Re: [Cfrg] Adoption call for draft-harkins-pkex-05
Eric Rescorla <ekr@rtfm.com> Tue, 07 August 2018 18:38 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6E76130F25 for <cfrg@ietfa.amsl.com>; Tue, 7 Aug 2018 11:38:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4KWF7h4uUJzA for <cfrg@ietfa.amsl.com>; Tue, 7 Aug 2018 11:38:36 -0700 (PDT)
Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF50C130E42 for <cfrg@irtf.org>; Tue, 7 Aug 2018 11:38:35 -0700 (PDT)
Received: by mail-lj1-x22f.google.com with SMTP id p10-v6so14253976ljg.2 for <cfrg@irtf.org>; Tue, 07 Aug 2018 11:38:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ZKdA8+eVNeAqVsUnnGtFU/7+vo1RAHmihOGjl9W1wHs=; b=oFA4xtTySV3sEj2hDiocYdNYR+wLGqRPg8bRgFxOJxJDZXk0QiVVwbkMRMOs3HmCXN BPxy3C00VEgTi0VOEIGFAP+o3REjyYYgOU6GfSQTuvmWBMGhax07AKDsFLa0oH40L6pn lhljdtfQlEZ11yKFfy2Bu+xQr5UkuXj0hoNsF+Qt5ucgOLab9w0XYSqZolM1SPGMjq6w rhmLJ5toZqi6Dov/E5jkBlzrq3AY/pzHfOrzAIL2XPwNcOynXK+rJnYlZMw55ilHFq6/ HxuQYhPZO9g10Ts5E/ekrfpAkgj9lijZuRgvGviv20UM0I0y+1rH7VvsOSkHVZY2l1SQ xXrQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ZKdA8+eVNeAqVsUnnGtFU/7+vo1RAHmihOGjl9W1wHs=; b=n+lvSWPyX0TekqUCz/cJqzsGSRag6D2x7zwwBMLmNKlC3StwHe0+flmLOlu2SXfIkg v1G4e9XW29dWNCZchFoAxUu8eDMPl6jpK4aMXtmod/LX0LEsVyD8sjX5qEDpWpHLxofm kNa9S7gs1gFrIgTFwu6EljhZMyUjllOo/8oI1oLrllwNQsf14Id8c4Nu9Cv8tIfWloZk wFQm7jikoRno67vlUq65FSFslhs6SZZD+sscGEYQ+bPxAsYawrpQXYnRRsKLDVK5yJXm Y9rbHsMDa7Q2jx2gWWZHNW1+aPwwzyu5wNtH+5fBPcWRQcfvcoAEMeHDAES37wrG9mAF 1LgQ==
X-Gm-Message-State: AOUpUlGdmDBNdWrbkbCLkJ2rf7YQrQhpd9dFkCTrqKRklFmjab9iBLQn wfdmWfNhKYdzyRiKNgzK/ZPwFlHwB+U7+Rd7wdWHbKBh
X-Google-Smtp-Source: AAOMgpcyDrxMV9W4CSdhultCLlWVvPqmfqjctGkXaigTt/ol+vbG8ZoTk+uWrSco6s3ZalKDm7L02PpsnfMZeKlCFgg=
X-Received: by 2002:a2e:458b:: with SMTP id s133-v6mr16012650lja.151.1533667113920; Tue, 07 Aug 2018 11:38:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ab3:4091:0:0:0:0:0 with HTTP; Tue, 7 Aug 2018 11:37:53 -0700 (PDT)
In-Reply-To: <493c5403-19e6-d620-5bb8-22ab2b9fbfb0@lounge.org>
References: <5ACA0006.4020809@isode.com> <810C31990B57ED40B2062BA10D43FBF501C515B8@XMB116CNC.rim.net> <810C31990B57ED40B2062BA10D43FBF501C5168A@XMB116CNC.rim.net> <810C31990B57ED40B2062BA10D43FBF501C51B18@XMB116CNC.rim.net> <16affdfc-df9a-a883-e0d6-dd52efee15e4@lounge.org> <CAL02cgT72J=cboruKiHnF4BP7ffaDfae=JeoYDJJfjenF4wC8Q@mail.gmail.com> <fe239e8a-0a64-4b8b-7dba-f38fcfcdc4fd@lounge.org> <CAL02cgRy7M8AjQySy=1njavj+cyxPvQe-n1f+N4xVc_GZFwdNA@mail.gmail.com> <90c10953-6550-09d0-642e-e84710b706cf@lounge.org> <CAL02cgTF6E697t+twXwbkrzZ7OHsFPh--W_NaT5-f0VJ=Jo7Tg@mail.gmail.com> <e186b642-7282-3bfe-3da1-f68e4c3b687c@lounge.org> <CAL02cgQc2HJ0bOZzOc1Q9iqX0-E-PN5qYqW6=iWGE3iggdRQUA@mail.gmail.com> <CABkgnnWSNiM6SrbhFuAptRaRpNGAOtQEiG1RtDXXMUbcBV_tGQ@mail.gmail.com> <CABcZeBOyb9TOZiKSuh_yPHoucQ16gzkv+Kg4FqD1rsR4Tp74gQ@mail.gmail.com> <493c5403-19e6-d620-5bb8-22ab2b9fbfb0@lounge.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 07 Aug 2018 11:37:53 -0700
Message-ID: <CABcZeBNETzotkk1bo8JygP_UxvL3x4Agk6-XmgHzuX2mUCGCdQ@mail.gmail.com>
To: Daniel Harkins <dharkins@lounge.org>
Cc: cfrg <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="0000000000008781050572dcb31b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/OtP-fsnPUl0d1_bPMttuWUWPquQ>
Subject: Re: [Cfrg] Adoption call for draft-harkins-pkex-05
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Aug 2018 18:38:41 -0000
