[TLS] PSK has no security? ... was Re: I-D Action: draft-ietf-tls-pwd-04.txt

Hannes Tschofenig <hannes.tschofenig@gmx.net> Wed, 02 April 2014 07:12 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE0E41A0022 for <tls@ietfa.amsl.com>; Wed, 2 Apr 2014 00:12:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qjLS7RTVXqte for <tls@ietfa.amsl.com>; Wed, 2 Apr 2014 00:12:29 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) by ietfa.amsl.com (Postfix) with ESMTP id 2A5491A0013 for <tls@ietf.org>; Wed, 2 Apr 2014 00:12:29 -0700 (PDT)
Received: from [192.168.131.137] ([80.92.119.215]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0M8MyE-1XH0fl0hsI-00vv5Y; Wed, 02 Apr 2014 09:12:23 +0200
Message-ID: <533BB7E1.9060400@gmx.net>
Date: Wed, 02 Apr 2014 09:10:25 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Dan Harkins <dharkins@lounge.org>, Nico Williams <nico@cryptonector.com>
References: <20140328195334.19328.19928.idtracker@ietfa.amsl.com> <CACsn0c==pRzDKd7G=eAhds=o9qexqe9Jb3DgNC9gzh-6xaKcAQ@mail.gmail.com> <dd67ab76dee19a82a0dfcdaa6512b905.squirrel@www.trepanning.net> <CACsn0ckQiNODB9DLj5XpcQDH2ykfD76CoV11-R4JJL+1_Vogfw@mail.gmail.com> <f8dc8cec46f6126146a7afa2421e43de.squirrel@www.trepanning.net> <CACsn0cmRRygPPk8=iU536-TK9mDFVcMOrYw_1tNV3=LZ02_9Hw@mail.gmail.com> <CAK3OfOjPyk2abEL-jqMk7ZujrF287yZnYJpr3xLs0yboFJX_6w@mail.gmail.com> <5db2aa46715b8f0b115b005b0abfbf58.squirrel@www.trepanning.net> <20140401211637.GA21606@localhost> <c086306b2881a34c9f3823afbd0e72d3.squirrel@www.trepanning.net>
In-Reply-To: <c086306b2881a34c9f3823afbd0e72d3.squirrel@www.trepanning.net>
X-Enigmail-Version: 1.5.2
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="ojXmX6bdkRNVqh9QVudxo8hWBE4i1r8DE"
X-Provags-ID: V03:K0:BmlpvAmhKmOe5yp2Plb7lX/UxtMp+C0LqdjmlG0CzTPnjRdHDG3 cSTM97EYHLJ3dbkDwgESOw2+nulHds7k0IfneiC7D1TTBVRwhlohdYIO+u6F0Lm2L7H6049 s4NZZ7IjIm6jRKJBua/BpvzR9YWuwN92tzda7Fm+56RGoFAGNocivi8tAC57MQ+AuXQx2Xq GWT1a0J9I4YgBkMtN5uww==
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/xDZJVIurRS9tIIme6fol3ZDGHak
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: [TLS] PSK has no security? ... was Re: I-D Action: draft-ietf-tls-pwd-04.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Apr 2014 07:12:34 -0000

I just noticed this one sentence "PSK has no security?" and it caught my
attention.

I believe you guys are trying to misinterpet the TLS-PSK document. Maybe
you are thinking about use cases we did not envision.

TLS-PSK is not a password-based authentication mechanism for TLS!
It was never meant to be one either.

On the Web, already at that time, everyone was using passwords in forms
rather than at a lower layer in the stack. This has not changed.
(So, there was no need to standardize a password-based mechanism in TLS
at that time.)

There are very few people who are interested in using passwords in TLS
and I don't think this is the direction where deployments are going.
(Have a look at FIDO for a more promising approach of improving
authentication on the Web.)
[FWIW, I believe the strong password-based authentication and key
exchange in TLS will not lead to an improvement in password practices on
the Web.]

As a co-author of the TLS-PSK RFC I can tell you that the work was
motivated by activities in the 3GPP. The 3GPP had developed a Kerberos
alike key management protocol. The fresh and unique session key (not
password) would then be used as input to the TLS-PSK protocol.

Now, it turns out that that 3GPP work didn't really go anywhere. What we
hadn't anticipated at that time was the development on Internet of
Things where it makes sense to provision symmetric keys (not passwords)
on sensors for use with the TLS-PSK protocol. This is useful because of
(a) the excellent performance of symmetric key cryptography and (b) the
small code size.

