Re: [TLS] The PAKE question and PSK
Hannes Tschofenig <hannes.tschofenig@gmx.net> Wed, 02 April 2014 16:51 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66AD71A02CB for <tls@ietfa.amsl.com>; Wed, 2 Apr 2014 09:51:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.91
X-Spam-Level:
X-Spam-Status: No, score=-3.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, GB_I_LETTER=-2, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i9Ua4LktloqL for <tls@ietfa.amsl.com>; Wed, 2 Apr 2014 09:51:34 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) by ietfa.amsl.com (Postfix) with ESMTP id CC66F1A0254 for <tls@ietf.org>; Wed, 2 Apr 2014 09:51:33 -0700 (PDT)
Received: from [192.168.131.137] ([80.92.119.215]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0LtmK9-1XCfqf1T65-011Cao; Wed, 02 Apr 2014 18:51:28 +0200
Message-ID: <533C3D12.7040802@gmx.net>
Date: Wed, 02 Apr 2014 18:38:42 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Dan Harkins <dharkins@lounge.org>
References: <CACsn0cnBXvjo4cCN8htKvmakzhneqq4nXN9WfPdgkqjgBTNpGA@mail.gmail.com> <533BBC3C.6000704@gmx.net> <7a41ee191d22df1f5924a68034c74a49.squirrel@www.trepanning.net>
In-Reply-To: <7a41ee191d22df1f5924a68034c74a49.squirrel@www.trepanning.net>
X-Enigmail-Version: 1.5.2
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="iMP4C3a7SHHRucdD66L3hU86pPnHN57ob"
X-Provags-ID: V03:K0:F+T74XR/7S4mQjUggtdUc34d8vPVajDDzHB1tv6VH8K3Qee6/Lm hryeIetem6Su8maFmzgyI+OHnBhzkxEULVfxaef4Q+mzuhGdVm1lPgmSiykhl/FaL5WnkpL qKN/Q+4aau0Ww1+uc1+zrvE0YwmFu0K8GO//xH8nNOK52rb+UBuMpT6gFFPX7hf+gjokgNP yrfXoKoq1Won+enOBlKvw==
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/opk-qawRr9_ycxTtsWw1lBg2h6U
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] The PAKE question and PSK
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Apr 2014 16:51:38 -0000
Hi Dan, comments inline. On 04/02/2014 06:38 PM, Dan Harkins wrote: > > Hi Hannes, > > On Wed, April 2, 2014 12:29 am, Hannes Tschofenig wrote: >> Hi Watson, >> >> I believe there are several aspects that need to be untangled here: >> >> a) Is there a problem where a strong password-based authentication and >> key exchange protocol can help? >> >> b) Since there are various protocol variants available, which one is the >> best for the job? >> >> Item (a) is about use cases and clearly the Web is not the use case. >> There are use cases documented in >> http://tools.ietf.org/html/draft-ietf-tls-pwd-04#section-1.1 but I >> personally don't quite buy them. >> >> The constrained device use case is, however, one that I ran into myself >> as well. It requires a bit more description since constrained device are >> used in various different ways. There are at least three different cases >> I have seen: >> >> 1) Device talks to the cloud infrastructure. For this case it is not a >> problem to use long symmetric keys since the is nothing for the user to >> type. > > From what authenticated source does this long symmetric key come? > This secret is pre-provisioned by the manufacturer of the device. If you buy any IoT device today this is most likely the model they are using. >> 2) Device talks to another device. There are two variants to this: >> >> 2a) Pairing / Imprinting >> >> Here the pairing protocol typically runs a Diffie-Hellman and then you >> might have to confirm the initial set-up to avoid MITM attacks (via an >> out-of-band channel, such as a human entering something). > > The "something" the user enters is a simple, low-entropy, easy-to-enter > key. That key authenticates a PAKE exchange. Nope, this is not necessarily PAKE and the if you, fo rexample, use Bluetooth it is not PAKE. > >> There are obviously many ways to do this pairing procedures and I am >> sure you have used many of them already yourself. >> >> Ekr provided a good overview for a workshop: >> http://www.lix.polytechnique.fr/hipercom/SmartObjectSecurity/papers/EricRescorla.pdf > > And the use of PAKEs is mentioned there. The downside to PAKEs, according > to Eric, is use of public key cryptography with a constrained device that is > assumed to have limited CPU power. And that's why ECC support in a PAKE > is so crucial. + patents on ECC and patents on PAKE to worry about... > >> 2b) Key printed on the device itself >> >> I believe that this is the case you are talking about where you want to >> avoid having users enter too many numbers. Today, user's are often only >> required to scan a QR code instead of entering something but maybe there >> is something to standardize here. > > Putting a symmetric key in a QR code is a bad idea. Anybody who > sees the QR code can determine the secret. This is the model that many embedded devices use. Look at your embedded router, for example. I doubt that someone breaks into your home and then has nothing better to do than to read the secret from your home router... > As Eric said in the paper > you referred to above, "The primary concern with a secret value system > is that the