Dan, I'm not sure what your argument is here. I agree that it's not like there's some fully worked out alternative proposal, but I don't think that's an argument for adopting this one. If your argument is that there's nothing mature enough here to take on, you'll get no argument from me. -Ekr On Mon, Aug 6, 2018 at 10:58 AM, Daniel Harkins <dharkins@lounge.org> wrote: > > About "commodity tools", there were two complaints raised: > > 1. PKEX hashes the user identity with the password and uses the result > with the role-specific constant while SPAKE2 does not; > 2. PKEX should just have a generic proof-of-possession protocol after > the PAKE. > > The implication being you combine these two and voila, something better > than PKEX > because it's just using known tools to do this and is not rolling new > crypto. > > Regarding the first, it's a draft that will be a work item of the > research > group. If the consensus of the group is to edit the draft then the draft > gets > edited to reflect the consensus of the group. > > Regarding the second, the suggestion was to do this: > > A->B: SPAKE-Kex > B->A: SPAKE-Kex, SPAKE-Confirm, {ID_B, Pub_B, Eph_B}K_spake_B > A->B: SPAKE-Confirm, {ID_A, Pub_A, Eph_A}K_spake_A, > MAC(K_DH_A,transcript} > B->A: MAC(K_DH_B, transcript) > > Now I'm pretty sure that is not a generic commodity tool for doing > proof-of-possession > so I'm not sure what complaint is. That proof-of-possession is more > complicated than > what PKEX does, has more moving parts in the form of new ephemeral keys, > does not > actually seem to prove possession of the private key, and I'd wager does > not have a > security proof (Eric's final complaint about PKEX). > > The request is not to rubber stamp the imprimatur of the CFRG on a > document, > it is to adopt a document as a work item of the research group. With that > in mind, > I have updated PKEX to incorporate the first suggestion (don't hash the ID > with the > password). The current version is -06, it's in the repository. Please take > a look and > consider its adoption. > > thanks, > > Dan. > > On 8/5/18 6:47 AM, Eric Rescorla wrote: > > I concur with Richard and Martin. Given that this will happen only > infrequently, what's the advantage over plugging together commodity tools. > > FWIW, while I recognize that the CFRG does not exist solely to support > IETF protocols, I'm not seeing a lot of demand for this in the IETF. > > In addition to the above, I note that the final line of the security > considerations says "There is no proof of security of PKEX at this time." > That seems like a pretty big concern. We're moving towards wanting security > proofs for IETF protocols, and I'd generally expect that a lot of the value > of CFRG is that it would produce primitives with high levels of assurance. > > For these reasons, I would not support adoption. > > -Ekr > > > On Thu, Apr 12, 2018 at 7:15 PM, Martin Thomson <martin.thomson@gmail.com> > wrote: > >> Richard has summarized my own reservations with this and the >> composition of existing primitives makes a lot of sense. We're seeing >> a relative explosion in the number of cryptographic tools available of >> late, and this is a clear example of where we can make an engineering >> decision to use existing tools rather than build new ones. I >> recognize that this isn't the IETF, but that doesn't make that any >> less valid a choice. >> >> FWIW, the lack of support for anything other than DSA and ECDSA is >> also a major problem. DSA is basically non-existent in practice. What >> about Ed25519/Ed448? >> >> On Fri, Apr 13, 2018 at 11:38 AM, Richard Barnes <rlb@ipv.sx> >> <rlb@ipv.sx> wrote: >> > >> > >> > On Thu, Apr 12, 2018 at 7:52 PM, Dan Harkins <dharkins@lounge.org> >> wrote: >> >> >> >> >> >> >> >> On 4/12/18 6:21 AM, Richard Barnes wrote: >> >> [snip] >> >> >> >> >> >> I guess what I don't understand here is the benefit of conjoining the >> >> primitives rather than composing them. It seems like you would get >> the same >> >> effects here in the same number of RTTs with a straightforward >> combination >> >> of PAKE, sending identities, and a proof-of-possession