Re: [Cfrg] Requesting removal of CFRG co-chair

Watson Ladd <> Sat, 21 December 2013 17:58 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 922241ADFD6 for <>; Sat, 21 Dec 2013 09:58:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id pNOz6xpG3D98 for <>; Sat, 21 Dec 2013 09:58:42 -0800 (PST)
Received: from ( [IPv6:2a00:1450:400c:c05::232]) by (Postfix) with ESMTP id 74F301ADFCF for <>; Sat, 21 Dec 2013 09:58:42 -0800 (PST)
Received: by with SMTP id bz8so4928643wib.17 for <>; Sat, 21 Dec 2013 09:58:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=hOWBAKeS94RBJBQ3Qg2eAL10Fhg2fpGZ2oqIVxYVYZM=; b=nXHSJLrIFVbUcfm7LF+hhJA6AqxuADfQwCstF1FLX9qo8AHjDMfrpQpJ2YR21NGAf4 u4hOutgr1gYOK4GLK6X6h6+Lk21sobT2r8l4reSwT41M4r/Hvi5jjElsDtiUqHR0gABk fB8zt6YnnDAuE11QNAEkdEtInJ0SEm2C40UZnpDzdnHArzlha6rEjru/cUlcCJ4sl1SF 94UC/UdN/8IkTs4NutcgIn2bAfdahNGKgkkB7sYm8AhhyynakvMAc2aUA1QPta8BPNZA WvgnBcRDQhhn4KNrBfJN4HB8y/uZLDj5cDryQ1yCt+N4fHwlCq/IEFp07Q5SYHBTpVIT IVpg==
MIME-Version: 1.0
X-Received: by with SMTP id dl2mr12409742wib.17.1387648719372; Sat, 21 Dec 2013 09:58:39 -0800 (PST)
Received: by with HTTP; Sat, 21 Dec 2013 09:58:39 -0800 (PST)
In-Reply-To: <>
References: <> <>
Date: Sat, 21 Dec 2013 09:58:39 -0800
Message-ID: <>
From: Watson Ladd <>
To: "" <>
Content-Type: text/plain; charset="UTF-8"
Subject: Re: [Cfrg] Requesting removal of CFRG co-chair
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 21 Dec 2013 17:58:45 -0000

On Sat, Dec 21, 2013 at 12:28 AM, Dan Harkins <> wrote:
>   This request is FUD on top of innuendo.
>   The protocol in question, dragonfly, does not have any security
> flaws that would cause it to be inappropriate as a TLS cipher suite.
> Given that Standards Track RFCs defining TLS cipher suites are
> susceptible to attacks that dragonfly is provably resistant to
> underscores that fact.

There are no proofs for Dragonfly. And this is not about any particular
protocol, but rather Kevin's misrepresentation of list consensus to the TLS WG.

>   The recent discussion on the TLS list actually just rehashed old
> issues raised 2 years or more before the WGLC, namely:
>   1) there is no security proof for resistance to an off-line
>       dictionary attack; and
>   2) there is text in the draft that deals with a potential side
>       channel attack.
> It was #1 that prompted the request to CFRG. The TLS WG did
> not feel it was capable of evaluating that part of a cryptographic
> key exchange and asked the CFRG to take a look. No attack
> against dragonfly was brought up during the CFRG review, and
> to this day there is no known attack against it.

The situation is much worse: Dragonfly falls apart in the standard
model for contrived hash functions.
In the ROM nothing was known. Should CFRG decide this is adequate for
a protocol?
I think that CFRG should take a much harder line due to a long and
checkered history of
protocols falling apart because of a lack of proof. The CFRG exists
because the IETF has
made inexcusable cryptography errors.

> Issue #2 is the result of a mailing list discussion prior to WGLC.
> Note that Trevor  Perrin did not have an opinion on the matter when
> it was discussed; he actually only commented 2+ years later, after
> WGLC closed. If WG consensus wanted to re-open the issue, it might
> make sense to discuss other resolutions as a way to move forward
> but Trevor has stated that it doesn't matter, he will oppose the draft
> no matter what changes are done.

The reasons why the TLS WG doesn't feel like a PAKE is needed are orthogonal
to the issues of Dragonfly's review by the CFRG. Let's try to focus on
the relevant claims.
The CFRG has been reactive and seems to have ignored the IETF 88
revelations that
protocols might be backdoored. Dragonfly did not go through a process
that lead to adequate

>   I am extremely sorry that my draft seems to have caused the CFRG
> chairs to be the target of these accusations.
>   It's always easy to be a critic and it's especially easy to launch a
> FUD-based criticism. But criticizing someone who volunteers to
> do work that one is not capable of doing himself is especially
> lazy. The added implication of a conspiracy theory should be all
> the more reason to reject it.
>   There is no substance to this complaint and I hope it is
> summarily dismissed.

