Re: [TLS] The PAKE question and PSK
"Dan Harkins" <dharkins@lounge.org> Wed, 02 April 2014 16:39 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8026F1A026D for <tls@ietfa.amsl.com>; Wed, 2 Apr 2014 09:39:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.867
X-Spam-Level:
X-Spam-Status: No, score=-5.867 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pGRUd-c2f5qw for <tls@ietfa.amsl.com>; Wed, 2 Apr 2014 09:39:03 -0700 (PDT)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 1B4FB1A0232 for <tls@ietf.org>; Wed, 2 Apr 2014 09:39:03 -0700 (PDT)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 2DA51A888016; Wed, 2 Apr 2014 09:38:59 -0700 (PDT)
Received: from 24.120.218.98 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Wed, 2 Apr 2014 09:38:59 -0700 (PDT)
Message-ID: <7a41ee191d22df1f5924a68034c74a49.squirrel@www.trepanning.net>
In-Reply-To: <533BBC3C.6000704@gmx.net>
References: <CACsn0cnBXvjo4cCN8htKvmakzhneqq4nXN9WfPdgkqjgBTNpGA@mail.gmail.com> <533BBC3C.6000704@gmx.net>
Date: Wed, 02 Apr 2014 09:38:59 -0700
From: Dan Harkins <dharkins@lounge.org>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Kg-59nF-owRIrh2gjBcFC8sj13s
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] The PAKE question and PSK
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Apr 2014 16:39:07 -0000
Hi Hannes, On Wed, April 2, 2014 12:29 am, Hannes Tschofenig wrote: > Hi Watson, > > I believe there are several aspects that need to be untangled here: > > a) Is there a problem where a strong password-based authentication and > key exchange protocol can help? > > b) Since there are various protocol variants available, which one is the > best for the job? > > Item (a) is about use cases and clearly the Web is not the use case. > There are use cases documented in > http://tools.ietf.org/html/draft-ietf-tls-pwd-04#section-1.1 but I > personally don't quite buy them. > > The constrained device use case is, however, one that I ran into myself > as well. It requires a bit more description since constrained device are > used in various different ways. There are at least three different cases > I have seen: > > 1) Device talks to the cloud infrastructure. For this case it is not a > problem to use long symmetric keys since the is nothing for the user to > type. From what authenticated source does this long symmetric key come? > 2) Device talks to another device. There are two variants to this: > > 2a) Pairing / Imprinting > > Here the pairing protocol typically runs a Diffie-Hellman and then you > might have to confirm the initial set-up to avoid MITM attacks (via an > out-of-band channel, such as a human entering something). The "something" the user enters is a simple, low-entropy, easy-to-enter key. That key authenticates a PAKE exchange. > There are obviously many ways to do this pairing procedures and I am > sure you have used many of them already yourself. > > Ekr provided a good overview for a workshop: > http://www.lix.polytechnique.fr/hipercom/SmartObjectSecurity/papers/EricRescorla.pdf And the use of PAKEs is mentioned there. The downside to PAKEs, according to Eric, is use of public key cryptography with a constrained device that is assumed to have limited CPU power. And that's why ECC support in a PAKE is so crucial. > 2b) Key printed on the device itself > > I believe that this is the case you are talking about where you want to > avoid having users enter too many numbers. Today, user's are often only > required to scan a QR code instead of entering something but maybe there > is something to standardize here. Putting a symmetric key in a QR code is a bad idea. Anybody who sees the QR code can determine the secret. As Eric said in the paper you referred to above, "The primary concern with a secret value system is that the value must be kept secret or an attacker can impersonate the base station to the device and vice versa." Indeed. Putting a public key in a QR code is a much better idea (and, again, ECC support is crucial because the x-coordinate of a point on a 256-bit curve produces a usable QR code while a 4096-bit RSA key does not-- too big, too dense, hard-to-impossible to scan). For many devices, though, this only provides one way authentication (not mutual) because the device that scanned the QR code knows definitely it is talking to the device whose QR code was scanned, but the device with the QR code has no idea who it is communicating with. Using a short, easy-to-enter key with a PAKE provides good mutual authentication. Also not every constrained device has a camera interface to scan QR codes with, while many of them do have some limited UI from which the user can enter a short key. > Regarding item (b) about the protocol choice. Given the use cases > previously described I doubt that the "database leaking secrets" is a > bit concern here in these environments. The database in most cases > contains a single key (or a small number of them). Yes, that is correct. A large password database is not envisioned by this use case. In fact, as The whole benefit of an augmented PAKE-- a protected password database-- is not applicable to this use case. > A few years ago Yaron, Glen, Scott and myself co-authored EAP-EKE (RFC > 6124) and we picked EKE because the publications reached their 20 year > anniversary. I remember it well. I wrote EAP-pwd (dragonfly) and Yaron followed with EAP-EKE, I proposed a dragonfly exchange in IKE and Yaron followed with an EKE exchange (which was later abandoned). One of the problems with EKE is that using it with ECC opens the exchange up to a partitioning attack. regards, Dan. > Just something to think about. > > Ciao > Hannes > > > On 04/02/2014 06:28 AM, Watson Ladd wrote: >> Dear all, >> >> I'm afraid that several important points and quite a bit of history >> has been missing from the recent exchange concerning Dragonfly in TLS. >> >> Dragonfly is a modified SPEKE. SPEKE was introduced in 2001. SPEKE has >> a patent that expires in 2016, and a security proof in the ROM under a >> DH style assumption and a reasonable ideal/real attack model. >> Dragonfly was created by Dan Harkins, and adopted in IEEE 802.11s to >> authenticate nodes in a mesh network. It has no security proof despite >> efforts to try and find one. >> >> The intended usecase is provisioning of constrained devices. While one >> could include a 128 bit key on each device and have users type it in >> (as they do for Xbox Live and Windows verification: 25 letters and >> numbers from a 32 bit alphabet) it was felt that this was a bit much. >> PSK will not work with anything that isn't a key, because offline >> attack works beautifully. Nico's concerns about key database >> compromise, etc, are ignoring the realities of this setting: the >> password is the least valuable thing on the device, and since it was >> not entered by the user (as the device has no user interaction >> capability) unlikely to be reused. >> >> Dragonfly was presented at IETF 83. AugPAKE was proven secure in 2010. >> There is currently a draft for AugPAKE in TLS. Unfortunately AugPAKE >> is not specified on ECC groups, but this is easy to fix. (It's also >> ugly to shoehorn into TLS, but the draft seems to do it) PAKEs are not >> on the agenda because of a rather heated controversy about how >> Dragonfly got (seeming) CFRG approval, but there is a good case for >> including them. On the web we have more of a problem due to the UI >> issues that made client certificates a nonstarter. >> >> Sincerely, >> Watson Ladd >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > >
- [TLS] The PAKE question and PSK Watson Ladd
- Re: [TLS] The PAKE question and PSK Hannes Tschofenig
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK Dan Harkins
- Re: [TLS] The PAKE question and PSK Watson Ladd
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK Hannes Tschofenig
- Re: [TLS] The PAKE question and PSK Dan Harkins
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK Dan Harkins
- Re: [TLS] The PAKE question and PSK Watson Ladd
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK Dan Harkins
- Re: [TLS] The PAKE question and PSK Dan Harkins
- Re: [TLS] The PAKE question and PSK Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK SeongHan Shin