IETF Logo Mail Archive

Re: [Cfrg] Adoption call for draft-harkins-pkex-05

Daniel Harkins <dharkins@lounge.org> Mon, 06 August 2018 17:58 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77B0D130E7D for <cfrg@ietfa.amsl.com>; Mon, 6 Aug 2018 10:58:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pKTa8AgU_WZc for <cfrg@ietfa.amsl.com>; Mon, 6 Aug 2018 10:58:31 -0700 (PDT)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3A29130E44 for <cfrg@irtf.org>; Mon, 6 Aug 2018 10:58:31 -0700 (PDT)
Received: from trixy.bergandi.net ([76.93.146.89]) by wwwlocal.goatley.com (PMDF V6.7-x02 #1001) with ESMTP id <0PD100D1WWLJXW@wwwlocal.goatley.com> for cfrg@irtf.org; Mon, 06 Aug 2018 12:58:31 -0500 (CDT)
Received: from thinny.local ([69.12.173.8]) by trixy.bergandi.net (PMDF V6.7-x01 #1001) with ESMTPSA id <0PD10096ZWL46G@trixy.bergandi.net> for cfrg@irtf.org; Mon, 06 Aug 2018 10:58:17 -0700 (PDT)
Received: from 69-12-173-8.static.dsltransport.net ([69.12.173.8] EXTERNAL) (EHLO thinny.local) with TLS/SSL by trixy.bergandi.net ([10.0.42.18]) (PreciseMail V3.3); Mon, 06 Aug 2018 10:58:17 -0700
Date: Mon, 06 Aug 2018 10:58:29 -0700
From: Daniel Harkins <dharkins@lounge.org>
In-reply-to: <CABcZeBOyb9TOZiKSuh_yPHoucQ16gzkv+Kg4FqD1rsR4Tp74gQ@mail.gmail.com>
To: cfrg@irtf.org
Message-id: <493c5403-19e6-d620-5bb8-22ab2b9fbfb0@lounge.org>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_FG8a12Eyf9advVgg9kwLJg)"
Content-language: en-US
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
X-PMAS-SPF: SPF check skipped for authenticated session (recv=trixy.bergandi.net, send-ip=69.12.173.8)
X-PMAS-External-Auth: 69-12-173-8.static.dsltransport.net [69.12.173.8] (EHLO thinny.local)
References: <5ACA0006.4020809@isode.com> <810C31990B57ED40B2062BA10D43FBF501C515B8@XMB116CNC.rim.net> <810C31990B57ED40B2062BA10D43FBF501C5168A@XMB116CNC.rim.net> <810C31990B57ED40B2062BA10D43FBF501C51B18@XMB116CNC.rim.net> <16affdfc-df9a-a883-e0d6-dd52efee15e4@lounge.org> <CAL02cgT72J=cboruKiHnF4BP7ffaDfae=JeoYDJJfjenF4wC8Q@mail.gmail.com> <fe239e8a-0a64-4b8b-7dba-f38fcfcdc4fd@lounge.org> <CAL02cgRy7M8AjQySy=1njavj+cyxPvQe-n1f+N4xVc_GZFwdNA@mail.gmail.com> <90c10953-6550-09d0-642e-e84710b706cf@lounge.org> <CAL02cgTF6E697t+twXwbkrzZ7OHsFPh--W_NaT5-f0VJ=Jo7Tg@mail.gmail.com> <e186b642-7282-3bfe-3da1-f68e4c3b687c@lounge.org> <CAL02cgQc2HJ0bOZzOc1Q9iqX0-E-PN5qYqW6=iWGE3iggdRQUA@mail.gmail.com> <CABkgnnWSNiM6SrbhFuAptRaRpNGAOtQEiG1RtDXXMUbcBV_tGQ@mail.gmail.com> <CABcZeBOyb9TOZiKSuh_yPHoucQ16gzkv+Kg4FqD1rsR4Tp74gQ@mail.gmail.com>
X-PMAS-Software: PreciseMail V3.3 [180806] (trixy.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/8FHXy0JcGP9Tm7ANdwnnsR-pNb4>
Subject: Re: [Cfrg] Adoption call for draft-harkins-pkex-05
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Aug 2018 17:58:34 -0000

  About "commodity tools", there were two complaints raised:

   1. PKEX hashes the user identity with the password and uses the result
      with the role-specific constant while SPAKE2 does not;
   2. PKEX should just have a generic proof-of-possession protocol after 
the PAKE.

The implication being you combine these two and voila, something better 
than PKEX
because it's just using known tools to do this and is not rolling new 
crypto.

   Regarding the first, it's a draft that will be a work item of the 
research
group. If the consensus of the group is to edit the draft then the draft 
gets
edited to reflect the consensus of the group.

