Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-03.txt
Alex Elsayed <eternaleye@gmail.com> Fri, 19 February 2016 12:17 UTC
Return-Path: <giic-cfrg@m.gmane.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BDF31B2A8A for <cfrg@ietfa.amsl.com>; Fri, 19 Feb 2016 04:17:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.856
X-Spam-Level: **
X-Spam-Status: No, score=2.856 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FROM=0.001, FSL_HELO_BARE_IP_2=1.499, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_NUMERIC_HELO=1.164, RP_MATCHES_RCVD=-0.006, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cnh8d3TYnqkJ for <cfrg@ietfa.amsl.com>; Fri, 19 Feb 2016 04:17:03 -0800 (PST)
Received: from plane.gmane.org (plane.gmane.org [80.91.229.3]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 697EA1ACDE7 for <cfrg@irtf.org>; Fri, 19 Feb 2016 04:17:02 -0800 (PST)
Received: from list by plane.gmane.org with local (Exim 4.69) (envelope-from <giic-cfrg@m.gmane.org>) id 1aWjzW-0002Dy-TV for cfrg@irtf.org; Fri, 19 Feb 2016 13:16:59 +0100
Received: from 66.87.138.178 ([66.87.138.178]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <cfrg@irtf.org>; Fri, 19 Feb 2016 13:16:58 +0100
Received: from eternaleye by 66.87.138.178 with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <cfrg@irtf.org>; Fri, 19 Feb 2016 13:16:58 +0100
X-Injected-Via-Gmane: http://gmane.org/
To: cfrg@irtf.org
From: Alex Elsayed <eternaleye@gmail.com>
Date: Fri, 19 Feb 2016 12:16:51 +0000
Lines: 53
Message-ID: <na713j$kqr$1@ger.gmane.org>
References: <20160215145643.14144.52226.idtracker@ietfa.amsl.com> <56C1FB64.1080309@mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-Complaints-To: usenet@ger.gmane.org
X-Gmane-NNTP-Posting-Host: 66.87.138.178
User-Agent: Pan/0.139 (Sexual Chocolate; GIT bf56508 git://git.gnome.org/pan2)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/91tlk8rSpgZQ-w4krdVe0zm3CZA>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-03.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Feb 2016 12:17:04 -0000
On Mon, 15 Feb 2016 11:23:00 -0500, Greg Hudson wrote: > On 02/15/2016 09:56 AM, internet-drafts@ietf.org wrote: >> Filename : draft-irtf-cfrg-spake2-03.txt > > I am pleased to see progress on this draft. > > The formatting of the new formula for K' in section 2.2 is a little off > in its use of whitespace. > > SPAKE2+ doesn't use w0 or w1 in the derivation of K'. Obviously it > can't use w1 as B doesn't have it, but can we call this an augmented > version of SPAKE2 if it more closely resembles SPAKE1? Should it use > w0? > > The description of SPAKE2+ still refers to "Bob" in one place. > > In section 3, the formatting of the Python code is mangled. Calls to > ec.canon_pointstr() should be changed to canon_pointstr() since you've > defined that as a function. > > In section 3, the description of the algorithm still doesn't match the > actual algorithm used, although it's closer some details. The first > mismatch comes from these two passages: > > This string is turned into an infinite sequence of bytes by hashing > with SHA256, and hashing that output again to generate the next 32 > bytes, and so on. > > If this is impossible, then the next non-overlapping segment of > sufficient length is taken. > > The actual algorithm doesn't use non-overlapping segments of an infinite > sequence of bytes; instead it uses overlapping concatenations of hash > blocks for successive trials. For P-521, the first trial uses H1|H2|H3 > (where H1 is hash of the string, H2 is the hash of H1, etc.) truncated > to 65 bytes; the second trial uses H2|H3|H4 truncated, etc.. OOI, why not use HKDF, with the string as the IKM? Personally, I'd much prefer that to inventing Yet Another Ad-Hoc Way To Extract Arbitrary- Length Randomness. > The second mismatch comes from this passage: > > We multiply that point by the cofactor h, and if that is not the > identity, output it. > > The Python code multiplies the point by the generator order (p), and if > that *is* the identity, outputs the point. The difference is that the > Python code discards points of order 2p, 4p, ..., hp. This difference > is irrelevant for P-256 and P-521 which have cofactor 1.
- [Cfrg] I-D Action: draft-irtf-cfrg-spake2-03.txt internet-drafts
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-03.… Greg Hudson
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-03.… Alex Elsayed
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-03.… Watson Ladd
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-03.… Alex Elsayed
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-03.… Adam Langley