IETF Logo Mail Archive

Re: [TLS] draft on new TLS key exchange

Martin Rex <mrex@sap.com> Thu, 06 October 2011 19:03 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D47411F0C5D for <tls@ietfa.amsl.com>; Thu, 6 Oct 2011 12:03:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.07
X-Spam-Level:
X-Spam-Status: No, score=-10.07 tagged_above=-999 required=5 tests=[AWL=0.179, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ggPP1KCXnyPa for <tls@ietfa.amsl.com>; Thu, 6 Oct 2011 12:03:45 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 1281B1F0C3B for <tls@ietf.org>; Thu, 6 Oct 2011 12:03:44 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id p96J6qiE005416 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 6 Oct 2011 21:06:52 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201110061906.p96J6qKa003260@fs4113.wdf.sap.corp>
To: dharkins@lounge.org
Date: Thu, 06 Oct 2011 21:06:52 +0200
In-Reply-To: <63ad01d6fca38d4d44979254d6b48178.squirrel@www.trepanning.net> from "Dan Harkins" at Oct 6, 11 09:38:58 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: dhalasz@intwineenergy.com, tls@ietf.org
Subject: Re: [TLS] draft on new TLS key exchange
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Oct 2011 19:03:45 -0000

Dan Harkins wrote:
> 
> Marsh Ray wrote:
> >
> > Comment 4:
> >
> > The hunting and pecking loops for both the ECC and FFC password elements
> > look like a timing oracle to me. They seem to require a large
> > exponentiation or sqrt on every iteration and the number of iterations
> > is data-dependent. If I'm not mistaken, every input to the loop except
> > the password itself is transmitted in cleartext during the handshake.
> >
> > Couldn't an attacker observe the timings of a sufficient number of
> > failed handshakes to enable an offline brute force attack on the
> > low-entropy password?

I agree with Marsh, it is difficult to conceive how to implement
this without being a timing oracle.

The question is, how much does it help you.

If you already have an account or could create one, then the timing
would help you sort out unlikely passwords, I assume, because you
know the algorithm and can determine "off-line" whether a computation
for a newly guessed password is faster or slower than your own password
and you can measure the servers response times for your password and
for the unknown password and therefore know their relation.


> 
>   This is a very good point. I think the attacker would have to observe
> successful handshakes though. It's the number of times through the loop
> until the PE is determined that the attacker wants to know and a failed
> guess will not provide any useful information.

I don't find it very attractive if an authentication protocol gives
an attacker a huge advantage at guessing an unknown account credential
if he can create or obtain a valid account credential.



I also feel very uncomforable with the extremely vague term
"low-entropy password" and the idea that this could be secure.


"low-entropy" to me means something like a 4-digit numeric PIN,
e.g. a complexity of 10^4 or 2^13.28

The only means to retain a meaningful security margin against
brute-force attacks is a very low lockout counter (e.g 2^4 or less).

If the whole handshake takes 1 second to complete (or fail), then
a brute force of the entire 2^13.28 entropy universe completes
in less than 3 hours.  Without a lockout, there just is not any
meaningful security possible.


-Martin

v2.23.0 | Report a Bug | By Email