[Cfrg] Fwd: New Version Notification for draft-krawczyk-cfrg-opaque-06.txt

Hugo Krawczyk <hugokraw@gmail.com> Sat, 20 June 2020 04:25 UTC

References: <159262685532.16711.9973805881349722696@ietfa.amsl.com>
In-Reply-To: <159262685532.16711.9973805881349722696@ietfa.amsl.com>
From: Hugo Krawczyk <hugokraw@gmail.com>
Date: Sat, 20 Jun 2020 00:25:05 -0400
Message-ID: <CADi0yUMB+gyzTuDFW_fVsB6wecWaR=tJrwsYUhGO5ehzafKRAQ@mail.gmail.com>
To: "<cfrg@ietf.org>" <cfrg@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/3DPxQTpT-yd-OOIgAslmM0h8KAI>
Subject: [Cfrg] Fwd: New Version Notification for draft-krawczyk-cfrg-opaque-06.txt
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>

A new version of draft-krawczyk-cfrg-opaque is available.
It has an important change in the way secret information under the
envelope EnvU is protected.

There is no form of optional encryption or use of counter mode anymore.
Instead it defines a very specific mechanism:
Secret information included in EnvU is XORed with a pseudorandom
pad derived from RwdU, and HMAC is computed on the concatenation of this
and any non-secret information included in EnvU. This simple mechanism
satisfies the encryption requirement of OPAQUE and obviates any need for
other RKR-secure schemes. In particular, it eliminates the "temptation" to
use non-RKR modes such as GCM. Performance considerations are insignificant
here as EnvU requires encryption of very short plaintexts. Applications that
require sending additional information (e.g., non-OPAQUE user secrets stored
at the server) will use ExportKey (previously called KdKey) with any
encryption scheme of their choice. No RKR requirement in this case.
See Section 4 for the details.

This version also corrects a typo in the specification of SIGMA (the
in messages K2 and K3 got mixed up in version 05 of the draft).

Very important: This draft is still intended as a high-level description of
the protocol and its components. A detailed specification is underway and will
be posted shortly as draft-irtf-cfrg-opaque. OPAQUE implementers should follow
the specifications in that document.


---------- Forwarded message ---------
From: <internet-drafts@ietf.org>
Date: Sat, Jun 20, 2020 at 12:20 AM
Subject: New Version Notification for draft-krawczyk-cfrg-opaque-06.txt
To: Hugo Krawczyk <hugokraw@gmail.com>

A new version of I-D, draft-krawczyk-cfrg-opaque-06.txt
has been successfully submitted by Hugo Krawczyk and posted to the
IETF repository.

Name:           draft-krawczyk-cfrg-opaque
Revision:       06
Title:          The OPAQUE Asymmetric PAKE Protocol
Document date:  2020-06-19
Group:          Individual Submission
Pages:          26
Status:         https://datatracker.ietf.org/doc/draft-krawczyk-cfrg-opaque/
Htmlized:       https://tools.ietf.org/html/draft-krawczyk-cfrg-opaque-06

   This draft describes the OPAQUE protocol, a secure asymmetric
   password authenticated key exchange (aPAKE) that supports mutual
   authentication in a client-server setting without reliance on PKI and
   with security against pre-computation attacks upon server compromise.
   Prior aPAKE protocols did not use salt and if they did, the salt was
   transmitted in the clear from server to user allowing for the
   building of targeted pre-computed dictionaries.  OPAQUE security has
   been proven by Jarecki et al.  (Eurocrypt 2018) in a strong and
   universally composable formal model of aPAKE security.  In addition,
   the protocol provides forward secrecy and the ability to hide the
   password from the server even during password registration.

   Strong security, versatility through modularity, good performance,
   and an array of additional features make OPAQUE a natural candidate
   for practical use and for adoption as a standard.  To this end, this
   draft presents several instantiations of OPAQUE and ways of
   integrating OPAQUE with TLS.

   This draft presents a high-level description of OPAQUE, highlighting
   its components and modular design.  It also provides the basis for a
   specification for standardization but a detailed specification ready
   for implementation is beyond the scope of this document.

   Implementers of OPAQUE should ONLY follow the precise specification
   in the upcoming draft-irtf-cfrg-opaque.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
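The envelope mechanism described in the message above (secret part XORed with a pad derived from RwdU, HMAC over the masked secret plus the cleartext part), as an added illustration that is not code from the draft, from the author, or from any OPAQUE implementation. Everything below the XOR-then-HMAC shape is my own assumption: RwdU is modelled as a 32-byte key, the pad, the HMAC key and the ExportKey are derived from it with an HKDF-Expand-style HMAC-SHA256 loop under the labels "Pad", "AuthKey" and "ExportKey", and the secret part is prefixed with a 2-byte length so the opener can split it from the cleartext part. The real draft fixes its own derivation and layout; implementers should follow draft-irtf-cfrg-opaque, as the message says.

```python
"""Toy model of the draft-06 EnvU construction: XOR with a RwdU-derived pad,
then HMAC over (masked secret || cleartext part).  Added example; labels,
layout and derivation are assumptions, not the draft's."""
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
NONCE_LEN = 32
TAG_LEN = HASH().digest_size


def _expand(rwd_u: bytes, label: bytes, length: int, nonce: bytes) -> bytes:
    """HKDF-Expand-style PRF output (RFC 5869 shape, assumed here).
    The counter byte indexes PRF output blocks; this is not CTR-mode
    encryption of the secret, which the message explicitly drops."""
    out, prev, counter = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(rwd_u, prev + nonce + label + bytes([counter]), HASH).digest()
        out += prev
        counter += 1
    return out[:length]


def seal_envelope(rwd_u: bytes, secret: bytes, cleartext: bytes,
                  nonce: bytes = None) -> bytes:
    """EnvU = nonce || len(secret) || (secret XOR pad) || cleartext || tag,
    where tag = HMAC(auth_key, everything before it)."""
    if len(secret) > 0xFFFF:
        raise ValueError("secret part too long for the 2-byte length field")
    nonce = secrets.token_bytes(NONCE_LEN) if nonce is None else nonce
    pad = _expand(rwd_u, b"Pad", len(secret), nonce)
    auth_key = _expand(rwd_u, b"AuthKey", TAG_LEN, nonce)
    masked = bytes(a ^ b for a, b in zip(secret, pad))
    body = nonce + len(secret).to_bytes(2, "big") + masked + cleartext
    tag = hmac.new(auth_key, body, HASH).digest()
    return body + tag


def open_envelope(rwd_u: bytes, envelope: bytes):
    """Verify the HMAC first, then unmask.  Returns (secret, cleartext) or
    None.  A wrong RwdU (wrong password) or any bit flip yields None, so a
    single envelope cannot be 'opened' under two different RwdU values,
    which is the RKR property the message relies on."""
    if len(envelope) < NONCE_LEN + 2 + TAG_LEN:
        return None
    body, tag = envelope[:-TAG_LEN], envelope[-TAG_LEN:]
    nonce = body[:NONCE_LEN]
    auth_key = _expand(rwd_u, b"AuthKey", TAG_LEN, nonce)
    expected = hmac.new(auth_key, body, HASH).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time compare
        return None
    n = int.from_bytes(body[NONCE_LEN:NONCE_LEN + 2], "big")
    if NONCE_LEN + 2 + n > len(body):
        return None
    masked = body[NONCE_LEN + 2:NONCE_LEN + 2 + n]
    cleartext = body[NONCE_LEN + 2 + n:]
    pad = _expand(rwd_u, b"Pad", n, nonce)
    secret = bytes(a ^ b for a, b in zip(masked, pad))
    return secret, cleartext


def derive_export_key(rwd_u: bytes, envelope: bytes) -> bytes:
    """ExportKey for application data outside EnvU (any AEAD may be used
    with it; no RKR requirement there).  Derivation label is assumed."""
    nonce = envelope[:NONCE_LEN]
    return _expand(rwd_u, b"ExportKey", 32, nonce)


if __name__ == "__main__":
    # Constructed sample values, not test vectors from any specification.
    rwd_u = hashlib.sha256(b"constructed RwdU for the demo").digest()
    client_priv = bytes(range(32))              # secret part of EnvU
    server_pub = b"\x04" + b"\xab" * 32         # non-secret part (opaque bytes here)
    env = seal_envelope(rwd_u, client_priv, server_pub)
    print("open with correct RwdU:", open_envelope(rwd_u, env) == (client_priv, server_pub))
    print("open with wrong RwdU:  ", open_envelope(bytes(32), env))
    print("export key:", derive_export_key(rwd_u, env).hex())
```

The order in `open_envelope` matters: the tag is checked over the whole body before anything is unmasked or parsed, so the length field and the masked bytes are never acted on unless they were produced under the same RwdU. Swapping that order (unmask first, authenticate later) would reintroduce the kind of malleability the message is trying to rule out.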