Re: [TLS] PSK in 1.3?
Manuel Pégourié-Gonnard <mpg@polarssl.org> Mon, 20 October 2014 18:07 UTC
Return-Path: <mpg@polarssl.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E504B1A87A9 for <tls@ietfa.amsl.com>; Mon, 20 Oct 2014 11:07:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.397
X-Spam-Level:
X-Spam-Status: No, score=0.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_MISMATCH_COM=0.553, HOST_EQ_NL=1.545, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N__bFxtVlADI for <tls@ietfa.amsl.com>; Mon, 20 Oct 2014 11:07:04 -0700 (PDT)
Received: from vps2.offspark.com (vps2.brainspark.nl [141.138.204.106]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 046BE1A8A86 for <tls@ietf.org>; Mon, 20 Oct 2014 11:06:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=polarssl.org; s=exim; h=Subject:Content-Transfer-Encoding:Content-Type:In-Reply-To:References:CC:To:MIME-Version:From:Date:Message-ID; bh=0aZuJZUwZLFESJcs8RnCcoLBgZyEioDMZXWeSEJ0xF0=; b=lB2sRs4qDE0jE9nLF+hj3TtsVW9yIGYuxJ815OuC1vuj7vty8UmTo+Y/6wEMt7no4a+aKxtLCQwTZTeNRxQuOk8KabjdPCCiBHUrPtne90AvCmuA+dbduiXZPk+yfi8gVp+OmQopwUMk9zmPMtejhU7vor13MIlo26nzwx9Z3rs=;
Received: from thue.elzevir.fr ([88.165.216.11] helo=[192.168.0.124]) by vps2.offspark.com with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <mpg@polarssl.org>) id 1XgHM0-0003xF-MK; Mon, 20 Oct 2014 20:06:49 +0200
Message-ID: <54454F3C.7010305@polarssl.org>
Date: Mon, 20 Oct 2014 20:06:52 +0200
From: Manuel Pégourié-Gonnard <mpg@polarssl.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Dan Harkins <dharkins@lounge.org>, Watson Ladd <watsonbladd@gmail.com>
References: <544384C7.9030002@polarssl.org> <78795A6D-3DFA-41C6-A380-C63DDF4C0285@gmail.com> <5443BF11.3090505@polarssl.org> <1D875BD8-2727-4895-842A-FC4FAA482E15@gmail.com> <5e587b4474939cad09c12cbf3625dd98.squirrel@www.trepanning.net> <CACsn0ck0FRHFek59A5+jxDkDGEtXPT8HejO3wO4HnYfHCw6hYg@mail.gmail.com> <74986741b83a76277b2fcfd1e74a75d4.squirrel@www.trepanning.net>
In-Reply-To: <74986741b83a76277b2fcfd1e74a75d4.squirrel@www.trepanning.net>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-SA-Exim-Connect-IP: 88.165.216.11
X-SA-Exim-Mail-From: mpg@polarssl.org
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000)
X-SA-Exim-Scanned: Yes (on vps2.offspark.com)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/TKInHIFbyKkAdTifT6e_JsCDrC8
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] PSK in 1.3?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Oct 2014 18:07:08 -0000
On 20/10/2014 19:06, Dan Harkins wrote: > There is nothing to flesh out because you seem to not understand > what a dictionary attack is-- but you're in company because neither > did the editors of that RFC. > > Protocols that use a static, symmetric credential like a PSK (or a > password, the difference is semantic) are all flawed because the > adversary is always assumed to have access to a pool from which > the PSK (or password is drawn. Resistance against dictionary attack > is then a demonstration that the advantage gained by the adversary > is due to _interaction_ and not _computation_. > > Merely making the pool from which the PSK is drawn, for instance > by making it a bigger or including mixed case, etc, does not make > the protocol resistant to dictionary attack. >From a theoretical standpoint, the PSK key exchange is indeed vulnerable to a dictionary attack with this definition. In practice, if your keys are 128-bit long and chosen uniformly at random using a good source of entropy, I doubt any real-world adversary is able to gain a non-negligible advantage in the foreseeable future. Also, it should be noted that with this definition, the TLS session keys are vulnerable to a dictionary attack too. In practice, it's not a problem either for the same reason. Obviously the difference between the pre-shared key and the TLS session keys is that the later is short-term while the former is long-term. Which basically boils down to the point that PSK lacks FS. Are you sure you have point besides: - pre-shared key must be chosen with sufficient entropy and - PSK does not offer FS? Manuel. PS: by the way, it seems to me RSA key exchange as it exists in TLS 1.2 is also vulnerable to dictionary attack with the above definition. (Obviously there are more efficient attacks here.)
- Re: [TLS] PSK in 1.3? Yoav Nir
- [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Ilari Liusvaara
- Re: [TLS] PSK in 1.3? Eric Rescorla
- Re: [TLS] PSK in 1.3? Ilari Liusvaara
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Yoav Nir
- Re: [TLS] PSK in 1.3? Hauke Mehrtens
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Hauke Mehrtens
- Re: [TLS] PSK in 1.3? Watson Ladd
- Re: [TLS] PSK in 1.3? Jeffrey Walton
- Re: [TLS] PSK in 1.3? Paul Bakker
- Re: [TLS] PSK in 1.3? Eric Rescorla
- Re: [TLS] PSK in 1.3? Eric Rescorla
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Watson Ladd
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Watson Ladd
- Re: [TLS] PSK in 1.3? Peter Gutmann
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Mohamad Badra
- Re: [TLS] PSK in 1.3? Peter Gutmann
- Re: [TLS] PSK in 1.3? Peter Gutmann
- Re: [TLS] PSK in 1.3? Yoav Nir
- Re: [TLS] PSK in 1.3? Viktor Dukhovni
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Ilari Liusvaara
- Re: [TLS] PSK in 1.3? Sven Schäge
- Re: [TLS] PSK in 1.3? Christian Kahlo
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? John Mattsson
- Re: [TLS] PSK in 1.3? Alex Elsayed
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Viktor Dukhovni
- Re: [TLS] PSK in 1.3? Stephen Checkoway
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Stephen Checkoway
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Stephen Checkoway
- Re: [TLS] PSK in 1.3? Viktor Dukhovni
- Re: [TLS] PSK in 1.3? Watson Ladd