Re: [Cfrg] Another PAKE question

"Dan Harkins" <dharkins@lounge.org> Thu, 09 January 2014 07:25 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BCAB1AE08C for <cfrg@ietfa.amsl.com>; Wed, 8 Jan 2014 23:25:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.867
X-Spam-Level:
X-Spam-Status: No, score=-3.867 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XmYuemYHaXdd for <cfrg@ietfa.amsl.com>; Wed, 8 Jan 2014 23:25:24 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 61C871A1F61 for <cfrg@irtf.org>; Wed, 8 Jan 2014 23:25:24 -0800 (PST)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id E5782A888012; Wed, 8 Jan 2014 23:25:09 -0800 (PST)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Wed, 8 Jan 2014 23:25:10 -0800 (PST)
Message-ID: <53bf7ac99fb17e4f9333d42fea20505c.squirrel@www.trepanning.net>
In-Reply-To: <B17D6E18-898E-44EF-94EF-A4419BDE908A@checkpoint.com>
References: <B17D6E18-898E-44EF-94EF-A4419BDE908A@checkpoint.com>
Date: Wed, 8 Jan 2014 23:25:10 -0800 (PST)
From: "Dan Harkins" <dharkins@lounge.org>
To: "Yoav Nir" <ynir@checkpoint.com>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Another PAKE question
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jan 2014 07:25:28 -0000

  Hi Yoav,

On Wed, January 8, 2014 10:09 pm, Yoav Nir wrote:
> Hi
>
> I almost feel like I'm asking for trouble after the roast that Dan went
> through, but some on this list might want to consider another PAKE going
> through an IETF working group.

  While I think you are definitely asking for trouble, it's good that you do.
Trying to fly under the radar would not be a good thing.

> HTTP-Auth is making experimental authentication mechanisms for the HTTP
> layer. One of those is a PAKE. If people here on the CFRG list would like
> to comment on it, that would be great. We can have some discussion here,
> but ultimately, comments criticisms and suggestions should go to the
> HTTP-auth list (details below).
>
> The draft in question is called "Mutual Authentication Protocol for HTTP".
>
> Link: http://tools.ietf.org/html/draft-ietf-httpauth-mutual-01

  It doesn't look like that draft specifies a PAKE. It seems to specify the
exchange of data that can be used by a PAKE, but not necessarily. Section
11 states:

    Cryptographic authentication algorithms which are used with this
    protocol will be defined separately¬Ö.

    All algorithm used with this protocol SHOULD provide secure mutual
    authentication between client and servers, and generate a
    cryptographically strong shared secret value z, equivalently strong
    to or stronger than the hash function H. If any passwords (or pass-
    phrases or any equivalents, i.e. weak secrets) are involved, these
    SHOULD NOT be guessable from any data transmitted in the protocol,
    even if an attacker (either an eavesdropper or an active server)
    knows the possible thoroughly-searchable candidate list of the
    passwords.

That SHOULD and SHOULD NOT mean that it could actually use an
authentication algorithm that doesn't provide mutual authentication
and that is susceptible to an off-line dictionary attack. You might
want to make those a MUST and MUST NOT.

  So where is the separately defined protocol that this draft uses?

  Also, figure 5 seems almost like a joke. Is this protocol _really_
that complicated? A security protocol that complicated seems like
a recipe for disaster.

  regards,

  Dan.

> Yoav
> co-chair of HTTP-Auth
>
> Mailing list details:
>  * http-auth List Information:
> https://www.ietf.org/mailman/listinfo/http-auth
>  * http-auth List Archives:
> http://www.ietf.org/mail-archive/web/http-auth/current/maillist.html
>  * http-auth Posting Address (requires registration): http-auth@ietf.org
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
>