   Regarding the second, the suggestion was to do this:

     A->B: SPAKE-Kex
     B->A: SPAKE-Kex, SPAKE-Confirm, {ID_B, Pub_B, Eph_B}K_spake_B
     A->B: SPAKE-Confirm, {ID_A, Pub_A, Eph_A}K_spake_A, 
MAC(K_DH_A,transcript}
     B->A: MAC(K_DH_B, transcript)

Now I'm pretty sure that is not a generic commodity tool for doing 
proof-of-possession
so I'm not sure what complaint is. That proof-of-possession is more 
complicated than
what PKEX does, has more moving parts in the form of new ephemeral keys, 
does not
actually seem to prove possession of the private key, and I'd wager does 
not have a
security proof (Eric's final complaint about PKEX).

   The request is not to rubber stamp the imprimatur of the CFRG on a 
document,
it is to adopt a document as a work item of the research group. With 
that in mind,
I have updated PKEX to incorporate the first suggestion (don't hash the 
ID with the
password). The current version is -06, it's in the repository. Please 
take a look and
consider its adoption.

   thanks,

   Dan.

On 8/5/18 6:47 AM, Eric Rescorla wrote:
> I concur with Richard and Martin. Given that this will happen only 
> infrequently, what's the advantage over plugging together commodity tools.
>
> FWIW, while I recognize that the CFRG does not exist solely to support 
> IETF protocols, I'm not seeing a lot of demand for this in the IETF.
>
> In addition to the above, I note that the final line of the security 
> considerations says "There is no proof of security of PKEX at this 
> time." That seems like a pretty big concern. We're moving towards 
> wanting security proofs for IETF protocols, and I'd generally expect 
> that a lot of the value of CFRG is that it would produce primitives 
> with high levels of assurance.
>
> For these reasons, I would not support adoption.
>
> -Ekr
>
>
> On Thu, Apr 12, 2018 at 7:15 PM, Martin Thomson 
> <martin.thomson@gmail.com <mailto:martin.thomson@gmail.com>> wrote:
>
>     Richard has summarized my own reservations with this and the
>     composition of existing primitives makes a lot of sense. We're seeing
>     a relative explosion in the number of cryptographic tools available of
>     late, and this is a clear example of where we can make an engineering
>     decision to use existing tools rather than build new ones.  I
>     recognize that this isn't the IETF, but that doesn't make that any
>     less valid a choice.
>
>     FWIW, the lack of support for anything other than DSA and ECDSA is
>     also a major problem. DSA is basically non-existent in practice.  What
>     about Ed25519/Ed448?
>
>     On Fri, Apr 13, 2018 at 11:38 AM, Richard Barnes <rlb@ipv.sx> wrote:
>     >
>     >
>     > On Thu, Apr 12, 2018 at 7:52 PM, Dan Harkins
>     <dharkins@lounge.org <mailto:dharkins@lounge.org>> wrote:
>     >>
>     >>
>     >>
>     >> On 4/12/18 6:21 AM, Richard Barnes wrote:
>     >> [snip]
>     >>
>     >>
>     >> I guess what I don't understand here is the benefit of
>     conjoining the
>     >> primitives rather than composing them.  It seems like you would
>     get the same
>     >> effects here in the same number of RTTs with a straightforward
>     combination
>     >> of PAKE, sending identities, and a proof-of-possession protocol
>     [1], all of
>     >> which are already well-established.  Instead, you've mushed
>     them all
>     >> together.  That seems like it has some costs, e.g., the
>     restriction to ECDSA
>     >> when with a more composed design you could support arbitrary DH
>     or signing
>     >> keys.  What are the corresponding benefits?
>     >>>
>     >>>
>     >>>   I'm not sure where the mashup is. You have basically
>     described PKEX. It
>     >>> does
>     >>> SPAKE2 and then it sends identities and a proof of possession
>     protected
>     >>> by the
>     >>> PAKE shared secret.
>     >>
>     >>
>     >> What I mean is that in addition to just using the PAKE, you're also
>     >> changing its internals:
>     >>
>     >> - Instead of using the password as input, PKEX hashes in the
>     identities
>     >>
>     >>
>     >>   So? The password is still used. Are you saying this is not SPAKE2
>     >> anymore?
>     >>
>     >> - The key shares from SPAKE2 are re-used for the proof of
>     possession
>     >>
>     >>
>     >>   There needs to be some demonstration that the key is used
>     "live" in the
>     >> exchange
>     >> otherwise you're not really proving possession. In your sketch
>     below
>     >> (which I
>     >> admittedly don't understand 100%) you are introducing yet another
>     >> Diffie-Hellman
>     >> with Eph_A and Eph_B which I guess are used with the private
>     analogs of
>     >> Pub_B
>     >> and Pub_A, respectively, to produce K_DH_B and K_DH_A,
>     respectively.
>     >>
>     >>   I don't see the value of treating the PAKE a closed some
>     black box.
>     >
>     >
>     > The benefits are the typical "don't roll your own crypto"
