Re: [TLS] PSK in 1.3?

Stephen Checkoway <s@pahtak.org> Mon, 23 February 2015 20:56 UTC

To: Dan Harkins <dharkins@lounge.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/lnF9Ac2LCdOdmcBbbgGG3TaCTgU>
Cc: Alex Elsayed <eternaleye@gmail.com>, tls@ietf.org

On Feb 23, 2015, at 12:34 PM, Dan Harkins <dharkins@lounge.org> wrote:

> On Sat, February 21, 2015 12:45 am, Alex Elsayed wrote:
>> No, its model is "For shared keys drawn uniformly from {0,1}^n, this is
>> secure".
> 
>  No, it's not. If n=8 then the attack is trivial and succeeds almost
> instantaneously. If n=128 then with high probability a dictionary attack
> will not be successful. But in neither case is that "secure".

What is your definition of secure then?

If drawing uniformly at random from {0,1}^n is not secure for any n, then doesn't that say that there is no way to use TLS securely? The master secret is merely a number in {0,1}^384, after all. And common (EC)DHE key exchanges involve a secret in {0,1}^n for n in [160, 256].

-- 
Stephen Checkoway