Re: [TLS] PSK in 1.3?

Manuel Pégourié-Gonnard <mpg@polarssl.org> Mon, 20 October 2014 18:07 UTC


On 20/10/2014 19:06, Dan Harkins wrote:
>   There is nothing to flesh out because you seem to not understand
> what a dictionary attack is-- but you're in company because neither
> did the editors of that RFC.
> 
>   Protocols that use a static, symmetric credential like a PSK (or a
> password, the difference is semantic) are all flawed because the
> adversary is always assumed to have access to a pool from which
> the PSK (or password) is drawn. Resistance against dictionary attack
> is then a demonstration that the advantage gained by the adversary
> is due to _interaction_ and not _computation_.
> 
>   Merely making the pool from which the PSK is drawn bigger, for instance
> by making it longer or including mixed case, etc., does not make
> the protocol resistant to dictionary attack.

From a theoretical standpoint, the PSK key exchange is indeed vulnerable to a
dictionary attack with this definition. In practice, if your keys are 128-bit
long and chosen uniformly at random using a good source of entropy, I doubt any
real-world adversary is able to gain a non-negligible advantage in the
foreseeable future.

Also, it should be noted that with this definition, the TLS session keys are
vulnerable to a dictionary attack too. In practice, it's not a problem either
for the same reason. Obviously the difference between the pre-shared key and the
TLS session keys is that the latter is short-term while the former is long-term.
Which basically boils down to the point that PSK lacks FS.

Are you sure you have a point besides:
- pre-shared key must be chosen with sufficient entropy and
- PSK does not offer FS?

Manuel.

PS: by the way, it seems to me RSA key exchange as it exists in TLS 1.2 is also
vulnerable to dictionary attack with the above definition. (Obviously there are
more efficient attacks here.)
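Added example, not part of this thread: a Python audit of a server's PSK table that enforces the first condition above (the pre-shared key must be drawn uniformly from a pool of at least 2^128 entries) and flags keys that were clearly drawn from a small pool, such as text passwords or repeated byte patterns. The function names, the sample table and the 128-bit threshold are this example's own assumptions.

```python
import math
import secrets
import string
from typing import Dict, List

MIN_PSK_BITS = 128  # the key size the reply above treats as out of reach for a dictionary attack


def generate_psk(bits: int = MIN_PSK_BITS) -> str:
    """Draw a PSK uniformly at random from a pool of 2^bits keys (hex-encoded for config files)."""
    if bits % 8:
        raise ValueError("bits must be a multiple of 8")
    return secrets.token_hex(bits // 8)


def expected_guesses(pool_bits: float) -> float:
    """Average number of guesses an adversary needs when the PSK pool has 2^pool_bits entries."""
    return 2.0 ** (pool_bits - 1)


def _is_repetition(key: bytes) -> bool:
    """True if the key is a short byte pattern repeated to length (e.g. padded with 0x00 or 'a')."""
    return any(key == key[:n] * (len(key) // n) for n in range(1, len(key)) if len(key) % n == 0)


def audit_psk(key_hex: str, min_bits: int = MIN_PSK_BITS) -> List[str]:
    """Return findings for one configured PSK; an empty list means no objection."""
    try:
        key = bytes.fromhex(key_hex)
    except ValueError:
        return ["not hex: a PSK should be raw random bytes, hex-encoded"]
    findings = []
    if len(key) * 8 < min_bits:
        findings.append(f"only {len(key) * 8} bits, need at least {min_bits}")
    # Printable ASCII throughout almost always means a human-chosen password,
    # i.e. a key drawn from a small pool regardless of its byte length.
    if key and all(chr(b) in string.printable for b in key):
        findings.append("looks like a text password, not random bytes")
    if len(key) > 1 and _is_repetition(key):
        findings.append("repeated byte pattern, effective pool is tiny")
    return findings


def audit_psk_table(table: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit every identity -> key entry; only entries with findings are returned."""
    return {ident: f for ident, key in table.items() if (f := audit_psk(key))}


# Constructed sample table: one fresh random key, one human password, one padded key.
SAMPLE_TABLE = {"device-001": generate_psk(), "legacy-gw": "70617373776f7264", "test-rig": "00" * 16}

if __name__ == "__main__":
    print(f"guesses to break a 128-bit PSK on average: {expected_guesses(MIN_PSK_BITS):.3g}")
    for ident, findings in audit_psk_table(SAMPLE_TABLE).items():
        print(ident, "->", "; ".join(findings))
```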