Re: [TLS] I-D Action: draft-ietf-tls-pwd-04.txt
Nico Williams <nico@cryptonector.com> Tue, 01 April 2014 21:16 UTC
Date: Tue, 01 Apr 2014 16:16:40 -0500
From: Nico Williams <nico@cryptonector.com>
To: Dan Harkins <dharkins@lounge.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/jUjgSvxioPwjUJiclQghmwzxYa0
Cc: "tls@ietf.org" <tls@ietf.org>

On Tue, Apr 01, 2014 at 01:59:09PM -0700, Dan Harkins wrote:
> On Tue, April 1, 2014 12:30 pm, Nico Williams wrote:
> > On Fri, Mar 28, 2014 at 8:40 PM, Watson Ladd <watsonbladd@gmail.com>
> > wrote:
> >> PSK has no security? That's ridiculous: if high-entropy keys are used
> >> it is fairly easy to see it is secure.
> >
> > TLS-PSK did not specify a PBKDF either, so it can't be used with
> > passwords, therefore we might as well assume high-quality keys for
> > TLS-PSK. Therefore you're quite right.
>
> There is nothing in the protocol that prevents it from being used with
> passwords. You're not only assuming something about the nature of the
> PSK, you're assuming something about the people that use the protocol
> and that is quite naive.

PSK requires pre-sharing the secret key. If such presharing involves a
password then the secret key must be derived from said password. How?
Well, the two peers have to agree. How? Well, it's not specified!

If there are interoperable TLS-PSK w/ password implementations, then
there's a missing standard. I have no knowledge of such implementations.
Without any further input the only reasonable conclusion is that TLS-PSK
does not support passwords. Evidence to the contrary would be welcomed.

> Furthermore making assumptions about the nature of the PSK does not
> change the fact that TLS-PSK has a defect: the advantage an attacker
> gains is through computation and not interaction. And for the non-DHE
> ciphersuites, that defect can be exploited through passive attack!

Only if they are password-derived keys, otherwise no.

> > Even if the server must store a password-equivalent I'd still want a
> > decent PBKDF to be used for any protocol that derives keying material
> > from passwords!
>
> Why? Deterministically hashing a secret 1000 times or 4000 times
> does not increase the entropy in the secret. A PBKDF is just supposed
> to increase the work factor of the attacker, it does nothing to the
> resulting keying material.

Because verifier databases get compromised regularly. Just point your
browser to your favorite news site and wait a few weeks, you'll see.

> Wi-Fi specifies a PBKDF when using a PSK and the exchange is
> essentially the same as the non-DHE TLS-PSK ciphersuites. That
> protocol is horribly broken and tools exist on the Internet to attack
> it. And guess what? People still use it with weak, low-entropy PSKs
> in spite of assumptions to the contrary.

My concern is not eavesdroppers in this case. See above.

Nico
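
Added example, not part of the original message or of any TLS-PSK specification: a Python sketch of the two points argued above. Peers that derive a PSK from a password only interoperate if they agree on every PBKDF parameter, and raising the iteration count multiplies the cost of each offline guess against a stolen verifier without adding entropy. The choice of PBKDF2, the salt, the password and the iteration counts are assumptions made for illustration.

```python
import hashlib
import math

def derive_psk(password, salt, iterations, hash_name="sha256", dklen=32):
    """Derive a PSK from a password with PBKDF2 (illustrative parameter choice)."""
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                               salt, iterations, dklen)

def peers_agree(password, client, server):
    """True only if both sides' derivation parameters yield the same PSK."""
    return derive_psk(password, **client) == derive_psk(password, **server)

def prf_calls_per_guess(iterations, hash_name="sha256", dklen=32):
    """HMAC invocations PBKDF2 needs to test one candidate password."""
    hlen = hashlib.new(hash_name).digest_size
    return iterations * math.ceil(dklen / hlen)

def offline_search_cost(candidates, iterations, hash_name="sha256", dklen=32):
    """Total HMAC invocations to try every candidate against a stolen verifier.

    The number of candidates (the password's entropy) is untouched by the
    PBKDF; only the per-guess multiplier changes.
    """
    return candidates * prf_calls_per_guess(iterations, hash_name, dklen)

# Constructed sample values, not taken from any real deployment.
PASSWORD = "correct horse battery staple"
CLIENT = {"salt": b"example-identity", "iterations": 4000}
SERVER_SAME = {"salt": b"example-identity", "iterations": 4000}
SERVER_DIFF = {"salt": b"example-identity", "iterations": 1000}

if __name__ == "__main__":
    print("same parameters interoperate:",
          peers_agree(PASSWORD, CLIENT, SERVER_SAME))
    print("different iteration count interoperates:",
          peers_agree(PASSWORD, CLIENT, SERVER_DIFF))
    wordlist = 10**6  # assumed attacker dictionary size
    for n in (1, 1000, 4000):
        print(f"{n:>5} iterations: {offline_search_cost(wordlist, n):,} "
              f"HMAC calls for {wordlist:,} guesses")
```
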