Re: [Cfrg] Adoption call for draft-harkins-pkex-05
Richard Barnes <rlb@ipv.sx> Wed, 11 April 2018 18:07 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BC8E126CD8 for <cfrg@ietfa.amsl.com>; Wed, 11 Apr 2018 11:07:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.609
X-Spam-Level:
X-Spam-Status: No, score=-2.609 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WXWrqEUrBW-h for <cfrg@ietfa.amsl.com>; Wed, 11 Apr 2018 11:07:15 -0700 (PDT)
Received: from mail-oi0-x229.google.com (mail-oi0-x229.google.com [IPv6:2607:f8b0:4003:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F991126C89 for <cfrg@irtf.org>; Wed, 11 Apr 2018 11:07:15 -0700 (PDT)
Received: by mail-oi0-x229.google.com with SMTP id q71-v6so2597219oic.6 for <cfrg@irtf.org>; Wed, 11 Apr 2018 11:07:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=wfzqlUFkpHdOyBJ74GmPxbegLSbp53jkSWbWHC5NnV0=; b=IiSC2DPA+itF/OQGIRLuCSikRIpk5cpb9eIvR1+qxSUgzr/pY+gyo0iSVLmaz7mMI5 207kRZB6X6qtzVPRMxtxA+WPGGtGd/0fRSq4BYHxJM8GYHKtySL1YnlQmNcahpeRoikL v/8hqYMd5nHbVcbAgHXWVka0CNaZ2m8S3j6saxLEIFtZj0TNejCnqP5ZmZlLRxvzV/BC kOVe3BOlJEkTX9ChB7DK26fJdpZjLmoHeYsm49+JkXgQ33aut6ehQ0OXSeVGrydhXzyB i2HopcOFKC7hBzxNz4Pxi25rxAwjfZZNN7le7z5/Wdk3t/hfm6gNDidDdmTAfX32algC 09Fg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=wfzqlUFkpHdOyBJ74GmPxbegLSbp53jkSWbWHC5NnV0=; b=FkiZR2THmHnxj7vXlsGE5Pq6W8l07tpwcuOXuAnunq4TGBkamSovglnqFSO4sCHQqa bTIHPA7OszkmIhwu+DvB4591XjqqWcLw3L37IRLi6j2diAzdqxZMHG2AinanO9MpzPtE G/VJ7N0wXv8Uw22DpVOLYVNcZZ4cMckIs6pX/y/GLNFKLpzR+0MGGWZF0okIfyBQrYR8 GxyQqJKpNqUZ/quCqSfDGIt36F6nBj+tFI7Uz67MruHhwao9XP/5ognrn2ulq7QJkydF 60cLm3POZUQtD8MOnT7H/fJgLvllh5lvvq2agCFjHOo1DCNJL30G12U4MX5zwFAb+IGi gjbw==
X-Gm-Message-State: ALQs6tBzVXYN++gSA5ljgBwBXU89LbzOzqzPqNQVHmJPKvy5Xc6IcHLJ rQ3wtXEjTLM4y+WGq2mlb6HIXdfaCJqRwRI/byhz89I+iTs=
X-Google-Smtp-Source: AIpwx4+NVZ0r4PurykPJKAxaUVFkMECv1bdhFDR0dvLlhsoERQfkSeC0qRwn1pJK9JwP04zFNcS0Fjus4ccSDqSV3HI=
X-Received: by 2002:aca:df44:: with SMTP id w65-v6mr3468069oig.155.1523470034247; Wed, 11 Apr 2018 11:07:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.90.67 with HTTP; Wed, 11 Apr 2018 11:07:13 -0700 (PDT)
In-Reply-To: <16affdfc-df9a-a883-e0d6-dd52efee15e4@lounge.org>
References: <5ACA0006.4020809@isode.com> <810C31990B57ED40B2062BA10D43FBF501C515B8@XMB116CNC.rim.net> <810C31990B57ED40B2062BA10D43FBF501C5168A@XMB116CNC.rim.net> <810C31990B57ED40B2062BA10D43FBF501C51B18@XMB116CNC.rim.net> <16affdfc-df9a-a883-e0d6-dd52efee15e4@lounge.org>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 11 Apr 2018 14:07:13 -0400
Message-ID: <CAL02cgT72J=cboruKiHnF4BP7ffaDfae=JeoYDJJfjenF4wC8Q@mail.gmail.com>
To: Dan Harkins <dharkins@lounge.org>
Cc: cfrg@irtf.org
Content-Type: multipart/alternative; boundary="00000000000037b6bc05699682e9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/K5tXdanh8bEZ6uXss62iyQ2BHKw>
Subject: Re: [Cfrg] Adoption call for draft-harkins-pkex-05
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Apr 2018 18:07:18 -0000
Just to confirm I understand here, the scenario this is intended to address is as follows (?): - Two parties share a password - Each party wishes to allow the other to assert an identity, where the assertion is authenticated by the password I would be interested to learn why people think this a useful problem to solve. If you have a system for provisioning passwords, couldn't you just as well provision key fingerprints? If you care about identities (say if you're using the password to authenticate a group, and you want identities to distinguish individual members), then why are you OK with raw assertion, allowing anyone to claim any identity? Assuming this is a useful problem to solve, it's not clear to me that this is the best way to solve it. For example, it seems like the parties could perform a traditional PAKE, then send their preferred identities to each other protected by the negotiated key. Note that this is basically what happens with the TLS-PAKE I-D that I submitted earlier today ( https://datatracker.ietf.org/doc/draft-barnes-tls-pake/), though in that case, you can have either certified or uncertified keys. This latter question seems important for the adoption question. If this is just a usage of a PAKE, then it's a protocol question more suited to IETF. Only if there's a need to entangle the identity in the PAKE would we need this group to opine. On Wed, Apr 11, 2018 at 12:25 PM, Dan Harkins <dharkins@lounge.org> wrote: > > Hi Dan, > > On 4/11/18 8:25 AM, Dan Brown wrote: > > A 4th issue/question, not really about terminology, but more definitional, > also a bit uncertain (I'm tiring out on this one): > > The authentication phase of PKEX is basically just SPAKE2, and goes from a > weak password to a strong symmetric key z. I'm still fine with this phase, > modulo (1) subtle differences in PAKEs that I do not yet understand and (2) > questions whether passwords are properly in scope of IETF, since they don't > scale well globally, etc. > > > No they don't. They scale about as well as raw public keys :-) But they > are in scope. > > The reveal phase does not seem to add obvious value. It seems to be almost > the opposite of static Diffie-Hellman. We can switch back and forth between > a secret symmetric key z and authenticated asymmetric keys A,B. What can > Alice and Bob with A and B that they could not already do with z. > Authenticate messages? They can use HMAC with z - instead of (repudiable) > signatures or OTR with A and B. Send each other secret messages? They can > use AES, etc, with z, - instead of ECIES with A or B? Generate yet more > symmetric keys? They can use KDFs, PRFs, wrapped keys, etc., - instead of > Diffie-Hellman or MQV. > > > Yes, z (or keys derived from it) can be used for all sorts of things > while > Alice and Bob are still talking to each other. This is mentioned at the end > of section 5.2. > > The value of the reveal phase is confirmation of SPAKE2 and gained trust > in the public keys. The ability to successfully unwrap a received message > authenticates the SPAKE2 exchange. The identity associated with the > password > is confirmed. The guarantees that AES-SIV provide mean that the received > public key could only be sent by someone who knows z (and there are only > two people in the world that know z at that time) so the received key has > integrity and it is bound to the identity authenticated by SPAKE2. Finally, > proof of possession is provided by the peer using its private key with the > ephemeral share sent in SPAKE2 to symmetrically "sign" information binding > it to the exchange. > > If some IETF protocols use public keys but lack any means for Alice and Bob > to leverage their pre-shared secret (password, etc.), then I guess could > PKEX retro-fit or shoe-horn it in. But then one could also, maybe just as > modularly, run a tunnel based on SPAKE2 and z inside (or outside) such an > inflexible IETF protocol to get the same effect. For example, an online > bank could run a CA-authenticated TLS tunnel, and then run, at a higher > layer, a SPAKE2-protected connection inside the TLS tunnel, etc. > > Please note, although I am deliberately trying to be extra-critical here, I > am also trying not to be contrarian. > > > Understood. And appreciated! > > regards, > > Dan. > > > -----Original Message----- > From: Dan Brown > Sent: Tuesday, April 10, 2018 4:47 PM > To: Dan Brown <danibrown@blackberry.com> <danibrown@blackberry.com>; Alexey Melnikov<alexey.melnikov@isode.com> <alexey.melnikov@isode.com>; cfrg@irtf.org > Subject: RE: [Cfrg] Adoption call for draft-harkins-pkex-05 > > A third very minor issue (again terminology, and arguably more pedantic): > 3. The PKEX I-D uses the word "trust" often. It seems to me that is not an > equivalent in strength trust to a more conventional public-key certificate > (or a distributed web of trust either). I think this needs clarification in > the draft. I expand on the difference below, in two closely related > sub-issues. > 3a. First, if Bob lost his secret password, or has a bad RNG, then Eve may > be able to impersonate Alice to Bob, even if Alice system's is entirely > uncompromised. In regular authenticated key exchange, this type of attack > is called key-compromise impersonation (KCI). I guess KCI applies to every > PAKE, which is fair enough. But PKEX has farther aims than a just PAKE, > kind of a sub-PKI. (Is PKEX a play on PKIX?) But in a PKI, relying parties > can "trust" public keys, such as code signing keys, without having any > secrets at all to guard. So, in some sense there is lesser degree of trust > provided by a PKI. > 3b. Second, and this issue is an extension of the first (not independent of > it), I would argue that part of "trust" in a public key includes an ability > to trust its use in non-repudiable signed transaction. Because of the KCI > threat, Alice could do PKEX with Bob, sign a message with her key A, then > try to repudiate. Bob will not be able to prove to anybody A is Alice's > key, because he could have generated A himself, as if Bob did a KCI attack > on himself. So, Bob will not be able to trust Alice as much as usual in a > PKI. > > At the moment I don't have a concrete suggestion to correct this > terminology. Also, I forget if PKI spec use the