[TLS] Device Pairing - PAKEs v SAS
Dennis Jackson <ietf@dennis-jackson.uk> Wed, 30 July 2025 11:15 UTC
Return-Path: <ietf@dennis-jackson.uk>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id BBEA34D41C5B for <tls@mail2.ietf.org>; Wed, 30 Jul 2025 04:15:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=dennis-jackson.uk
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MQAMworZeeBD for <tls@mail2.ietf.org>; Wed, 30 Jul 2025 04:15:57 -0700 (PDT)
Received: from mout-p-202.mailbox.org (mout-p-202.mailbox.org [80.241.56.172]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id C67194D41C4C for <tls@ietf.org>; Wed, 30 Jul 2025 04:15:56 -0700 (PDT)
Received: from smtp102.mailbox.org (smtp102.mailbox.org [10.196.197.102]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-202.mailbox.org (Postfix) with ESMTPS id 4bsV556v2dz9t9p for <tls@ietf.org>; Wed, 30 Jul 2025 13:15:53 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dennis-jackson.uk; s=MBO0001; t=1753874154; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=IFx2BqjHiXXh7lIJ2Jz9GxCrnlZlz/Edl25XduAgXjU=; b=qQoMloe0G5F/EdxaE3wL8N/CKpLUdswTX5oDroVUtQq+WCPlpjolsSCTLv6odVWO3qPcKt YrYbULTyeSx8nxueWEiFhqNuE+fJUGbkTxi1jVaMqkfXDuzYTkkzDtG7NKEwJWy98FNBvo UquHVARLKqed92Wzeg90mRXTgOctNHaEJmOgr+dVJPoc/1y4g19l7qukRyPsGbRYHu3AT5 YHe8krH3Mpc7TVf8RPVMZWwocZe/rxKpS39N+0tIlhv0XX+QpO94nkHpKabu7CHSSzNf6L kNLLhKSazbK9UWmkUjPN8mfsn+QM+kt2mgAluWvDseQvVjRjHfjv4QstPELRSA==
Content-Type: multipart/alternative; boundary="------------4W0lS451Nh4sldbfCiBTSSIc"
Message-ID: <c8023018-e2d5-4b2c-94e7-b063016d9a39@dennis-jackson.uk>
Date: Wed, 30 Jul 2025 12:15:52 +0100
MIME-Version: 1.0
To: tls@ietf.org
References: <538DC904-2E36-482C-9EF0-E6EB4431290B@sn3rd.com> <6e77e266-9d16-4e0f-9e59-2c8262517ee2@dennis-jackson.uk> <CAL02cgSzL=295HEdigbJVW1KJDKzczJ3NJPAsT2uKhZU3ZrhHw@mail.gmail.com>
Content-Language: en-US
From: Dennis Jackson <ietf@dennis-jackson.uk>
In-Reply-To: <CAL02cgSzL=295HEdigbJVW1KJDKzczJ3NJPAsT2uKhZU3ZrhHw@mail.gmail.com>
Message-ID-Hash: 2O3VJATJWGOW22BTJWSUES4ESNZDPMHD
X-Message-ID-Hash: 2O3VJATJWGOW22BTJWSUES4ESNZDPMHD
X-MailFrom: ietf@dennis-jackson.uk
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Device Pairing - PAKEs v SAS
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/cxQGtCc8iA8jIiPUf-SXEQ-9nWo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
I wanted to follow up on this specific use case but don't want to pollute the PAKEs adoption thread where I already indicated support for adoption. On 29/07/2025 21:30, Richard Barnes wrote: > This is a digression, but I've heard a few people mention SAS: SAS > requires a very different UX from PAKE, worse for both users and > security. SAS is about post-hoc confirmation of a handshake-specific > value, which means: > > 1. You need a way to at least display, if not input, dynamic data on > both sides of the transaction. As opposed to say printing something > on the outside of a device and scanning it from the other. > 2. Users need to compare these dynamic values > 3. If the user skips or mis-compares the values, the handshake succeeds > > PAKE requires less capability in the devices and less work from the > user, and fails safe in the event of user error. I think this is quite a bit more nuanced than you suggest, but I do recognize there are some scenarios with low-capability devices where PAKEs provide a small benefit. If at least one device (A) has a display and the other device (B) has an input mechanism, PAKEs and SAS provide equivalent UX. You display the SAS (or PAKE key) on A and ask the user to enter it on B. B rejects if the entry doesn't match the SAS or the PAKE KEX fails. The UX and security is identical. If A and B only have displays, you can do SAS but not a PAKE. If A and B only have input mechanisms, you can do a PAKE but not SAS. If A has neither a display nor an input mechanism, then you're down to a hardcoded secret which needs to be entered on B. If you can use a PAKE, it can be a low entropy secret. Otherwise, it needs to be high entropy. In both cases, you'd want to offer it via barcode, QR code, NFC or whatever. I recognize PAKEs make for a marginally nicer UX in this scenario, but it'd be even nicer not to ship devices with hardcoded secrets. > > On Mon, Jul 28, 2025 at 1:24 AM Dennis Jackson > <ietf=40dennis-jackson.uk@dmarc.ietf.org> wrote: > > I support adoption. > > I'm somewhat skeptical there's a device pairing scenario in which > PAKEs > are worth the investment over SAS, but it seems like there's > plenty of > folks interested in deploying this and I can see the value in > getting it > right. >
- [TLS] WG Adoption Call for A PAKE Extension for T… Sean Turner
- [TLS] Re: WG Adoption Call for A PAKE Extension f… Sean Turner
- [TLS] Re: WG Adoption Call for A PAKE Extension f… Salz, Rich
- [TLS] Re: WG Adoption Call for A PAKE Extension f… Richard Barnes
- [TLS] Re: WG Adoption Call for A PAKE Extension f… David Benjamin
- [TLS] Re: WG Adoption Call for A PAKE Extension f… Laura Bauman
- [TLS] Re: WG Adoption Call for A PAKE Extension f… Eric Rescorla
- [TLS] Re: WG Adoption Call for A PAKE Extension f… Tommy Pauly
- [TLS] Re: WG Adoption Call for A PAKE Extension f… beck
- [TLS] Re: WG Adoption Call for A PAKE Extension f… Watson Ladd
- [TLS] Re: WG Adoption Call for A PAKE Extension f… Dennis Jackson
- [TLS] Re: WG Adoption Call for A PAKE Extension f… Sean Turner
- [TLS] Re: WG Adoption Call for A PAKE Extension f… Dennis Jackson
- [TLS] Re: WG Adoption Call for A PAKE Extension f… Eric Rescorla
- [TLS] Re: WG Adoption Call for A PAKE Extension f… David Adrian
- [TLS] Re: WG Adoption Call for A PAKE Extension f… Richard Barnes
- [TLS] Re: WG Adoption Call for A PAKE Extension f… Christopher Patton
- [TLS] Re: WG Adoption Call for A PAKE Extension f… Dan Harkins
- [TLS] Device Pairing - PAKEs v SAS Dennis Jackson
- [TLS] Re: WG Adoption Call for A PAKE Extension f… Scott Fluhrer (sfluhrer)
- [TLS] Re: WG Adoption Call for A PAKE Extension f… Muhammad Usama Sardar
- [TLS] Re: [EXTERNAL] Re: WG Adoption Call for A P… Andrei Popov