I think I can make a last call on time, and see if anyone says no. In
fact, I think a perl script can do it.
Kevin didn't properly represent the state of the CFRG list, nor did he
properly indicate he was going to
relay approval to the TLS WG. This in effect meant that the CFRG was
one person: Kevin.

>   regards,
>   Dan.
> On Fri, December 20, 2013 8:01 am, Trevor Perrin wrote:
>> Dear IRTF Chair, IAB, and CFRG:
>> I'd like to request the removal of Kevin Igoe from CFRG co-chair.
>> The Crypto Forum Research Group is chartered to provide crypto advice
>> to IETF Working Groups.  As CFRG co-chair for the last 2 years, Kevin
>> has shaped CFRG discussion and provided CFRG opinion to WGs.
>> Kevin's handling of the "Dragonfly" protocol raises doubts that he is
>> performing these duties competently.  Additionally, Kevin's employment
>> with the National Security Agency raises conflict-of-interest
>> concerns.
>> Dragonfly Background
>> ----
>> Dragonfly is a "Password-Authenticated Key Exchange" protocol (or
>> "PAKE").  Dragonfly was proposed to CFRG 2 years ago [PROPOSAL].
>> Compared to better-known PAKEs, Dragonfly has no security proof, a
>> lack of extensive security analysis, nonfunctional complications added
>> for IPR reasons, and some security issues [REVIEW].
>> Dragonfly became a hot topic recently when the TLS WG disputed CFRG's
>> alleged report that Dragonfly was "satisfactory", as well as disputing
>> that this report reflected CFRG consensus [TLS_1].  After extensive
>> criticism of Dragonfly, the TLS WG ceased work on a Dragonfly
>> extension [TLS_2].
>> NSA Background
>> ----
>> The National Security Agency ("NSA") is a U.S. Intelligence Agency
>> which is believed to devote considerable resources to:
>>  - "Influence policies, standards and specifications for commercial
>> public key technologies"
>>  - "Shape the worldwide cryptography marketplace to make it more
>> tractable to advanced cryptanalytic capabilities" [BULLRUN]
>> While much is unknown about these activities, the NSA is known to have
>> placed a "back door" in a NIST standard for random number generation
>> [ECDRBG].  A recent report from the President's Review Group
>> recommends that the NSA:
>>  - "fully support and not undermine efforts to create encryption
>> standards"
>>  - "not in any way subvert, undermine, weaken, or make vulnerable
>> generally available commercial software" [PRESIDENTS]
>> This suggests the NSA is currently behaving contrary to the
>> recommendations.
>> Reasons for requesting Kevin's removal
>> ----
>> 1)  Kevin has provided the *ONLY* positive feedback for Dragonfly that
>> can be found on the CFRG mailing list or meeting minutes.  The
>> contrast between Kevin's enthusiasm and the group's skepticism is
>> striking [CFRG_SUMMARY].  It's unclear what this enthusiasm is based
>> on.  There's no record of Kevin making any effort to understand
>> Dragonfly's unusual structure, compare it to alternatives, consider
>> possible use cases, or construct a formal security analysis.
>> 2)  Twice Kevin suggested a technique for deriving the Dragonfly
>> password-based element which would make the protocol easy to break
>> [IGOE_1, IGOE_2].  He also endorsed an ineffective attempt to avoid
>> timing attacks by adding extra iterations to one of the loops [IGOE_3,
>> IGOE_4].  These are surprising mistakes from an experienced
>> cryptographer.
>> 3)  Kevin's approval of Dragonfly to the TLS WG misrepresented CFRG
>> consensus, which was skeptical of Dragonfly [CFRG_SUMMARY].
>> 4)  Kevin's NSA affiliation raises unpleasant but unavoidable
>> questions regarding these actions.  It's entirely possible these are
>> just mistakes by a novice chair who lacks experience in a particular
>> sort of protocol and is being pressured by IETF participants to
>> endorse something.  But it's hard to escape an impression of
>> carelessness and unseriousness in Kevin's work.  One wonders whether
>> the NSA is happy to preside over this sort of sloppy crypto design.
>> While that's of course speculation, it remains baffling that an
>> experienced cryptographer would champion such a shoddy protocol.  The
>> CFRG chairs have been silent for months, and haven't responded to
>> attempts to clarify this.
>> Conclusion
>> ----
>> The position of CFRG chair (or co-chair) is a role of crucial
>> importance to the IETF community.  The IETF is in desperate need of
>> trustworthy crypto guidance from parties who are above suspicion.  I
>> encourage the IAB and IRTF to replace Kevin Igoe with someone who can
>> provide this.
>> Thanks for considering this request.
>> Trevor
>> [TLS_1]
>> [TLS_2]
>> [IGOE_1]
>> [IGOE_2]
>> [IGOE_3]
>> [IGOE_4]
>> _______________________________________________
>> Cfrg mailing list
> _______________________________________________
> Cfrg mailing list

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin