Re: [TLS] draft on new TLS key exchange
Martin Rex <mrex@sap.com> Thu, 06 October 2011 19:03 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D47411F0C5D for <tls@ietfa.amsl.com>; Thu, 6 Oct 2011 12:03:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.07
X-Spam-Level:
X-Spam-Status: No, score=-10.07 tagged_above=-999 required=5 tests=[AWL=0.179, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ggPP1KCXnyPa for <tls@ietfa.amsl.com>; Thu, 6 Oct 2011 12:03:45 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 1281B1F0C3B for <tls@ietf.org>; Thu, 6 Oct 2011 12:03:44 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id p96J6qiE005416 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 6 Oct 2011 21:06:52 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201110061906.p96J6qKa003260@fs4113.wdf.sap.corp>
To: dharkins@lounge.org
Date: Thu, 06 Oct 2011 21:06:52 +0200
In-Reply-To: <63ad01d6fca38d4d44979254d6b48178.squirrel@www.trepanning.net> from "Dan Harkins" at Oct 6, 11 09:38:58 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: dhalasz@intwineenergy.com, tls@ietf.org
Subject: Re: [TLS] draft on new TLS key exchange
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Oct 2011 19:03:45 -0000
Dan Harkins wrote: > > Marsh Ray wrote: > > > > Comment 4: > > > > The hunting and pecking loops for both the ECC and FFC password elements > > look like a timing oracle to me. They seem to require a large > > exponentiation or sqrt on every iteration and the number of iterations > > is data-dependent. If I'm not mistaken, every input to the loop except > > the password itself is transmitted in cleartext during the handshake. > > > > Couldn't an attacker observe the timings of a sufficient number of > > failed handshakes to enable an offline brute force attack on the > > low-entropy password? I agree with Marsh, it is difficult to conceive how to implement this without being a timing oracle. The question is, how much does it help you. If you already have an account or could create one, then the timing would help you sort out unlikely passwords, I assume, because you know the algorithm and can determine "off-line" whether a computation for a newly guessed password is faster or slower than your own password and you can measure the servers response times for your password and for the unknown password and therefore know their relation. > > This is a very good point. I think the attacker would have to observe > successful handshakes though. It's the number of times through the loop > until the PE is determined that the attacker wants to know and a failed > guess will not provide any useful information. I don't find it very attractive if an authentication protocol gives an attacker a huge advantage at guessing an unknown account credential if he can create or obtain a valid account credential. I also feel very uncomforable with the extremely vague term "low-entropy password" and the idea that this could be secure. "low-entropy" to me means something like a 4-digit numeric PIN, e.g. a complexity of 10^4 or 2^13.28 The only means to retain a meaningful security margin against brute-force attacks is a very low lockout counter (e.g 2^4 or less). If the whole handshake takes 1 second to complete (or fail), then a brute force of the entire 2^13.28 entropy universe completes in less than 3 hours. Without a lockout, there just is not any meaningful security possible. -Martin
- [TLS] draft on new TLS key exchange Dan Harkins
- Re: [TLS] draft on new TLS key exchange Geoffrey Keating
- Re: [TLS] draft on new TLS key exchange Dan Harkins
- Re: [TLS] draft on new TLS key exchange Jean-Marc Desperrier
- Re: [TLS] draft on new TLS key exchange Peter Gutmann
- Re: [TLS] draft on new TLS key exchange Dan Harkins
- Re: [TLS] draft on new TLS key exchange Peter Gutmann
- Re: [TLS] draft on new TLS key exchange Dan Harkins
- Re: [TLS] draft on new TLS key exchange Dan Harkins
- Re: [TLS] draft on new TLS key exchange Marsh Ray
- Re: [TLS] draft on new TLS key exchange Yoav Nir
- Re: [TLS] draft on new TLS key exchange Marsh Ray
- Re: [TLS] draft on new TLS key exchange Dan Harkins
- Re: [TLS] draft on new TLS key exchange Marsh Ray
- Re: [TLS] draft on new TLS key exchange Martin Rex
- [TLS] TLS-EAP. Was: draft on new TLS key exchange Anders Rundgren
- Re: [TLS] TLS-EAP. Was: draft on new TLS key exch… Marsh Ray
- Re: [TLS] draft on new TLS key exchange Marsh Ray
- Re: [TLS] draft on new TLS key exchange Dan Harkins
- Re: [TLS] draft on new TLS key exchange Philip Gladstone
- Re: [TLS] draft on new TLS key exchange Peter Gutmann
- Re: [TLS] draft on new TLS key exchange Dan Harkins
- Re: [TLS] draft on new TLS key exchange Dan Harkins
- Re: [TLS] draft on new TLS key exchange Dan Harkins
- Re: [TLS] draft on new TLS key exchange Peter Gutmann
- Re: [TLS] draft on new TLS key exchange Dan Harkins
- Re: [TLS] draft on new TLS key exchange Jean-Marc Desperrier
- Re: [TLS] draft on new TLS key exchange Martin Rex
- Re: [TLS] draft on new TLS key exchange Rene Struik
- Re: [TLS] draft on new TLS key exchange Nico Williams
- Re: [TLS] draft on new TLS key exchange Peter Gutmann
- Re: [TLS] draft on new TLS key exchange Nico Williams
- Re: [TLS] draft on new TLS key exchange Peter Gutmann
- Re: [TLS] draft on new TLS key exchange Steven Bellovin
- Re: [TLS] draft on new TLS key exchange Anders Rundgren
- Re: [TLS] draft on new TLS key exchange Steven Bellovin