value must be kept secret or an attacker can impersonate the > base station to the device and vice versa." Indeed. > > Putting a public key in a QR code is a much better idea (and, again, > ECC support is crucial because the x-coordinate of a point on a 256-bit > curve produces a usable QR code while a 4096-bit RSA key does not-- too > big, too dense, hard-to-impossible to scan). For many devices, though, this > only provides one way authentication (not mutual) because the device that > scanned the QR code knows definitely it is talking to the device whose QR > code was scanned, but the device with the QR code has no idea who it is > communicating with. Using a short, easy-to-enter key with a PAKE > provides good mutual authentication. > > Also not every constrained device has a camera interface to scan QR > codes with, while many of them do have some limited UI from which > the user can enter a short key. Understand that argument but nothing of it can be found in your draft. > >> Regarding item (b) about the protocol choice. Given the use cases >> previously described I doubt that the "database leaking secrets" is a >> bit concern here in these environments. The database in most cases >> contains a single key (or a small number of them). > > Yes, that is correct. A large password database is not envisioned by > this use case. In fact, as The whole benefit of an augmented PAKE-- > a protected password database-- is not applicable to this use case. Yes. > >> A few years ago Yaron, Glen, Scott and myself co-authored EAP-EKE (RFC >> 6124) and we picked EKE because the publications reached their 20 year >> anniversary. > > I remember it well. I wrote EAP-pwd (dragonfly) and Yaron followed > with EAP-EKE, I proposed a dragonfly exchange in IKE and Yaron followed > with an EKE exchange (which was later abandoned). > > One of the problems with EKE is that using it with ECC opens the > exchange up to a partitioning attack. Given that this initial exchange happens very infrequently additional delay with RSA does not matter that much (+ you don't have to worry about the IPRs). Ciao Hannes > > regards, > > Dan. > >> Just something to think about. >> >> Ciao >> Hannes >> >> >> On 04/02/2014 06:28 AM, Watson Ladd wrote: >>> Dear all, >>> >>> I'm afraid that several important points and quite a bit of history >>> has been missing from the recent exchange concerning Dragonfly in TLS. >>> >>> Dragonfly is a modified SPEKE. SPEKE was introduced in 2001. SPEKE has >>> a patent that expires in 2016, and a security proof in the ROM under a >>> DH style assumption and a reasonable ideal/real attack model. >>> Dragonfly was created by Dan Harkins, and adopted in IEEE 802.11s to >>> authenticate nodes in a mesh network. It has no security proof despite >>> efforts to try and find one. >>> >>> The intended usecase is provisioning of constrained devices. While one >>> could include a 128 bit key on each device and have users type it in >>> (as they do for Xbox Live and Windows verification: 25 letters and >>> numbers from a 32 bit alphabet) it was felt that this was a bit much. >>> PSK will not work with anything that isn't a key, because offline >>> attack works beautifully. Nico's concerns about key database >>> compromise, etc, are ignoring the realities of this setting: the >>> password is the least valuable thing on the device, and since it was >>> not entered by the user (as the device has no user interaction >>> capability) unlikely to be reused. >>> >>> Dragonfly was presented at IETF 83. AugPAKE was proven secure in 2010. >>> There is currently a draft for AugPAKE in TLS. Unfortunately AugPAKE >>> is not specified on ECC groups, but this is easy to fix. (It's also >>> ugly to shoehorn into TLS, but the draft seems to do it) PAKEs are not >>> on the agenda because of a rather heated controversy about how >>> Dragonfly got (seeming) CFRG approval, but there is a good case for >>> including them. On the web we have more of a problem due to the UI >>> issues that made client certificates a nonstarter. >>> >>> Sincerely, >>> Watson Ladd >>> >>> _______________________________________________ >>> TLS mailing list >>> TLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/tls >>> >> >> >
- [TLS] The PAKE question and PSK Watson Ladd
- Re: [TLS] The PAKE question and PSK Hannes Tschofenig
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK Dan Harkins
- Re: [TLS] The PAKE question and PSK Watson Ladd
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK Hannes Tschofenig
- Re: [TLS] The PAKE question and PSK Dan Harkins
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK Dan Harkins
- Re: [TLS] The PAKE question and PSK Watson Ladd
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK Dan Harkins
- Re: [TLS] The PAKE question and PSK Dan Harkins
- Re: [TLS] The PAKE question and PSK Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK Nico Williams
- Re: [TLS] The PAKE question and PSK SeongHan Shin