Re: [TLS] PSK in 1.3?

Stephen Checkoway <s@pahtak.org> Mon, 23 February 2015 20:56 UTC

Mime-Version: 1.0 (Mac OS X Mail 7.3 $1878.6$)
Content-Type: text/plain; charset="iso-8859-1"
From: Stephen Checkoway <s@pahtak.org>
In-Reply-To: <5f40f09f6b0268a455f281297c971708.squirrel@www.trepanning.net>
Date: Mon, 23 Feb 2015 15:55:42 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <AA125A16-FD73-42C2-B196-89FFC6E9ED92@pahtak.org>
References: <544384C7.9030002@polarssl.org> <78795A6D-3DFA-41C6-A380-C63DDF4C0285@gmail.com> <5443BF11.3090505@polarssl.org> <1D875BD8-2727-4895-842A-FC4FAA482E15@gmail.com> <5e587b4474939cad09c12cbf3625dd98.squirrel@www.trepanning.net> <CAO9bm2mQzjiLpMgB-mh-bRca-A2gkTZiBd9c3CsFq4kekBGxUw@mail.gmail.com> <07df9eeefbc1738ea645d72d0afb35b5.squirrel@www.trepanning.net> <mc9gjp$7nv$1@ger.gmane.org> <5f40f09f6b0268a455f281297c971708.squirrel@www.trepanning.net>
To: Dan Harkins <dharkins@lounge.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/lnF9Ac2LCdOdmcBbbgGG3TaCTgU>
Cc: Alex Elsayed <eternaleye@gmail.com>, tls@ietf.org
Subject: Re: [TLS] PSK in 1.3?
Precedence: list

On Feb 23, 2015, at 12:34 PM, Dan Harkins <dharkins@lounge.org> wrote:

> On Sat, February 21, 2015 12:45 am, Alex Elsayed wrote:
>> No, its model is "For shared keys drawn uniformly from {0,1}^n, this is
>> secure".
> 
>  No, it's not. If n=8 then the attack is trivial and succeeds almost
> instantaneously. If n=128 then with high probability a dictionary attack
> will not be successful. But in neither case is that "secure".

What is your definition of secure then?

If drawing uniformly at random from {0,1}^n is not secure for any n, then doesn't that say that there is no way to use TLS securely? The master secret is merely a number in {0,1}^384, after all. And common (EC)DHE key exchanges involve a secret in {0,1}^n for n in [160, 256].

-- 
Stephen Checkoway

Re: [TLS] PSK in 1.3? Yoav Nir
[TLS] PSK in 1.3? Manuel Pégourié-Gonnard
Re: [TLS] PSK in 1.3? Ilari Liusvaara
Re: [TLS] PSK in 1.3? Eric Rescorla
Re: [TLS] PSK in 1.3? Ilari Liusvaara
Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
Re: [TLS] PSK in 1.3? Yoav Nir
Re: [TLS] PSK in 1.3? Hauke Mehrtens
Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
Re: [TLS] PSK in 1.3? Hauke Mehrtens
Re: [TLS] PSK in 1.3? Watson Ladd
Re: [TLS] PSK in 1.3? Jeffrey Walton
Re: [TLS] PSK in 1.3? Paul Bakker
Re: [TLS] PSK in 1.3? Eric Rescorla
Re: [TLS] PSK in 1.3? Eric Rescorla
Re: [TLS] PSK in 1.3? Dan Harkins
Re: [TLS] PSK in 1.3? Watson Ladd
Re: [TLS] PSK in 1.3? Dan Harkins
Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
Re: [TLS] PSK in 1.3? Dan Harkins
Re: [TLS] PSK in 1.3? Watson Ladd
Re: [TLS] PSK in 1.3? Peter Gutmann
Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
Re: [TLS] PSK in 1.3? Dan Harkins
Re: [TLS] PSK in 1.3? Mohamad Badra
Re: [TLS] PSK in 1.3? Peter Gutmann
Re: [TLS] PSK in 1.3? Peter Gutmann
Re: [TLS] PSK in 1.3? Yoav Nir
Re: [TLS] PSK in 1.3? Viktor Dukhovni
Re: [TLS] PSK in 1.3? Dan Harkins
Re: [TLS] PSK in 1.3? Ilari Liusvaara
Re: [TLS] PSK in 1.3? Sven Schäge
Re: [TLS] PSK in 1.3? Christian Kahlo
Re: [TLS] PSK in 1.3? Dan Harkins
Re: [TLS] PSK in 1.3? John Mattsson
Re: [TLS] PSK in 1.3? Alex Elsayed
Re: [TLS] PSK in 1.3? Dan Harkins
Re: [TLS] PSK in 1.3? Dan Harkins
Re: [TLS] PSK in 1.3? Viktor Dukhovni
Re: [TLS] PSK in 1.3? Stephen Checkoway
Re: [TLS] PSK in 1.3? Dan Harkins
Re: [TLS] PSK in 1.3? Stephen Checkoway
Re: [TLS] PSK in 1.3? Dan Harkins
Re: [TLS] PSK in 1.3? Stephen Checkoway
Re: [TLS] PSK in 1.3? Viktor Dukhovni
Re: [TLS] PSK in 1.3? Watson Ladd