Re: [TLS] PSK in 1.3?
Alex Elsayed <eternaleye@gmail.com> Sat, 21 February 2015 08:46 UTC
Return-Path: <ietf-ietf-tls@m.gmane.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71D7B1A0318 for <tls@ietfa.amsl.com>; Sat, 21 Feb 2015 00:46:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.709
X-Spam-Level:
X-Spam-Status: No, score=-1.709 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FROM=0.001, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pZF53oLcShMP for <tls@ietfa.amsl.com>; Sat, 21 Feb 2015 00:46:00 -0800 (PST)
Received: from plane.gmane.org (plane.gmane.org [80.91.229.3]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3546C1A0282 for <tls@ietf.org>; Sat, 21 Feb 2015 00:46:00 -0800 (PST)
Received: from list by plane.gmane.org with local (Exim 4.69) (envelope-from <ietf-ietf-tls@m.gmane.org>) id 1YP5hD-0006De-E3 for tls@ietf.org; Sat, 21 Feb 2015 09:45:55 +0100
Received: from 66-87-139-69.pools.spcsdns.net ([66-87-139-69.pools.spcsdns.net]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <tls@ietf.org>; Sat, 21 Feb 2015 09:45:55 +0100
Received: from eternaleye by 66-87-139-69.pools.spcsdns.net with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <tls@ietf.org>; Sat, 21 Feb 2015 09:45:55 +0100
X-Injected-Via-Gmane: http://gmane.org/
To: tls@ietf.org
From: Alex Elsayed <eternaleye@gmail.com>
Date: Sat, 21 Feb 2015 00:45:45 -0800
Lines: 137
Message-ID: <mc9gjp$7nv$1@ger.gmane.org>
References: <544384C7.9030002@polarssl.org> <78795A6D-3DFA-41C6-A380-C63DDF4C0285@gmail.com> <5443BF11.3090505@polarssl.org> <1D875BD8-2727-4895-842A-FC4FAA482E15@gmail.com> <5e587b4474939cad09c12cbf3625dd98.squirrel@www.trepanning.net> <CAO9bm2mQzjiLpMgB-mh-bRca-A2gkTZiBd9c3CsFq4kekBGxUw@mail.gmail.com> <07df9eeefbc1738ea645d72d0afb35b5.squirrel@www.trepanning.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-Complaints-To: usenet@ger.gmane.org
X-Gmane-NNTP-Posting-Host: 66-87-139-69.pools.spcsdns.net
User-Agent: KNode/4.14.3
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/gJBP7lpDx43DgIbkkQFj1xpTYCI>
X-Mailman-Approved-At: Mon, 23 Feb 2015 08:03:02 -0800
Subject: Re: [TLS] PSK in 1.3?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Feb 2015 08:46:02 -0000
Dan Harkins wrote: > > Hi Sven, > > On Thu, February 19, 2015 7:41 am, Sven Schäge wrote: >> I was just reading through the TLS-PSK related discussions so far and >> came across your post... >> >> 2014-10-20 14:13 GMT+02:00 Dan Harkins <dharkins@lounge.org>: >> >>> >>> On Sun, October 19, 2014 7:35 am, Yoav Nir wrote: >>> > >>> > I also understand that in practice, PSK ciphersuites are used only by >>> > small devices, whereas the web and SMTP and other things never went >>> for >>> > it. But the standards donââ¬â¢t say that. They donââ¬â¢t say >>> that PSK >>> > ciphersuites are especially for constrained devices. So if we insist >>> that >>> > the same TLS 1.3 be used for both, and we donââ¬â¢t want to say >>> that PSK is >>> > for weak security, then we should have a good story of why PFS is not >>> > needed for PSK uses, whereas itââ¬â¢s essential for all RSA uses. >>> If I >>> > understand the mechanism correctly, PSKs tend to be long-lived, and a >>> > subsequent compromise of a PSK (even if it is expired at the time of >>> > compromise) allows an attacker to decrypt the content of a TLS >>> session. >>> >>> The non-PFS PSK ciphersuites are no different than the widely >>> discredited, and easily cracked, WPA-PSK mode of WiFi security. It would >>> be a really bad idea to continue with these ciphersuites in TLS 1.3. But >>> the >>> issue is not just PFS (or the lack of it), it's that PSK ciphersuites >>> are >>> susceptible to dictionary attack. >>> >>> > So either we believe that PSK compromise is unlikely, or we believe >>> that >>> > the data in a connection with a PSK ciphersuite is not >>> future-sensitive. >>> > If we donââ¬â¢t, weââ¬â¢re saying that weââ¬â¢re just piling >>> on security >>> > nice-to-haves because we think the users can handle them. >>> >>> There's no way that the protocol can be defined to justify that >>> belief. >>> What you're talking about is how people end up using the protocol and >>> that is entirely out of the power of this WG. What we can do is to make >>> TLS be as _misuse resistant_ as possible. And to do that we should not >>> allow PSKs in TLS 1.3 unless they are used in a PAKE. >>> >>> By the way, I'm surprised that no one is expressing outrageous outrage >>> at the lack of a security proof for PSK ciphersuites. >>> >> >> Perhaps you might find >> >> http://eprint.iacr.org/2014/037 >> >> useful. > > No, I don't find that particularly useful. It