>     benefits --
>     > generality, code re-use, and analysis re-use.  If you have a
>     general "insert
>     > proof of possession here" slot, you can address keys from any DH
>     group (even
>     > if it can't do SPAKE) or even signing keys.   You can take an SPAKE
>     > implementation that has a "password in, key out" interface and
>     re-use it.
>     > And when you're trying to prove the properties of the system,
>     you can treat
>     > the "black box" sub-units as things with known properties; you
>     don't have to
>     > worry about whether re-using a key share will undermine some
>     property.
>     >
>     > It seems like you're trading off 1 DH key generation per side (the
>     > incremental cost of the sketch below over PKEX) against a lot of
>     work to
>     > analyze this thing and more difficulty implementing.  I'm just
>     saying that
>     > trade-off doesn't seem like a good deal to me. (If I were the
>     chairs, I
>     > might consider whether this merits the group's time, given that
>     the can be
>     > solved with existing primitives at not much cost.)  If others
>     feel it is
>     > worthwhile, though, I'm not going to stand in the way.
>     >
>     > --Richard
>     >
>     >
>     >>
>     >> It already
>     >> has a perfectly good ephemeral Diffie-Hellman share which I am
>     putting to
>     >> good use
>     >> instead of ignoring which necessitates generation of yet
>     another ephemeral
>     >> Diffie-Hellman share.
>     >>
>     >> You're not treating the PAKE as a box that takes a password on
>     one side
>     >> and emits a key on the other side.
>     >>
>     >>
>     >>>
>     >>> The limitations are that the two sides have to be exchanging
>     >>> keys from the same group and since they've already agreed on a
>     group for
>     >>> their
>     >>> identity keys then they have to use the same one for the PAKE.
>     Those were
>     >>> not
>     >>> seen as serious issues because such a restriction may already
>     be imposed
>     >>> on the
>     >>> subsequent key exchange protocol (e.g. MQV), and it obviates
>     the need to
>     >>> discuss
>     >>> what it means to exchange, for instance, a p521 public key
>     over a PAKE
>     >>> that uses
>     >>> brainpool256. It cuts down on problematic options. That's the
>     same reason
>     >>> that
>     >>> the hash algorithm and SIV key length are determined by the prime
>     >>> defining the
>     >>> group, less options that might be used poorly means a more
>     robust and
>     >>> idiot-proof
>     >>> protocol.
>     >>
>     >>
>     >> I'll grant that you do get more rigidity from the conjunction. 
>     But I'm
>     >> not sure that this is more effective than simply expressing the
>     requirement
>     >> in prose.
>     >>
>     >>
>     >>>
>     >>>
>     >>>   Also, there is no restriction on ECDSA.
>     >>
>     >>
>     >> Maybe you should revise this text then :)
>     >>
>     >> """
>     >> Due to the nature of the exchange, only DSA ([DSS]) and ECDSA
>     >>    ([X9.62]) keys can be exchanged with PKEX.
>     >> """
>     >>
>     >>
>     >>   Right, it expressly includes DSA keys.
>     >>
>     >> And maybe add a clearer explanation than "due to the nature of the
>     >> exchange".
>     >>
>     >>
>     >>   OK, good comment. That is overly vague.
>     >>
>     >>   Dan.
>     >>
>     >> --Richard
>     >>
>     >>
>     >>>
>     >>> In fact, Appendix A.2 has the SPAKE2
>     >>> role-specific elements for four standard DH groups and the
>     Appendix talks
>     >>> about
>     >>> how to generate role-specific elements for other groups not
>     enumerated.
>     >>>
>     >>> --Richard
>     >>>
>     >>> [1] Sketch:
>     >>>
>     >>> A->B: SPAKE-Kex
>     >>> B->A: SPAKE-Kex, SPAKE-Confirm, {ID_B, Pub_B, Eph_B}K_spake_B
>     >>> A->B: SPAKE-Confirm, {ID_A, Pub_A, Eph_A}K_spake_A, MAC(K_DH_A,
>     >>> transcript}
>     >>> B->A: MAC(K_DH_B, transcript)
>     >>>
>     >>> Note that at this point, it's starting to look simpler just to
>     do TLS!
>     >>>
>     >>>
>     >>>   It's not really. There is running code for this protocol
>     (and not just
>     >>> by
>     >>> me) and it's much simpler than TLS.
>     >>>
>     >>>   regards,
>     >>>
>     >>>   Dan.
>     >>>
>     >>>
>     >>
>     >>
>     >
>     >
>     > _______________________________________________
>     > Cfrg mailing list
>     > Cfrg@irtf.org <mailto:Cfrg@irtf.org>
>     > https://www.irtf.org/mailman/listinfo/cfrg
>     <https://www.irtf.org/mailman/listinfo/cfrg>
>     >
>
>     _______________________________________________
>     Cfrg mailing list
>     Cfrg@irtf.org <mailto:Cfrg@irtf.org>
>     https://www.irtf.org/mailman/listinfo/cfrg
>     <https://www.irtf.org/mailman/listinfo/cfrg>
>
>
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email