Hi Richard,

I work in the IoT space and am interested in handshakes that involve little 
computation but offer better protection than symmetric PSK in the event of 
server breach.

From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Richard Barnes
Sent: 11 April 2018 15:54

We would love to hear any feedback on the approach proposed here, and on 
whether other people here would be interested in working on a PAKE mechanism 
for TLS in this working group.

I was interested in this draft as it seemed to tick some boxes, and I offer 
some comments below. But in the end I don't think it offers what I'm looking 
for, so I can't offer to help with it in its current form.

My main comment is that I disagree with the assertion in section 3 that "w" is 
effectively a salted password hash. An attacker who obtains "w" can impersonate 
the client to the server, so it is equivalent to a password. The only advantage 
is that a server breach cannot be extended to other servers where the user uses 
the same password, but different salts are used. It seems to me that SPAKE2+ 
prevents this, so perhaps this should be used instead.

Secondly, SPAKE2 is fitted to the TLS 1.3 handshake by forcing the client to 
know the salt. This seems unreasonable to me unless there is also some 
mechanism to retrieve the salt from the server. Could the salt be a hash of 
client identity and server identity? (I suspect there is not enough entropy in 
this). But in any case I think this is an issue which must be addressed in the 

Why does the draft need to specify what the identity of the server is? It 
doesn't seem to be used.

Would it be helpful to send a list of SPAKE2Shares in ClientHello? For example, 
if the application layer protocol is being negotiated, would it be necessary to 
supply shares for multiple protocols? Alternatively, if the client and/or 
server support multiple pre-provisioned values (G, M, N, H), how would this be 
signalled/managed? And would there be associated security concerns?

It is worth noting explicitly somewhere that x and y should have the same 
ephemeral characteristics as are used by the key_share elements, and that if 
this is followed then forward secrecy is provided by SPAKE2.

IMHO "w" should not be used as the PSK input. If somebody gets hold of a 
derived key (e.g. early_exporter_master_secret) then the low entropy of "w" may 
allow it to be recovered. "K" provides all that's needed for key derivation.

The draft should recommend somewhere (security section?) that H should be 
suitable for password hashing (e.g. Argon2) and not a standard hash function. 
This is particularly true if my earlier suggestion to use SPAKE2+ is followed.


Dyson Technology Limited, company number 01959090, Tetbury Hill, Malmesbury, 
SN16 0RP, UK.
This message is intended solely for the addressee and may contain confidential 
information. If you have received this message in error, please immediately and 
permanently delete it, and do not use, copy or disclose the information 
contained in this message or in any attachment.
Dyson may monitor email traffic data and content for security & training.
TLS mailing list

Reply via email to