IETF Logo Mail Archive

Re: [CFRG] RGLC on draft-irtf-cfrg-opaque-13

"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Mon, 25 March 2024 11:55 UTC

Return-Path: <smyshsv@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22F66C14F6B6 for <cfrg@ietfa.amsl.com>; Mon, 25 Mar 2024 04:55:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2j6cfN58cekN for <cfrg@ietfa.amsl.com>; Mon, 25 Mar 2024 04:55:44 -0700 (PDT)
Received: from mail-yw1-x1134.google.com (mail-yw1-x1134.google.com [IPv6:2607:f8b0:4864:20::1134]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 398ABC14F6B3 for <cfrg@irtf.org>; Mon, 25 Mar 2024 04:55:44 -0700 (PDT)
Received: by mail-yw1-x1134.google.com with SMTP id 00721157ae682-6098a20ab22so38845897b3.2 for <cfrg@irtf.org>; Mon, 25 Mar 2024 04:55:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711367743; x=1711972543; darn=irtf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=qaqzQV36pUnx9PP1xsAs4vkqGqMqSTfWLLQHyH236XY=; b=GOFnz09BZ/TyGN/8BHAhP+4nV11SRgfRAh97UOdxIwLU7vNb3k3pJSPT3A8vqp4d0m pAYutF3qeYmDCW/m4mx2m6+B9Nu+3EQ6Ah/0ngiM7bE0KSyOQMzXqNBOH52LBuVefHVa 6RXe5mcyzQNR07KIV8GSQ9uFpSHEkCaXujOaLEZXLOx1vG2fLBpCsbaSpdWg413PAKFl rf+eNx0hpxOPZi2cnQmGwieMgrxcJD5T05mVSFlHhd+m/nH8svy1OvvBDM5sFxm+zL0o EF3/zsYm2fsU5SbSxMOIZWs8C9Xhh0d60KGLkT1B9XHg/Jc1Nfze/H7in68O0nnAEQZ8 ABGg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711367743; x=1711972543; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=qaqzQV36pUnx9PP1xsAs4vkqGqMqSTfWLLQHyH236XY=; b=RQdioxFcBpHmBnM3edULe3Oq3OIHgf5kxt7bhlRouWzZL2XZdPGPTsPAVtHvoYAwwx GppEKSvjpMt/WgIZHZYjeNZ+lsQmc8ZnXNOHEI4wr6ZP1+DspNy+NT9PhKXUvc8AW+sS Hve/rhfxKDYYsDmaTdWUHct8HsOIJuhlXE7Uu5KnuOWO0fMT6uwOEAeAM851FGusFn3F mBbRYzcKIy+v52771zxMYdzu2tEybMivupe8PTBDYCBmoi2paQHHSf/7K22GZw8Q2E8R 3wpiG4fnmM98yghyWPn4kXxxEXn0IN5qzWzxf1OZJa73CXCP5ZtLjR90cmHIVLrq2qzj uF/w==
X-Forwarded-Encrypted: i=1; AJvYcCXbKOHptq0OfZVXYWMIHlZZDwN/pC5ke3cQWAcwwIEAMREt9pbKB0pzI8/cAzQD0MVF6eatq3IWMwBQwjWd
X-Gm-Message-State: AOJu0YyYF6jnf1SfuRRA1QQo7j55ZqEvrtZtNfdAR9ZXHo7SM8hZuhpf gReFr3C7Q3qDIEDgD5SWBt+X0aqt10bFTEkXdlksOqTJwBl2lVY/tW9le9pxY3pmQ2Lf6lS4viI zX1LpnxcK2HlAWzydYIHVuiMv2XgMf186
X-Google-Smtp-Source: AGHT+IGoB5l/EhkE0UVwNTXQL5oq+ZNpznp7TBx7Kw4bWJwZdVnZ6aRH67ip4bVDOZN3i6vZ+PawJXp4MRP3b+F/m/s=
X-Received: by 2002:a81:6e89:0:b0:610:b43f:6263 with SMTP id j131-20020a816e89000000b00610b43f6263mr5915465ywc.14.1711367743233; Mon, 25 Mar 2024 04:55:43 -0700 (PDT)
MIME-Version: 1.0
References: <CAMr0u6kOrbwdHEDmmGsVYzqjsEbzBCCtGL39jckNbSWsEumOQg@mail.gmail.com> <994001115.165708.1706765982169@email.ionos.com> <CACitvs8zzoQVY4uo1zOtoBWrSVOLfzGFBCsMnevxnCMXg-CJGw@mail.gmail.com> <CACitvs_kEOgBC0eZNbHZ1EBy6v7kqL2-99-A1kRD_QqTaTuQKw@mail.gmail.com>
In-Reply-To: <CACitvs_kEOgBC0eZNbHZ1EBy6v7kqL2-99-A1kRD_QqTaTuQKw@mail.gmail.com>
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Date: Mon, 25 Mar 2024 14:55:31 +0300
Message-ID: <CAMr0u6khy2oo6GpxYYWq803NPYvKHLk4=9Lf7Z5ddNVu8KbiZw@mail.gmail.com>
To: Kevin Lewi <klewi@cs.stanford.edu>
Cc: steve@tobtu.com, CFRG <cfrg@irtf.org>, cfrg-chairs@ietf.org, draft-irtf-cfrg-opaque@ietf.org
Content-Type: multipart/alternative; boundary="0000000000006a66b306147ada0f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/4VSs1aPilpBJza_Fb7A_8Xh15WY>
Subject: Re: [CFRG] RGLC on draft-irtf-cfrg-opaque-13
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2024 11:55:48 -0000

Dear CFRG,

The authors have updated the draft.
Please feel free to express whether the changes address your concerns.

