Re: [Cfrg] draft-irtf-cfrg-dragonfly document status
"Dan Harkins" <dharkins@lounge.org> Wed, 08 October 2014 23:40 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE3191A1AE1 for <cfrg@ietfa.amsl.com>; Wed, 8 Oct 2014 16:40:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.267
X-Spam-Level:
X-Spam-Status: No, score=-3.267 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_39=0.6, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iwF2Gxj0tD1G for <cfrg@ietfa.amsl.com>; Wed, 8 Oct 2014 16:40:45 -0700 (PDT)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id A543A1A01F7 for <cfrg@irtf.org>; Wed, 8 Oct 2014 16:40:45 -0700 (PDT)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 2624710224008; Wed, 8 Oct 2014 16:40:45 -0700 (PDT)
Received: from 104.36.248.10 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Wed, 8 Oct 2014 16:40:45 -0700 (PDT)
Message-ID: <73d51db893a4b847db6d8eaae7f45cf5.squirrel@www.trepanning.net>
In-Reply-To: <CACsn0ckGqUVeOeP17opaynVYm5E7RLJnF4=r20zBYMidBZzEKw@mail.gmail.com>
References: <54357A2A.2010800@isode.com> <CACsn0c=222g7HHpPh++noS3H1jEhawtQAdeA1WbPObN3wZr6jQ@mail.gmail.com> <D05AE162.50264%paul@marvell.com> <CACsn0ckGqUVeOeP17opaynVYm5E7RLJnF4=r20zBYMidBZzEKw@mail.gmail.com>
Date: Wed, 08 Oct 2014 16:40:45 -0700
From: Dan Harkins <dharkins@lounge.org>
To: Watson Ladd <watsonbladd@gmail.com>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/Hv-6HDNCQr89H_gU2d-MbM_Kpvc
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] draft-irtf-cfrg-dragonfly document status
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Oct 2014 23:40:50 -0000
Watson, On Wed, October 8, 2014 3:46 pm, Watson Ladd wrote: > On Oct 8, 2014 3:26 PM, "Paul Lambert" <paul@marvell.com> wrote: >>> >>> On Oct 8, 2014 10:53 AM, "Alexey Melnikov" <alexey.melnikov@isode.com> > wrote: >>> > >>> > Hi, >>> > My apologies for taking so long on this. But I felt I needed to >>> review > mailing list discussions to make up my own mind on this topic. >>> > >>> > After reviewing mailing list discussions about this draft, I would > like to do another RGLC on it. I've seen negative comments on the mailing > list, but I've also seen some interest in this work and I am also aware > that some variants of the algorithm are already implemented/deployed. > Also, > there were a couple of new revisions of the draft and it is not clear > whether people who reported original problems are happy with how they got > resolved. So I would like to see a bit more positive feedback on the > latest > version, in particular I would like to know if specific issues raised by > earlier reviews are addressed in the latest version. >> >> This draft should be published as an RFC. There is considerable value >> in > having a published stable reference document. The market should be > allowed to do the estimations of risk and value to field this protocol. > > Just as they did with RC4 and renegotiation? This has nothing to do with RC4 and renegotiation (I assume you mean in TLS). >> >> Versions of the protocol have been adopted and fied. This protocol was > first introduced into IEEE 802.11s in 2008. The base protocol exchange > has > also been adopted in the Wi-Fi Alliance. The protocol has been improved > by the review in the cfrg and if published, the specification would > positively impact the application of the protocol in other forums. >> >>> My comment (there is no security proof, and alternatives with better > provable security) has been acknowledged to be unresolveable. >> >> Yes, this may be considered a negative point by some but not all. >> While > not a proof, the protocol has been analyzed: >> Cryptanalysis of the Dragonfly Key Exchange Protocol >> It was interested that the only issue mentioned was a small subgroup > attack if the public key is not validated â¦. which it always should. > > This analysis ignores Rene Struik's timing attack, my reflection attack, > and other comments incorporated into the draft. And I thanked Rene, you, and others for your comments and, as you note, incorporated resolutions into the draft. Once again, thank you for helping improve the draft. All of the comments have been resolved in -04. (I will note that the reflection attack you mentioned is not possible in the IEEE 802.11 version of dragonfly, which predated your comment and this draft by a few years, and neither was small subgroup attack described by Clarke and Hao mentioned above. The -00 version of this draft was rushed, take a look at the Acknowledgements in section 4 to see just how bad, and I left some things out that I shouldn't have. All this has all been addressed in -04). >>> >>> The draft authors knew this from the very beginning. >>> >>> I don't think we should approve a protocol that doesn't have a security > proof, particularly given that we are going to work on alternatives. >> >> â⦠Going to work on â¦â is the issue. The draft