IETF Logo Mail Archive

Re: [Cfrg] Key-Derivation Scheme

Paul Lambert <paul@marvell.com> Mon, 09 June 2014 18:21 UTC

Return-Path: <paul@marvell.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05A801A02B0 for <cfrg@ietfa.amsl.com>; Mon, 9 Jun 2014 11:21:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.266
X-Spam-Level:
X-Spam-Status: No, score=-2.266 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zQBpe5fHVmNy for <cfrg@ietfa.amsl.com>; Mon, 9 Jun 2014 11:21:43 -0700 (PDT)
Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A67841A02A3 for <cfrg@irtf.org>; Mon, 9 Jun 2014 11:21:43 -0700 (PDT)
Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.14.5/8.14.5) with SMTP id s59IL9hB003504; Mon, 9 Jun 2014 11:21:41 -0700
Received: from sc-owa01.marvell.com ([199.233.58.136]) by mx0b-0016f401.pphosted.com with ESMTP id 1mce8wneku-1 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Mon, 09 Jun 2014 11:21:41 -0700
Received: from SC-vEXCH2.marvell.com ([10.93.76.134]) by SC-OWA01.marvell.com ([10.93.76.21]) with mapi; Mon, 9 Jun 2014 11:21:31 -0700
From: Paul Lambert <paul@marvell.com>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Mon, 09 Jun 2014 11:21:27 -0700
Thread-Topic: [Cfrg] Key-Derivation Scheme
Thread-Index: Ac+ED6NgC1PV+BYGQLaT7gDfiSd/Vg==
Message-ID: <CFBB4799.3DB26%paul@marvell.com>
References: <CAGL6epKMqH835XTDeGnUc-AZkF2DqYawQyBZaxbOcO4Pqbh8Ng@mail.gmail.com> <CACXcFmmiQYXEy+LNhzUrz1irPdko0somtccDPtFBqUvR4xjaUQ@mail.gmail.com> <CAGL6epK5P0Y0mHMQGF+Y_sJ1Yt0+OXz2Gnwj_D-ezvjt7yf0nA@mail.gmail.com> <34ba86c72778f67cb4d5afdf382fd471.squirrel@www.trepanning.net> <87ha3uzgb6.fsf@latte.josefsson.org> <CACsn0c=5uc8wyZnqzgpEfmwgnE2+K7dbsSkm+G6JGjZEtF2dsQ@mail.gmail.com> <CFBB2124.3D8C7%paul@marvell.com> <CAGL6epL9OnBSZBR45HmKAR=N+Zn3qHW=OrFM_+dewi1R8tVnEw@mail.gmail.com>
In-Reply-To: <CAGL6epL9OnBSZBR45HmKAR=N+Zn3qHW=OrFM_+dewi1R8tVnEw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.1.140326
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_CFBB47993DB26paulmarvellcom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.12.52, 1.0.14, 0.0.0000 definitions=2014-06-09_03:2014-06-09,2014-06-09,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000 definitions=main-1406090233
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/KPVF46nQhnOw4RCf3-kEWx9E92U
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Simon Josefsson <simon@josefsson.org>
Subject: Re: [Cfrg] Key-Derivation Scheme
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jun 2014 18:21:47 -0000

The following is a quote from section 1 of the J-PAKE draft (http://tools.ietf.org/html/draft-hao-jpake-01):


   There are a few factors that may be considered in favor of J-PAKE
   over others.  First, J-PAKE has security proofs, while equivalent
   proofs are lacking in EKE, SPEKE and SRP-6.  Second, J-PAKE is not

   patented.  It follows a completely different design approach from all
   other PAKE protocols, and is built upon a well-established Zero
   Knowledge Proof (ZKP) primitive: Schnorr NIZK proof [I-D-Schnorr<http://tools.ietf.org/html/draft-hao-jpake-01#ref-I-D-Schnorr>].

If this is indeed the case, then we do have a PAKE with a proof and no patents.

Would be very nice if true, while not patented some investigation by interested parties would be useful.
Also … quick skim of the references it looks like there is some possible clean-up work depending on goals:
 - better clarification of operation (e.g. Use and necessity of  “UserId”)
 - clarification of protocol formats associated with algorithm
 - translation to ECC and clear identification of default curves
 - … Etc



Paul



Regards,
 Rifaat



On Mon, Jun 9, 2014 at 11:57 AM, Paul Lambert <paul@marvell.com<mailto:paul@marvell.com>> wrote:


On 6/9/14, 5:00 AM, "Watson Ladd" <watsonbladd@gmail.com<mailto:watsonbladd@gmail.com>> wrote:

>On Mon, Jun 9, 2014 at 4:35 AM, Simon Josefsson <simon@josefsson.org<mailto:simon@josefsson.org>>
>wrote:
>> "Dan Harkins" <dharkins@lounge.org<mailto:dharkins@lounge.org>> writes:
>>
>>>   A much better solution to your problem is to use a
>>>password-authenticated
>>> key exchange based on a zero knowledge proof. That way, not only does
>>> the password not cross the wire/ether, neither does password-derived
>>> data.
>>
>> I think most people agree would agree with that -- but as far as I know
>> existing zero-knowledge authentication password mechanisms have other
>> serious problem (e.g., servers knowing password, lack of security proof,
>> or patent issues).  Given that, I think it is wortwhile to improve the
>> practical but theoretically less optimal solutions.
>
>Socialist Millionaires Protocol was published in 1996. Any patents
>expire in 2016 if any were filed for: a quick search finds none.
>It can be made to work over any group.
>
>PAKE (the original) has a patent expiring in 2016. It has optimal
>security with a proof done in 2001.

The Dragonfly key exchange was adopted by IEEE 802.11s in 2009. This
key exchange has no identified patent issues.  The protocol
(called SAE in the IEEE) will be adopted for other wireless applications
and will be deployed in a large number of consumer
devices in the future (IMO).

The key exchange has been documented for use in applications that include:
IEEE 802.11, IEEE 802.15.9, IPsec and TLS.

The protocol has no identified security issues, but it¹s
structure is less amenable to the development of a security proof.
No formal proof has been developed at this time.

So the options are:
 1 - pake      proof         patents (until after at least 2016)
 2 - pake      no-proof      no-patents (now)
 3 - no-pake   same-old less optimal solutions  no-patents (now)

I¹d rather have a pake now with no proof than continue the same-old
suboptimal solutions.

Paul




>
>SIncerely,
>Watson Ladd
>>
>
>
>--
>"Those who would give up Essential Liberty to purchase a little
>Temporary Safety deserve neither  Liberty nor Safety."
>-- Benjamin Franklin
>
>_______________________________________________
>Cfrg mailing list
>Cfrg@irtf.org<mailto:Cfrg@irtf.org>
>http://www.irtf.org/mailman/listinfo/cfrg

_______________________________________________
Cfrg mailing list
Cfrg@irtf.org<mailto:Cfrg@irtf.org>
http://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email