[Cfrg] Dragonfly/RFC 7664 clarification

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Wed, 18 November 2015 12:57 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/-QH50u3EdTkoVQebWKjcN5ekKYw>

Dear CFRG,

There has been some discussion on the list about changes made to RFC 7664
(Dragonfly Key Exchange) at a late stage in the publication process. The
chairs would like to add some clarity here.

Late in the process, one of us (Kenny) noticed that a paper was due to
appear at a conference, ISC 2015, which offered a security proof for a
protocol close to Dragonfly. We were able to obtain a pre-publication
version of the paper from the authors, Lancrenon and Skrobot, and make it
available to Dan Harkins, the author of RFC 7664. We agreed with Dan that
the RFC should make reference to this paper if possible. It now does so,
as [lanskro].

However, the paper [lanskro] does not analyse Dragonfly as specified in
RFC 7664, but a variant of it in which the identities are hashed as part
of the final key derivation process. The chairs had two choices at this
point:

- Ask the author (Dan) to change the protocol in the RFC to include
identifiers, and cite [lanskro].

- Ask the author to include a reference to [lanskro] and make a careful
statement about what the proof in that paper says about the Dragonfly
protocol as specified in the RFC.

Given that the group had extensively reviewed Dragonfly as specified, we
decided that the second option here was the better one to take. The exact
wording in the RFC is as follows:

"[lanskro] provides a security proof of Dragonfly in the random oracle
   model when both identities are included in the data sent in the
   Confirm Exchange (see Section 3.4)."

Secondary factors in forming the chairs' decision included the fact that
the original intention of the work was to produce a public specification
of a protocol in use in other standards and the fact that there is IPR on
the idea of hashing in identifiers during key derivation (we are not
lawyers, but see US patent 7627760 for example).

Regards,

Alexey and Kenny