Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG document
Andy Lutomirski <luto@amacapital.net> Mon, 15 December 2014 19:40 UTC
Return-Path: <luto@amacapital.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F60A1A87AA for <cfrg@ietfa.amsl.com>; Mon, 15 Dec 2014 11:40:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a42Kh7SL2uZl for <cfrg@ietfa.amsl.com>; Mon, 15 Dec 2014 11:40:01 -0800 (PST)
Received: from mail-lb0-f182.google.com (mail-lb0-f182.google.com [209.85.217.182]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 318211A87BD for <cfrg@irtf.org>; Mon, 15 Dec 2014 11:39:22 -0800 (PST)
Received: by mail-lb0-f182.google.com with SMTP id f15so10394047lbj.41 for <cfrg@irtf.org>; Mon, 15 Dec 2014 11:39:20 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding; bh=m5ydTFw6oVLgORhgONWAh0d5XnF2DQsbLqY05+5FUT8=; b=ehL20QPq9koBbVdctTI8HxUSZQyUnzassqZeVFLytnMVXE4P7i8iu5E/9/m80xs7/M Vu8k+366BQNHGDCAZP+q5ZnKP9Tti8DCSBebUOVXUbQ8e7mTxpubTMh7lnXYR0hDp6GL ZN/9nVvZzBRK+2kY4lrgC5F5VB7IfZ/mXPVMBbJB3y9n4vxEonCzPDqNyKDPYYe+CHSc hTIbPy0hX/MDTEndzxc7SV/KA5VQqFsu5K8X8hmxcAWtgauyG/eibOaRBpviNdayMRz8 6WD3iwV2LtyuZXycmRqYRXUXHHnIwqW/zrkdxpYAbkHq638nXuQciLyEwjlNEPxHwKXA AzlQ==
X-Gm-Message-State: ALoCoQmb2d2Thp7dUlWrmVw7KuQSoxS8DDV8sXBUSdGfb/rjLCwlvffv0x3/fu7jVD/zXncDur1/
X-Received: by 10.112.173.202 with SMTP id bm10mr31172725lbc.74.1418672360668; Mon, 15 Dec 2014 11:39:20 -0800 (PST)
MIME-Version: 1.0
Received: by 10.152.7.132 with HTTP; Mon, 15 Dec 2014 11:39:00 -0800 (PST)
In-Reply-To: <24AB5B70-2641-40EE-988F-64F333C53A31@shiftleft.org>
References: <BF9DADF6-003F-454D-8E96-4A28A060CA72@isode.com> <A635D82B-B55C-4574-AB73-D0408853D642@gmail.com> <548ECB98.7060709@cs.tcd.ie> <24AB5B70-2641-40EE-988F-64F333C53A31@shiftleft.org>
From: Andy Lutomirski <luto@amacapital.net>
Date: Mon, 15 Dec 2014 11:39:00 -0800
Message-ID: <CALCETrV8uMkcEF6b-Df5fOos4mGb9OKMWU7TfRREcndS+uOA6A@mail.gmail.com>
To: Michael Hamburg <mike@shiftleft.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/2rz0_fBXQQykR70ZMKhuiyvuAJw
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG document
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Dec 2014 19:40:03 -0000
On Mon, Dec 15, 2014 at 9:34 AM, Michael Hamburg <mike@shiftleft.org> wrote: > >> On Dec 15, 2014, at 3:52 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: >> >> >> >> On 15/12/14 11:16, Yoav Nir wrote: >>> But I would really like to know who needs a PAKE right now. PAKEs >>> require the server to store the cleartext password or a password >>> equivalent, creating a security issue that is potentially worse than >>> sending cleartext passwords through authenticated channels (as in >>> form-based or basic authentication to a TLS-protected server) >> > > It is definitely a disadvantage of the SPAKE2 draft as currently written that it does not support augmentation, which would allow the server to store a non-password-equivalent token. Perhaps this part of the feedback would best be expressed as “there should be an augmented option in the draft, such as PAKE2+”? > >> +many - PAKEs are IMO cool but mostly-useless crypto for exactly >> this reason (and before others disagree, yes, I know some folks >> disagree:-) If however, CFRG folk want to work on 'em I've no >> objection but just so you all know, there is no horde of IETFers >> waiting with bated breath for more PAKE protocol options. > >> There are to be fair a quite small number of sensible people who >> do figure there's a niche there to fill though (Dan H. for example >> but not sure who else), so I could of course be wrong about that. >> As I understand it, the niche Dan has in mind is for signing up >> to get a certificate in a PKI, where the password is used to >> authenticate the certificate request. Even in that case, I'm >> not convinced that PAKEs add value - esp since a one (or limited) >> time use password could be better there and requires no new >> crypto. >> > > PAKEs are definitely a niche technology, but they are occasionally