Re: [Cfrg] Review of Dragonfly PAKE

Watson Ladd <watsonbladd@gmail.com> Wed, 11 December 2013 01:54 UTC

In-Reply-To: <CAGZ8ZG0+LBsSiub9JDpXpn3NA366a8_9DqiA-HERMpmyWjq0kw@mail.gmail.com>
References: <CAGZ8ZG0+LBsSiub9JDpXpn3NA366a8_9DqiA-HERMpmyWjq0kw@mail.gmail.com>
Date: Tue, 10 Dec 2013 17:54:32 -0800
Message-ID: <CACsn0c=zdq5ZC9s46ibAT59eO6uS+OSjpymcK=5=hTGsuPgL8w@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Trevor Perrin <trevp@trevp.net>
Content-Type: text/plain; charset="UTF-8"
Cc: cfrg@ietf.org, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [Cfrg] Review of Dragonfly PAKE

On Tue, Dec 10, 2013 at 2:30 PM, Trevor Perrin <trevp@trevp.net> wrote:
> Dear CFRG (cc: TLS),
>
> Here's a review of the Dragonfly Password-Authenticated Key Exchange (PAKE) from
> draft-irtf-cfrg-dragonfly-02 [CFRGDRAFT].
>
> Overview
> ----
> The Dragonfly PAKE is built on SPEKE with an "obfuscation" applied to
> the exchange of Diffie-Hellman values.  The obfuscation lacks formal
> analysis and serves no obvious purpose, but may be an attempt to avoid
> the SPEKE patent [IPSEC].  Dragonfly has security weaknesses due to
> use of a variable-time algorithm to map a password to an EC point
> [STRUIK], and lack of "augmented" PAKE properties.
>
> Obfuscating the SPEKE DH exchange
> ----
> SPEKE is an old and well-known PAKE [JABLON].  In SPEKE each party
> uses a shared password to derive a Diffie-Hellman generator.  The
> generator is then used for a Diffie-Hellman exchange.
>
> SPEKE is patented until 2017 [SPEKEPATENT].  Alternatives without
> current patents include [DH-EKE] and [J-PAKE].  Alternatives with
> royalty-free terms include [SRP] and [AUGPAKE].
>
> Dragonfly uses the SPEKE approach but obfuscates the exchange of DH
> values.  In particular, given:
>
>   g : DH generator (calculated by hashing the password)
>   a : Alice's DH private key
>
> In SPEKE, Alice sends g^a.
>
> In Dragonfly, Alice generates a mask m, and sends (a+m, g^-m).  Bob
> uses these values and g to reconstruct g^a.  [ g^a = g^(a+m) * g^-m ]
>
> This obfuscation adds computation and bandwidth costs.  It's not clear
> whether it adds any security benefit.  It's not clear how Dragonfly's
> security relates to SPEKE; whether the SPEKE security proof from
> [MACKENZIE] still applies; or whether another security proof could be
> created.
>
Nota bene: The proof does not address resistance to offline attack,
and uses an assumption that isn't known to be equivalent to anything.
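The SPEKE exchange and the Dragonfly masking described in Trevor's review, as an added Python illustration that is not code from the draft or from either author. It assumes a toy safe-prime multiplicative group in place of an EC group, and a simplified SPEKE-style hash-to-generator map rather than Dragonfly's point-mapping loop.

```python
import hashlib
import secrets

# Toy safe prime p = 2q + 1, q prime (constructed for illustration only; a real
# deployment uses an EC group or a large MODP group, never a 10-bit modulus).
P = 1019
Q = 509

def password_to_generator(password: bytes) -> int:
    """SPEKE-style map: hash the password and square it mod p so the result
    lies in the order-q subgroup. The retry loop only fires when the hash
    lands on 0 or +/-1, but its iteration count is still password-dependent:
    a small-scale version of the timing concern the review raises."""
    for counter in range(256):
        digest = hashlib.sha256(bytes([counter]) + password).digest()
        g = pow(int.from_bytes(digest, "big") % P, 2, P)
        if g > 1:
            return g
    raise ValueError("no usable generator")

def speke_send(g: int, a: int) -> int:
    """Plain SPEKE: Alice sends g^a."""
    return pow(g, a, P)

def dragonfly_send(g: int, a: int, m: int) -> tuple[int, int]:
    """Dragonfly's obfuscation: send the scalar a+m (mod q) and the element g^-m."""
    return (a + m) % Q, pow(g, (-m) % Q, P)

def dragonfly_recover(g: int, scalar: int, element: int) -> int:
    """Peer reconstructs g^a = g^(a+m) * g^-m using its own password-derived g."""
    return (pow(g, scalar, P) * element) % P

def masking_is_exact(g: int, a: int, m: int) -> bool:
    """Unmasking with the same g returns exactly the SPEKE value g^a."""
    return dragonfly_recover(g, *dragonfly_send(g, a, m)) == speke_send(g, a)

def run_exchange(pw_alice: bytes, pw_bob: bytes) -> bool:
    """Full masked exchange; returns whether both sides derive the same g^(ab).
    With matching passwords this is always True; with different passwords the
    generators differ and agreement is a 1/q accident."""
    g_a, g_b = password_to_generator(pw_alice), password_to_generator(pw_bob)
    a, b = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    sa, ea = dragonfly_send(g_a, a, secrets.randbelow(Q))
    sb, eb = dragonfly_send(g_b, b, secrets.randbelow(Q))
    k_alice = pow(dragonfly_recover(g_a, sb, eb), a, P)
    k_bob = pow(dragonfly_recover(g_b, sa, ea), b, P)
    return k_alice == k_bob
```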