doesn't assume a powerful > active attacker that is able to enumerate, off-line, from a database of > secrets that the PSK is likely drawn from. Sure, if they draw them from a database. Which would be about as stupid as choosing an RSA key from the Debian weak-keys bug, or doing ECDSA signatures with the same nonce every time, or similar boneheaded maneuvers that invalidate the protocol guarantees. It's not the "pre-shared password" protocol, or even "pre-shared passphrase." It's "pre-shared key," and as such it should be used with a _proper key_ - that is to say, a string chosen uniformly at random from {0,1}^n where 'n' is the key size. > It's saying that if only the client and server know the PSK then the > resulting secret will be known only to them too Yes. That is the guarantee the protocol gives. > which is not useful at all. It places the security of the > protocol in the hands of the people using it and that means the protocol > can be really secure or not secure at all. But this is specious, because it's just as true of any number of other protocols - ECDSA's nonces being a particularly notable example. Reuse them, and you're leaking key bits like a firehose full of porcupines. Sony learned that the hard way. Sure, I think easily-misused APIs are better avoided - but I also feel you are drastically overstating your case, and weakening it by doing so. When faced with people having said multiple times that 'drawing from a database' is user error and an invalid use of the protocol, it comes across as either obtuse or intellectually dishonest - neither of which I believe you are. > And therefore it's not secure at all. Then we really ought to stop using ECDSA... pretty much anywhere, since its nonces require much the same care. > It's model is basically, "in an ideal world where no one misuses > anything and does nothing wrong and there are no active adversaries > trying to subvert anything ." which is not particularly useful. No, its model is "For shared keys drawn uniformly from {0,1}^n, this is secure". Active adversaries have nothing to do with it, so long as the user fulfils their side of the API contract. > Protocols that use a shared symmetric key/code/word/phrase as a > credential should be judged by the criteria set forth here: > > http://www.iacr.org/archive/eurocrypt2000/1807/18070140-new.pdf > > Namely, "In a protocol we deem 'good' the adversary's chance to defeat > protocol goals will depend on how much she interacts with protocol > participants-- it won't significantly depend on her off-line computing > time." By that criteria, TLS-PSK is not good. ...no, if the user isn't screwing up in much the same kind of way as would lead them to horrific misuse of ECDSA, TLS-PSK is just fine. I'm not saying PSK is ideal - it's patently not. A misuse-resistant protocol *that meets the needs of the people using PSK* would be wonderful to have. But claiming it's worse than it is just makes people who see it as their only option feel more pressed to defend it, rather than actually helping to move the discussion forward on finding a viable alternative. > regards, > > Dan.
- Re: [TLS] PSK in 1.3? Yoav Nir
- [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Ilari Liusvaara
- Re: [TLS] PSK in 1.3? Eric Rescorla
- Re: [TLS] PSK in 1.3? Ilari Liusvaara
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Yoav Nir
- Re: [TLS] PSK in 1.3? Hauke Mehrtens
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Hauke Mehrtens
- Re: [TLS] PSK in 1.3? Watson Ladd
- Re: [TLS] PSK in 1.3? Jeffrey Walton
- Re: [TLS] PSK in 1.3? Paul Bakker
- Re: [TLS] PSK in 1.3? Eric Rescorla
- Re: [TLS] PSK in 1.3? Eric Rescorla
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Watson Ladd
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Watson Ladd
- Re: [TLS] PSK in 1.3? Peter Gutmann
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Mohamad Badra
- Re: [TLS] PSK in 1.3? Peter Gutmann
- Re: [TLS] PSK in 1.3? Peter Gutmann
- Re: [TLS] PSK in 1.3? Yoav Nir
- Re: [TLS] PSK in 1.3? Viktor Dukhovni
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Ilari Liusvaara
- Re: [TLS] PSK in 1.3? Sven Schäge
- Re: [TLS] PSK in 1.3? Christian Kahlo
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? John Mattsson
- Re: [TLS] PSK in 1.3? Alex Elsayed
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Viktor Dukhovni
- Re: [TLS] PSK in 1.3? Stephen Checkoway
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Stephen Checkoway
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Stephen Checkoway
- Re: [TLS] PSK in 1.3? Viktor Dukhovni
- Re: [TLS] PSK in 1.3? Watson Ladd