IETF Logo Mail Archive

Re: [CFRG] Questions regarding draft-irtf-cfrg-spake2-15.txt

Лилия Ахметзянова <ahmzliliya@gmail.com> Fri, 18 December 2020 11:42 UTC

Return-Path: <ahmzliliya@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0D6D3A12EA for <cfrg@ietfa.amsl.com>; Fri, 18 Dec 2020 03:42:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WdN6bwox-xT5 for <cfrg@ietfa.amsl.com>; Fri, 18 Dec 2020 03:42:18 -0800 (PST)
Received: from mail-ot1-x334.google.com (mail-ot1-x334.google.com [IPv6:2607:f8b0:4864:20::334]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FE3C3A12E9 for <cfrg@ietf.org>; Fri, 18 Dec 2020 03:42:17 -0800 (PST)
Received: by mail-ot1-x334.google.com with SMTP id j12so1621279ota.7 for <cfrg@ietf.org>; Fri, 18 Dec 2020 03:42:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4aFPziHmIfnuugtckkjRHv2WXjiISVGYuAvRq/F10Hg=; b=DbdT3AW5COKSaWsu+EJnVwREKvX8BAsBQG/KzsmSPbOa6V7jIGUAwuqPpZ9ZclNbvE rQDQSEyauGN6T6lHf2946/pCrZ+qBts5Vr0vxBGjzZfvvkCh+EOosJmxTB2xb1Y0lxJn gHZhircGQkMutEj0cgPZQ7oTeK9RW8+KlrxjE7Qf3tsFE2ihRp4L5zGMkTm0ggXficJS FViW6WCgk6UhsRXJ8SmvAJoketTNrMhCrMpt4q1QWU6Dgn1CkQRTiF8XEaG5QSiYs9kc vTKKKGW1qxXhbVLhJssJ+K24DSJKCJ4PdfAVoa8QSS4MQw3mvWX5sqoXDHut4qfWccLF Hb7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4aFPziHmIfnuugtckkjRHv2WXjiISVGYuAvRq/F10Hg=; b=LPFo9XHzmwiE02UqMgJX0ySyMN6DB752xwzESLVzqsDZJrXWP2kh/dzEMppPJDZlrU n6jIFj1h4lJHMpq2PpOxNnuHsjkhWKKg4A5dF10+cbEZezlTN376ueSUaL7rKNN2wT5H 7yuMOEpbaiqetjXD1B1noFiiunc8jRoKXLvES1dc0kMEbAY8xHJpWLC7eFqPacro06QS lhRunoyoIYevkywQitrwlMseNDYxt/p/ezu6kbZDBPkOiSPyJNWsLXIoO9JUDWCAotxt Dxt46XP7wHjTgmNpVqlYfM69CUsYCDaAd715a7S58gXRr/UYfvY0AilJcSEzjbulxSKz qoTw==
X-Gm-Message-State: AOAM532d7lrgMvoSMZ0kVJtdIluIBM8CwxuQI/SSQequMzQt8EMHrEI5 TU93HILDAqHzWEVMSVC1qHZfJ4xNUYrbmuDQ8uM=
X-Google-Smtp-Source: ABdhPJwZkockQqYnBIW8uBCurcc9IBZeZnEr97UMDPRWawIDcsgrFkR1dSWINLLaXrK1hl1Tw8jDfxXB8rZV6W5CBTc=
X-Received: by 2002:a9d:6c11:: with SMTP id f17mr2501537otq.83.1608291737228; Fri, 18 Dec 2020 03:42:17 -0800 (PST)
MIME-Version: 1.0
References: <CACi_p6ZMpo-LES9PGqoB33ydTBbCF_bKAc4hiCq6xDUpjEAvGg@mail.gmail.com> <CACsn0c=d+VyQqM0F0bEpYuS=TRMUKXZ5AU=HF69iKT8b6U3HTA@mail.gmail.com>
In-Reply-To: <CACsn0c=d+VyQqM0F0bEpYuS=TRMUKXZ5AU=HF69iKT8b6U3HTA@mail.gmail.com>
From: Лилия Ахметзянова <ahmzliliya@gmail.com>
Date: Fri, 18 Dec 2020 14:42:06 +0300
Message-ID: <CACi_p6Zr6Hc3Fm1Ua-=-qhU95u89MCjGAjcr8Qxxs_X-hBYRHw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: "<cfrg@ietf.org>" <cfrg@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>
Content-Type: multipart/alternative; boundary="000000000000b15cf305b6bb9908"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/6wfdSlVowq_8LV4fmuP0-AHjjIA>
Subject: Re: [CFRG] Questions regarding draft-irtf-cfrg-spake2-15.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2020 11:42:20 -0000

Hello Watson!

Thank you for your clarifications! I have no additional questions, just a
minor comment regarding key schedule and ciphersuites: it would be great if
the arguments you mentioned were added in Security Considerations.

Best wishes,
Liliya

вс, 6 дек. 2020 г. в 23:08, Watson Ladd <watsonbladd@gmail.com>:

> On Sun, Dec 6, 2020 at 11:44 AM Лилия Ахметзянова <ahmzliliya@gmail.com>
> wrote:
> >
> > Hello CRFG, Watson and Benjamin,
> >
> > Recently, I’ve interested in the draft
> https://tools.ietf.org/html/draft-irtf-cfrg-spake2-15.  I have come up
> with several thoughts and comments (hope I'm not late).
> >
> > Considerations on key schedule:
> > In section 4 the following key schedule is defined:
> >
> > Both parties use TT to derive shared symmetric secrets Ke and Ka as Ke
> || Ka = Hash(TT), with |Ke| = |Ka|.
> >
> > A and B compute them as KcA || KcB = KDF(nil, Ka, "ConfirmationKeys" ||
> AAD)
> >
> >
> > 1. If one chooses a ciphersuite, e.g., with P-256 and SHA-512 to produce
> keys Ke and Ka of length 256 bits, then the SHA-512 function seems to be
> used here as a PRG function. However, as far as I know, it is not the
> standard properties of the hash functions. It seems better to directly use
> the extract and expand concept to produce Ke, KcA, KcB. Could you explain,
> what caused the keys to be produced in such a way?
>
> In most applications where the scheme is used the higher level
> protocol will derive keys and hash the transcript itself. Hashing the
> transcript and key works fine and I don't think there were any
> questions about not using HMAC during RGLC or the reviews as part of
> the PAKE selection process.
>
> >
> > 2. The keys KcA, KcB can be used as a key input for HMAC(SHA-256). If
> HKDF(SHA-256) was used for producing these keys, then |KcA| = |KcB| = 128
> bits. However, RFC 2104 points out the following recommendation: In any
> case the minimal recommended length for K is L bytes (as the hash output
> length).  Does using these ciphersuites contradict the document RFC 2104?
>
> The text of RFC 2104: " The key for HMAC can be of any length (keys
> longer than B bytes are first hashed using H).  However, less than L
> bytes is strongly discouraged as it would decrease the security
> strength of the function." But we don't need the mac to be 256 bits
> long. 128 would be fine in that case.
>
> >
> > Considerations on Key confirmation
> > For key confirmation the following procedure is used:  F = MAC(KcA, TT).
> Here tag is computed for data TT that contains the D-H key K. This may
> complicate the implementation of the protocol since many secure API does
> not allow to use “naked” keys in such a way. Is adding the K value crucial
> for the security here?
>
> No, but it's easier to have one transcript versus 2.
>
> >
> > And a few editorial comments:
> > 1. The words that one needs to check points for belonging to a group are
> specified in Security Consideration. It seems important to indicate these
> checks directly when describing the protocol.
> > 2. Page 3, in the sentence "Common choices for H are SHA256 or SHA512
> [RFC6234]", H should be replaced with Hash.
> > 3. During the document. the following KDF interface is used:
> >             KDF (salt, IKM, info)
> > -- It seems better to swap salt and IKM, because now it looks a little
> unnatural.
> > -- It seems better to write the length L as the fourth parameter
> everywhere (since it was introduced in the introduction)
>
> Thanks for your comment. This seems like the sort of minor
> nonsubstantive fix I can apply easily, and is something I noticed when
> coding the test vector generation.
>
> >
> >
> > Best wishes,
> > Liliya Akhmetzyanova
>
>
>
>
> --
> Astra mortemque praestare gradatim
>

v2.23.0 | Report a Bug | By Email