IETF Logo Mail Archive

Re: [Cfrg] draft-irtf-cfrg-dragonfly document status

"Dan Harkins" <dharkins@lounge.org> Wed, 08 October 2014 23:40 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE3191A1AE1 for <cfrg@ietfa.amsl.com>; Wed, 8 Oct 2014 16:40:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.267
X-Spam-Level:
X-Spam-Status: No, score=-3.267 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_39=0.6, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iwF2Gxj0tD1G for <cfrg@ietfa.amsl.com>; Wed, 8 Oct 2014 16:40:45 -0700 (PDT)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id A543A1A01F7 for <cfrg@irtf.org>; Wed, 8 Oct 2014 16:40:45 -0700 (PDT)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 2624710224008; Wed, 8 Oct 2014 16:40:45 -0700 (PDT)
Received: from 104.36.248.10 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Wed, 8 Oct 2014 16:40:45 -0700 (PDT)
Message-ID: <73d51db893a4b847db6d8eaae7f45cf5.squirrel@www.trepanning.net>
In-Reply-To: <CACsn0ckGqUVeOeP17opaynVYm5E7RLJnF4=r20zBYMidBZzEKw@mail.gmail.com>
References: <54357A2A.2010800@isode.com> <CACsn0c=222g7HHpPh++noS3H1jEhawtQAdeA1WbPObN3wZr6jQ@mail.gmail.com> <D05AE162.50264%paul@marvell.com> <CACsn0ckGqUVeOeP17opaynVYm5E7RLJnF4=r20zBYMidBZzEKw@mail.gmail.com>
Date: Wed, 08 Oct 2014 16:40:45 -0700
From: Dan Harkins <dharkins@lounge.org>
To: Watson Ladd <watsonbladd@gmail.com>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/Hv-6HDNCQr89H_gU2d-MbM_Kpvc
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] draft-irtf-cfrg-dragonfly document status
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Oct 2014 23:40:50 -0000

  Watson,

On Wed, October 8, 2014 3:46 pm, Watson Ladd wrote:
> On Oct 8, 2014 3:26 PM, "Paul Lambert" <paul@marvell.com> wrote:
>>>
>>> On Oct 8, 2014 10:53 AM, "Alexey Melnikov" <alexey.melnikov@isode.com>
> wrote:
>>> >
>>> > Hi,
>>> > My apologies for taking so long on this. But I felt I needed to
>>> review
> mailing list discussions to make up my own mind on this topic.
>>> >
>>> > After reviewing mailing list discussions about this draft, I would
> like to do another RGLC on it. I've seen negative comments on the mailing
> list, but I've also seen some interest in this work and I am also aware
> that some variants of the algorithm are already implemented/deployed.
> Also,
> there were a couple of new revisions of the draft and it is not clear
> whether people who reported original problems are happy with how they got
> resolved. So I would like to see a bit more positive feedback on the
> latest
> version, in particular I would like to know if specific issues raised by
> earlier reviews are addressed in the latest version.
>>
>> This draft should be published as an RFC.  There is considerable value
>> in
> having a published stable reference document.   The market should be
> allowed to do the estimations of risk and value to field this protocol.
>
> Just as they did with RC4 and renegotiation?

  This has nothing to do with RC4 and renegotiation (I assume you mean
in TLS).

>>
>> Versions of the protocol have been adopted and fied. This protocol was
> first  introduced into IEEE 802.11s in 2008. The base protocol exchange
> has
> also been adopted in the Wi-Fi  Alliance.  The protocol has been improved
> by the review in the cfrg and if published, the specification would
> positively impact the application of the protocol in other forums.
>>
>>> My comment (there is no security proof, and alternatives with better
> provable security) has been acknowledged to be unresolveable.
>>
>> Yes, this may be considered a negative point by some but not all.
>> While
> not a proof, the protocol has been analyzed:
>> Cryptanalysis of the Dragonfly Key Exchange Protocol
>> It was interested that the only issue mentioned was a small subgroup
> attack if the public key is not validated …. which it always should.
>
> This analysis ignores Rene Struik's timing attack, my reflection attack,
> and other comments incorporated into the draft.

