Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-cfrg-dragonfly document status)

Andy Lutomirski <luto@amacapital.net> Thu, 09 October 2014 17:24 UTC

In-Reply-To: <D05BF8A4.50927%paul@marvell.com>
References: <54357A2A.2010800@isode.com> <38634A9C401D714A92BB13BBA9CCD34F13E26818@mail-essen-01.secunet.de> <54366BA1.1010603@cs.tcd.ie> <D05BF8A4.50927%paul@marvell.com>
From: Andy Lutomirski <luto@amacapital.net>
Date: Thu, 09 Oct 2014 10:21:00 -0700
Message-ID: <CALCETrUTkHixj-3yJdV2ASOmkD0recy983jBGmwVZkFfGfgaxQ@mail.gmail.com>
To: Paul Lambert <paul@marvell.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/-mqbDqAf4jfjWBiEjuXiiDkKgfU
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-cfrg-dragonfly document status)

On Thu, Oct 9, 2014 at 9:55 AM, Paul Lambert <paul@marvell.com> wrote:
>
> The 'mostly' is that the Dragonfly draft should be published
> so it can be used a little better in a couple of specific
> environments where it is already being wired into systems.
> Specifically, IEEE 802.11 has the SAE protocol which uses
> the Dragonfly exchange for mesh networks.  There are other
> peer-to-peer wireless applications that could use Dragonfly
> soon. In particular, the Wi-Fi industry also has a long
> standing issue with password based authentication
> being subject to brute-force attacks in the
> WPA2-Personal authentication (aka 4-way handshake).
> Dragonfly in the form of SAE will potentially
> be dropped in as a replacement for the current
> hash based exchange.

I believe that this is exactly why quite a few people (myself
included) think that CFRG should think long and hard before publishing
Dragonfly.  To the extent that CFRG's imprimatur will encourage
IEEE802.11 adoption of Dragonfly, CFRG should *not* bless Dragonfly.

Let's review:

IEEE802.11 adopted WEP despite best practices suggesting that the
protocol, as designed, should not be used.  As far as I know, no one
knew how to break it when it was adopted, but no one had a compelling
argument that it couldn't be broken.

WEP was later upgraded to WPA2 (I'm ignoring TKIP and friends).  There
was no security proof for WPA2, but it seemed good enough, especially
given the constraints at the time.  IIRC it ended up being considerably
weaker than hoped.

Now apparently Dragonfly is being proposed.  At least Dragonfly claims
to have the right security properties.  But, from reading all the
discussion here, it seems that Dragonfly is only unbroken because the
issues in early drafts were fixed and the known attempts to attack it
don't work.

But this is ridiculous for a new protocol.  There are multiple simple
protocols with security proofs, *especially* for balanced PAKEs.
There are the various SPAKE flavors, J-PAKE, and (my favorite because
it's so simple) DH-EKE.

If CFRG wants to publish the Dragonfly draft with a statement that
Dragonfly is not recommended for new designs, that's one thing.  But
publishing it as is, especially if that will be seen as a sign that it
is appropriate to use in new designs, seems dangerous.

--Andy