Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-cfrg-dragonfly document status)
Andy Lutomirski <luto@amacapital.net> Thu, 09 October 2014 17:24 UTC
From: Andy Lutomirski <luto@amacapital.net>
Date: Thu, 09 Oct 2014 10:21:00 -0700
Message-ID: <CALCETrUTkHixj-3yJdV2ASOmkD0recy983jBGmwVZkFfGfgaxQ@mail.gmail.com>
To: Paul Lambert <paul@marvell.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/-mqbDqAf4jfjWBiEjuXiiDkKgfU
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-cfrg-dragonfly document status)
On Thu, Oct 9, 2014 at 9:55 AM, Paul Lambert <paul@marvell.com> wrote:
>
> The 'mostly' is that the Dragonfly draft should be published
> so it can be used a little better in a couple of specific
> environments where it is already being wired into systems.
> Specifically, IEEE 802.11 has the SAE protocol which uses
> the Dragonfly exchange for mesh networks. There are other
> peer-to-peer wireless applications that could use Dragonfly
> soon. In particular, the Wi-Fi industry also has a long
> standing issue with password based authentication
> being subject to brute-force attacks in the
> WPA2-Personal authentication (aka 4-way handshake).
> Dragonfly in the form of SAE will potentially
> be dropped in as a replacement for the current
> hash based exchange.

I believe that this is exactly why quite a few people (myself included) think that CFRG should think long and hard before publishing Dragonfly. To the extent that CFRG's imprimatur will encourage IEEE802.11 adoption of Dragonfly, CFRG should *not* bless Dragonfly.

Let's review:

IEEE802.11 adopted WEP despite best practices suggesting that the protocol, as designed, should not be used. As far as I know, no one knew how to break it when it was adopted, but no one had a compelling argument that it couldn't be broken.

WEP was later upgraded to WPA2 (I'm ignoring TKIP and friends). There was no security proof for WPA2, but it seemed good enough, especially given the constraints at the time. IIRC it ended up being considerably weaker than hoped.

Now apparently Dragonfly is being proposed. At least Dragonfly claims to have the right security properties. But, from reading all the discussion here, it seems that Dragonfly is only unbroken because the issues in early drafts were fixed and the known attempts to attack it don't work. But this is ridiculous for a new protocol. There are multiple simple protocols with security proofs, *especially* for balanced PAKEs. There are the various SPAKE flavors, J-PAKE, and (my favorite because it's so simple) DH-EKE.

If CFRG wants to publish the Dragonfly draft with a statement that Dragonfly is not recommended for new designs, that's one thing. But publishing it as is, especially if that will be seen as a sign that it is appropriate to use in new designs, seems dangerous.

--Andy
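The balanced PAKEs the message holds up against Dragonfly are simple enough to show end to end. The block below is an added illustration, not code from the message, from the Dragonfly draft or from any SPAKE specification: a SPAKE2-style exchange (one of the "SPAKE flavors" named above) in Python, with both parties' flows, the subgroup-membership check on the received value, and key confirmation. Assumptions, all mine: a constructed 128-bit safe-prime group found at import time (far too small for real use, where 2048-bit or elliptic-curve groups apply), SHA-256 standing in for the memory-hard password hash a deployment would use, a single HMAC confirmation key in place of the separate key split a real specification defines, and hypothetical function names.

```python
# Toy SPAKE2-style balanced PAKE over the prime-order subgroup of Z_p^*, p = 2q+1.
# Added illustration only; the group size, password hashing and confirmation
# scheme are simplified (see the lead-in). Not code from the message or any draft.
import hashlib
import hmac
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases: adequate for a toy, not a primality proof at 128 bits."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits: int):
    """Smallest odd q >= 2**(bits-1) with q and p = 2q+1 both prime; g = 4 = 2^2 has order q."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = safe_prime_group(128)  # constructed toy parameters; a deployment needs a standard group


def hash_to_subgroup(label: bytes) -> int:
    """Fixed element whose discrete log nobody knows; squaring maps into the order-q subgroup."""
    h = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
    return pow(h, 2, P)


M, N = hash_to_subgroup(b"toy-SPAKE2 M"), hash_to_subgroup(b"toy-SPAKE2 N")


def password_scalar(password: bytes) -> int:
    # A deployment would run a memory-hard KDF here; plain SHA-256 keeps the toy short.
    return int.from_bytes(hashlib.sha256(password).digest(), "big") % Q


def start(role: str, password: bytes):
    """First flow: send g^x blinded by M^w (role A) or N^w (role B); keep (role, w, x, msg)."""
    w = password_scalar(password)
    x = secrets.randbelow(Q - 1) + 1          # fresh ephemeral exponent per run
    blind = M if role == "A" else N
    msg = pow(G, x, P) * pow(blind, w, P) % P
    return role, w, x, msg


def finish(state, peer_msg: int) -> bytes:
    """Second flow: validate the peer value, strip its blinding, derive K = g^(xy), hash transcript."""
    role, w, x, own_msg = state
    # Reject 0, 1, values outside the field and the order-2 element: the proof assumes
    # inputs live in the prime-order subgroup, so enforce it before using them.
    if not 1 < peer_msg < P or pow(peer_msg, Q, P) != 1:
        raise ValueError("peer value is not in the prime-order subgroup")
    peer_blind = N if role == "A" else M
    unblinded = peer_msg * pow(peer_blind, Q - w, P) % P   # multiply by peer_blind^(-w)
    shared = pow(unblinded, x, P)                          # g^(xy) when both used the same w
    msg_a, msg_b = (own_msg, peer_msg) if role == "A" else (peer_msg, own_msg)
    transcript = b"|".join(str(v).encode() for v in (msg_a, msg_b, shared, w))
    return hashlib.sha256(transcript).digest()


def confirm_tag(key: bytes, role: str) -> bytes:
    """Key-confirmation tag each side sends; the peer recomputes it under its own key."""
    return hmac.new(key, b"confirm-" + role.encode(), hashlib.sha256).digest()


def run_exchange(password_a: bytes, password_b: bytes):
    """Both sides' messages in one place; returns (key_a, key_b, both_confirmed)."""
    st_a = start("A", password_a)
    st_b = start("B", password_b)
    key_a = finish(st_a, st_b[3])             # A receives B's blinded value
    key_b = finish(st_b, st_a[3])             # B receives A's blinded value
    ok_a = hmac.compare_digest(confirm_tag(key_a, "B"), confirm_tag(key_b, "B"))
    ok_b = hmac.compare_digest(confirm_tag(key_b, "A"), confirm_tag(key_a, "A"))
    return key_a, key_b, ok_a and ok_b


if __name__ == "__main__":
    _, _, same = run_exchange(b"correct horse", b"correct horse")
    _, _, wrong = run_exchange(b"correct horse", b"battery staple")
    print("matching passwords agree:", same, "| mismatch detected:", not wrong)
```

The point this makes for the WPA2-Personal discussion above: the only password-dependent values on the wire are multiplied by fresh random group elements, so a recorded transcript gives a passive observer nothing to test a guess against, and each wrong guess costs an online run that the other side can count, rate-limit and log. The membership check in `finish` is the input validation the security proof takes for granted; leaving it out is the kind of detail that separates a protocol with a proof from a deployment that has one on paper.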