Re: [Cfrg] Suggestion for open competition on PAKE -> Was Re: Dragonfly has advantages

"Dan Harkins" <> Sun, 05 January 2014 08:12 UTC

Date: Sun, 05 Jan 2014 00:12:23 -0800
From: Dan Harkins <>
To: David McGrew <>
Cc: Trevor Perrin <>, "" <>
Subject: Re: [Cfrg] Suggestion for open competition on PAKE -> Was Re: Dragonfly has advantages

  Hi David,

On Sat, January 4, 2014 8:42 am, David McGrew wrote:
> As a side note, I personally would also like to see
> guidance/documentation on how PAKEs can best be used, and I agree with
> your comment about bootstrapping authentication.  Replacing a raw
> username/password exchange inside of TLS with a PAKE would be good, and
> using a PAKE for password-based certificate enrollment would be good.
> Replacing certificate based authentication with a PAKE would be not so
> good.

  I agree with everything above.

  PAKEs are useful because they provide a certain amount of security even
in the presence of weak, low-entropy passwords. And passwords are easy
and simple to use for people who are not computer savvy, much less crypto
clueful; they are intuitive to use. So PAKEs can provide a kind of misuse

  PAKEs are also useful for bootstrapping and for things like certificate
enrollment. In fact, it is securing an RFC 7030 exchange that prompted
me to push so hard for TLS-pwd. The fact is that if someone does not
have a certificate then he probably also lacks a suitable trust anchor
database with which to properly secure a certificate-based TLS exchange
to enroll with a CA (any step that populates the trust anchor database
can be used to just give the user a certificate and be done with it). And
in that case what they will do is accept an unverified self-signed certificate
and use HTTP digest authentication right before they say "give me the
CA's certificate that I will trust from now on". I know this because I've
seen people deploy this nonsense.

  In addition, when someone is requesting certification of a public
key it makes sense to authenticate using a PAKE with the same group--
384 bit prime ECC for a certified public key, then 384 bit prime ECC with
the PAKE. The group used in the PAKE can't be fixed to the password.

  So we need ECC support in a balanced PAKE. And we needed it a
few months ago when RFC 7030 got published.

  No one should ever use a PAKE in lieu of a certificate-based
authentication scheme provided that the certificate can be, and is,
properly validated. I certainly was not suggesting dragonfly for that