Re: [TLS] OT: WPA2-PSK vs. TLS-PSK (was about the PWD Proposal)

"Dan Harkins" <dharkins@lounge.org> Tue, 13 December 2011 02:46 UTC

Message-ID: <33d911044702574740e3bc9d63cc8e0a.squirrel@www.trepanning.net>
In-Reply-To: <201112130201.pBD21inR017744@fs4113.wdf.sap.corp>
References: <201112130201.pBD21inR017744@fs4113.wdf.sap.corp>
Date: Mon, 12 Dec 2011 18:46:15 -0800
From: Dan Harkins <dharkins@lounge.org>
To: mrex@sap.com
Cc: yaronf.ietf@gmail.com, tls@ietf.org
Subject: Re: [TLS] OT: WPA2-PSK vs. TLS-PSK (was about the PWD Proposal)

On Mon, December 12, 2011 6:01 pm, Martin Rex wrote:
> Off-topic:

  Indeed! :-)

> Dan Harkins wrote:
>>
>>   Below it's noted that if one has access to a database of 10,000 salted
>> passwords and a dictionary of 100,000 of the most popular passwords
>> (assume that quite a few of them will be in the 10,000) that it's
>> possible to do a dictionary attack quite easily. Adding PBKDF2 would
>> slow that down but not much:
>>
>>    http://www.theregister.co.uk/2011/01/11/amazon_cloud_wifi_cracking/
>>
>>   It's futile to throw more iterations at this problem. The solution is
>> using a protocol based on a zero knowledge proof-- like the protocol in
>> question-- and get away from broken things like Wi-Fi Protected Access,
>> or any of the TLS-PSK ciphersuites, using passwords. If an adversary gets
>> access to a database of passwords then the contents of that database
>> should be assumed to be compromised even if they're salted and even if
>> they've been PBKDF2'd with 10,000 iterations.
>
> WPA2-PSK is quite different from TLS-PSK in that one should *NOT*
> use a memorizable password for WPA2-PSK, but instead a very long and
> garbled one that is saved and automatically used.

  Actually the spec (-2007 version) provides for "an alternative manner
of setting the PSK [which] uses the password-to-key algorithm defined
[by PBKDF2]". It expressly says how to use a password. There isn't any
normative language around its use-- like "should not"-- but it does,
informally, give a use case which is: "PSK-based authentication, typically
managed by the pass-phrase hash method as described in [PBKDF2]."

> If you're using WPA2-PSK with a short or memorizable password,
> then you're not using the technology in the fashion that it is
> intended to be used.

  Yes, you should not use a memorizable password, but given the fact that
your average human's ability to enter a large pseudo-random character
string repeatedly (or have multiple average humans enter it once) in an
error-free fashion is quite low, that is exactly how it is used.

> What WPA2-PSK does not provide (and where it differs from WPA2-Enterprise)
> is confidentiality from other rightful WPA2-PSK clients.  AFAIK, only
> for WPA2-Enterprise every communication link will use a separate
> set of keys, while WPA2-PSK clients will all use the same keys
> (and therefore can watch each other's traffic).

  There is nothing in the protocol that prevents a single and unique
PSK being assigned to a MAC address; it's just that that's not really
how it's used. Again, that's because it's easier to just have a single
PSK for everyone and make that PSK be easy to enter.

  Protocols that lose security when deployed in the easiest and most
straightforward manner (i.e. the way everyone's gonna deploy it!) are
extremely fragile. To tie it all back to what this thread used to be,
when one uses a password with a protocol based on a zero knowledge proof
there's a certain amount of robustness and misuse resistance. You should
not share a password but if you do it will not give an adversary an
advantage in determining the password because it still takes 1 active
attack to some other protocol participant to check each candidate
password in the dictionary-- do 50 attacks against a single device or
1 attack against 50 devices, it's no different.

  (By the way, the upcoming -2012 version of the 802.11 standard will
have a secure replacement for WPA2-PSK that is based on a zero knowledge
proof...coming soon to an 802.11 implementation near you!)

  regards,

  Dan.
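The passphrase-to-PSK mapping Dan quotes from the spec, and the work-factor argument in his last two paragraphs, as an added example in Python (not code from this email, from the list, or from the 802.11 standard itself). It implements the published mapping PSK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 iterations, 256 bits) and then counts, rather than times, the work an attacker faces: offline PBKDF2 evaluations against a captured record set, where the SSID is the only salt, versus active exchanges against a zero-knowledge password protocol, where each candidate costs one live attempt no matter how many devices share the password. The function names, the record and dictionary sizes fed to them, and the treatment of one PBKDF2 evaluation as the unit of work are this example's assumptions; the test vector ("password" on SSID "IEEE") is the one published in the standard's annex.

```python
import hashlib

# IEEE 802.11 passphrase-to-PSK mapping (the "alternative manner of setting
# the PSK" quoted in the email): PBKDF2 with HMAC-SHA1, the SSID as salt,
# 4096 iterations and a 256-bit output.
WPA2_PBKDF2_ITERATIONS = 4096
WPA2_PSK_LEN = 32  # bytes, i.e. 256 bits


def derive_wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Map a passphrase to the 256-bit WPA2 PSK.

    The SSID is the only salt, so every network that uses the same SSID and
    passphrase ends up with the same PSK, and a precomputed (guess, SSID)
    table covers all of them at once.
    """
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("utf-8"),
        ssid.encode("utf-8"),
        WPA2_PBKDF2_ITERATIONS,
        WPA2_PSK_LEN,
    )


def offline_pbkdf2_work(dictionary_size: int, distinct_salts: int,
                        iterations: int = WPA2_PBKDF2_ITERATIONS) -> int:
    """HMAC invocations needed to test a whole dictionary offline against a
    captured record set (assumed cost model: one PBKDF2 run per (guess, salt)).

    One derivation per (guess, salt) pair covers every record sharing that
    salt, so popular SSIDs amortize the work across records, and raising the
    iteration count only multiplies the total linearly.
    """
    return dictionary_size * distinct_salts * iterations


def online_pake_attempts(dictionary_size: int, devices: int) -> dict:
    """Active exchanges needed against a zero-knowledge password protocol.

    Each candidate password costs one live attempt with some legitimate
    participant; spreading attempts over several devices that share the
    password changes only the per-device count, never the total.
    """
    per_device = -(-dictionary_size // devices)  # ceiling division
    return {"per_device": per_device, "total": dictionary_size}


if __name__ == "__main__":
    # Constructed inputs for the email's scenario: 10,000 records and a
    # 100,000-entry dictionary.
    same_ssid = derive_wpa2_psk("password", "IEEE") == derive_wpa2_psk("password", "IEEE")
    other_ssid = derive_wpa2_psk("password", "IEEE") != derive_wpa2_psk("password", "ieee")
    print("shared SSID -> identical PSK:", same_ssid)
    print("different SSID -> different PSK:", other_ssid)
    unique = offline_pbkdf2_work(100_000, 10_000)        # every record its own salt
    shared = offline_pbkdf2_work(100_000, 1)             # all records on one SSID
    slower = offline_pbkdf2_work(100_000, 10_000, 100_000)
    print("offline work, unique salts:", unique)
    print("offline work, one shared salt:", shared)
    print("iteration bump 4096 -> 100000 multiplies work by", slower // unique)
    print("PAKE attempts, 50 devices:", online_pake_attempts(100_000, 50))
```

Under this model the 10,000-iteration bump the email dismisses buys a constant factor of about 2.4 over the standard 4096, and a 100,000-iteration bump buys about 24, while a shared SSID hands back a factor equal to the number of records on that SSID; against the zero-knowledge protocol the count stays at one active exchange per candidate whether it is 50 attempts at one device or one attempt at each of 50.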