IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd

"Dan Harkins" <dharkins@lounge.org> Wed, 27 November 2013 22:21 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7206D1AE133 for <tls@ietfa.amsl.com>; Wed, 27 Nov 2013 14:21:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.867
X-Spam-Level:
X-Spam-Status: No, score=-3.867 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6MbM6DHaBk6F for <tls@ietfa.amsl.com>; Wed, 27 Nov 2013 14:21:07 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 513B21ADFE0 for <tls@ietf.org>; Wed, 27 Nov 2013 14:21:07 -0800 (PST)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 8336B10224008; Wed, 27 Nov 2013 14:21:06 -0800 (PST)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Wed, 27 Nov 2013 14:21:06 -0800 (PST)
Message-ID: <e2d8d4a17842e828a3325665a2e5e348.squirrel@www.trepanning.net>
In-Reply-To: <CADMpkc+YAhDNwTk-6XsnUAscPnb7byStTE09e86L-gYhqn6L9Q@mail.gmail.com>
References: <3065D910-832C-47B6-9E0B-2F8DCD2657D2@cisco.com> <9CD5611C-2742-435D-8832-9F85448591BA@qut.edu.au> <CADMpkcJ3wO_GMsSH33B8fQKnnr=nAUdU58bwSkks4ERF9ccAJw@mail.gmail.com> <CADMpkc+YAhDNwTk-6XsnUAscPnb7byStTE09e86L-gYhqn6L9Q@mail.gmail.com>
Date: Wed, 27 Nov 2013 14:21:06 -0800
From: Dan Harkins <dharkins@lounge.org>
To: Bodo Moeller <bmoeller@acm.org>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: tls@ietf.org
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2013 22:21:09 -0000

  Hi Bodo,

On Wed, November 27, 2013 9:09 am, Bodo Moeller wrote:
> 2013/11/19 Bodo Moeller <bmoeller@acm.org>
>
>> 2013/11/8 Douglas Stebila <stebila@qut.edu.au>
>>
>>> I believe that where possible the IETF should aim to standardize
>>> cryptographic protocols that have provable security results.  Such
>>> proofs
>>> of course don't guarantee the protocol is secure in all scenarios, but
>>> at
>>> least rule out some classes of attacks.  In the field of password
>>> authenticated key exchange, there are many provably secure protocols,
>>> and
>>> so it would be preferable to see one such protocol adopted.
>>
>>
>
>> Right.  So there's already an RFC for using SRP in TLS, but it's
>> Informational.  Many other such protocols can be found in the research
>> literature (and, sometimes, in Internet-Drafts).  If we're picking a
>> password-based key exchange for Standards Track, why this one?  What are
>> the advantages of this specific protocol over the others?
>>
>> From a brief look, one drawback of draft-ietf-tls-pwd-01 besides lack of
>> formal security arguments appears to be that it's presumably less
>> efficient
>> than some other such protocols ("hunt-and-peck" loop).
>>
>
> Besides the *general* security concerns about this protocol (cursory
> review
> by CFRG doesn't make up for a lack of formal security arguments), here's a
> *specific* concern.  (This should be considered "pars pro toto": for all
> we
> know, the protocol could have countless other problems, as isn't uncommon
> for cryptographic protocols not justified by format security arguments.)
>
> Given how draft-ietf-tls-pwd-02 specifies negotiation of domain
> parameters,
> I think that a trapdoor-prime attack similar to the one I previously
> described for SRP applies (
> https://groups.google.com/forum/#!msg/sci.crypt/JMcCA6FhTDk/e3BKt-CnvQkJ).
>  It makes more sense to standardize domain parameters (allowing a
> selection
> of "named groups").  Full flexibility sounds nice at first, until you
> realize that it couldn't only be used by legitimate protocol participants
> to select groups that they might deem more secure than whatever is
> specified, but could also used by an attacker to select particularly bad
> groups (in particular if the scenario doesn't provide for any
> authentication other than the password-based authentication the protocol
> is meant to provide).

  TLS-pwd does allow for a selection of "named groups". If you look at
the example exchange in appendix A of -02 you'll see that that is how
an elliptic curve is agreed upon (a whole slew of named curves are offered
by the client in the ClientHello and they end up using brainpoolP256r1:
curve_id = 26).

  That said, the issue you bring up remains since it is also possible to
just send the complete domain parameter set. But this is how TLS handles
discrete logarithm-style cryptographic parameter negotiation. So this
issue applies to every TLS cipher suite that provides for some kind of
exchange using discrete logarithm cryptography, including all of the
ones with DH in the key exchange-- i.e. DHE, ECDH, ECDHE, etc. This
"full flexibility" issue sounds more like something for TLSv1.3  than for
TLS-pwd.

  regards,

  Dan.

v2.23.0 | Report a Bug | By Email