Ciao
Hannes

On 04/02/2014 12:30 AM, Dan Harkins wrote:
> 
> On Tue, April 1, 2014 2:16 pm, Nico Williams wrote:
>> On Tue, Apr 01, 2014 at 01:59:09PM -0700, Dan Harkins wrote:
>>> On Tue, April 1, 2014 12:30 pm, Nico Williams wrote:
>>>> On Fri, Mar 28, 2014 at 8:40 PM, Watson Ladd <watsonbladd@gmail.com>
>>>> wrote:
>>>>> PSK has no security? That's ridiculous: if high-entropy keys are used
>>>>> it is fairly easy to see it is secure.
>>>>
>>>> TLS-PSK did not specify a PBKDF either, so it can't be used with
>>>> passwords, therefore we might as well assume high-quality keys for
>>>> TLS-PSK.  Therefore you're quite right.
>>>
>>>   There is nothing in the protocol that prevents it from being used with
>>> passwords. You're not only assuming something about the nature of the
>>> PSK, you're assuming something about the people that use the protocol
>>> and that is quite naive.
>>
>> PSK requires pre-sharing the secret key.  If such presharing involves a
>> password then the secret key must be derived from said password.  How?
>> Well, the two peers have to agree.  How?  Well, it's not specified!
> 
>   No, the secret key IS the password, it's not derived from the password.
> 
>> If there interoperable TLS-PSK w/ password implementations, then there's
>> a missing standard.  I have no knowledge of such implementations.
>>
>> Without any further input the only reasonable conclusion is that TLS-PSK
>> does not support passwords.  Evidence to the contrary would be welcomed.
> 
>   Try openssl. It has an artificial hex checker for PSK inputs but make
> your PSK be "bad" without the quotes. Works just fine.
> 
>   The presence of implementations is somewhat irrelevant since the point is
> that the _specification_ allows for a PSK to be anything, it just needs to be
> identical on both sides.
> 
>>>   Furthermore making assumptions about the nature of the PSK does not
>>> change the fact that TLS-PSK has a defect: the advantage an attacker
>>> gains is through computation and not interaction. And for the non-DHE
>>> ciphersuites, that defect can be exploited through passive attack!
>>
>> Only if they are password-derived keys, otherwise no.
> 
>   No, that is wrong. Just because something is a number, or is taken
> from a large space of numbers does not change the fact that the adversary
> gains advantage through computation. It either passively observes a
> single TLS-PSK exchange (if non-DHE) or it performs a single active attack
> on a TLS-PSK user (if DHE) and then goes offline and crunches numbers
> until it determines the PSK.
> 
>   Using a "high quality key" just makes that number crunching take more
> time, it does not change the fundamental nature of the number crunching.
> And therein lies the flaw of the TLS-PSK ciphersuites.
> 
>   A protocol that requires the adversary to gain advantage through
> interaction and not through computation is vastly superior because
> excessive unsuccessful interaction can be detected.
> 
>>>> Even if the server must store a password-equivalent I'd still want a
>>>> decent PBKDF to be used for any protocol that derives keying material
>>>> from passwords!
>>>
>>>   Why? Deterministically hashing a secret 1000 times or 4000 times
>>> does not increase the entropy in the secret. A PBKDF is just supposed
>>> to increase the work factor of the attacker, it does nothing to the
>>> resulting keying material.
>>
>> Because verifier databases get compromised regularly.  Just point your
>> browser to your favorite news site and wait a few weeks, you'll see.
> 
>   But that has nothing to do with how a protocol derives keying material.
> 
>>>   Wi-Fi specifies a PBKDF when using a PSK and the exchange is
>>> essentially the same as the non-DHE TLS-PSK ciphersuites. That
>>> protocol is horribly broken and tools exist on the Internet to attack
>>> it. And guess what? People still use it with weak, low-entropy PSKs
>>> in spite of assumptions to the contrary.
>>
>> My concern is not eavesdroppers in this case.  See above.
> 
>   So what? It's an example of a protocol that uses a PBKDF being
> trivially and successfully attacked. The result of the attack is that
> the PSK. If the attacker chooses to use that knowledge to further
> eavesdrop it's up to him. Regardless of your concern, your belief in
> the power of a PBKDF seems a bit misplaced.
> 
>   Dan.
> 
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>