Re: [CFRG] I-D Action: draft-irtf-cfrg-spake2-24.txt
Watson Ladd <watsonbladd@gmail.com> Sat, 04 December 2021 13:06 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E3DD3A0943; Sat, 4 Dec 2021 05:06:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.098
X-Spam-Level:
X-Spam-Status: No, score=-1.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5y-v7tGgdpqD; Sat, 4 Dec 2021 05:06:45 -0800 (PST)
Received: from mail-ed1-x534.google.com (mail-ed1-x534.google.com [IPv6:2a00:1450:4864:20::534]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D53CE3A092D; Sat, 4 Dec 2021 05:06:44 -0800 (PST)
Received: by mail-ed1-x534.google.com with SMTP id o20so22923608eds.10; Sat, 04 Dec 2021 05:06:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Jxt36j60giHb5SFF+nR6xWXQNoj8g0k1zkYLZA7ECEc=; b=JqqHzMKAPMyHf0Cdg5rDdPlR/3J+zD4xjqsFZNNNonzGyDcxPdXBko7RAXjJZgGSTV bb7P3H1icz/P2gnyHXL+rimTt9phKQ5d9QPpMR5TpQ3t/kz0cc9Uf2im1eZO1Wm09jb3 CxaSODcNG0W/QzBKS/zzrGq+LIANB4pk7ehPJ8gkftbLioZiYc0nBZusvH1pe1CG9wyH 2YVFT6Y/fAmNqH2HIv41htgYk8/VVc4N1+wMzy2xb7hARmZ1yyAqlhaZRElV4BjB6p2j e8tbxwUJRSeOCWJOjFkDhERd7vF9U+393lkwfyjsJIORlrRDS3W8JSc3D5Utj/XQJcDu c74A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Jxt36j60giHb5SFF+nR6xWXQNoj8g0k1zkYLZA7ECEc=; b=Nzjcj06Mw3HIdQCQmA9n9Zk5winLhxa+8kgLwZnKEXJAvMe0xNR3jV+5t1SbxW+g7V G8/rtMS74adO4Hr1YZU6PAmYoxKw6NbanL1oCBJ+miVqk0Xl1fhbZ9lHfBNZpR/aD2LZ P65rzJ//6lUSa9t7/hA40+T0X86ZDq9VpH4oMXnX/D4Dl/UBf2PuRwlqeRBdcvjxpInO EHaz0G86JsfHi8JS1xZ2thhic1gqRd+w6lPYcCmPNHjYVBK90dh9G5lLKyu4p2r5THIu qTd3+TtiPXM2LQVPZitN9JUpv0X+DJwLFRe651lLj//cTUmoNFaVLz1IqDelKG58ro/Z tvvg==
X-Gm-Message-State: AOAM533H7Z0e68XJKzwPu2xLYhZPPYeyJb1pClyFMkghr3o7BPMxKbq/ mMHvQ0GbKbfy8I9fbr2VhUgLKdKUcNiewqQkwUbPWz0Jc60=
X-Google-Smtp-Source: ABdhPJzd0apSbhTfuwDs8m9Qh6FwYmToiXpk34FQB2zrL51euKV/PdLOorUJ/JnfODyeuprXVovJnRuVKrFdoY3ErcI=
X-Received: by 2002:a17:907:a42c:: with SMTP id sg44mr30933941ejc.335.1638623198184; Sat, 04 Dec 2021 05:06:38 -0800 (PST)
MIME-Version: 1.0
References: <163779438705.7630.11284925259086244674@ietfa.amsl.com> <150d01c6-4dd4-81aa-a1b6-c483089d88f7@gmail.com>
In-Reply-To: <150d01c6-4dd4-81aa-a1b6-c483089d88f7@gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Sat, 04 Dec 2021 08:06:24 -0500
Message-ID: <CACsn0ckUhK-Je8-dh2fdBOA88v3_oxOi=2JuKPE49ps-b42xug@mail.gmail.com>
To: Rene Struik <rstruik.ext@gmail.com>
Cc: "<cfrg@ietf.org>" <cfrg@ietf.org>, i-d-announce@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/O5v487oXhwUxMKy48AqVz67MYn8>
Subject: Re: [CFRG] I-D Action: draft-irtf-cfrg-spake2-24.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Dec 2021 13:06:50 -0000
On Fri, Nov 26, 2021 at 1:23 PM Rene Struik <rstruik.ext@gmail.com> wrote: > > Dear Watson, Ben: > > I did have a brief look at rev24 of the SPAKE2 draft and noticed that > the abstract now includes the statement "This document predated the CFRG > PAKE competition and it was not selected, however, given existing use of > variants in Kerberos and other applications it was felt publication was > beneficial. Applications that need a symmetric PAKE and where hashing > onto an elliptic curve at execution time is not possible can use > SPAKE2". I was wondering which applications would not have the > capability to perform a hash-to-curve operation (after all, if an > application implements elliptic-curve arithmetic, it seems unlikely it > could not easily implement a hash-to-curve mapping). In other words, > what am I missing? It is important to understand that this draft has been in preparation for 7 years, has passed multiple last calls, is really in the final stages, so we don't have as much ability to make large changes as we did earlier in the process. Hash to curve did not exist when it was begun, and many applications will not incorporate it for some time. SPAKE2 is being used in multiple places. That's why it's important to document, and some applications will not be able to get hash2curve everywhere, versus once to create (optionally) parameters. > > A few comments from rereading the draft (without trying to be exhaustive > [I do realize this may be too late in the game, but wonder who looked at > this stuff carefully]): > 1) Proper naming. The draft mentions the curve P512 a few times. I > presume this should be the NIST curve P-521 (I think I sent Watson an > offline note on this two years ago). Shouldn't one have a proper > reference to NIST curves (e.g., FIPS Pub 186-4) and denote these in > slightly less sloppy way as P-256, P-384, and P-521? {The same remark > applies to SHA2 hash function family members, which in FIPS 180-4 are > denoted by SHA-256, SHA-384, and SHA-512.} Thank you for catching this typo. > 2) Representation. Table 1 of the draft refers to edwards25519 and > edwards448, but RFC 7748 does not specify the encoding format of points > of these curves. This leaves the transcript TT underspecified. Shouldn't > one also specify whether one uses compressed or uncompressed formats? We'll correct the reference to https://datatracker.ietf.org/doc/html/rfc8032, and specify the formats in more detail. > 3) Test vectors. Appendix B only gives test vectors for SPAKE2 with the > {P-256, SHA-256, HKDF, HMAC} suite. Given that Table 1 lists many more > ciphersuites, this makes me wonder why this particular one was singled > out in Appendix B. This is the one kitten is likely to use. > 4) Ciphersuites. Table 1 uses two ciphersuites with P-256, viz. one wish > SHA-256 and one with SHA-512. What is the reason for including SHA-512? > If this was only included because SHA-256 was deemed "too short" for key > derivation, this seems more an artifact of the key derivation itself > (where one partitions Hash(TT) into two half-size strings) and would be > easily remedied by using the (already used) hkdf function for key > derivation). If more ciphersuites are needed we can define them in later documents. 256 bit keys are not usually used. > 5) Security Considerations. The main construction does not mention at > all that M and N should be elements of the prime-order subgroup (of, > unfortunately named, order "p"), while this is required to not leak w > (mod h), where h is the co-factor of the group. It would be beneficial > to have a reference that illustrates why "x" and "y" cannot be reused at > all (or a simple illustration in a sentence or two that a single repeat > destroys security [this is not entirely obvious]). We shall amend the security consideration accordingly. > 6) Some small notes: > -i) The set-up (Section 3.2) considers very general set-ups (groups in > which the gap-Diffie-Hellman problem is hard), but then refers to > "points at infinity" and SEC1 formatting, where the former is not > defined for (complete) twisted Edwards curves and where the latter is > only defined for short-Weierstrass curves. Lots of concepts are > well-known to insiders, but not so much to others (as an example, "we > will work in the quotient group" may make sense to people with a > background in abstract algebra, but perhaps not too much to others. > Moreover, there are many ways to represent elements of a quotient > group...). We haven't seen this pose a problem for implementors. > ii) According to the abstract, SPAKE2 is above all useful if one does > not have access to hash-to-curve functionality, which makes me wonder > why (in Section 3.2, p.4, 2nd para) one suddenly invokes hash-to-curve > concepts. Even if one would use this (seemingly superfluous) reference, > one should then at least properly introduce notions as DST and indicate > which of the zillions of flavors of hash-to-curve constructs one wishes > to recommend (since you use "SHOULD", one would expect some precision > here). If hash-to-curve is somehow used in the draft, why weren't the M > and N parameters generated that way (rather than using the > trial-and-error method)? This would also make it much easier for an > implementation to check whether and N were indeed generated that way. Historical reasons: we shipped with hunt and peck, then later people wanted to generate their own points and suggested hash to curve. I'm not sure what you mean by introducing DST: we'll take a look at this area of the text. > iii) In the informal introduction of KDF (Section 3.2, p. 5), both ikm > and IKM are used, while MAC is used without arguments (e.g., > MAC(key,msg)). Since the hash function has as output a bit string, > shouldn't its minimum length be 256 bits (rather than 32 bytes)? These seem like fairly simple textual clarifications. > > > On 2021-11-24 5:53 p.m., internet-drafts@ietf.org wrote: > > A New Internet-Draft is available from the on-line Internet-Drafts directories. > > This draft is a work item of the Crypto Forum RG of the IRTF. > > > > Title : SPAKE2, a PAKE > > Authors : Watson Ladd > > Benjamin Kaduk > > Filename : draft-irtf-cfrg-spake2-24.txt > > Pages : 17 > > Date : 2021-11-24 > > > > Abstract: > > This document describes SPAKE2 which is a protocol for two parties > > that share a password to derive a strong shared key without > > disclosing the password. This method is compatible with any group, > > is computationally efficient, and SPAKE2 has a security proof. This > > document predated the CFRG PAKE competition and it was not selected, > > however, given existing use of variants in Kerberos and other > > applications it was felt publication was beneficial. Applications > > that need a symmetric PAKE and where hashing onto an elliptic curve > > at execution time is not possible can use SPAKE2. This document is a > > product of the Crypto Forum Research Group (CFRG) in the IRTF. > > > > > > The IETF datatracker status page for this draft is: > > https://datatracker.ietf.org/doc/draft-irtf-cfrg-spake2/ > > > > There is also an htmlized version available at: > > https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-spake2-24 > > > > A diff from the previous version is available at: > > https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-spake2-24 > > > > > > Internet-Drafts are also available by anonymous FTP at: > > ftp://ftp.ietf.org/internet-drafts/ > > > > > > _______________________________________________ > > CFRG mailing list > > CFRG@irtf.org > > https://www.irtf.org/mailman/listinfo/cfrg > > > -- > email: rstruik.ext@gmail.com | Skype: rstruik > cell: +1 (647) 867-5658 | US: +1 (415) 287-3867 > > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg -- Astra mortemque praestare gradatim
- [CFRG] I-D Action: draft-irtf-cfrg-spake2-24.txt internet-drafts
- Re: [CFRG] I-D Action: draft-irtf-cfrg-spake2-24.… Rene Struik
- Re: [CFRG] I-D Action: draft-irtf-cfrg-spake2-24.… Watson Ladd
- Re: [CFRG] I-D Action: draft-irtf-cfrg-spake2-24.… Watson Ladd