IETF Logo Mail Archive

Re: [Cfrg] Adoption call for draft-harkins-pkex-05

Richard Barnes <rlb@ipv.sx> Wed, 11 April 2018 18:07 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BC8E126CD8 for <cfrg@ietfa.amsl.com>; Wed, 11 Apr 2018 11:07:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.609
X-Spam-Level:
X-Spam-Status: No, score=-2.609 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WXWrqEUrBW-h for <cfrg@ietfa.amsl.com>; Wed, 11 Apr 2018 11:07:15 -0700 (PDT)
Received: from mail-oi0-x229.google.com (mail-oi0-x229.google.com [IPv6:2607:f8b0:4003:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F991126C89 for <cfrg@irtf.org>; Wed, 11 Apr 2018 11:07:15 -0700 (PDT)
Received: by mail-oi0-x229.google.com with SMTP id q71-v6so2597219oic.6 for <cfrg@irtf.org>; Wed, 11 Apr 2018 11:07:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=wfzqlUFkpHdOyBJ74GmPxbegLSbp53jkSWbWHC5NnV0=; b=IiSC2DPA+itF/OQGIRLuCSikRIpk5cpb9eIvR1+qxSUgzr/pY+gyo0iSVLmaz7mMI5 207kRZB6X6qtzVPRMxtxA+WPGGtGd/0fRSq4BYHxJM8GYHKtySL1YnlQmNcahpeRoikL v/8hqYMd5nHbVcbAgHXWVka0CNaZ2m8S3j6saxLEIFtZj0TNejCnqP5ZmZlLRxvzV/BC kOVe3BOlJEkTX9ChB7DK26fJdpZjLmoHeYsm49+JkXgQ33aut6ehQ0OXSeVGrydhXzyB i2HopcOFKC7hBzxNz4Pxi25rxAwjfZZNN7le7z5/Wdk3t/hfm6gNDidDdmTAfX32algC 09Fg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=wfzqlUFkpHdOyBJ74GmPxbegLSbp53jkSWbWHC5NnV0=; b=FkiZR2THmHnxj7vXlsGE5Pq6W8l07tpwcuOXuAnunq4TGBkamSovglnqFSO4sCHQqa bTIHPA7OszkmIhwu+DvB4591XjqqWcLw3L37IRLi6j2diAzdqxZMHG2AinanO9MpzPtE G/VJ7N0wXv8Uw22DpVOLYVNcZZ4cMckIs6pX/y/GLNFKLpzR+0MGGWZF0okIfyBQrYR8 GxyQqJKpNqUZ/quCqSfDGIt36F6nBj+tFI7Uz67MruHhwao9XP/5ognrn2ulq7QJkydF 60cLm3POZUQtD8MOnT7H/fJgLvllh5lvvq2agCFjHOo1DCNJL30G12U4MX5zwFAb+IGi gjbw==
X-Gm-Message-State: ALQs6tBzVXYN++gSA5ljgBwBXU89LbzOzqzPqNQVHmJPKvy5Xc6IcHLJ rQ3wtXEjTLM4y+WGq2mlb6HIXdfaCJqRwRI/byhz89I+iTs=
X-Google-Smtp-Source: AIpwx4+NVZ0r4PurykPJKAxaUVFkMECv1bdhFDR0dvLlhsoERQfkSeC0qRwn1pJK9JwP04zFNcS0Fjus4ccSDqSV3HI=
X-Received: by 2002:aca:df44:: with SMTP id w65-v6mr3468069oig.155.1523470034247; Wed, 11 Apr 2018 11:07:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.90.67 with HTTP; Wed, 11 Apr 2018 11:07:13 -0700 (PDT)
In-Reply-To: <16affdfc-df9a-a883-e0d6-dd52efee15e4@lounge.org>
References: <5ACA0006.4020809@isode.com> <810C31990B57ED40B2062BA10D43FBF501C515B8@XMB116CNC.rim.net> <810C31990B57ED40B2062BA10D43FBF501C5168A@XMB116CNC.rim.net> <810C31990B57ED40B2062BA10D43FBF501C51B18@XMB116CNC.rim.net> <16affdfc-df9a-a883-e0d6-dd52efee15e4@lounge.org>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 11 Apr 2018 14:07:13 -0400
Message-ID: <CAL02cgT72J=cboruKiHnF4BP7ffaDfae=JeoYDJJfjenF4wC8Q@mail.gmail.com>
To: Dan Harkins <dharkins@lounge.org>
Cc: cfrg@irtf.org
Content-Type: multipart/alternative; boundary="00000000000037b6bc05699682e9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/K5tXdanh8bEZ6uXss62iyQ2BHKw>
Subject: Re: [Cfrg] Adoption call for draft-harkins-pkex-05
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Apr 2018 18:07:18 -0000

Just to confirm I understand here, the scenario this is intended to address
is as follows (?):

- Two parties share a password
- Each party wishes to allow the other to assert an identity, where the
assertion is authenticated by the password

I would be interested to learn why people think this a useful problem to
solve.  If you have a system for provisioning passwords, couldn't you just
as well provision key fingerprints?  If you care about identities (say if
you're using the password to authenticate a group, and you want identities
to distinguish individual members), then why are you OK with raw assertion,
allowing anyone to claim any identity?

