Re: [TLS] I-D Action: draft-ietf-tls-pwd-04.txt

Nico Williams <nico@cryptonector.com> Tue, 01 April 2014 21:16 UTC

Date: Tue, 01 Apr 2014 16:16:40 -0500
From: Nico Williams <nico@cryptonector.com>
To: Dan Harkins <dharkins@lounge.org>
Message-ID: <20140401211637.GA21606@localhost>
References: <20140328195334.19328.19928.idtracker@ietfa.amsl.com> <CACsn0c==pRzDKd7G=eAhds=o9qexqe9Jb3DgNC9gzh-6xaKcAQ@mail.gmail.com> <dd67ab76dee19a82a0dfcdaa6512b905.squirrel@www.trepanning.net> <CACsn0ckQiNODB9DLj5XpcQDH2ykfD76CoV11-R4JJL+1_Vogfw@mail.gmail.com> <f8dc8cec46f6126146a7afa2421e43de.squirrel@www.trepanning.net> <CACsn0cmRRygPPk8=iU536-TK9mDFVcMOrYw_1tNV3=LZ02_9Hw@mail.gmail.com> <CAK3OfOjPyk2abEL-jqMk7ZujrF287yZnYJpr3xLs0yboFJX_6w@mail.gmail.com> <5db2aa46715b8f0b115b005b0abfbf58.squirrel@www.trepanning.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <5db2aa46715b8f0b115b005b0abfbf58.squirrel@www.trepanning.net>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/jUjgSvxioPwjUJiclQghmwzxYa0
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-pwd-04.txt

On Tue, Apr 01, 2014 at 01:59:09PM -0700, Dan Harkins wrote:
> On Tue, April 1, 2014 12:30 pm, Nico Williams wrote:
> > On Fri, Mar 28, 2014 at 8:40 PM, Watson Ladd <watsonbladd@gmail.com>
> > wrote:
> >> PSK has no security? That's ridiculous: if high-entropy keys are used
> >> it is fairly easy to see it is secure.
> >
> > TLS-PSK did not specify a PBKDF either, so it can't be used with
> > passwords, therefore we might as well assume high-quality keys for
> > TLS-PSK.  Therefore you're quite right.
> 
>   There is nothing in the protocol that prevents it from being used with
> passwords. You're not only assuming something about the nature of the
> PSK, you're assuming something about the people that use the protocol
> and that is quite naive.

PSK requires pre-sharing the secret key.  If such presharing involves a
password then the secret key must be derived from said password.  How?
Well, the two peers have to agree.  How?  Well, it's not specified!

If there are interoperable TLS-PSK w/ password implementations, then there's
a missing standard.  I have no knowledge of such implementations.

Without any further input the only reasonable conclusion is that TLS-PSK
does not support passwords.  Evidence to the contrary would be welcomed.

>   Furthermore making assumptions about the nature of the PSK does not
> change the fact that TLS-PSK has a defect: the advantage an attacker
> gains is through computation and not interaction. And for the non-DHE
> ciphersuites, that defect can be exploited through passive attack!

Only if they are password-derived keys, otherwise no.

> > Even if the server must store a password-equivalent I'd still want a
> > decent PBKDF to be used for any protocol that derives keying material
> > from passwords!
> 
>   Why? Deterministically hashing a secret 1000 times or 4000 times
> does not increase the entropy in the secret. A PBKDF is just supposed
> to increase the work factor of the attacker, it does nothing to the
> resulting keying material.

Because verifier databases get compromised regularly.  Just point your
browser to your favorite news site and wait a few weeks, you'll see.

>   Wi-Fi specifies a PBKDF when using a PSK and the exchange is
> essentially the same as the non-DHE TLS-PSK ciphersuites. That
> protocol is horribly broken and tools exist on the Internet to attack
> it. And guess what? People still use it with weak, low-entropy PSKs
> in spite of assumptions to the contrary.

My concern is not eavesdroppers in this case.  See above.

Nico
--
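The following is an added worked example, written for this archived page; it is not code from the thread, from draft-ietf-tls-pwd, or from any TLS implementation. It models the TLS 1.2 key derivation for PSK ciphersuites (the RFC 4279 premaster secret and the RFC 5246 PRF) so that the two points argued above can be seen directly: for the non-DHE PSK ciphersuites a passive observer can test PSK guesses offline against the captured handshake, and a PBKDF only multiplies the cost of each guess (Dan's "work factor, not entropy"); and a DHE_PSK-style premaster secret defeats the purely passive check. Everything below is constructed: the client/server randoms, the handshake hash, the salt, the candidate password list, and the assumption that both peers agreed out of band on PBKDF2-HMAC-SHA256 (TLS-PSK specifies no such convention, which is the gap Nico describes). The attacker compares verify_data directly; in real TLS the Finished message is encrypted, so the attacker would instead derive record keys from each guess and check whether the captured record authenticates, which is the same offline test.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed transcript values (what a passive observer sees in the clear).
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
HANDSHAKE_HASH = hashlib.sha256(b"constructed ClientHello..ClientKeyExchange").digest()
SALT = b"constructed-salt"  # assumed out-of-band PBKDF parameter, not from TLS-PSK
DICTIONARY = [b"password", b"letmein", b"hunter2", b"qwerty"]  # constructed


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246 section 5."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()           # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_hash(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def psk_premaster(psk: bytes, other_secret: Optional[bytes] = None) -> bytes:
    """RFC 4279 section 2 premaster secret.

    Plain PSK ciphersuites use N zero bytes (N = len(psk)) as other_secret;
    DHE_PSK uses the Diffie-Hellman shared secret, which a passive attacker
    does not have.
    """
    if other_secret is None:
        other_secret = b"\x00" * len(psk)
    return (struct.pack(">H", len(other_secret)) + other_secret
            + struct.pack(">H", len(psk)) + psk)


def client_finished(psk: bytes, client_random: bytes, server_random: bytes,
                    handshake_hash: bytes,
                    other_secret: Optional[bytes] = None) -> bytes:
    """verify_data (12 bytes) of the client Finished message."""
    master = prf(psk_premaster(psk, other_secret), b"master secret",
                 client_random + server_random, 48)
    return prf(master, b"client finished", handshake_hash, 12)


def psk_from_password(password: bytes, iterations: int) -> bytes:
    """Assumed convention: both peers agreed on PBKDF2-HMAC-SHA256 out of band.
    TLS-PSK itself specifies no PBKDF; this is an assumption of the example."""
    return hashlib.pbkdf2_hmac("sha256", password, SALT, iterations, 32)


def make_transcript(psk: bytes, other_secret: Optional[bytes] = None) -> dict:
    """What the eavesdropper captures from one handshake (constructed)."""
    return {"client_random": CLIENT_RANDOM, "server_random": SERVER_RANDOM,
            "handshake_hash": HANDSHAKE_HASH,
            "client_finished": client_finished(psk, CLIENT_RANDOM, SERVER_RANDOM,
                                               HANDSHAKE_HASH, other_secret)}


def offline_dictionary_attack(transcript: dict, candidates, derive):
    """Passive attacker: recompute Finished for each guess, compare with capture.
    Returns (recovered_password_or_None, number_of_guesses_tried)."""
    tries = 0
    for pw in candidates:
        tries += 1
        guess = client_finished(derive(pw), transcript["client_random"],
                                transcript["server_random"],
                                transcript["handshake_hash"])  # assumes plain PSK
        if hmac.compare_digest(guess, transcript["client_finished"]):
            return pw, tries
    return None, tries


def run_demo() -> dict:
    results = {}
    # 1. Raw password used directly as the PSK: guessable offline from the capture.
    t = make_transcript(b"hunter2")
    results["raw"] = offline_dictionary_attack(t, DICTIONARY, lambda p: p)
    # 2. PBKDF-derived PSK: still guessable; each guess just costs `iters` more
    #    work. The PBKDF raises the work factor, not the entropy of the PSK.
    iters = 1000
    t = make_transcript(psk_from_password(b"hunter2", iters))
    results["pbkdf"] = offline_dictionary_attack(
        t, DICTIONARY, lambda p: psk_from_password(p, iters))
    # 3. DHE_PSK-style premaster: other_secret is the DH shared secret, which a
    #    passive observer never learns, so the offline check no longer works.
    dh_shared = hashlib.sha256(b"constructed DH shared secret").digest()
    t = make_transcript(b"hunter2", other_secret=dh_shared)
    results["dhe"] = offline_dictionary_attack(t, DICTIONARY, lambda p: p)
    return results


if __name__ == "__main__":
    for name, (pw, tries) in run_demo().items():
        print(f"{name:6s}: recovered={pw!r} after {tries} guesses")
```

Running it shows the raw and PBKDF cases both recovering the password after the same number of guesses, with the PBKDF case taking proportionally longer per guess, and the DHE-style case exhausting the list without a match; that is the difference between an attacker who gains advantage through computation alone and one who must interact, which is the property the thread is arguing about.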