Re: [TLS] OT: WPA2-PSK vs. TLS-PSK (was about the PWD Proposal)
"Dan Harkins" <dharkins@lounge.org> Tue, 13 December 2011 02:46 UTC
On Mon, December 12, 2011 6:01 pm, Martin Rex wrote:
> Off-topic:

  Indeed! :-)

> Dan Harkins wrote:
>>
>> Below it's noted that if one has access to a database of 10,000 salted
>> passwords and a dictionary of 100,000 of the most popular passwords
>> (assume that quite a few of them will be in the 10,000) that it's
>> possible to do a dictionary attack quite easily. Adding PBKDF2 would
>> slow that down but not much:
>>
>> http://www.theregister.co.uk/2011/01/11/amazon_cloud_wifi_cracking/
>>
>> It's futile to throw more iterations at this problem. The solution is
>> using a protocol based on a zero knowledge proof-- like the protocol in
>> question-- and get away from broken things like Wifi-Protected Access,
>> or any of the TLS-PSK ciphersuites, using passwords. If an adversary
>> gets access to a database of passwords then the contents of that
>> database should be assumed to be compromised even if they're salted and
>> even if they've been PBKDF2'd with 10,000 iterations.
>
> WPA2-PSK is quite different from TLS-PSK in that one should *NOT*
> use a memorizable password for WPA2-PSK, but instead a very long and
> garbled one that is saved and automatically used.

  Actually the spec (-2007 version) provides for "an alternative manner
of setting the PSK [which] uses the password-to-key algorithm defined
[by PBKDF2]". It expressly says how to use a password. There isn't any
normative language around its use-- like "should not"-- but it does,
informally, give a use case which is: "PSK-based authentication,
typically managed by the pass-phrase hash method as described in
[PBKDF2]."

> If you're using WPA2-PSK with a short or memorizable password,
> then you're not using the technology in the fashion that it is
> intended to be used.

  Yes, you should not use a memorizable password but given the fact that
your average human's ability to enter a large pseudo-random character
string repeatedly (or have multiple average humans enter it once) in an
error-free fashion is quite low that is exactly how it is used.

> What WPA2-PSK does not provide (and where it differs from WPA2-Enterprise)
> is confidentiality from other rightful WPA2-PSK clients. AFAIK, only
> for WPA2-Enterprise every communication link will use a separate
> set of keys, while WPA2-PSK clients will all use the same keys
> (and therefore can watch each others traffic).

  There is nothing in the protocol that prevents a single and unique PSK
being assigned to a MAC address, it's just that that's not really how
it's used. Again, that's because it's easier to just have a single PSK
for everyone and make that PSK be easy to enter. Protocols that lose
security when deployed in the easiest and most straightforward manner
(i.e. the way everyone's gonna deploy it!) are extremely fragile.

  To tie it all back to what this thread used to be, when one uses a
password with a protocol based on a zero knowledge proof there's a
certain amount of robustness and misuse resistance. You should not share
a password but if you do it will not give an adversary an advantage in
determining the password because it still takes 1 active attack to some
other protocol participant to check each candidate password in the
dictionary-- do 50 attacks against a single device or 1 attack against
50 devices, it's no different.

  (By the way, the upcoming -2012 version of the 802.11 standard will
have a secure replacement for WPA2-PSK that is based on a zero knowledge
proof...coming soon to an 802.11 implementation near you!)

  regards,

  Dan.
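The PBKDF2 passphrase-to-key mapping discussed in the message above, as an added example that is not part of the original post: it derives a WPA2 PSK, checks a passphrase against a wordlist with no network peer involved, and counts the work for the 100,000-word dictionary the message mentions. The parameters (SSID as salt, 4096 iterations, 256-bit output) and the "password"/"IEEE" test vector come from IEEE 802.11, not from the message; the function names and the wordlist are constructed for illustration.

```python
import hashlib
import hmac
from typing import Iterable, Optional

WPA2_ITERATIONS = 4096  # fixed by IEEE 802.11 (assumption: not stated in the message)
PSK_LEN = 32            # 256-bit PSK

def derive_psk(passphrase: str, ssid: str, iterations: int = WPA2_ITERATIONS) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               iterations, PSK_LEN)

def audit_passphrase(target_psk: bytes, ssid: str,
                     wordlist: Iterable[str]) -> Optional[str]:
    """Return the wordlist entry that derives target_psk, or None.

    Every comparison is a local computation: the PSK is a deterministic
    function of (passphrase, SSID), so guesses are verified offline. A
    protocol based on a zero knowledge proof, as the message describes,
    needs one active exchange with a participant per guess instead.
    """
    for word in wordlist:
        if hmac.compare_digest(derive_psk(word, ssid), target_psk):
            return word
    return None

def hmac_calls(dictionary_size: int, iterations: int) -> int:
    """HMAC-SHA1 invocations needed to test a whole dictionary for one SSID."""
    blocks = -(-PSK_LEN // hashlib.sha1().digest_size)  # ceil(32 / 20) = 2
    return dictionary_size * iterations * blocks

# Constructed sample wordlist for the audit.
SAMPLE_WORDLIST = ["letmein", "password", "correct horse battery"]

if __name__ == "__main__":
    psk = derive_psk("password", "IEEE")
    print("PSK:", psk.hex())
    print("weak passphrase found:", audit_passphrase(psk, "IEEE", SAMPLE_WORDLIST))
    # Raising the iteration count multiplies the work by a constant only.
    for iters in (4096, 10_000):
        print(iters, "iterations ->", hmac_calls(100_000, iters), "HMAC calls")
```

Moving from 4096 to 10,000 iterations raises the dictionary cost by a factor of about 2.4, which stays within reach of rented parallel hardware; the number of guesses an adversary can verify is still unbounded by any protocol participant.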