[Cfrg] Personal feedback regarding the CFRG PAKE selection process

Björn Haase <bjoern.m.haase@web.de> Tue, 19 November 2019 23:19 UTC

Return-Path: <bjoern.m.haase@web.de>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90B871208AC for <cfrg@ietfa.amsl.com>; Tue, 19 Nov 2019 15:19:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=web.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fcwvnz2nJ3Gb for <cfrg@ietfa.amsl.com>; Tue, 19 Nov 2019 15:19:01 -0800 (PST)
Received: from mout.web.de (mout.web.de [217.72.192.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00E5F120882 for <cfrg@irtf.org>; Tue, 19 Nov 2019 15:19:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=web.de; s=dbaedf251592; t=1574205536; bh=F1857D9BrrujFofl8pSDShz5s6qNCYxdmuZRAboO6E4=; h=X-UI-Sender-Class:From:Subject:To:Date; b=Ck9dQ7j7Xkkz/5XLei6fZoIrVzFI6mc3m5lHvDGnIVZYk1GJtDpdagJ3wvMX63fCs khmFlGsngknmvX6U10rc8r95o2Xv2J3z3xhWq9NwPoJtMI585KippyOi8P1FfzVc69 8WJGyP6MZ7LvAlFYuBszdL0P2IrMvzSnaWkB6TiY=
X-UI-Sender-Class: c548c8c5-30a9-4db5-a2e7-cb6cb037b8f9
Received: from [192.168.2.161] ([178.2.111.156]) by smtp.web.de (mrweb101 [213.165.67.124]) with ESMTPSA (Nemesis) id 0LkPrz-1i1ArF1Fkp-00cP6n for <cfrg@irtf.org>; Wed, 20 Nov 2019 00:13:50 +0100
From: =?UTF-8?Q?Bj=c3=b6rn_Haase?= <bjoern.m.haase@web.de>
To: cfrg <cfrg@irtf.org>
Message-ID: <890b2b0b-59a1-55d1-1914-862fc4a5010b@web.de>
Date: Wed, 20 Nov 2019 00:13:39 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:Rt/oDigGRcgHvMv5OUX6hhrng9G8M4TEsNv61PLcZ5vt+jxz36G ZUewrfqvQKVTsOpamHj8ShFmr20LKU7J19kCm9lMoJxP3Xvbis9jXJ35WaPKDVe+8bG0QRP 9WolfeRWHGSVOCCNJSDdPgLD3wevE43RSJ23RjkWHztLBB0N7WtvIQZxNebMiNTKlrajJQU L0neqf/XN1XvAqZa506gQ==
X-UI-Out-Filterresults: notjunk:1;V03:K0:3AirA69r2hI=:mtESSy6CLT8uE+bpnyUY7p 0/jYwfiTr8bZ8seBpSv82fqzowy59AxVT1GowuEdHjq31F+Uh8tQQY2CQA5Lc3bGEXm1WEDhQ DmQGoIrk0lLv73M62U4vkhRaq50Sh+og/RZewEnUHD6+Hevb55ojEbyElXzocI327psDCtL0Y bclDn92/9mOsyfGMf7T7YDkD2MWP2YPpOB7p7V4MHYlBi0F59n4bx7sJ1aaH1PZs26SDwp5R1 Q5MJJ8Q7w+IhEpt6CaSnfjnLahleKdorf35T8sKeWXDiT+OmCQACxiPh5GAsWHvvfTg+6JLMh YDS1ywFIxt6opNPyzxRMj0eAzH5OVt6avumI/fnnDOeqR0FjPzPo69CV6FaLCkcxoDJI4MIgl 6c1lQZZa08aPYwQarjNGCglptzeHtypjSl4iRpKdBqfsmgSf8h4yJvI+IgOnqINbhtilg/hTg gwIhq4LKswXi51DkKUXFDQurXlUOADk048YQ0g6IOjdA5Kb887myF2qLUrQQkA8YWhDz/BM8V DHUk+Htb4/tYluOEnCyHTbWlfJyjU2lxGTw///rwR6q4PHczOtMqli1lTrwd9a1MwZZAfx3sQ +OJsUy7n1glmmhCsp44E37WkIBWcbQoeaF15FmtffHhQGQt9rvgIoJuSbcjz0wPrm/8CYjooc cGRRewHiBMlADrFQwEBpPKkjw5uKCGjBUeVuNN0gebO0UECS7FcKRM+4Nu99P/ny8ZJcNq83w wfe5QYm1Lh0FIBS+Di+PQCAzAUL/uDiQeKtEb9De/kOLPpEDQZkhjnm+2YmZSDRPMqyfAkqff MT31W7kx82uM9RCT+Rp0FNVIL9GvdTzWK0xSzYwA37Q67vjKdm2PNzDRTxnJPBEMiByqtOxAG EoNYQVn6BAmPY1CAp0frBBDebX32r3S+wvNAhWns1hHrpMcxFEE8kAHtK9w2Vt7yYIOIbaMUo OcTYDIOdqTTD6Nv/9QAXVO/NAMZs1a0oGDtIklKBPwngJiujlnSxsVjKfC/Q3d1dHck5FuBN5 /NncipMHMn8kfjA1Q3FOfwniX+XYIEd81SEL0XqyHYa8Um/D5/5FOc2orhS4rSoMb+UjfXKFU MXUyQGUtihYkUaTHEthTr/uA5cgFP1xgnREGoCLSd6smXhFqr1KZPBYq9EakkKgP5mEOPlT0b uf7B70doBdgsgwALNyEpN3TEDE/l41pf2CojeikHoIm5MFOFFcA75jjWpjP3u1z7Jm1hMLPzr Mv3RkJLAn0VRg6OkEx8Gv5Gd5kbEQ850zwVy4C+72fThxXlLHBB+l6fgmXWM=
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/PRGceW-FyXmaJ1oPawovXVZIBw4>
Subject: [Cfrg] Personal feedback regarding the CFRG PAKE selection process
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Nov 2019 23:19:03 -0000

Dear CFRG community,

I would like to share with you the following thoughts regarding the
current state of the PAKE selection process.

It is my conviction (as stated before on the list) that none of the
nominated schemes has critical weaknesses. Therefore the task of the
selection of the primitives might be not so easy/obvious.

In my opinion the team involved with the selection process should base
their choice on the primitives which the best potential of being
actually used in real-world settings. It is my conviction that
protecting password-based authentication will be one of the most
important aspects for improving real-world security and privacy.

In the past patent pitfalls did seriously hamper roll-out of the most
secure options. Now, finally that many PAKE patents having expired
(except for PAK which will expire soon) and patent-free and efficient
constant-time mapping algorithms have been developed for all relevant
curves, chances stand better that PAKE technology with its main feature
of establishing roots of trust in a completely de-centralized setting
will become more wide-spread use.

I now still see the following main risks that might hamper such more
wide-spread use:

- The PAKE scheme rollout in real-world applications might be hampered
by fear, uncertainty and doubt against PAKE regarding resilience to
quantum computer attacks. Personally with my background as a physicists
which has graduated and spent years of his life on studying quantum
correlations in solids, I assess the threat of quantum computing based
attacks *not* to be relevant for most applications. However the true
threat of quantum computing might rather be that people are scared away
from using PAKE because of presumably missing resilience and/or missing
quantum-attack mitigations and use inferior designs instead.

- The second most important aspect which might scare away people from
PAKE is, if implementing the PAKE is considered as too costly / resource
consuming / needs too much code size / too much storage space for
password databases / too complex to implement, etc.. This will most
surely not be an issue for powerful devices, but might result in severe
problems for constrained ones. (To give an example, it was not an
accident, IMO, that the for the earliest Bluetooth LE security layer 4.0
the bluetooth SIG did remove all of the asymmetric cryptographic
algorithms that were already in use for the previous Bluetooth
Basic-Rate security profiles. What drove the SIG was a true resource
problem! It took the SIG years to correct this mistake with BLE 4.2 and
later.)

- Finally, If there are too many protocols recommended, we might face
inter-operability issues and people might be scared away from using PAKE
because of too many different options to support and an
inter-operability nightmare.


I am truly curious about what will come out. The only thing that I would
like to stress is that in my opinion CFRG should really come up with *at
least one* recommendation for balanced and augmented PAKE. (Recall that
there were people that did stress that the mission of the PAKE selection
process is actuall choosing "zero or more", seemingly with some
inclination to rather choose zero!)

Finally, I would like to thank all of the reviewers and involved people
for the amazing work and commitment for the tedious work of digging
through all of the provided materials.

Yours,

Björn Haase