKE > >> is not specified on ECC groups, but this is easy to fix. (It's also > >> ugly to shoehorn into TLS, but the draft seems to do it) PAKEs are not > >> on the agenda because of a rather heated controversy about how > >> Dragonfly got (seeming) CFRG approval, but there is a good case for > >> including them. On the web we have more of a problem due to the UI > >> issues that made client certificates a nonstarter. > >> > >> Sincerely, > >> Watson Ladd > >> > >> _______________________________________________ > >> TLS mailing list > >> TLS@ietf.org > >> https://www.ietf.org/mailman/listinfo/tls > >> > > > > >
- [TLS] The PAKE question and PSK Watson Ladd
- Re: [TLS] The PAKE question and PSK Hannes Tschofenig
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK Dan Harkins
- Re: [TLS] The PAKE question and PSK Watson Ladd
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK Hannes Tschofenig
- Re: [TLS] The PAKE question and PSK Dan Harkins
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK Dan Harkins
- Re: [TLS] The PAKE question and PSK Watson Ladd
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK Dan Harkins
- Re: [TLS] The PAKE question and PSK Dan Harkins
- Re: [TLS] The PAKE question and PSK Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK SeongHan Shin