[CFRG] Re: IRTF Chair review of draft-irtf-cfrg-opaque-16
Kevin Lewi <lewi.kevin.k@gmail.com> Tue, 24 September 2024 04:54 UTC
Return-Path: <lewi.kevin.k@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 659D4C14F60D for <cfrg@ietfa.amsl.com>; Mon, 23 Sep 2024 21:54:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hqDVZrnWVKgc for <cfrg@ietfa.amsl.com>; Mon, 23 Sep 2024 21:54:51 -0700 (PDT)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D841CC1840DD for <cfrg@irtf.org>; Mon, 23 Sep 2024 21:54:50 -0700 (PDT)
Received: by mail-lj1-x232.google.com with SMTP id 38308e7fff4ca-2f77be8ffecso49944961fa.1 for <cfrg@irtf.org>; Mon, 23 Sep 2024 21:54:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1727153689; x=1727758489; darn=irtf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=GI8vXQ7rwytGBHGLiupnLE0gLQi5dlf+L7UVjRqq7xo=; b=mBmfRCgf90eBwo5ocAvNEU+8ilv0tQer9JkFuMrgunKQ/1+xeuTzy50FB1EM8yRcrr 1iB8rbrpVkbwRSQNySe6lpUJCtB/STyPYEGPUeuNJpikc/dA0duDyLM8J3VZd5L6ntnC r/7QPBJsXgpsXU6G0HTtS+jHyUPHWc2oLIulNLziUWuLXvTZeOzrqrEBURYUCtUdRgQr +fzaH34s3dBuLxuTywCsJ6xNHHvc+FruLg4f9s0knwzPrfhS9U1hOtDx3xQMdgLDN9bo Welps+x1hQlBMwCZxEmt6onmcKadH+QbbUoFT8O7sN8Yt/zxkmqbw+Zx/dyqAzEMFrfD SmSw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1727153689; x=1727758489; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=GI8vXQ7rwytGBHGLiupnLE0gLQi5dlf+L7UVjRqq7xo=; b=Lyckr6cMonoTAip6RgedxForIsEK3xWRJJWbd/jQXI9IjrP+rEQ4elWdJ1K6jbWUvE W+9TJ7j4WK14YX6iTeBXhcG+d3oxXw2Wj0vnawLeH/YsZhpjm1eapiv5rWJJEe3lnLQB b+th5FMtbskFfwr+R4UpmyaOdLHMjFJ8ArD/vtoAp73u8Qs9V1GRvy4uIUP6CQ7AUCl4 4ZUcg6MoD3SfHVndu4Tm2AeXIUkU2I018NJjhcUghziGN28qLl9j2WXCu0Nz10+iSLlg awNhIE5Mh+up1PUhE+y8ZwvkMJxE9UJ+vliiqQL7ATi9pgKfXbN9BBD9CYwG0K6U5NR9 DEqg==
X-Forwarded-Encrypted: i=1; AJvYcCXRQr5DmMAWbo48aGC0fCFTu+oT3jgDooRTM3bkE+zmuub6pQl33GCQWsmL+xV4DQmm6e4z@irtf.org
X-Gm-Message-State: AOJu0YxbGQsvamOyLnDRsOsIkvH6bSoqpcUd69pDyBn3goOBs0d7vAA8 /ADoi4Cc6xWDGPMJsRrkedjUCCPCBm/BYyCxXKDAtyG3vx8tEEE/Z/pG6yeyfiK3j6Kl1IHED5J qCjGT4EoRkXcpEgqTDrRF2YWIjflceBaV
X-Google-Smtp-Source: AGHT+IFII8WpfbBeJr+4iJvzXYsOycc5cRB0QHtrbhXzYZlb9i35L75i+SVfe+JDTuf4/ZqjGlWibsLH2gG/q+jsL2Y=
X-Received: by 2002:a05:651c:1506:b0:2f7:500c:2212 with SMTP id 38308e7fff4ca-2f7cc36504cmr55774311fa.10.1727153688338; Mon, 23 Sep 2024 21:54:48 -0700 (PDT)
MIME-Version: 1.0
References: <ED4B24C7-4D93-4F17-B5CC-2AE1F818A2E5@csperkins.org>
In-Reply-To: <ED4B24C7-4D93-4F17-B5CC-2AE1F818A2E5@csperkins.org>
From: Kevin Lewi <lewi.kevin.k@gmail.com>
Date: Mon, 23 Sep 2024 21:54:36 -0700
Message-ID: <CACitvs_pyBPqZ7R0MXdpKJue6S-5XSxXmhFihpe7ewpb+BX3sQ@mail.gmail.com>
To: Colin Perkins <csp@csperkins.org>
Content-Type: multipart/alternative; boundary="00000000000011034b0622d64e08"
Message-ID-Hash: GCQSD4U7QQ2DVATCIOLXAX2CMVAOMC7H
X-Message-ID-Hash: GCQSD4U7QQ2DVATCIOLXAX2CMVAOMC7H
X-MailFrom: lewi.kevin.k@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: draft-irtf-cfrg-opaque@ietf.org, cfrg-chairs@ietf.org, cfrg <cfrg@irtf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [CFRG] Re: IRTF Chair review of draft-irtf-cfrg-opaque-16
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/NYCjnGuwHuzKuX5B37SK2oGYKC4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>
Hi Colin, Thanks for providing the review! Comments and replies below: > Please add a sentence to the end of the Introduction to say “This document is not an IETF product and is not a standard” to meet the requirements of RFC 5743. Done, in https://github.com/cfrg/draft-irtf-cfrg-opaque/pull/460 . > The Discussion Venues section is marked “to be removed before publishing”. That’s appropriate, but the CFRG Chairs should add a link to the GitHub page in the “Additional resources” part of https://datatracker.ietf.org/doc/draft-irtf-cfrg-opaque/ so it can be found after publication. @Stanislav, can you help with this? Thanks in advance! > Section 2.1: some of the APIs reference specific sections of RFC 9497, some do not. To avoid confusion, would it make sense to consistently reference RFC 9497 in cases when the APIs are defined there? Good idea, this has been addressed in https://github.com/cfrg/draft-irtf-cfrg-opaque/pull/463 . > Section 2.2: “Expand(prk, info, L): Expand a pseudorandom key prk using the optional string info…” – will it be clear to readers what to do if the optional string is not provided? As it turns out, this Expand interface as used in the protocol always has the info string supplied. I edited the text and removed the word “optional” to make this more clear in https://github.com/cfrg/draft-irtf-cfrg-opaque/pull/464 . > Section 2.3: the definition of Stretch(msg) doesn’t specify the size of the output. Should it? Similar issues occur elsewhere, e.g., auth_tag in section 4.1.1, so if this is important it may be worth checking that the sizes are consistently specified. The Stretch() function can have a variable-length output size, with the only requirement being that it satisfies collision resistance (which implies that output size cannot be too small). The way Stretch() is used in the protocol is that its output is fed into a hash function, and so the length of the Stretch() output does not matter for protocol correctness purposes. I was not able to find any other occurrences of functions which are missing a definition in the size of their output. The auth_tag value is an output of MAC(), which is specified to have an output size of Nm. > Section 3.2: for clarity, I suggest to change “The registration flow is shown below” to “The registration message flow is shown below and the process is described in detail in Section 5”. Addressed in https://github.com/cfrg/draft-irtf-cfrg-opaque/pull/464 , thanks for the suggestion! > Section 4.1.2: I found the syntax Create Envelope envelope with (envelope_nonce, auth_tag) confusing since it reads like pseudo code but is in the middle of a more precise description. It wasn’t immediately obvious to me that it was referring to previously defined types. Would it be clearer to say envelope = Envelope(envelope_nonce, auth_tag) or similar? (There is similar phrasing in a number of other places) Fair enough. The syntax has now been adjusted to read: envelope = Envelope { envelope_nonce, auth_tag } in all of the places where this occurs. I think this might be a bit better suited rather than using the constructor notation that you suggested, so as to more easily distinguish it as a creation of a struct (as opposed to a subroutine call). > Section 5: what happens to the results that are not sent to the peer? For example, CreateRegistrationRequest() returns (request, blind) and it looks like request is sent to the server, but what is done with blind? (Similar issue with the ladder diagrams elsewhere in this section and in Section 6) Thanks for the catch! The blind parameter is supposed to be supplied to the subsequent FinalizeRegistrationRequest() call in that diagram, but it is absent from the input parameters. This has been fixed in https://github.com/cfrg/draft-irtf-cfrg-opaque/pull/465 . For the other diagram in Section 6, it does follow a similar pattern of requiring the parties to keep state in between protocol messages, but this is captured with the ClientState and ServerState structs, which are (purposefully) not represented in the diagram in order to simplify its presentation. > Finally, I note that the appendices contain a number of test vectors. Has the latest version of the draft been verified against a reference implementation to ensure these are correct? Yes, the test vectors in the latest version of the draft have been verified in the following implementations: https://github.com/cloudflare/opaque-ts, and https://github.com/facebook/opaque-ke . There are other implementations which might also be up-to-date with the latest version, but I have not confirmed: https://github.com/stef/libopaque, https://github.com/bytemare/opaque/ . — Once we have confirmation that these changes suffice, we can go ahead and publish a new version of the draft with all of these changes incorporated. Thanks, Kevin On Wed, Sep 11, 2024 at 9:42 AM Colin Perkins <csp@csperkins.org> wrote: > The CFRG chairs have requested that draft-irtf-cfrg-opaque-16 be published > as an RFC on the IRTF stream. The IRTF publication process is described in > RFC 5743, and comprises a review by the IRSG to ensure technical and > editorial quality, followed by a check by the IESG to ensure the work does > not conflict with IETF standards activities. > > As IRTF Chair, I perform an initial review of all drafts submitted for > publication on the IRTF stream before sending them for detailed review by > the IRSG. This note provides my review comments, for discussion. > > The document shepherd write-up states that the authors have made all > necessary IPR disclosures, as described at https://irtf.org/policies/ipr. > > *Result:* Ready with nits > > *RFC 5743 compliance:* The draft does not follow the guidelines in RFC > 5743 > > *Comments:* > > Thank you for preparing this draft. Apologies for the delay in my review. > Overall this looks good, and I thank the authors and others in the group > for the effort they have spent developing and reviewing the work. > > I have two procedural details that should be resolved: > > - > > Please add a sentence to the end of the Introduction to say “This > document is not an IETF product and is not a standard” to meet the > requirements of RFC 5743. > - > > The Discussion Venues section is marked “to be removed before > publishing”. That’s appropriate, but the CFRG Chairs should add a link to > the GitHub page in the “Additional resources” part of > https://datatracker.ietf.org/doc/draft-irtf-cfrg-opaque/ so it can be > found after publication. > > While reviewing the draft, I also noted areas where I thought > clarifications might be helpful. I’m a generalist, and very much not a > security expert, so none of these should be considered blocking comments – > I’m happy to be told that the draft follows the usual conventions in the > field and the description will be clear to the intended audience: > > - > > Section 2.1: some of the APIs reference specific sections of RFC 9497, > some do not. To avoid confusion, would it make sense to consistently > reference RFC 9497 in cases when the APIs are defined there? > - > > Section 2.2: “Expand(prk, info, L): Expand a pseudorandom key prk > using the optional string info…” – will it be clear to readers what to do > if the optional string is not provided? > - > > Section 2.3: the definition of Stretch(msg) doesn’t specify the size > of the output. Should it? Similar issues occur elsewhere, e.g., > auth_tag in section 4.1.1, so if this is important it may be worth > checking that the sizes are consistently specified. > - > > Section 3.2: for clarity, I suggest to change “The registration flow > is shown below” to “The registration message flow is shown below and the > process is described in detail in Section 5”. > - > > Section 4.1.2: I found the syntax Create Envelope envelope with > (envelope_nonce, auth_tag) confusing since it reads like pseudo code > but is in the middle of a more precise description. It wasn’t immediately > obvious to me that it was referring to previously defined types. Would it > be clearer to say envelope = Envelope(envelope_nonce, auth_tag) or > similar? (There is similar phrasing in a number of other places) > - > > Section 5: what happens to the results that are not sent to the peer? > For example, CreateRegistrationRequest() returns (request, blind) and > it looks like request is sent to the server, but what is done with > blind? (Similar issue with the ladder diagrams elsewhere in this > section and in Section 6) > > Finally, I note that the appendices contain a number of test vectors. Has > the latest version of the draft been verified against a reference > implementation to ensure these are correct? > > Regards, > Colin >
- [CFRG] IRTF Chair review of draft-irtf-cfrg-opaqu… Colin Perkins
- [CFRG] Re: IRTF Chair review of draft-irtf-cfrg-o… Kevin Lewi
- [CFRG] Re: IRTF Chair review of draft-irtf-cfrg-o… stef
- [CFRG] Re: IRTF Chair review of draft-irtf-cfrg-o… Daniel Bourdrez
- [CFRG] Re: IRTF Chair review of draft-irtf-cfrg-o… Colin Perkins
- [CFRG] Re: IRTF Chair review of draft-irtf-cfrg-o… Kevin Lewi
- [CFRG] Re: IRTF Chair review of draft-irtf-cfrg-o… Hugo Krawczyk
- [CFRG] Re: IRTF Chair review of draft-irtf-cfrg-o… Daniel Bourdrez