IETF Logo Mail Archive

Re: [TLS] PSK in 1.3?

Watson Ladd <watsonbladd@gmail.com> Mon, 20 October 2014 19:31 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E797D1AC41B for <tls@ietfa.amsl.com>; Mon, 20 Oct 2014 12:31:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lz0TNrETvmIx for <tls@ietfa.amsl.com>; Mon, 20 Oct 2014 12:31:47 -0700 (PDT)
Received: from mail-yh0-x22c.google.com (mail-yh0-x22c.google.com [IPv6:2607:f8b0:4002:c01::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40ED91AC412 for <tls@ietf.org>; Mon, 20 Oct 2014 12:31:47 -0700 (PDT)
Received: by mail-yh0-f44.google.com with SMTP id i57so3815544yha.3 for <tls@ietf.org>; Mon, 20 Oct 2014 12:31:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=tUvvk09NBB20Tm0RsgKaMkRHMqgNLThIj1MGK/fX0MU=; b=ML3dNVHw7h8/YwFJIjx74qcYQVTJN462STevLv6aHKkdZnr3pJgcrWGJ0ZXWMqxzs6 oVdD7zEnzig/kUCOORNYjBhp0+op7qc+eJYr7Q0w2CI6iXVcY2+JqZW/417Y3QWNVDI5 2G0KNCvdrbSQAmOIaJx1k26E33DpFtD0NueMjh1Kuqt0rX4t4dMeWegt/79tMNlKx7t2 qYhBng8vLj1poCJvngSThqPvb4b1mLTwNN6brsHwTSsFWEg+hzlP+xQ0lf+vgtuc+kJv InBmxXljNss20zWr5ww0/qZ7CAc95ukd4WaxHnhgIk6dAM8LZWgdYvdTFX6x1EF2b2tN 7fJA==
MIME-Version: 1.0
X-Received: by 10.236.30.197 with SMTP id k45mr5662084yha.163.1413833506472; Mon, 20 Oct 2014 12:31:46 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Mon, 20 Oct 2014 12:31:45 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Mon, 20 Oct 2014 12:31:45 -0700 (PDT)
In-Reply-To: <CACsn0ckMNKOFzFcW4SvZFRKNAhwiAZBWd5qXw4ADSsRXKpv0ZQ@mail.gmail.com>
References: <544384C7.9030002@polarssl.org> <78795A6D-3DFA-41C6-A380-C63DDF4C0285@gmail.com> <5443BF11.3090505@polarssl.org> <1D875BD8-2727-4895-842A-FC4FAA482E15@gmail.com> <5e587b4474939cad09c12cbf3625dd98.squirrel@www.trepanning.net> <CACsn0ck0FRHFek59A5+jxDkDGEtXPT8HejO3wO4HnYfHCw6hYg@mail.gmail.com> <74986741b83a76277b2fcfd1e74a75d4.squirrel@www.trepanning.net> <54454F3C.7010305@polarssl.org> <e1137dfbb54785a52e18b22a31b45357.squirrel@www.trepanning.net> <CACsn0ckMNKOFzFcW4SvZFRKNAhwiAZBWd5qXw4ADSsRXKpv0ZQ@mail.gmail.com>
Date: Mon, 20 Oct 2014 12:31:45 -0700
Message-ID: <CACsn0cni65yLJYCxTRtv+JhF5fTreXeGjMYew8EgBfQToc443A@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Dan Harkins <dharkins@lounge.org>
Content-Type: multipart/alternative; boundary="089e01634d34eccb9e0505dfc389"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/q0342OFkkFlhpTr240YZ3pg0Pag
Cc: Manuel Pégourié-Gonnard <mpg@polarssl.org>, tls@ietf.org
Subject: Re: [TLS] PSK in 1.3?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Oct 2014 19:31:50 -0000

On Oct 20, 2014 12:20 PM, "Dan Harkins" <dharkins@lounge.org> wrote:
>
>
> On Mon, October 20, 2014 11:06 am, Manuel Pégourié-Gonnard wrote:
> > On 20/10/2014 19:06, Dan Harkins wrote:
> >>   There is nothing to flesh out because you seem to not understand
> >> what a dictionary attack is-- but you're in company because neither
> >> did the editors of that RFC.
> >>
> >>   Protocols that use a static, symmetric credential like a PSK (or a
> >> password, the difference is semantic) are all flawed because the
> >> adversary is always assumed to have access to a pool from which
> >> the PSK (or password is drawn. Resistance against dictionary attack
> >> is then a demonstration that the advantage gained by the adversary
> >> is due to _interaction_ and not _computation_.
> >>
> >>   Merely making the pool from which the PSK is drawn, for instance
> >> by making it a bigger or including mixed case, etc, does not make
> >> the protocol resistant to dictionary attack.
> >
> > From a theoretical standpoint, the PSK key exchange is indeed vulnerable
> > to a
> > dictionary attack with this definition. In practice, if your keys are
> > 128-bit
> > long and chosen uniformly at random using a good source of entropy, I
> > doubt any
> > real-world adversary is able to gain a non-negligible advantage in the
> > foreseeable future.
>
>   The justification for these ciphersuites is some constrained device that
> has a small data and code size. But if you can not only generate 128-bit
> long uniformly random keys from a good source of entropy and also
> securely provision them on 2 (or more) devices then you don't need TLS.
> Just do static keyed symmetric crypto and you save even more data
> and code by eliminating TLS!
>
>   In practice, these things are deployed by people who probably do not
> read the RFC in question, are in a hurry, and don't understand the
> security implications of their use of TLS. The PSKs that get provisioned
> are the ones that are easy to enter with a low probability of error-- i.e.
> something considerably less than uniformly random 128-bit key
> generated from a good source of entropy.
>
>   This is not (only) a theoretical issue. It's practical reality.

I dissent here: interoperability and firewall traversal are good reasons
not to homebake something, and if this WG had done it's job, security would
likely be better then a home brewed protocol.
>
> > Also, it should be noted that with this definition, the TLS session keys
> > are
> > vulnerable to a dictionary attack too. In practice, it's not a problem
> > either
> > for the same reason. Obviously the difference between the pre-shared key
> > and the
> > TLS session keys is that the later is short-term while the former is
> > long-term.
> > Which basically boils down to the point that PSK lacks FS.
> >
> > Are you sure you have point besides:
> > - pre-shared key must be chosen with sufficient entropy and
> > - PSK does not offer FS?
>
>   Yes, I'm absolutely sure. It's:
>
>   - you can't ensure security with MUSTs and SHALLs; and,
>   - the use case that you say compels PSK ciphersuites actually argues
>      against you.
>
> TLS should be as misuse resistant as possible. That is, it should be as
> hard as possible to use improperly and that means no PSK ciphersuites.

I concurr.
>
>   regards,
>
>   Dan.
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email