useful. For example, they would be handy to protect WiFi, and possibly to add a layer of protection to protocols like SSH and IMAP which are often accessed with a password. IMO essentially all password-protected crypto tokens (chip-and-PIN cards, etc) should be using PAKEs to protect the PIN. Otherwise if you sniff a valid transaction between the keypad and the token, you can very easily brute-force the PIN. Admittedly, the usual threat models probably don't distinguish such attacks from attacks that directly compromise the keypad, but I bet that it's easy to sniff enough of the transaction from RF leakage to do the same thing if you can put some malicious device near the keypad, even if you haven't compromised the keypad or token and both have perfect internal side-channel countermeasures. --Andy
- [Cfrg] Adoption of draft-ladd-spake2 as a RG docu… Alexey Melnikov
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Rene Struik
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Watson Ladd
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Watson Ladd
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … David Leon Gil
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Alexey Melnikov
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Yoav Nir
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Alexey Melnikov
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Stephen Farrell
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Michael Hamburg
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Dan Harkins
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Watson Ladd
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Dan Harkins
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Derek Atkins
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Dan Harkins
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Andy Lutomirski
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Paul Lambert
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Watson Ladd
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Alexey Melnikov
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Alexey Melnikov
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Dan Harkins
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Paul Lambert
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Tom Yu
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Andy Lutomirski
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Dearlove, Christopher (UK)
- Re: [Cfrg] Point format endian (was: Adoption of … Alyssa Rowan
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Alexey Melnikov
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Adam Langley
- Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG … Paul Lambert
- [Cfrg] On the topic of the SPAKE2 draft Paul Lambert
- Re: [Cfrg] Point format endian (was: Adoption of … Dan Harkins
- Re: [Cfrg] Point format endian (was: Adoption of … Watson Ladd
- Re: [Cfrg] Point format endian (was: Adoption of … Salz, Rich
- Re: [Cfrg] Point format endian (was: Adoption of … Dan Harkins
- Re: [Cfrg] Point format endian (was: Adoption of … Watson Ladd
- Re: [Cfrg] Point format endian (was: Adoption of … D. J. Bernstein
- Re: [Cfrg] Point format endian (was: Adoption of … Dan Harkins
- Re: [Cfrg] Point format endian (was: Adoption of … Mike Hamburg
- Re: [Cfrg] Point format endian (was: Adoption of … Salz, Rich
- Re: [Cfrg] Point format endian (was: Adoption of … Watson Ladd
- Re: [Cfrg] Point format endian (was: Adoption of … Andrey Jivsov
- Re: [Cfrg] Point format endian Alyssa Rowan
- Re: [Cfrg] Point format endian (was: Adoption of … Salz, Rich
- Re: [Cfrg] Point format endian (was: Adoption of … Damien Miller
- Re: [Cfrg] Point format endian (was: Adoption of … Dan Harkins
- Re: [Cfrg] Point format endian (was: Adoption of … Mike Hamburg
- Re: [Cfrg] Point format endian (was: Adoption of … Watson Ladd
- Re: [Cfrg] Point format endian (was: Adoption of … Yoav Nir
- Re: [Cfrg] Point format endian Michael Clark