Re: [TLS] PSK in 1.3?
Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Tue, 21 October 2014 21:35 UTC
Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C57C81A874B for <tls@ietfa.amsl.com>; Tue, 21 Oct 2014 14:35:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f0AiDl1qwgCh for <tls@ietfa.amsl.com>; Tue, 21 Oct 2014 14:35:52 -0700 (PDT)
Received: from emh06.mail.saunalahti.fi (emh06.mail.saunalahti.fi [62.142.5.116]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4F141A8761 for <tls@ietf.org>; Tue, 21 Oct 2014 14:35:51 -0700 (PDT)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh06.mail.saunalahti.fi (Postfix) with ESMTP id 35036699E8; Wed, 22 Oct 2014 00:35:47 +0300 (EEST)
Date: Wed, 22 Oct 2014 00:35:47 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Dan Harkins <dharkins@lounge.org>
Message-ID: <20141021213547.GA31199@LK-Perkele-VII>
References: <9A043F3CF02CD34C8E74AC1594475C739B9D3EAE@uxcn10-5.UoA.auckland.ac.nz> <96b88d73f776e16e3f5487643fb59a31.squirrel@www.trepanning.net> <20141021160247.GP19158@mournblade.imrryr.org> <3653ffe169c72f3302d605a4bc24bb0d.squirrel@www.trepanning.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <3653ffe169c72f3302d605a4bc24bb0d.squirrel@www.trepanning.net>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/ZdcEret6Fw-gJcf1UjEcua848Q4
Cc: tls@ietf.org
Subject: Re: [TLS] PSK in 1.3?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Oct 2014 21:35:54 -0000
On Tue, Oct 21, 2014 at 11:45:48AM -0700, Dan Harkins wrote: > > On Tue, October 21, 2014 9:02 am, Viktor Dukhovni wrote: > > On Mon, Oct 20, 2014 at 01:34:38PM -0700, Dan Harkins wrote: > > > >> The ciphersuites are _completely oblivious_ > >> to the type and quality of the credential they use. You can't claim the > >> _protocol_ is resistent to dictionary attack if the protocol can be used > >> in a manner that makes it susceptible to dictionary attack. > > > > No protocol is resistant to dictionary attack under the above > > definition. > > The point is that increasing the size of the PSK does not make the > _protocol_ resistant to dictionary attack. It just makes the attack > harder to successfully conclude. > And there are protocols that are resistant to dictionary attack under > that definition. There's one in the paper. Or look at your favorite PAKE. There is a difference between collecting enough information to break the protocol (which is quite little with _any_ practical protocol) and collecting enough information to "easily" break the protocol. Whole practical cryptography is based on the assumption that it doesn't matter if attacker has enough information to break it, if the computation is just too titanic. However, if you have things like long-term passwords involved, that are easily breakable (due to insufficient entropy) given some information, one wants to make collecting that information hard. This is what PAKEs are about. However, proper PSKs have high entropy, so even with enough information, it is very difficult to break one. -Ilari
- Re: [TLS] PSK in 1.3? Yoav Nir
- [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Ilari Liusvaara
- Re: [TLS] PSK in 1.3? Eric Rescorla
- Re: [TLS] PSK in 1.3? Ilari Liusvaara
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Yoav Nir
- Re: [TLS] PSK in 1.3? Hauke Mehrtens
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Hauke Mehrtens
- Re: [TLS] PSK in 1.3? Watson Ladd
- Re: [TLS] PSK in 1.3? Jeffrey Walton
- Re: [TLS] PSK in 1.3? Paul Bakker
- Re: [TLS] PSK in 1.3? Eric Rescorla
- Re: [TLS] PSK in 1.3? Eric Rescorla
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Watson Ladd
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Watson Ladd
- Re: [TLS] PSK in 1.3? Peter Gutmann
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Mohamad Badra
- Re: [TLS] PSK in 1.3? Peter Gutmann
- Re: [TLS] PSK in 1.3? Peter Gutmann
- Re: [TLS] PSK in 1.3? Yoav Nir
- Re: [TLS] PSK in 1.3? Viktor Dukhovni
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Ilari Liusvaara
- Re: [TLS] PSK in 1.3? Sven Schäge
- Re: [TLS] PSK in 1.3? Christian Kahlo
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? John Mattsson
- Re: [TLS] PSK in 1.3? Alex Elsayed
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Viktor Dukhovni
- Re: [TLS] PSK in 1.3? Stephen Checkoway
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Stephen Checkoway
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Stephen Checkoway
- Re: [TLS] PSK in 1.3? Viktor Dukhovni
- Re: [TLS] PSK in 1.3? Watson Ladd