Hi Richard, I work in the IoT space and am interested in handshakes that involve little computation but offer better protection than symmetric PSK in the event of server breach.
From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Richard Barnes Sent: 11 April 2018 15:54 […] We would love to hear any feedback on the approach proposed here, and on whether other people here would be interested in working on a PAKE mechanism for TLS in this working group. […] I was interested in this draft as it seemed to tick some boxes, and I offer some comments below. But in the end I don't think it offers what I'm looking for, so I can't offer to help with it in its current form. My main comment is that I disagree with the assertion in section 3 that "w" is effectively a salted password hash. An attacker who obtains "w" can impersonate the client to the server, so it is equivalent to a password. The only advantage is that a server breach cannot be extended to other servers where the user uses the same password, but different salts are used. It seems to me that SPAKE2+ prevents this, so perhaps this should be used instead. Secondly, SPAKE2 is fitted to the TLS 1.3 handshake by forcing the client to know the salt. This seems unreasonable to me unless there is also some mechanism to retrieve the salt from the server. Could the salt be a hash of client identity and server identity? (I suspect there is not enough entropy in this). But in any case I think this is an issue which must be addressed in the draft. Why does the draft need to specify what the identity of the server is? It doesn't seem to be used. Would it be helpful to send a list of SPAKE2Shares in ClientHello? For example, if the application layer protocol is being negotiated, would it be necessary to supply shares for multiple protocols? Alternatively, if the client and/or server support multiple pre-provisioned values (G, M, N, H), how would this be signalled/managed? And would there be associated security concerns? It is worth noting explicitly somewhere that x and y should have the same ephemeral characteristics as are used by the key_share elements, and that if this is followed then forward secrecy is provided by SPAKE2. IMHO "w" should not be used as the PSK input. If somebody gets hold of a derived key (e.g. early_exporter_master_secret) then the low entropy of "w" may allow it to be recovered. "K" provides all that's needed for key derivation. The draft should recommend somewhere (security section?) that H should be suitable for password hashing (e.g. Argon2) and not a standard hash function. This is particularly true if my earlier suggestion to use SPAKE2+ is followed. Regards, Tony Dyson Technology Limited, company number 01959090, Tetbury Hill, Malmesbury, SN16 0RP, UK. This message is intended solely for the addressee and may contain confidential information. If you have received this message in error, please immediately and permanently delete it, and do not use, copy or disclose the information contained in this message or in any attachment. Dyson may monitor email traffic data and content for security & training.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls