IETF Logo Mail Archive

Re: [Cfrg] Adoption call for draft-harkins-pkex-05

Eric Rescorla <ekr@rtfm.com> Sun, 05 August 2018 13:47 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EB16130E5B for <cfrg@ietfa.amsl.com>; Sun, 5 Aug 2018 06:47:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1_TXMJhMOXsw for <cfrg@ietfa.amsl.com>; Sun, 5 Aug 2018 06:47:47 -0700 (PDT)
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E16AC130E4D for <cfrg@irtf.org>; Sun, 5 Aug 2018 06:47:46 -0700 (PDT)
Received: by mail-lj1-x236.google.com with SMTP id j19-v6so8469867ljc.7 for <cfrg@irtf.org>; Sun, 05 Aug 2018 06:47:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=aOf8aH3yA1x3fbXvqnTsTKckgCP0P+V89UJE55fwh3k=; b=LJZgfNVNCBXQ3yqRZsUkEPt7OiJo4z+6ZbxKGz/ektXSZlx666Vqwitw1LHUVrRbSv ZoIS3kPIH5XP/jmMOO1yywQ1lrd7KzlglTuBmMWcMidIGcf+w+zpQ0ybX4g4sgONXEdk ZXGzFs0xB63qlaepmM61LFj/PEBs45HNl84oxlQQOJFaOTjajbr45HPMsL59tpTTjD4D XBqimNzPyn+aE6w0cu6n7yOkOW2fvzl/sk+JAfCmJveSJ+7+wAGrZoQ4HoYi7GBBpdB7 9lQM2++nMH0nBR8pdzfq+9dBnWZiSHwAcr0MMiRI5KwbRjBqEEISNisaetJ/jCfWZ9zV 1LOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=aOf8aH3yA1x3fbXvqnTsTKckgCP0P+V89UJE55fwh3k=; b=rrPV/qv9L4rVLguHkithIQSjQsf8Gp4gW4HtLmvUpST1lKOslJcRxFFbZgYhE2VAUq 984hIqgsqgAcNSmjEy1KNFUR3YljRMJV4gdBd8G8Sedb1gT3CFBL73ISaToaPApEh5su 2NFh1NOv6mY7BognDaMqz/8eYFZsw1h5CAgtpnzV2UEbiFcZxngQ8C1bHVN8rEWygL1i 7+fF7AqtT0RKJkoyGx5fG155owyqu4/dEvebea9MTwsPEPPp5ETx7hQQLr4kd1zm88Fv aY70Nb40BjVO8DB/oNcVTGKvKYCad5YEPVLvGGu8bJ9ugQPp8+YZp/VDhZgi0OOUL6+H 05lA==
X-Gm-Message-State: AOUpUlHAQU3eEcW8pIymm6XyKJSFqFBr2zdHIiibH//J7pJi7coXKw4+ sQ7fGaGafUNm1y2C/neCsEMELQs+5N9ULE8C7LKILw==
X-Google-Smtp-Source: AAOMgpfOC2UwXX79v5CRW1CuqEaq+v9Sqd4VUpQPIXMVb2gTWmciSKeXqiruYoPTA2I7H59cKxthBAa/B2OovH1n6fQ=
X-Received: by 2002:a2e:458b:: with SMTP id s133-v6mr9857333lja.151.1533476865087; Sun, 05 Aug 2018 06:47:45 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ab3:4091:0:0:0:0:0 with HTTP; Sun, 5 Aug 2018 06:47:04 -0700 (PDT)
In-Reply-To: <CABkgnnWSNiM6SrbhFuAptRaRpNGAOtQEiG1RtDXXMUbcBV_tGQ@mail.gmail.com>
References: <5ACA0006.4020809@isode.com> <810C31990B57ED40B2062BA10D43FBF501C515B8@XMB116CNC.rim.net> <810C31990B57ED40B2062BA10D43FBF501C5168A@XMB116CNC.rim.net> <810C31990B57ED40B2062BA10D43FBF501C51B18@XMB116CNC.rim.net> <16affdfc-df9a-a883-e0d6-dd52efee15e4@lounge.org> <CAL02cgT72J=cboruKiHnF4BP7ffaDfae=JeoYDJJfjenF4wC8Q@mail.gmail.com> <fe239e8a-0a64-4b8b-7dba-f38fcfcdc4fd@lounge.org> <CAL02cgRy7M8AjQySy=1njavj+cyxPvQe-n1f+N4xVc_GZFwdNA@mail.gmail.com> <90c10953-6550-09d0-642e-e84710b706cf@lounge.org> <CAL02cgTF6E697t+twXwbkrzZ7OHsFPh--W_NaT5-f0VJ=Jo7Tg@mail.gmail.com> <e186b642-7282-3bfe-3da1-f68e4c3b687c@lounge.org> <CAL02cgQc2HJ0bOZzOc1Q9iqX0-E-PN5qYqW6=iWGE3iggdRQUA@mail.gmail.com> <CABkgnnWSNiM6SrbhFuAptRaRpNGAOtQEiG1RtDXXMUbcBV_tGQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 05 Aug 2018 06:47:04 -0700
Message-ID: <CABcZeBOyb9TOZiKSuh_yPHoucQ16gzkv+Kg4FqD1rsR4Tp74gQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Richard Barnes <rlb@ipv.sx>, CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000d0ab1a0572b067ad"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/6s7lbsP96WR1gPwnpWLcg1yNyLU>
Subject: Re: [Cfrg] Adoption call for draft-harkins-pkex-05
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Aug 2018 13:47:51 -0000

I concur with Richard and Martin. Given that this will happen only
infrequently, what's the advantage over plugging together commodity tools.

FWIW, while I recognize that the CFRG does not exist solely to support IETF
protocols, I'm not seeing a lot of demand for this in the IETF.

In addition to the above, I note that the final line of the security
considerations says "There is no proof of security of PKEX at this time."
That seems like a pretty big concern. We're moving towards wanting security
proofs for IETF protocols, and I'd generally expect that a lot of the value
of CFRG is that it would produce primitives with high levels of assurance.

For these reasons, I would not support adoption.

-Ekr


On Thu, Apr 12, 2018 at 7:15 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> Richard has summarized my own reservations with this and the
> composition of existing primitives makes a lot of sense.  We're seeing
> a relative explosion in the number of cryptographic tools available of
> late, and this is a clear example of where we can make an engineering
> decision to use existing tools rather than build new ones.  I
> recognize that this isn't the IETF, but that doesn't make that any
> less valid a choice.
>
> FWIW, the lack of support for anything other than DSA and ECDSA is
> also a major problem. DSA is basically non-existent in practice.  What
> about Ed25519/Ed448?
>
> On Fri, Apr 13, 2018 at 11:38 AM, Richard Barnes <rlb@ipv.sx> wrote:
> >
> >
> > On Thu, Apr 12, 2018 at 7:52 PM, Dan Harkins <dharkins@lounge.org>
> wrote:
> >>
> >>
> >>
> >> On 4/12/18 6:21 AM, Richard Barnes wrote:
> >> [snip]
> >>
> >>
> >> I guess what I don't understand here is the benefit of conjoining the
> >> primitives rather than composing them.  It seems like you would get the
> same
> >> effects here in the same number of RTTs with a straightforward
> combination
> >> of PAKE, sending identities, and a proof-of-possession protocol [1],
> all of
> >> which are already well-established.  Instead, you've mushed them all
> >> together.  That seems like it has some costs, e.g., the restriction to
> ECDSA
> >> when with a more composed design you could support arbitrary DH or
> signing
> >> keys.  What are the corresponding benefits?
> >>>
> >>>
> >>>   I'm not sure where the mashup is. You have basically described PKEX.
> It
> >>> does
> >>> SPAKE2 and then it sends identities and a proof of possession protected
> >>> by the
> >>> PAKE shared secret.
> >>
> >>
> >> What I mean is that in addition to just using the PAKE, you're also
> >> changing its internals:
> >>
> >> - Instead of using the password as input, PKEX hashes in the identities
> >>
> >>
> >>   So? The password is still used. Are you saying this is not SPAKE2
> >> anymore?
> >>
> >> - The key shares from SPAKE2 are re-used for the proof of possession
> >>
> >>
> >>   There needs to be some demonstration that the key is used "live" in
> the
> >> exchange
> >> otherwise you're not really proving possession. In your sketch below
> >> (which I
> >> admittedly don't understand 100%) you are introducing yet another
> >> Diffie-Hellman
> >> with Eph_A and Eph_B which I guess are used with the private analogs of
> >> Pub_B
> >> and Pub_A, respectively, to produce K_DH_B and K_DH_A, respectively.
> >>
> >>   I don't see the value of treating the PAKE a closed some black box.
> >
> >
> > The benefits are the typical "don't roll your own crypto" benefits --
> > generality, code re-use, and analysis re-use.  If you have a general
> "insert
> > proof of possession here" slot, you can address keys from any DH group
> (even
> > if it can't do SPAKE) or even signing keys.   You can take an SPAKE
> > implementation that has a "password in, key out" interface and re-use it.
> > And when you're trying to prove the properties of the system, you can
> treat
> > the "black box" sub-units as things with known properties; you don't
> have to
> > worry about whether re-using a key share will undermine some property.
> >
> > It seems like you're trading off 1 DH key generation per side (the
> > incremental cost of the sketch below over PKEX) against a lot of work to
> > analyze this thing and more difficulty implementing.  I'm just saying
> that
> > trade-off doesn't seem like a good deal to me.  (If I were the chairs, I
> > might consider whether this merits the group's time, given that the can
> be
> > solved with existing primitives at not much cost.)  If others feel it is
> > worthwhile, though, I'm not going to stand in the way.
> >
> > --Richard
> >
> >
> >>
> >> It already
> >> has a perfectly good ephemeral Diffie-Hellman share which I am putting
> to
> >> good use
> >> instead of ignoring which necessitates generation of yet another
> ephemeral
> >> Diffie-Hellman share.
> >>
> >> You're not treating the PAKE as a box that takes a password on one side
> >> and emits a key on the other side.
> >>
> >>
> >>>
> >>> The limitations are that the two sides have to be exchanging
> >>> keys from the same group and since they've already agreed on a group
> for
> >>> their
> >>> identity keys then they have to use the same one for the PAKE. Those
> were
> >>> not
> >>> seen as serious issues because such a restriction may already be
> imposed
> >>> on the
> >>> subsequent key exchange protocol (e.g. MQV), and it obviates the need
> to
> >>> discuss
> >>> what it means to exchange, for instance, a p521 public key over a PAKE
> >>> that uses
> >>> brainpool256. It cuts down on problematic options. That's the same
> reason
> >>> that
> >>> the hash algorithm and SIV key length are determined by the prime
> >>> defining the
> >>> group, less options that might be used poorly means a more robust and
> >>> idiot-proof
> >>> protocol.
> >>
> >>
> >> I'll grant that you do get more rigidity from the conjunction.  But I'm
> >> not sure that this is more effective than simply expressing the
> requirement
> >> in prose.
> >>
> >>
> >>>
> >>>
> >>>   Also, there is no restriction on ECDSA.
> >>
> >>
> >> Maybe you should revise this text then :)
> >>
> >> """
> >> Due to the nature of the exchange, only DSA ([DSS]) and ECDSA
> >>    ([X9.62]) keys can be exchanged with PKEX.
> >> """
> >>
> >>
> >>   Right, it expressly includes DSA keys.
> >>
> >> And maybe add a clearer explanation than "due to the nature of the
> >> exchange".
> >>
> >>
> >>   OK, good comment. That is overly vague.
> >>
> >>   Dan.
> >>
> >> --Richard
> >>
> >>
> >>>
> >>> In fact, Appendix A.2 has the SPAKE2
> >>> role-specific elements for four standard DH groups and the Appendix
> talks
> >>> about
> >>> how to generate role-specific elements for other groups not enumerated.
> >>>
> >>> --Richard
> >>>
> >>> [1] Sketch:
> >>>
> >>> A->B: SPAKE-Kex
> >>> B->A: SPAKE-Kex, SPAKE-Confirm, {ID_B, Pub_B, Eph_B}K_spake_B
> >>> A->B: SPAKE-Confirm, {ID_A, Pub_A, Eph_A}K_spake_A, MAC(K_DH_A,
> >>> transcript}
> >>> B->A: MAC(K_DH_B, transcript)
> >>>
> >>> Note that at this point, it's starting to look simpler just to do TLS!
> >>>
> >>>
> >>>   It's not really. There is running code for this protocol (and not
> just
> >>> by
> >>> me) and it's much simpler than TLS.
> >>>
> >>>   regards,
> >>>
> >>>   Dan.
> >>>
> >>>
> >>
> >>
> >
> >
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
> >
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email