protocol [1], >> all of >> >> which are already well-established. Instead, you've mushed them all >> >> together. That seems like it has some costs, e.g., the restriction to >> ECDSA >> >> when with a more composed design you could support arbitrary DH or >> signing >> >> keys. What are the corresponding benefits? >> >>> >> >>> >> >>> I'm not sure where the mashup is. You have basically described >> PKEX. It >> >>> does >> >>> SPAKE2 and then it sends identities and a proof of possession >> protected >> >>> by the >> >>> PAKE shared secret. >> >> >> >> >> >> What I mean is that in addition to just using the PAKE, you're also >> >> changing its internals: >> >> >> >> - Instead of using the password as input, PKEX hashes in the identities >> >> >> >> >> >> So? The password is still used. Are you saying this is not SPAKE2 >> >> anymore? >> >> >> >> - The key shares from SPAKE2 are re-used for the proof of possession >> >> >> >> >> >> There needs to be some demonstration that the key is used "live" in >> the >> >> exchange >> >> otherwise you're not really proving possession. In your sketch below >> >> (which I >> >> admittedly don't understand 100%) you are introducing yet another >> >> Diffie-Hellman >> >> with Eph_A and Eph_B which I guess are used with the private analogs of >> >> Pub_B >> >> and Pub_A, respectively, to produce K_DH_B and K_DH_A, respectively. >> >> >> >> I don't see the value of treating the PAKE a closed some black box. >> > >> > >> > The benefits are the typical "don't roll your own crypto" benefits -- >> > generality, code re-use, and analysis re-use. If you have a general >> "insert >> > proof of possession here" slot, you can address keys from any DH group >> (even >> > if it can't do SPAKE) or even signing keys. You can take an SPAKE >> > implementation that has a "password in, key out" interface and re-use >> it. >> > And when you're trying to prove the properties of the system, you can >> treat >> > the "black box" sub-units as things with known properties; you don't >> have to >> > worry about whether re-using a key share will undermine some property. >> > >> > It seems like you're trading off 1 DH key generation per side (the >> > incremental cost of the sketch below over PKEX) against a lot of work to >> > analyze this thing and more difficulty implementing. I'm just saying >> that >> > trade-off doesn't seem like a good deal to me. (If I were the chairs, I >> > might consider whether this merits the group's time, given that the can >> be >> > solved with existing primitives at not much cost.) If others feel it is >> > worthwhile, though, I'm not going to stand in the way. >> > >> > --Richard >> > >> > >> >> >> >> It already >> >> has a perfectly good ephemeral Diffie-Hellman share which I am putting >> to >> >> good use >> >> instead of ignoring which necessitates generation of yet another >> ephemeral >> >> Diffie-Hellman share. >> >> >> >> You're not treating the PAKE as a box that takes a password on one side >> >> and emits a key on the other side. >> >> >> >> >> >>> >> >>> The limitations are that the two sides have to be exchanging >> >>> keys from the same group and since they've already agreed on a group >> for >> >>> their >> >>> identity keys then they have to use the same one for the PAKE. Those >> were >> >>> not >> >>> seen as serious issues because such a restriction may already be >> imposed >> >>> on the >> >>> subsequent key exchange protocol (e.g. MQV), and it obviates the need >> to >> >>> discuss >> >>> what it means to exchange, for instance, a p521 public key over a PAKE >> >>> that uses >> >>> brainpool256. It cuts down on problematic options. That's the same >> reason >> >>> that >> >>> the hash algorithm and SIV key length are determined by the prime >> >>> defining the >> >>> group, less options that might be used poorly means a more robust and >> >>> idiot-proof >> >>> protocol. >> >> >> >> >> >> I'll grant that you do get more rigidity from the conjunction. But I'm >> >> not sure that this is more effective than simply expressing the >> requirement >> >> in prose. >> >> >> >> >> >>> >> >>> >> >>> Also, there is no restriction on ECDSA. >> >> >> >> >> >> Maybe you should revise this text then :) >> >> >> >> """ >> >> Due to the nature of the exchange, only DSA ([DSS]) and ECDSA >> >> ([X9.62]) keys can be exchanged with PKEX. >> >> """ >> >> >> >> >> >> Right, it expressly includes DSA keys. >> >> >> >> And maybe add a clearer explanation than "due to the nature of the >> >> exchange". >> >> >> >> >> >> OK, good comment. That is overly vague. >> >> >> >> Dan. >> >> >> >> --Richard >> >> >> >> >> >>> >> >>> In fact, Appendix A.2 has the SPAKE2 >> >>> role-specific elements for four standard DH groups and the Appendix >> talks >> >>> about >> >>> how to generate role-specific elements for other groups not >> enumerated. >> >>> >> >>> --Richard >> >>> >> >>> [1] Sketch: >> >>> >> >>> A->B: SPAKE-Kex >> >>> B->A: SPAKE-Kex, SPAKE-Confirm, {ID_B, Pub_B, Eph_B}K_spake_B >> >>> A->B: SPAKE-Confirm, {ID_A, Pub_A, Eph_A}K_spake_A, MAC(K_DH_A, >> >>> transcript} >> >>> B->A: MAC(K_DH_B, transcript) >> >>> >> >>> Note that at this point, it's starting to look simpler just to do TLS! >> >>> >> >>> >> >>> It's not really. There is running code for this protocol (and not >> just >> >>> by >> >>> me) and it's much simpler than TLS. >> >>> >> >>> regards, >> >>> >> >>> Dan. >> >>> >> >>> >> >> >> >> >> > >> > >> > _______________________________________________ >> > Cfrg mailing list >> > Cfrg@irtf.org >> > https://www.irtf.org/mailman/listinfo/cfrg >> > >> >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org >> https://www.irtf.org/mailman/listinfo/cfrg >> > > > > _______________________________________________ > Cfrg mailing listCfrg@irtf.orghttps://www.irtf.org/mailman/listinfo/cfrg > > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg > >
- [Cfrg] Adoption call for draft-harkins-pkex-05 Alexey Melnikov
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Greg Rose
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Stanislav V. Smyshlyaev
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Dan Brown
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Greg Rose
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Dan Brown
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Benjamin Kaduk
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Dan Brown
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Dan Harkins
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Dan Harkins
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Richard Barnes
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Dan Harkins
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Richard Barnes
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Dan Harkins
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Richard Barnes
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Richard Barnes
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Dan Harkins
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Richard Barnes
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Martin Thomson
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Eric Rescorla
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Daniel Harkins
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Christopher Wood
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Eric Rescorla
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Salz, Rich
- Re: [Cfrg] Adoption call for draft-harkins-pkex-05 Greg Rose