Assuming this is a useful problem to solve, it's not clear to me that this
is the best way to solve it.  For example, it seems like the parties could
perform a traditional PAKE, then send their preferred identities to each
other protected by the negotiated key.  Note that this is basically what
happens with the TLS-PAKE I-D that I submitted earlier today (
https://datatracker.ietf.org/doc/draft-barnes-tls-pake/), though in that
case, you can have either certified or uncertified keys.

This latter question seems important for the adoption question.  If this is
just a usage of a PAKE, then it's a protocol question more suited to IETF.
Only if there's a need to entangle the identity in the PAKE would we need
this group to opine.


On Wed, Apr 11, 2018 at 12:25 PM, Dan Harkins <dharkins@lounge.org> wrote:

>
>   Hi Dan,
>
> On 4/11/18 8:25 AM, Dan Brown wrote:
>
> A 4th issue/question, not really about terminology, but more definitional,
> also a bit uncertain (I'm tiring out on this one):
>
> The authentication phase of PKEX is basically just SPAKE2, and goes from a
> weak password to a strong symmetric key z.  I'm still fine with this phase,
> modulo (1) subtle differences in PAKEs that I do not yet understand and (2)
> questions whether passwords are properly in scope of IETF, since they don't
> scale well globally, etc.
>
>
>   No they don't. They scale about as well as raw public keys :-) But they
> are in scope.
>
> The reveal phase does not seem to add obvious value.  It seems to be almost
> the opposite of static Diffie-Hellman. We can switch back and forth between
> a secret symmetric key z and authenticated asymmetric keys A,B.   What can
> Alice and Bob with A and B that they could not already do with z.
> Authenticate messages?  They can use HMAC with z - instead of (repudiable)
> signatures or OTR with A and B.  Send each other secret messages? They can
> use AES, etc, with z, - instead of ECIES with A or B?   Generate yet more
> symmetric keys? They can use KDFs, PRFs, wrapped keys, etc., - instead of
> Diffie-Hellman or MQV.
>
>
>   Yes, z (or keys derived from it) can be used for all sorts of things
> while
> Alice and Bob are still talking to each other. This is mentioned at the end
> of section 5.2.
>
>   The value of the reveal phase is confirmation of SPAKE2 and gained trust
> in the public keys. The ability to successfully unwrap a received message
> authenticates the SPAKE2 exchange. The identity associated with the
> password
> is confirmed. The guarantees that AES-SIV provide mean that the received
> public key could only be sent by someone who knows z (and there are only
> two people in the world that know z at that time) so the received key has
> integrity and it is bound to the identity authenticated by SPAKE2. Finally,
> proof of possession is provided by the peer using its private key with the
> ephemeral share sent in SPAKE2 to symmetrically "sign" information binding
> it to the exchange.
>
> If some IETF protocols use public keys but lack any means for Alice and Bob
> to leverage their pre-shared secret (password, etc.), then I guess could
> PKEX retro-fit or shoe-horn it in.  But then one could also, maybe just as
> modularly, run a tunnel based on SPAKE2 and z inside (or outside) such an
> inflexible IETF protocol to get the same effect.  For example, an online
> bank could run a CA-authenticated TLS tunnel, and then run, at a higher
> layer, a SPAKE2-protected connection inside the TLS tunnel, etc.
>
> Please note, although I am deliberately trying to be extra-critical here, I
> am also trying not to be contrarian.
>
>
>   Understood. And appreciated!
>
>   regards,
>
>   Dan.
>
>
> -----Original Message-----
> From: Dan Brown
> Sent: Tuesday, April 10, 2018 4:47 PM
> To: Dan Brown <danibrown@blackberry.com> <danibrown@blackberry.com>; Alexey Melnikov<alexey.melnikov@isode.com> <alexey.melnikov@isode.com>; cfrg@irtf.org
> Subject: RE: [Cfrg] Adoption call for draft-harkins-pkex-05
>
> A third very minor issue (again terminology, and arguably more pedantic):
> 3. The PKEX I-D uses the word "trust" often. It seems to me that is not an
> equivalent in strength trust to a more conventional public-key certificate
> (or a distributed web of trust either).  I think this needs clarification in
> the draft.  I expand on the difference below, in two closely related
