Re: [Cfrg] ISE seeks comments on: draft-cakulev-ibake-02.txt
David Wagner <daw@cs.berkeley.edu> Tue, 19 October 2010 19:42 UTC
Return-Path: <daw@cs.berkeley.edu>
X-Original-To: cfrg@core3.amsl.com
Delivered-To: cfrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4F64F3A695E for <cfrg@core3.amsl.com>; Tue, 19 Oct 2010 12:42:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BeGyjQdfrFU3 for <cfrg@core3.amsl.com>; Tue, 19 Oct 2010 12:41:51 -0700 (PDT)
Received: from taverner.cs.berkeley.edu (taverner.CS.Berkeley.EDU [128.32.153.193]) by core3.amsl.com (Postfix) with ESMTP id AD3D33A6929 for <cfrg@irtf.org>; Tue, 19 Oct 2010 12:39:03 -0700 (PDT)
Received: from taverner.cs.berkeley.edu (localhost.localdomain [127.0.0.1]) by taverner.cs.berkeley.edu (8.14.2/8.14.2) with ESMTP id o9JJe6rs026151 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 19 Oct 2010 12:40:06 -0700
Received: (from daw@localhost) by taverner.cs.berkeley.edu (8.14.2/8.14.2/Submit) id o9JJe6qT026149; Tue, 19 Oct 2010 12:40:06 -0700
From: David Wagner <daw@cs.berkeley.edu>
Message-Id: <201010191940.o9JJe6qT026149@taverner.cs.berkeley.edu>
To: cfrg@irtf.org
Date: Tue, 19 Oct 2010 12:40:06 -0700
Secret-Bounce-Tag: 9a029cbee41caf2ca77a77efa3c13981
X-Mailer: ELM [version 2.5 PL6]
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Re: [Cfrg] ISE seeks comments on: draft-cakulev-ibake-02.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Oct 2010 19:42:02 -0000
[I tried sending this two weeks ago, but it never seems to have hit the list. I apologize for any duplicates anyone may receive. This is regarding draft-cakulev-ibake-02.txt.] draft-cakulev-ibake-02.txt's abstract says: > "Cryptographic protocols based on public key methods are based on > certificates and large scale public key infrastructure (PKI) to > support certificate management. The emerging field of Identity Based > Encryption protocols allows to simplify the infrastructure > requirements via a Key Generation Function (KGF) while providing the > same flexibility. However one significant limitation of Identity > Based Encryption methods is that the KGF can end up being a de-facto > key escrow server with undesirable consequences. Another observed > deficiency is a lack of mutual authentication of communicating > parties. Here, Identity Based Authenticated Key Exchange (IBAKE) > Protocol is specified which does not suffer from the key escrow > problem and in addition provides mutual authentication and a perfect > forward and backwards secrecy." Here are my notes, after a quick informal review: I don't immediately see any practical advantage over standard PKI. IBAKE doesn't seem to address the hard problems or limitations of PKI. The practical limitations of PKI mainly arise from the way it is used in a larger system, not from the crypto-mathematics themselves. (See, e.g., writings from Peter Gutmann, Carl Ellison, or Bruce Schneier.) I don't see how IBAKE changes the game in any significant way. For instance, IBAKE "assumes that the Initiator and the Responder trust a third party" (the key generator). If it's acceptable to trust a third party, then one could equally well trust a Certificate Authority. I do not see how IBAKE simplifies the management, revocation, authorization, or other issues associated with standard PKI. I see no advantage here. The Internet-Draft claims that by making the keys date-dependent, IBAKE can address key revocation. But as far as I can see, PKI can support a similar functionality by issuing certificates with appropriately chosen expiration dates. In either case, the requirement for tighter time synchronization may have some practical consequences. Some technical comments (many are nitpicky or at least addressable): * I have questions about the security of this protocol. It does not come with a proof of security, which is the accepted standard for new proposals of this sort. The scheme has apparently not been previously published in an appropriate peer-reviewed scientific conference. I will illustrate some examples of specific potential concerns, which a proof of security would put to rest. The IBAKE protocol uses encryption to authenticate the parties, and relies upon the encryption to bind various plaintext entities securely to each other, which requires careful analysis (for instance, if the encryption method is malleable, then various active attacks may be possible, so any proof of security would need to account for this, implicitly or explicitly). As another example, Message_1 and Message_3 have the same format, raising the possibility of cut-and-paste attacks that copy an intercepted Message_1 and introduce it as Message_3, or vice versa (any proof of security would need to demonstrate, either implicitly or explicitly, that this cannot cause any problems). As a third example, the protocol specification does not explicitly specify that, after decrypting, each party should check that the identities in the decrypted plaintext match what is expected. It's not obvious whether this might have any security consequences; a proof of security would address that concern. These examples are not intended to be exhaustive, and the main value of a proof of security is that it addresses even concerns we may not have anticipated (as opposed to solely those concerns that we were able to identify in advance). * The protocol specification does not require the parties to check that the elliptic curve points they receive are indeed elements of the curve and members of the group. I wonder if this has any consequences. Can a malicious Initiator achieve anything interesting by sending a value of xP that is not actually on the curve? * The security analysis doesn't make explicit the consequences of active man-in-the-middle attacks, where the attacker colludes with the KGF (or compromises the KGF). The security analysis says it is assumed this will not happen. * The protocol specification could provide stronger guidance on the choice of x and y. It says that they should be random and seems to assume they will be chosen anew for each session, but it might help to specify explicitly for implementors that they must be chosen anew for each session. If the Responder re-uses y for multiple sessions with the same Initiator, then it becomes possible for an active attacker to replay past sessions, fooling the Initiator into thinking that he is talking with the Responder when he is actually not. If the Responder's message is a non-idempotent command to the Responder, these replay attacks could be problematic. The Internet-Draft could clearly state that no value of x,y may ever be reused across sessions, not even in a new session with the same (Initiator,Responder)-pair. * The protocol does not describe how messages are associated with or bound to a particular session. There is no session ID. The Internet-Draft does not discuss issues such as concurrent session establishment. Overall, it seemed to me that the IBAKE Internet-Draft did not make a compelling argument for IBAKE, and I felt that its comparison of PKI vs IBAKE was unconvincing. Even if the technical issues listed above were addressed, I feel that the failure to articulate a clear advantage over standard PKI would be sufficient to prevent advancement of this Internet-Draft. Therefore, if I have understood the situation accurately, I do not recommend that this Internet-Draft be advanced for standardization. Caveat: This is based upon a quick look at the I-D. There may well be significant errors or oversight in my analysis, for all I know.
- Re: [Cfrg] ISE seeks comments on: draft-cakulev-i… David Wagner
- [Cfrg] ISE seeks comments on: draft-cakulev-ibake… Nevil Brownlee
- Re: [Cfrg] ISE seeks comments on: draft-cakulev-i… Jim Schaad