Pairing Protocol (for DNS SD privacy)


1 Pairing Protocol (for DNS SD privacy)
Christian Huitema, Daniel Kaiser
IETF 97, Seoul, November 17, 2016
draft-ietf-dnssd-pairing-00

2 Three-phase protocol, to establish PSK
- Discovery (risk of divulging pairing relation)
  - Two parties find each other before establishing a connection
  - DNS-SD variant: server advertises "pairing service"; server uses random instance name and host name for better privacy
  - QR code variant: server displays QR code, encoding URL + IP address
- Agreement (vulnerable to MITM)
  - Set up TLS connection using Anonymous Diffie-Hellman in TLS
  - Export PSK as per RFC 5705
- Authentication (removes MITM vulnerability)
  - Use Short Authentication String (SAS)
  - Establish SAS through "commit before disclosure" protocol
  - Display on 2 devices + visual verification
  - If verified, store PSK on each device

3 SAS: TLS extension or Application protocol?
- The SAS exchange
  - Alice: Here is HASH(Nonce1) – this commits the value before disclosure
  - Bob: Here is Nonce2 – cannot predict the value of Nonce1 yet
  - Alice: Here is Nonce1 – disclose now, too late for MITM games
  - Both: compute SAS = SHORT HASH(Nonce1|Nonce2|ProposedSecret)
    - E.g., first 20 bits of HMAC/SHA256, presented as 6-7 digit decimal number
  - Display, compare, verify
- Could be implemented as TLS extension
  - Is there appetite for that from TLS implementers?
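As an added illustration, not code from the draft or the slides: a Python sketch of the commit-before-disclosure SAS exchange on this slide, with Bob rejecting a disclosed nonce that does not match the commitment. It assumes the "short hash" is HMAC-SHA256 keyed with the exported PSK over Nonce1|Nonce2, truncated to its first 20 bits and shown as 7 decimal digits; those choices are assumptions, not the draft's specification.

```python
import hashlib
import hmac
import os

SAS_BITS = 20  # slide: "first 20 bits of HMAC/SHA256"


def commit(nonce: bytes) -> bytes:
    """Alice's first message: SHA-256 of Nonce1, sent before Nonce1 itself."""
    return hashlib.sha256(nonce).digest()


def verify_commitment(commitment: bytes, nonce: bytes) -> bool:
    """Bob checks the disclosed Nonce1 against the commitment he received first."""
    return hmac.compare_digest(commit(nonce), commitment)


def compute_sas(nonce1: bytes, nonce2: bytes, proposed_secret: bytes) -> int:
    # Assumption: HMAC keyed with the RFC 5705 exported PSK over Nonce1|Nonce2.
    mac = hmac.new(proposed_secret, nonce1 + nonce2, hashlib.sha256).digest()
    # Top 20 bits of the MAC: 3 bytes = 24 bits, drop the low 4.
    return int.from_bytes(mac[:3], "big") >> (24 - SAS_BITS)


def format_sas(sas: int) -> str:
    """Render as the 7-digit decimal both users read off their screens (2^20 < 10^7)."""
    return f"{sas:07d}"


def run_exchange(psk_alice: bytes, psk_bob: bytes, nonce1=None, nonce2=None):
    """Simulate the three messages; returns the SAS each side would display."""
    nonce1 = nonce1 or os.urandom(32)
    nonce2 = nonce2 or os.urandom(32)
    commitment = commit(nonce1)            # 1. Alice -> Bob: HASH(Nonce1)
    # 2. Bob -> Alice: Nonce2 (Bob cannot yet predict Nonce1)
    # 3. Alice -> Bob: Nonce1; Bob verifies it against step 1
    if not verify_commitment(commitment, nonce1):
        raise ValueError("disclosed nonce does not match commitment")
    # With a MITM, each side exported a different PSK from its own TLS session,
    # so the two displayed strings differ and visual verification fails.
    return (format_sas(compute_sas(nonce1, nonce2, psk_alice)),
            format_sas(compute_sas(nonce1, nonce2, psk_bob)))
```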

4 Process and Next steps
- Adoption call passed
  - Draft is now: draft-ietf-dnssd-pairing-00
  - Really need review and feedback
- Need to formulate the TLS option
  - TLS WG draft, scheduled post Seoul IETF
- Need implementation experience
  - Working on it with Get DNS team
  - Anybody else?
- Report on implementation and last call around IETF 98?
