Re: [TLS] PSK in 1.3?
Watson Ladd <watsonbladd@gmail.com> Mon, 20 October 2014 19:31 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E797D1AC41B for <tls@ietfa.amsl.com>; Mon, 20 Oct 2014 12:31:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lz0TNrETvmIx for <tls@ietfa.amsl.com>; Mon, 20 Oct 2014 12:31:47 -0700 (PDT)
Received: from mail-yh0-x22c.google.com (mail-yh0-x22c.google.com [IPv6:2607:f8b0:4002:c01::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40ED91AC412 for <tls@ietf.org>; Mon, 20 Oct 2014 12:31:47 -0700 (PDT)
Received: by mail-yh0-f44.google.com with SMTP id i57so3815544yha.3 for <tls@ietf.org>; Mon, 20 Oct 2014 12:31:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=tUvvk09NBB20Tm0RsgKaMkRHMqgNLThIj1MGK/fX0MU=; b=ML3dNVHw7h8/YwFJIjx74qcYQVTJN462STevLv6aHKkdZnr3pJgcrWGJ0ZXWMqxzs6 oVdD7zEnzig/kUCOORNYjBhp0+op7qc+eJYr7Q0w2CI6iXVcY2+JqZW/417Y3QWNVDI5 2G0KNCvdrbSQAmOIaJx1k26E33DpFtD0NueMjh1Kuqt0rX4t4dMeWegt/79tMNlKx7t2 qYhBng8vLj1poCJvngSThqPvb4b1mLTwNN6brsHwTSsFWEg+hzlP+xQ0lf+vgtuc+kJv InBmxXljNss20zWr5ww0/qZ7CAc95ukd4WaxHnhgIk6dAM8LZWgdYvdTFX6x1EF2b2tN 7fJA==
MIME-Version: 1.0
X-Received: by 10.236.30.197 with SMTP id k45mr5662084yha.163.1413833506472; Mon, 20 Oct 2014 12:31:46 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Mon, 20 Oct 2014 12:31:45 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Mon, 20 Oct 2014 12:31:45 -0700 (PDT)
In-Reply-To: <CACsn0ckMNKOFzFcW4SvZFRKNAhwiAZBWd5qXw4ADSsRXKpv0ZQ@mail.gmail.com>
References: <544384C7.9030002@polarssl.org> <78795A6D-3DFA-41C6-A380-C63DDF4C0285@gmail.com> <5443BF11.3090505@polarssl.org> <1D875BD8-2727-4895-842A-FC4FAA482E15@gmail.com> <5e587b4474939cad09c12cbf3625dd98.squirrel@www.trepanning.net> <CACsn0ck0FRHFek59A5+jxDkDGEtXPT8HejO3wO4HnYfHCw6hYg@mail.gmail.com> <74986741b83a76277b2fcfd1e74a75d4.squirrel@www.trepanning.net> <54454F3C.7010305@polarssl.org> <e1137dfbb54785a52e18b22a31b45357.squirrel@www.trepanning.net> <CACsn0ckMNKOFzFcW4SvZFRKNAhwiAZBWd5qXw4ADSsRXKpv0ZQ@mail.gmail.com>
Date: Mon, 20 Oct 2014 12:31:45 -0700
Message-ID: <CACsn0cni65yLJYCxTRtv+JhF5fTreXeGjMYew8EgBfQToc443A@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Dan Harkins <dharkins@lounge.org>
Content-Type: multipart/alternative; boundary="089e01634d34eccb9e0505dfc389"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/q0342OFkkFlhpTr240YZ3pg0Pag
Cc: Manuel Pégourié-Gonnard <mpg@polarssl.org>, tls@ietf.org
Subject: Re: [TLS] PSK in 1.3?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Oct 2014 19:31:50 -0000
On Oct 20, 2014 12:20 PM, "Dan Harkins" <dharkins@lounge.org> wrote: > > > On Mon, October 20, 2014 11:06 am, Manuel Pégourié-Gonnard wrote: > > On 20/10/2014 19:06, Dan Harkins wrote: > >> There is nothing to flesh out because you seem to not understand > >> what a dictionary attack is-- but you're in company because neither > >> did the editors of that RFC. > >> > >> Protocols that use a static, symmetric credential like a PSK (or a > >> password, the difference is semantic) are all flawed because the > >> adversary is always assumed to have access to a pool from which > >> the PSK (or password is drawn. Resistance against dictionary attack > >> is then a demonstration that the advantage gained by the adversary > >> is due to _interaction_ and not _computation_. > >> > >> Merely making the pool from which the PSK is drawn, for instance > >> by making it a bigger or including mixed case, etc, does not make > >> the protocol resistant to dictionary attack. > > > > From a theoretical standpoint, the PSK key exchange is indeed vulnerable > > to a > > dictionary attack with this definition. In practice, if your keys are > > 128-bit > > long and chosen uniformly at random using a good source of entropy, I > > doubt any > > real-world adversary is able to gain a non-negligible advantage in the > > foreseeable future. > > The justification for these ciphersuites is some constrained device that > has a small data and code size. But if you can not only generate 128-bit > long uniformly random keys from a good source of entropy and also > securely provision them on 2 (or more) devices then you don't need TLS. > Just do static keyed symmetric crypto and you save even more data > and code by eliminating TLS! > > In practice, these things are deployed by people who probably do not > read the RFC in question, are in a hurry, and don't understand the > security implications of their use of TLS. The PSKs that get provisioned > are the ones that are easy to enter with a low probability of error-- i.e. > something considerably less than uniformly random 128-bit key > generated from a good source of entropy. > > This is not (only) a theoretical issue. It's practical reality. I dissent here: interoperability and firewall traversal are good reasons not to homebake something, and if this WG had done it's job, security would likely be better then a home brewed protocol. > > > Also, it should be noted that with this definition, the TLS session keys > > are > > vulnerable to a dictionary attack too. In practice, it's not a problem > > either > > for the same reason. Obviously the difference between the pre-shared key > > and the > > TLS session keys is that the later is short-term while the former is > > long-term. > > Which basically boils down to the point that PSK lacks FS. > > > > Are you sure you have point besides: > > - pre-shared key must be chosen with sufficient entropy and > > - PSK does not offer FS? > > Yes, I'm absolutely sure. It's: > > - you can't ensure security with MUSTs and SHALLs; and, > - the use case that you say compels PSK ciphersuites actually argues > against you. > > TLS should be as misuse resistant as possible. That is, it should be as > hard as possible to use improperly and that means no PSK ciphersuites. I concurr. > > regards, > > Dan. > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- Re: [TLS] PSK in 1.3? Yoav Nir
- [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Ilari Liusvaara
- Re: [TLS] PSK in 1.3? Eric Rescorla
- Re: [TLS] PSK in 1.3? Ilari Liusvaara
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Yoav Nir
- Re: [TLS] PSK in 1.3? Hauke Mehrtens
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Hauke Mehrtens
- Re: [TLS] PSK in 1.3? Watson Ladd
- Re: [TLS] PSK in 1.3? Jeffrey Walton
- Re: [TLS] PSK in 1.3? Paul Bakker
- Re: [TLS] PSK in 1.3? Eric Rescorla
- Re: [TLS] PSK in 1.3? Eric Rescorla
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Watson Ladd
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Watson Ladd
- Re: [TLS] PSK in 1.3? Peter Gutmann
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Mohamad Badra
- Re: [TLS] PSK in 1.3? Peter Gutmann
- Re: [TLS] PSK in 1.3? Peter Gutmann
- Re: [TLS] PSK in 1.3? Yoav Nir
- Re: [TLS] PSK in 1.3? Viktor Dukhovni
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Ilari Liusvaara
- Re: [TLS] PSK in 1.3? Sven Schäge
- Re: [TLS] PSK in 1.3? Christian Kahlo
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? John Mattsson
- Re: [TLS] PSK in 1.3? Alex Elsayed
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Viktor Dukhovni
- Re: [TLS] PSK in 1.3? Stephen Checkoway
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Stephen Checkoway
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Stephen Checkoway
- Re: [TLS] PSK in 1.3? Viktor Dukhovni
- Re: [TLS] PSK in 1.3? Watson Ladd