  And I thanked Rene, you, and others for your comments and, as you note,
incorporated resolutions into the draft. Once again, thank you for helping
improve the draft. All of the comments have been resolved in -04.

  (I will note that the reflection attack you mentioned is not possible
in the IEEE 802.11 version of dragonfly, which predated your comment
and this draft by a few years, and neither was small subgroup attack
described by Clarke and Hao mentioned above. The -00 version of this
draft was rushed, take a look at the Acknowledgements in section 4 to
see just how bad, and I left some things out that I shouldn't have. All
this has all been addressed in -04).

>>>
>>> The draft authors knew this from the very beginning.
>>>
>>> I don't think we should approve a protocol that doesn't have a security
> proof, particularly given that we are going to work on alternatives.
>>
>> “… Going to work on …” is the issue.  The draft under discussion
>> has been
> on IETF servers for 2 years.  It has been used in other industry forums
> for
> four or five years.
>
> Plenty of alternatives have been put forward in those two years, including
> EKE+Elligator,  SPAKE2,  JPAKE,  and SMP based solutions. The failure to
> advance these is inexplicable.

  Oh no, it's very easily explained. It's because no one has stepped forward
to actually write the I-Ds. You have stated on numerous occasions that these
should be written up but you have never actually taken on the task of
actually doing it. Please, write up a draft or four.  Whether or not you do,
though, this really has nothing to do with the RGLC underway right now.

  If there was a security proof of dragonfly it would not be, nor should it
be, part of this draft. It would be a stand-alone paper. The complaint about
the lack of a security proof is really procedural and not technical as it is
not a comment on the draft that can be resolved by changing the draft.
The IRTF (and the IETF as well) has never put a security proof as a process
requirement for advancement of I-Ds. You may think it should but that
is an argument for a different place, not a RGLC.

  regards,

  Dan.

>>
>> Yes, the cfrg should work as quickly as possible to make alternatives.
> Stopping the progression of this draft does not accelerate new work, but
> does prevent existing applications from utilizing a reviewed and improved
> specification.
>
> The nonexistence of this draft did not stop adoption in Wifi. By contrast
> advancing a number of PAKEs will kick the issue to WGs without the
> capacity
> to evaluate the issues.
>
>>>
>>> There is plenty of terrible crypto in IEEE standards
>>
>> … and IETF standards.  Bringing in other good or bad protocols into
>> the
> discussion is irrelevant to the decision at hand.
>>>
>>> we don't issue drafts for because it is so terrible.
>>
>> Since when did the IETF mandate a security proof …   There are
>> terrible
> protocols with proofs, so why does the lack of a proof made something
> ‘terrible’.
>>
>> Paul
>>
>>
>>
>>> To the extent our publication leads to use of dragonfly as opposed to
> known - good protocols, it's a problem.
>>
>>
>>
>>
>>> >
>>> > Considering how difficult previous Last Call on the document was, I
> would like to ask people to:
>>> > 1) keep in mind that CFRG chairs believe that the RG should work on
> PAKE requirements and after that on other PAKE proposals. This was
> suggested by our previous co-chair David McGrew:
>>> >   http://www.ietf.org/mail-archive/web/cfrg/current/msg03723.html
>>>
>>> Why doesn't this apply to dragonfly, but only other proposals?
>>>
>>> > 2) be professional, in particular no ad hominem attacks
>>> > 3) be constructive. In particular if you would like a disclaimer
>>> being
> added to the document, please suggest specific text.
>>> > 4) simple statements of support for publishing the document or
> objection to publishing it are fine and encouraged. Sending them directly
> to RG chairs is fine. But please avoid saying "but what about PAKEXXX?",
> due to 1).
>>> > 5) unlike IETF, IRTF RGs are not required to reach rough consensus.
> However I would like to see us try.
>>> >
>>> > Best Regards,
>>> > Alexey,
>>> > on behalf of chairs.
>>> >
>>> > _______________________________________________
>>> > Cfrg mailing list
>>> > Cfrg@irtf.org
>>> > http://www.irtf.org/mailman/listinfo/cfrg
>>
>>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email