Regards,
Stanislav (for chairs)

On Tue, Mar 5, 2024 at 9:37 AM Kevin Lewi <klewi@cs.stanford.edu> wrote:

> Hi Steve!
>
> Just wanted to check in and see if you had a chance to review my response
> to your feedback above. Let me know if there is anything else that you
> would like to see addressed explicitly, or if we are good to go.
>
> Kevin
>
> On Sun, Feb 11, 2024 at 8:59 PM Kevin Lewi <klewi@cs.stanford.edu> wrote:
>
>> (Replying to:
>> https://mailarchive.ietf.org/arch/msg/cfrg/Fxxdbe6sBae9yqTtZfwrGvtAKRQ/)
>>
>> Hi Steve,
>>
>> Appreciate the review and the feedback! Here are my thoughts:
>>
>> 1) "There should be a section mentioning that OPAQUE is doubly augmented
>> and why that's better than augmented."
>>
>> I gave this some thought and I think I understand the distinction between
>> an sdPAKE vs. aPAKE. But I am not entirely sure if we should get into this
>> level of detail in the draft, mainly because I am struggling to figure out
>> how to phrase this in a way that is generally understandable to most
>> readers without causing confusion. However, if you do feel like this would
>> be necessary to include in the draft text, can you perhaps write up a
>> suggested paragraph under a new subsection of the "Security Considerations"
>> section which covers this detail? Then we can discuss and iterate on the
>> wording. You can also open a PR on
>> https://github.com/cfrg/draft-irtf-cfrg-opaque/pulls and we can continue
>> the discussion via comments over there.
>>
>> 2) Section 10.3. "Related Protocols" should probably be removed.
>>
>> I agree, good suggestion! I went ahead and put up a PR for this change.
>> https://github.com/cfrg/draft-irtf-cfrg-opaque/pull/443
>>
>> 3) The mentions of "offline registration" should be changed to "online
>> registration".
>>
>> Good point, this is confusing. Seems like we have a PR up (
>> https://github.com/cfrg/draft-irtf-cfrg-opaque/pull/439) to address
>> this, by changing "offline registration" to simply read as "registration"
>> (no "online"). Let me know if that also sounds acceptable.
>>
>> 4) Now the good parts of OPAQUE that weren't mentioned. Stateless HSM
>> implementation.
>>
>> I agree with this as well, but similar to point #1, do you think that
>> this is something that we actually need to include explicitly in the draft
>> text? And if so, do you have a suggested change or wording that would be
>> suitable for adding to one of the sections?
>>
>> Let me know if I missed anything.
>>
>> Thanks,
>> Kevin
>>
>>
>> On Thu, Feb 1, 2024 at 12:39 AM <steve@tobtu.com> wrote:
>>
>>> I've been meaning to do a full review and just checked the status. So
>>> this might be a little rushed. Anyway...
>>>
>>> ----
>>>
>>> "Asymmetric PAKE" is not a thing. aPAKE means "augmented PAKE" and some
>>> time ago people saw "aPAKE" and thought it meant asymmetric because of it's
>>> asymmetrical relation between the client and server. The first PAKE was a
>>> balanced PAKE and it was then augmented so that a server doesn't hold a
>>> password equivalent. There are currently four types of PAKEs: balanced,
>>> augmented, doubly augmented, and identity. Abbreviated bPAKE, aPAKE, dPAKE,
>>> iPAKE and if the non-balanced PAKE has an OPRF then it is "strong" and is
>>> prefixed with an "s". Note that bPAKE ⊂ aPAKE ⊂ dPAKE ⊂ iPAKE. For info on
>>> iPAKEs see https://eprint.iacr.org/2020/529.
>>>
>>> Doubly augmented PAKEs' best use case is WiFi: compromising a device
>>> doesn't lead to being able to act as an AP. The first description of a
>>> dPAKE: "SPAKE2 can even be doubly augmented, where Alice does the same
>>> thing, but I'm not sure if there's any application to that." -Mike Hamburg (
>>> https://moderncrypto.org/mail-archive/curves/2015/000424.html). I
>>> actually couldn't think of a reason either until around the time the WiFi
>>> Alliance picked a known to be broken bPAKE.
>>>
>>> Which brings us to OPAQUE is not an aPAKE, it's a sdPAKE. One way to
>>> think of OPAQUE, as a sdPAKE, is that it's a cert delivery protocol. Once
>>> the client has the cert they just store and use it. There should be a
>>> section mentioning that OPAQUE is doubly augmented and why that's better
>>> than augmented
>>
>>

v2.23.0 | Report a Bug | By Email