[TLS] The PAKE question and PSK
Watson Ladd <watsonbladd@gmail.com> Wed, 02 April 2014 04:28 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80CA21A0120 for <tls@ietfa.amsl.com>; Tue, 1 Apr 2014 21:28:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4
X-Spam-Level:
X-Spam-Status: No, score=-4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, GB_I_LETTER=-2, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U_Ma7IADwqhM for <tls@ietfa.amsl.com>; Tue, 1 Apr 2014 21:28:44 -0700 (PDT)
Received: from mail-yh0-x22c.google.com (mail-yh0-x22c.google.com [IPv6:2607:f8b0:4002:c01::22c]) by ietfa.amsl.com (Postfix) with ESMTP id 3372A1A011D for <tls@ietf.org>; Tue, 1 Apr 2014 21:28:44 -0700 (PDT)
Received: by mail-yh0-f44.google.com with SMTP id f10so10068596yha.31 for <tls@ietf.org>; Tue, 01 Apr 2014 21:28:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:cc:content-type; bh=Yfutz/3stomzToBD9Tb06icCLPqLyMdIy+Az9uJLm5I=; b=xJoghtNxIVKopcJyF/O12xoXDeT3KTaUwsEJUWwkJ5w69MC2+ctf73EFgriTA7edH8 KAkPmM07CNeqV+fPVeBsTq4wqln2i1WZ1Jlt4TBvzUHZL5AIs2WHOnOqC/+nvzQHahnh 1oLZTNR0FtJ7A8w2x0r9JZMbnDlM5SNFFw+dGm2oNqg5MoTRW0gwoBm7FeQjHuiek0eI t0y3+0h5LG7Q+eIy8tKPptmSswKOL4pyOXSCaL5YMqbrSciRc4+2h1xzcRNpg2s9JwTv wogDpDDJhxPLdSod30R1rlgO+fzfW9cxpYzXmledNOOC7P72naakUU087nuKG3ug9ALG SlGA==
MIME-Version: 1.0
X-Received: by 10.236.140.16 with SMTP id d16mr50973863yhj.55.1396412920395; Tue, 01 Apr 2014 21:28:40 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Tue, 1 Apr 2014 21:28:40 -0700 (PDT)
Date: Tue, 01 Apr 2014 21:28:40 -0700
Message-ID: <CACsn0cnBXvjo4cCN8htKvmakzhneqq4nXN9WfPdgkqjgBTNpGA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Dan Harkins <dharkins@lounge.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/ZWivv4Ssc6QJiANFeEQFIoX0LgY
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: [TLS] The PAKE question and PSK
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Apr 2014 04:28:45 -0000
Dear all, I'm afraid that several important points and quite a bit of history has been missing from the recent exchange concerning Dragonfly in TLS. Dragonfly is a modified SPEKE. SPEKE was introduced in 2001. SPEKE has a patent that expires in 2016, and a security proof in the ROM under a DH style assumption and a reasonable ideal/real attack model. Dragonfly was created by Dan Harkins, and adopted in IEEE 802.11s to authenticate nodes in a mesh network. It has no security proof despite efforts to try and find one. The intended usecase is provisioning of constrained devices. While one could include a 128 bit key on each device and have users type it in (as they do for Xbox Live and Windows verification: 25 letters and numbers from a 32 bit alphabet) it was felt that this was a bit much. PSK will not work with anything that isn't a key, because offline attack works beautifully. Nico's concerns about key database compromise, etc, are ignoring the realities of this setting: the password is the least valuable thing on the device, and since it was not entered by the user (as the device has no user interaction capability) unlikely to be reused. Dragonfly was presented at IETF 83. AugPAKE was proven secure in 2010. There is currently a draft for AugPAKE in TLS. Unfortunately AugPAKE is not specified on ECC groups, but this is easy to fix. (It's also ugly to shoehorn into TLS, but the draft seems to do it) PAKEs are not on the agenda because of a rather heated controversy about how Dragonfly got (seeming) CFRG approval, but there is a good case for including them. On the web we have more of a problem due to the UI issues that made client certificates a nonstarter. Sincerely, Watson Ladd
- [TLS] The PAKE question and PSK Watson Ladd
- Re: [TLS] The PAKE question and PSK Hannes Tschofenig
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK Dan Harkins
- Re: [TLS] The PAKE question and PSK Watson Ladd
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK Hannes Tschofenig
- Re: [TLS] The PAKE question and PSK Dan Harkins
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK Dan Harkins
- Re: [TLS] The PAKE question and PSK Watson Ladd
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK Dan Harkins
- Re: [TLS] The PAKE question and PSK Dan Harkins
- Re: [TLS] The PAKE question and PSK Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK SeongHan Shin