Re: [Cfrg] Adoption call for draft-harkins-pkex-05
Eric Rescorla <ekr@rtfm.com> Sun, 05 August 2018 13:47 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EB16130E5B for <cfrg@ietfa.amsl.com>; Sun, 5 Aug 2018 06:47:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1_TXMJhMOXsw for <cfrg@ietfa.amsl.com>; Sun, 5 Aug 2018 06:47:47 -0700 (PDT)
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E16AC130E4D for <cfrg@irtf.org>; Sun, 5 Aug 2018 06:47:46 -0700 (PDT)
Received: by mail-lj1-x236.google.com with SMTP id j19-v6so8469867ljc.7 for <cfrg@irtf.org>; Sun, 05 Aug 2018 06:47:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=aOf8aH3yA1x3fbXvqnTsTKckgCP0P+V89UJE55fwh3k=; b=LJZgfNVNCBXQ3yqRZsUkEPt7OiJo4z+6ZbxKGz/ektXSZlx666Vqwitw1LHUVrRbSv ZoIS3kPIH5XP/jmMOO1yywQ1lrd7KzlglTuBmMWcMidIGcf+w+zpQ0ybX4g4sgONXEdk ZXGzFs0xB63qlaepmM61LFj/PEBs45HNl84oxlQQOJFaOTjajbr45HPMsL59tpTTjD4D XBqimNzPyn+aE6w0cu6n7yOkOW2fvzl/sk+JAfCmJveSJ+7+wAGrZoQ4HoYi7GBBpdB7 9lQM2++nMH0nBR8pdzfq+9dBnWZiSHwAcr0MMiRI5KwbRjBqEEISNisaetJ/jCfWZ9zV 1LOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=aOf8aH3yA1x3fbXvqnTsTKckgCP0P+V89UJE55fwh3k=; b=rrPV/qv9L4rVLguHkithIQSjQsf8Gp4gW4HtLmvUpST1lKOslJcRxFFbZgYhE2VAUq 984hIqgsqgAcNSmjEy1KNFUR3YljRMJV4gdBd8G8Sedb1gT3CFBL73ISaToaPApEh5su 2NFh1NOv6mY7BognDaMqz/8eYFZsw1h5CAgtpnzV2UEbiFcZxngQ8C1bHVN8rEWygL1i 7+fF7AqtT0RKJkoyGx5fG155owyqu4/dEvebea9MTwsPEPPp5ETx7hQQLr4kd1zm88Fv aY70Nb40BjVO8DB/oNcVTGKvKYCad5YEPVLvGGu8bJ9ugQPp8+YZp/VDhZgi0OOUL6+H 05lA==
X-Gm-Message-State: AOUpUlHAQU3eEcW8pIymm6XyKJSFqFBr2zdHIiibH//J7pJi7coXKw4+ sQ7fGaGafUNm1y2C/neCsEMELQs+5N9ULE8C7LKILw==
X-Google-Smtp-Source: AAOMgpfOC2UwXX79v5CRW1CuqEaq+v9Sqd4VUpQPIXMVb2gTWmciSKeXqiruYoPTA2I7H59cKxthBAa/B2OovH1n6fQ=
X-Received: by 2002:a2e:458b:: with SMTP id s133-v6mr9857333lja.151.1533476865087; Sun, 05 Aug 2018 06:47:45 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ab3:4091:0:0:0:0:0 with HTTP; Sun, 5 Aug 2018 06:47:04 -0700 (PDT)
In-Reply-To: <CABkgnnWSNiM6SrbhFuAptRaRpNGAOtQEiG1RtDXXMUbcBV_tGQ@mail.gmail.com>
References: <5ACA0006.4020809@isode.com> <810C31990B57ED40B2062BA10D43FBF501C515B8@XMB116CNC.rim.net> <810C31990B57ED40B2062BA10D43FBF501C5168A@XMB116CNC.rim.net> <810C31990B57ED40B2062BA10D43FBF501C51B18@XMB116CNC.rim.net> <16affdfc-df9a-a883-e0d6-dd52efee15e4@lounge.org> <CAL02cgT72J=cboruKiHnF4BP7ffaDfae=JeoYDJJfjenF4wC8Q@mail.gmail.com> <fe239e8a-0a64-4b8b-7dba-f38fcfcdc4fd@lounge.org> <CAL02cgRy7M8AjQySy=1njavj+cyxPvQe-n1f+N4xVc_GZFwdNA@mail.gmail.com> <90c10953-6550-09d0-642e-e84710b706cf@lounge.org> <CAL02cgTF6E697t+twXwbkrzZ7OHsFPh--W_NaT5-f0VJ=Jo7Tg@mail.gmail.com> <e186b642-7282-3bfe-3da1-f68e4c3b687c@lounge.org> <CAL02cgQc2HJ0bOZzOc1Q9iqX0-E-PN5qYqW6=iWGE3iggdRQUA@mail.gmail.com> <CABkgnnWSNiM6SrbhFuAptRaRpNGAOtQEiG1RtDXXMUbcBV_tGQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 05 Aug 2018 06:47:04 -0700
Message-ID: <CABcZeBOyb9TOZiKSuh_yPHoucQ16gzkv+Kg4FqD1rsR4Tp74gQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Richard Barnes <rlb@ipv.sx>, CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000d0ab1a0572b067ad"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/6s7lbsP96WR1gPwnpWLcg1yNyLU>
Subject: Re: [Cfrg] Adoption call for draft-harkins-pkex-05
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Aug 2018 13:47:51 -0000
I concur with Richard and Martin. Given that this will happen only infrequently, what's the advantage over plugging together commodity tools. FWIW, while I recognize that the CFRG does not exist solely to support IETF protocols, I'm not seeing a lot of demand for this in the IETF. In addition to the above, I note that the final line of the security considerations says "There is no proof of security of PKEX at this time." That seems like a pretty big concern. We're moving towards wanting security proofs for IETF protocols, and I'd generally expect that a lot of the value of CFRG is that it would produce primitives with high levels of assurance. For these reasons, I would not support adoption. -Ekr On Thu, Apr 12, 2018 at 7:15 PM, Martin Thomson <martin.thomson@gmail.com> wrote: > Richard has summarized my own reservations with this and the > composition of existing primitives makes a lot of sense. We're seeing > a relative explosion in the number of cryptographic tools available of > late, and this is a clear example of where we can make an engineering > decision to use existing tools rather than build new ones. I > recognize that this isn't the IETF, but that doesn't make that any > less valid a choice. > > FWIW, the lack of support for anything other than DSA and ECDSA is > also a major problem. DSA is basically non-existent in practice. What > about Ed25519/Ed448? > > On Fri, Apr 13, 2018 at 11:38 AM, Richard Barnes <rlb@ipv.sx> wrote: > > > > > > On Thu, Apr 12, 2018 at 7:52 PM, Dan Harkins <dharkins@lounge.org> > wrote: > >> > >> > >> > >> On 4/12/18 6:21 AM, Richard Barnes wrote: > >> [snip] > >> > >> > >> I guess what I don't understand here is the benefit of conjoining the > >> primitives rather than composing them. It seems like you would get the > same > >> effects here in the same number of RTTs with a straightforward > combination > >> of PAKE, sending identities, and a proof-of-possession protocol [1], > all of > >> which are already well-established. Instead, you've mushed them all > >> together. That seems like it has some costs, e.g., the restriction to > ECDSA > >> when with a more composed design you could support arbitrary DH or > signing > >> keys. What are the corresponding benefits? > >>> > >>> > >>> I'm not sure where the mashup is. You have basically described PKEX. > It > >>> does > >>> SPAKE2 and then it sends identities and a proof of possession protected > >>> by the > >>> PAKE shared secret. > >> > >> > >> What I mean is that in addition to just using the PAKE, you're also > >> changing its internals: > >> > >> - Instead of using the password as input, PKEX hashes in the identities > >> > >> > >> So? The password is still used. Are you saying this is not SPAKE2 > >> anymore? > >> > >> - The key shares from SPAKE2 are re-used for the proof of possession > >> > >> > >> There needs to be some demonstration that the key is used "live" in > the > >> exchange > >> otherwise you're not really proving possession. In your sketch below > >> (which I > >> admittedly don't understand 100%) you are introducing yet another > >> Diffie-Hellman > >> with Eph_A and Eph_B which I guess are used with the private analogs of > >> Pub_B > >> and Pub_A, respectively, to produce K_DH_B and K_DH_A, respectively. > >> > >> I don't see the value of treating the PAKE a closed some black box. > > > > > > The benefits are the typical "don't roll your own crypto" benefits -- > > generality, code re-use, and analysis re-use. If you have a general > "insert > > proof of possession here" slot, you can address keys from any DH group > (even > > if it can't do SPAKE) or even signing keys. You can take an SPAKE > > implementation that has a "password in, key out" interface and re-use it. > > And when you're trying to prove the properties of the system, you can > treat > > the "black box" sub-units as things with known properties; you don't > have to > > worry about whether re-using a key share will undermine some property. > > > > It seems like you're trading off 1 DH key generation per side (the > > incremental cost of the sketch below over PKEX) against a lot of work to > > analyze this thing and more difficulty implementing. I'm just saying > that > > trade-off doesn't seem like a good deal to me. (If I were the chairs, I > > might consider whether this merits the group's time, given that the can > be > > solved with existing primitives at not much cost.) If others feel it is > > worthwhile, though, I'm not going to stand in the way. > > > > --Richard > > > > > >> > >> It already > >> has a perfectly good ephemeral Diffie-Hellman share which I am putting > to > >> good use > >> instead of ignoring which necessitates generation of yet another > ephemeral > >> Diffie-Hellman share. > >> > >> You're not treating the PAKE as a box that takes a password on one side > >> and emits a key on the other side. > >> > >> > >>> > >>> The limitations are that the two sides have to be exchanging > >>> keys from the same group and since they've already agreed on a group > for > >>> their > >>> identity keys then they have to use the same one for the PAKE. Those > were > >>> not > >>> seen as serious issues because such a restriction may already be > imposed > >>> on the > >>> subsequent key exchange protocol (e.g. MQV), and it obviates the need > to > >>> discuss > >>> what it means to exchange, for instance, a p521 public key over a PAKE > >>> that uses > >>> brainpool256. It cuts down on problematic options. That's the same > reason > >>> that > >>> the hash algorithm and SIV key length are determined by the prime > >>> defining the > >>> group, less options that might be used poorly means a more robust and > >>> idiot-proof > >>> protocol. > >> > >> > >> I'll grant that you do get more rigidity from the conjunction. But I'm > >> not sure that this is more effective than simply expressing the > requirement > >> in prose. > >> > >> > >>> > >>> > >>> Also, there is no restriction on ECDSA. > >> > >> > >> Maybe you should revise this text then :) > >> > >> """ > >> Due to the nature of the exchange, only DSA ([DSS]) and ECDSA > >> ([X9.62]) keys can be exchanged with PKEX. > >> """ > >> > >> > >> Right, it expressly includes DSA keys. > >> > >> And maybe add a clearer explanation than "due to the nature of the > >> exchange". > >> > >> > >> OK, good comment. That is overly vague. > >> > >> Dan. > >> > >> --Richard > >> > >> > >>> > >>> In fact, Appendix A.2 has the SPAKE2 > >>> role-specific elements for four standard DH groups and the Appendix > talks > >>> about > >>> how to generate role-specific elements for other groups not enumerated. > >>> > >>> --Richard > >>> > >>> [1] Sketch: > >>> > >>> A->B: SPAKE-Kex > >>> B->A: SPAKE-Kex, SPAKE-Confirm, {ID_B, Pub_B, Eph_B}K_spake_B > >>> A->B: SPAKE-Confirm, {ID_A, Pub_A, Eph_A}K_spake_A, MAC(K_DH_A, > >>> transcript} > >>> B->A: MAC(K_DH_B, transcript) > >>> > >>> Note that at this point, it's starting to look simpler just to do TLS! > >>> > >>> > >>> It's not really. There is running code for this protocol (and not > just > >>> by > >>> me) and it's much simpler than TLS. > >>> > >>> regards, > >>> > >>> Dan. > >>> > >>> > >> > >> > > > > > > _______________________________________________ > > Cfrg mailing list > > Cfrg@irtf.org > > https://www.irtf.org/mailman/listinfo/cfrg > > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [Cfrg] Adoption call for draft-harkins-pkex-05 Alexey Melnikov
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Greg Rose
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Stanislav V. Smyshlyaev
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Dan Brown
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Greg Rose
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Dan Brown
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Benjamin Kaduk
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Dan Brown
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Dan Harkins
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Dan Harkins
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Richard Barnes
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Dan Harkins
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Richard Barnes
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Dan Harkins
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Richard Barnes
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Richard Barnes
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Dan Harkins
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Richard Barnes
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Martin Thomson
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Eric Rescorla
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Daniel Harkins
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Christopher Wood
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Eric Rescorla
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Salz, Rich
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Greg Rose