under discussion >> has been > on IETF servers for 2 years. It has been used in other industry forums > for > four or five years. > > Plenty of alternatives have been put forward in those two years, including > EKE+Elligator, SPAKE2, JPAKE, and SMP based solutions. The failure to > advance these is inexplicable. Oh no, it's very easily explained. It's because no one has stepped forward to actually write the I-Ds. You have stated on numerous occasions that these should be written up but you have never actually taken on the task of actually doing it. Please, write up a draft or four. Whether or not you do, though, this really has nothing to do with the RGLC underway right now. If there was a security proof of dragonfly it would not be, nor should it be, part of this draft. It would be a stand-alone paper. The complaint about the lack of a security proof is really procedural and not technical as it is not a comment on the draft that can be resolved by changing the draft. The IRTF (and the IETF as well) has never put a security proof as a process requirement for advancement of I-Ds. You may think it should but that is an argument for a different place, not a RGLC. regards, Dan. >> >> Yes, the cfrg should work as quickly as possible to make alternatives. > Stopping the progression of this draft does not accelerate new work, but > does prevent existing applications from utilizing a reviewed and improved > specification. > > The nonexistence of this draft did not stop adoption in Wifi. By contrast > advancing a number of PAKEs will kick the issue to WGs without the > capacity > to evaluate the issues. > >>> >>> There is plenty of terrible crypto in IEEE standards >> >> ⦠and IETF standards. Bringing in other good or bad protocols into >> the > discussion is irrelevant to the decision at hand. >>> >>> we don't issue drafts for because it is so terrible. >> >> Since when did the IETF mandate a security proof ⦠There are >> terrible > protocols with proofs, so why does the lack of a proof made something > âterribleâ. >> >> Paul >> >> >> >>> To the extent our publication leads to use of dragonfly as opposed to > known - good protocols, it's a problem. >> >> >> >> >>> > >>> > Considering how difficult previous Last Call on the document was, I > would like to ask people to: >>> > 1) keep in mind that CFRG chairs believe that the RG should work on > PAKE requirements and after that on other PAKE proposals. This was > suggested by our previous co-chair David McGrew: >>> > http://www.ietf.org/mail-archive/web/cfrg/current/msg03723.html >>> >>> Why doesn't this apply to dragonfly, but only other proposals? >>> >>> > 2) be professional, in particular no ad hominem attacks >>> > 3) be constructive. In particular if you would like a disclaimer >>> being > added to the document, please suggest specific text. >>> > 4) simple statements of support for publishing the document or > objection to publishing it are fine and encouraged. Sending them directly > to RG chairs is fine. But please avoid saying "but what about PAKEXXX?", > due to 1). >>> > 5) unlike IETF, IRTF RGs are not required to reach rough consensus. > However I would like to see us try. >>> > >>> > Best Regards, >>> > Alexey, >>> > on behalf of chairs. >>> > >>> > _______________________________________________ >>> > Cfrg mailing list >>> > Cfrg@irtf.org >>> > http://www.irtf.org/mailman/listinfo/cfrg >> >> > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg >
- [Cfrg] draft-irtf-cfrg-dragonfly document status Alexey Melnikov
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Watson Ladd
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Paul Lambert
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Watson Ladd
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Paul Lambert
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Dan Harkins
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Watson Ladd
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Peter Gutmann
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Dan Harkins
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Schmidt
- [Cfrg] PAKEs in general (was; Re: draft-irtf-cfrg… Stephen Farrell
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Watson Ladd
- Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-… Paul Lambert
- Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-… Andy Lutomirski
- Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-… Mike Hamburg
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Alexey Melnikov
- [Cfrg] JPAKE and a few other things (was Re: draf… Alexey Melnikov
- [Cfrg] Writing proposals as drafts first (was Re:… Alexey Melnikov
- [Cfrg] PAKE requirements Alexey Melnikov
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Watson Ladd
- Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-… Yoav Nir
- Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-… Dan Harkins