> sub-issues.
> 3a. First, if Bob lost his secret password, or has a bad RNG, then Eve may
> be able to impersonate Alice to Bob, even if Alice system's is entirely
> uncompromised.  In regular authenticated key exchange, this type of attack
> is called key-compromise impersonation (KCI).  I guess KCI applies to every
> PAKE, which is fair enough.  But PKEX has farther aims than a just PAKE,
> kind of a sub-PKI. (Is PKEX a play on PKIX?)  But in a PKI, relying parties
> can "trust" public keys, such as code signing keys, without having any
> secrets at all to guard.  So, in some sense there is lesser degree of trust
> provided by a PKI.
> 3b. Second, and this issue is an extension of the first (not independent of
> it), I would argue that part of "trust" in a public key includes an ability
> to trust its use in non-repudiable signed transaction.  Because of the KCI
> threat, Alice could do PKEX with Bob, sign a message with her key A, then
> try to repudiate.  Bob will not be able to prove to anybody A is Alice's
> key, because he could have generated A himself, as if Bob did a KCI attack
> on himself.  So, Bob will not be able to trust Alice as much as usual in a
> PKI.
>
> At the moment I don't have a concrete suggestion to correct this
> terminology.  Also, I forget if PKI spec use the word "trust" or something
> else.
>
> -----Original Message-----
> From: Cfrg [mailto:cfrg-bounces@irtf.org <cfrg-bounces@irtf.org>] On Behalf Of Dan Brown
> Sent: Tuesday, April 10, 2018 2:00 PM
> To: Alexey Melnikov <alexey.melnikov@isode.com> <alexey.melnikov@isode.com>; cfrg@irtf.org
> Subject: Re: [Cfrg] Adoption call for draft-harkins-pkex-05
>
> I'm seeing two minor issues to be resolved before adoption:
> 1. "Public key exchange" is a totally non-specific name, so much so, that I
> oppose adoption under this name.  Public key exchange could mean
> Diffie-Hellman key agreement, for example.  If PKEX has been deployed in
> some places, the name should be updated retroactively.  (Sorry that this is
> merely a terminology issue (as in the color of bikeshed, not the bikeshed
> itself.)
> 2. What is the problem being solved here?  For example, I think that TLS
> will or does offer PSK authentication.  So, why not just do an out-of-band
> PAKE to establish a PSK, then use PSK-authenticated TLS.  So, to rephrase my
> question: is there some security defect with PSK-authenticated TLS that PKEX
> solves?  Maybe this was discussed already, sorry if I missed it (and am out
> of order).
> Otherwise, I do not have much of an opinion in either direction.
>
> -----Original Message-----
> From: Cfrg [mailto:cfrg-bounces@irtf.org <cfrg-bounces@irtf.org>] On Behalf Of Alexey Melnikov
> Sent: Sunday, April 8, 2018 7:42 AM
> To: cfrg@irtf.org
> Subject: [Cfrg] Adoption call for draft-harkins-pkex-05
>
> Dear CFRG participants,
> This message is starting a 2 weeks adoption call for
> draft-harkins-pkex-05 (Public Key Exchange). From the document's
> Introduction:
>
>    [RFC7250] further states that "the main security challenge [to using
>    'raw' public keys] is how to associate the public key with a specific
>    entity.  Without a secure binding between identifier and key, the
>    protocol will be vulnerable to man-in-the- middle attacks."
>
>    The Public Key Exchange (PKEX) is designed to fill that gap: it
>    establishes a secure binding between exchanged public keys and
>    identifiers, it provides proof-of-possession of the exchanged public
>    keys to each peer, and it enables the establishment of trust in
>    public keys that can subsequently be used to facilitate
>    authentication in other authentication and key exchange protocols.
>    At the end of a successful run of PKEX the two peers will have trust
>    in each others exchanged public keys and also share an authenticated
>    symmetric key which may be discarded or used for another purpose.
>
> The adoption call will last for 2 weeks and will end on April 22nd.
>
> Thank you,
> Kenny and Alexey
>
> _______________________________________________
> Cfrg mailing listCfrg@irtf.orghttps://www.irtf.org/mailman/listinfo/cfrg
>
>
>
> _______________________________________________
> Cfrg mailing listCfrg@irtf.orghttps://www.irtf.org/mailman/listinfo/cfrg
>
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>
>

v2.23.0 | Report a Bug | By Email