Re: [TLS] PSK in 1.3?
"Dan Harkins" <dharkins@lounge.org> Tue, 21 October 2014 18:45 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BDA61A8775 for <tls@ietfa.amsl.com>; Tue, 21 Oct 2014 11:45:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.968
X-Spam-Level:
X-Spam-Status: No, score=-1.968 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ib74_nZYfP2F for <tls@ietfa.amsl.com>; Tue, 21 Oct 2014 11:45:49 -0700 (PDT)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id D499D1A8761 for <tls@ietf.org>; Tue, 21 Oct 2014 11:45:48 -0700 (PDT)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 6511610224008; Tue, 21 Oct 2014 11:45:48 -0700 (PDT)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Tue, 21 Oct 2014 11:45:48 -0700 (PDT)
Message-ID: <3653ffe169c72f3302d605a4bc24bb0d.squirrel@www.trepanning.net>
In-Reply-To: <20141021160247.GP19158@mournblade.imrryr.org>
References: <9A043F3CF02CD34C8E74AC1594475C739B9D3EAE@uxcn10-5.UoA.auckland.ac.nz> <96b88d73f776e16e3f5487643fb59a31.squirrel@www.trepanning.net> <20141021160247.GP19158@mournblade.imrryr.org>
Date: Tue, 21 Oct 2014 11:45:48 -0700
From: Dan Harkins <dharkins@lounge.org>
To: tls@ietf.org
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/LMIDjPTAFGADjBPPN_55DBMIFRA
Subject: Re: [TLS] PSK in 1.3?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Oct 2014 18:45:51 -0000
On Tue, October 21, 2014 9:02 am, Viktor Dukhovni wrote: > On Mon, Oct 20, 2014 at 01:34:38PM -0700, Dan Harkins wrote: > >> The ciphersuites are _completely oblivious_ >> to the type and quality of the credential they use. You can't claim the >> _protocol_ is resistent to dictionary attack if the protocol can be used >> in a manner that makes it susceptible to dictionary attack. > > No protocol is resistant to dictionary attack under the above > definition. The point is that increasing the size of the PSK does not make the _protocol_ resistant to dictionary attack. It just makes the attack harder to successfully conclude. This is not my definition by the way. But instead of paraphrasing, let me quote from "Authenticated Key Exchange Secure Against Dictionary Attacks" by Bellare, Pointcheval, and Rogaway: "A theorem asserting security of some protocol make qualitative how much _computation_ helps and just how much _interaction_ does. One sees whether or not one has security against dictionary attacks by looking to see if maximal adversarial advantage grows primarily with the ratio of interaction to the size of the password space." Increasing the size of the PSK just makes the "password space" larger but that has no effect on interaction. With the TLS PSK ciphersuites, there's one interaction and then there's a whole bunch of computation. Increasing the amount of computation necessary doesn't make the protocol resistant to dictionary attack because there's still just one interaction-- the adversarial advantage does not grow primarily with the ratio of interaction to the size of the search space. And there are protocols that are resistant to dictionary attack under that definition. There's one in the paper. Or look at your favorite PAKE. Dan.
- Re: [TLS] PSK in 1.3? Yoav Nir
- [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Ilari Liusvaara
- Re: [TLS] PSK in 1.3? Eric Rescorla
- Re: [TLS] PSK in 1.3? Ilari Liusvaara
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Yoav Nir
- Re: [TLS] PSK in 1.3? Hauke Mehrtens
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Hauke Mehrtens
- Re: [TLS] PSK in 1.3? Watson Ladd
- Re: [TLS] PSK in 1.3? Jeffrey Walton
- Re: [TLS] PSK in 1.3? Paul Bakker
- Re: [TLS] PSK in 1.3? Eric Rescorla
- Re: [TLS] PSK in 1.3? Eric Rescorla
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Watson Ladd
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Watson Ladd
- Re: [TLS] PSK in 1.3? Peter Gutmann
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Mohamad Badra
- Re: [TLS] PSK in 1.3? Peter Gutmann
- Re: [TLS] PSK in 1.3? Peter Gutmann
- Re: [TLS] PSK in 1.3? Yoav Nir
- Re: [TLS] PSK in 1.3? Viktor Dukhovni
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Ilari Liusvaara
- Re: [TLS] PSK in 1.3? Sven Schäge
- Re: [TLS] PSK in 1.3? Christian Kahlo
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? John Mattsson
- Re: [TLS] PSK in 1.3? Alex Elsayed
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Viktor Dukhovni
- Re: [TLS] PSK in 1.3? Stephen Checkoway
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Stephen Checkoway
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Stephen Checkoway
- Re: [TLS] PSK in 1.3? Viktor Dukhovni
- Re: [TLS] PSK in 1.3? Watson Ladd