Re: [CFRG] Questions regarding draft-irtf-cfrg-spake2-15.txt
Watson Ladd <watsonbladd@gmail.com> Sun, 06 December 2020 20:08 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE7D03A0AD3 for <cfrg@ietfa.amsl.com>; Sun, 6 Dec 2020 12:08:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ka1la_PVf6sa for <cfrg@ietfa.amsl.com>; Sun, 6 Dec 2020 12:08:20 -0800 (PST)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04F1C3A0ABE for <cfrg@ietf.org>; Sun, 6 Dec 2020 12:08:20 -0800 (PST)
Received: by mail-lf1-x133.google.com with SMTP id r24so15014860lfm.8 for <cfrg@ietf.org>; Sun, 06 Dec 2020 12:08:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=4ImmdhhTtHznQKh5juPdp2qYZ7BAivX1i1TL7fhHgLo=; b=JVRNGkfqoPuhmbbd4BuNpDBaZEYgCvavf0CxuTCa+g4EINyVaStCn0tof0fpYVh5Gw s7ME5WK5SYs7MDd7VBk8ioKdokDkXX3wMYqRDpMHikpp28OiA+w4A63zo+kd1B7Bdfyr DLxqGrR25TPY4vt6cjMbUZqnxkJB0gY5q/VaoPbHnSl+q2u/RHH7/570glojM98WGBaw zrScIpjLd7Is1i1HFsO1Xg0B93iYRJew+iYut9XMUk9BHRcm1mdTb/k7FmU3z7g2lrIl qSkm4jU4tK6iIrPzcDrIaCZoUgfWPb+sRkYElwhtmXH5CgrK6i6cEqwW8JsQw3Gvwh6u Z6yQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=4ImmdhhTtHznQKh5juPdp2qYZ7BAivX1i1TL7fhHgLo=; b=N9mhbYl8wEjm0a0KrKbcJjAHN9EfuYoaYG9E6nWtYxyUE+r+Jk/3iV2qf48cPAOpVm hClxJoDmrOhPy6t563tujZXOf6jvtksfaqVpmAHIq9vjEOOD6wXflvWwU7N9IArZrfQ2 MMx5XuIppav/CfHYNcd2jlKVLbqJf3WERntcbRMaQGXL7Y9BV0qUQO3fQW+XbtW7Owb0 TPDOBkjmZAvzpuQw1G64+CGlAkZkjhMH4HbLRnUmIQ00QKr7jy0JllyykWV68+Bd5iTu eI1sQg5Z9Jf62RA8B2Zizbi6CAU4ODY9QadC/z/x3tb2Uu0I/mlvKK0VBIdF2DZEK8dz r61g==
X-Gm-Message-State: AOAM530eyvzKSj3SSSBHHKn8DDZN/aQoAbywvEysM0S9chZcU/HY5QWo EvMWNqt1lUFOyN4TKgeF+DlZ3A/OXnW0hLVJXCk=
X-Google-Smtp-Source: ABdhPJz0O7T4NFXsluyj2+LEgPPBha53nhE0tDo6SY2NcEiV4Dz1RoBOI6u+iqw9Rb/WOcowYQzpPJtMuhGUlBTrP7Y=
X-Received: by 2002:ac2:514e:: with SMTP id q14mr6591366lfd.130.1607285298054; Sun, 06 Dec 2020 12:08:18 -0800 (PST)
MIME-Version: 1.0
References: <CACi_p6ZMpo-LES9PGqoB33ydTBbCF_bKAc4hiCq6xDUpjEAvGg@mail.gmail.com>
In-Reply-To: <CACi_p6ZMpo-LES9PGqoB33ydTBbCF_bKAc4hiCq6xDUpjEAvGg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Sun, 06 Dec 2020 12:08:06 -0800
Message-ID: <CACsn0c=d+VyQqM0F0bEpYuS=TRMUKXZ5AU=HF69iKT8b6U3HTA@mail.gmail.com>
To: Лилия Ахметзянова <ahmzliliya@gmail.com>
Cc: "<cfrg@ietf.org>" <cfrg@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/53lFQr2l-Y3aqWe0Xc9D9fv61co>
Subject: Re: [CFRG] Questions regarding draft-irtf-cfrg-spake2-15.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Dec 2020 20:08:22 -0000
On Sun, Dec 6, 2020 at 11:44 AM Лилия Ахметзянова <ahmzliliya@gmail.com> wrote: > > Hello CRFG, Watson and Benjamin, > > Recently, I’ve interested in the draft https://tools.ietf.org/html/draft-irtf-cfrg-spake2-15. I have come up with several thoughts and comments (hope I'm not late). > > Considerations on key schedule: > In section 4 the following key schedule is defined: > > Both parties use TT to derive shared symmetric secrets Ke and Ka as Ke || Ka = Hash(TT), with |Ke| = |Ka|. > > A and B compute them as KcA || KcB = KDF(nil, Ka, "ConfirmationKeys" || AAD) > > > 1. If one chooses a ciphersuite, e.g., with P-256 and SHA-512 to produce keys Ke and Ka of length 256 bits, then the SHA-512 function seems to be used here as a PRG function. However, as far as I know, it is not the standard properties of the hash functions. It seems better to directly use the extract and expand concept to produce Ke, KcA, KcB. Could you explain, what caused the keys to be produced in such a way? In most applications where the scheme is used the higher level protocol will derive keys and hash the transcript itself. Hashing the transcript and key works fine and I don't think there were any questions about not using HMAC during RGLC or the reviews as part of the PAKE selection process. > > 2. The keys KcA, KcB can be used as a key input for HMAC(SHA-256). If HKDF(SHA-256) was used for producing these keys, then |KcA| = |KcB| = 128 bits. However, RFC 2104 points out the following recommendation: In any case the minimal recommended length for K is L bytes (as the hash output length). Does using these ciphersuites contradict the document RFC 2104? The text of RFC 2104: " The key for HMAC can be of any length (keys longer than B bytes are first hashed using H). However, less than L bytes is strongly discouraged as it would decrease the security strength of the function." But we don't need the mac to be 256 bits long. 128 would be fine in that case. > > Considerations on Key confirmation > For key confirmation the following procedure is used: F = MAC(KcA, TT). Here tag is computed for data TT that contains the D-H key K. This may complicate the implementation of the protocol since many secure API does not allow to use “naked” keys in such a way. Is adding the K value crucial for the security here? No, but it's easier to have one transcript versus 2. > > And a few editorial comments: > 1. The words that one needs to check points for belonging to a group are specified in Security Consideration. It seems important to indicate these checks directly when describing the protocol. > 2. Page 3, in the sentence "Common choices for H are SHA256 or SHA512 [RFC6234]", H should be replaced with Hash. > 3. During the document. the following KDF interface is used: > KDF (salt, IKM, info) > -- It seems better to swap salt and IKM, because now it looks a little unnatural. > -- It seems better to write the length L as the fourth parameter everywhere (since it was introduced in the introduction) Thanks for your comment. This seems like the sort of minor nonsubstantive fix I can apply easily, and is something I noticed when coding the test vector generation. > > > Best wishes, > Liliya Akhmetzyanova -- Astra mortemque praestare gradatim
- Re: [CFRG] Questions regarding draft-irtf-cfrg-sp… Watson Ladd
- Re: [CFRG] Questions regarding draft-irtf-cfrg-sp… Лилия Ахметзянова
- Re: [CFRG] Questions regarding draft-irtf-cfrg-sp… Watson Ladd