word "trust" or something > else. > > -----Original Message----- > From: Cfrg [mailto:cfrg-bounces@irtf.org <cfrg-bounces@irtf.org>] On Behalf Of Dan Brown > Sent: Tuesday, April 10, 2018 2:00 PM > To: Alexey Melnikov <alexey.melnikov@isode.com> <alexey.melnikov@isode.com>; cfrg@irtf.org > Subject: Re: [Cfrg] Adoption call for draft-harkins-pkex-05 > > I'm seeing two minor issues to be resolved before adoption: > 1. "Public key exchange" is a totally non-specific name, so much so, that I > oppose adoption under this name. Public key exchange could mean > Diffie-Hellman key agreement, for example. If PKEX has been deployed in > some places, the name should be updated retroactively. (Sorry that this is > merely a terminology issue (as in the color of bikeshed, not the bikeshed > itself.) > 2. What is the problem being solved here? For example, I think that TLS > will or does offer PSK authentication. So, why not just do an out-of-band > PAKE to establish a PSK, then use PSK-authenticated TLS. So, to rephrase my > question: is there some security defect with PSK-authenticated TLS that PKEX > solves? Maybe this was discussed already, sorry if I missed it (and am out > of order). > Otherwise, I do not have much of an opinion in either direction. > > -----Original Message----- > From: Cfrg [mailto:cfrg-bounces@irtf.org <cfrg-bounces@irtf.org>] On Behalf Of Alexey Melnikov > Sent: Sunday, April 8, 2018 7:42 AM > To: cfrg@irtf.org > Subject: [Cfrg] Adoption call for draft-harkins-pkex-05 > > Dear CFRG participants, > This message is starting a 2 weeks adoption call for > draft-harkins-pkex-05 (Public Key Exchange). From the document's > Introduction: > > [RFC7250] further states that "the main security challenge [to using > 'raw' public keys] is how to associate the public key with a specific > entity. Without a secure binding between identifier and key, the > protocol will be vulnerable to man-in-the- middle attacks." > > The Public Key Exchange (PKEX) is designed to fill that gap: it > establishes a secure binding between exchanged public keys and > identifiers, it provides proof-of-possession of the exchanged public > keys to each peer, and it enables the establishment of trust in > public keys that can subsequently be used to facilitate > authentication in other authentication and key exchange protocols. > At the end of a successful run of PKEX the two peers will have trust > in each others exchanged public keys and also share an authenticated > symmetric key which may be discarded or used for another purpose. > > The adoption call will last for 2 weeks and will end on April 22nd. > > Thank you, > Kenny and Alexey > > _______________________________________________ > Cfrg mailing listCfrg@irtf.orghttps://www.irtf.org/mailman/listinfo/cfrg > > > > _______________________________________________ > Cfrg mailing listCfrg@irtf.orghttps://www.irtf.org/mailman/listinfo/cfrg > > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg > >
- [Cfrg] Adoption call for draft-harkins-pkex-05 Alexey Melnikov
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Greg Rose
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Stanislav V. Smyshlyaev
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Dan Brown
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Greg Rose
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Dan Brown
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Benjamin Kaduk
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Dan Brown
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Dan Harkins
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Dan Harkins
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Richard Barnes
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Dan Harkins
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Richard Barnes
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Dan Harkins
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Richard Barnes
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Richard Barnes
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Dan Harkins
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Richard Barnes
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Martin Thomson
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Eric Rescorla
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Daniel Harkins
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Christopher Wood
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Eric Rescorla
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Salz, Rich
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Greg Rose