Re: [Cfrg] Fwd: New Version Notification for draft-harkins-pkex-00.txt

Andy Lutomirski <luto@amacapital.net> Mon, 12 September 2016 16:20 UTC

Return-Path: <luto@amacapital.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D55512B35C for <cfrg@ietfa.amsl.com>; Mon, 12 Sep 2016 09:20:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=amacapital-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vBDAwOKL8l0G for <cfrg@ietfa.amsl.com>; Mon, 12 Sep 2016 09:20:32 -0700 (PDT)
Received: from mail-yb0-x22f.google.com (mail-yb0-x22f.google.com [IPv6:2607:f8b0:4002:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A296612B68A for <cfrg@irtf.org>; Mon, 12 Sep 2016 08:20:23 -0700 (PDT)
Received: by mail-yb0-x22f.google.com with SMTP id d69so15415921ybf.2 for <cfrg@irtf.org>; Mon, 12 Sep 2016 08:20:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=rZDDVceSLBMzymnDfwDRbti3VAeaiCu7F6azYJ3sa9k=; b=0Tzwlud2UxjzQQdTR52z1qvvqwNuyUGfyWeGIf123U6V8664PXMYRkP8WqJYlDMoGG WRF4X7VWiCZT73kX0CzX7JaNpOfW7Hi4htvzdkYieRDNGyhHcL1wTgovn4pkGQIfU+Sy DvtpK2ZA0Mw4sBD37xx/4ZsXgs5fO5THEFiQViWpm184fStiBR9bPzjqZfYu9Ij0wTqX yLBgmKMtvLxIx39RqfLWuLLRWH4c1cEv3TQcgP9JQC3X9fCnSRb72BoAgENEPPn87VXG q01bBYldydxNSxXMgDnAMQ8e8IkQPBBqQ0DGFvKwstrPFv3zbkmj6aDFUfg+LKZWxff0 k2lw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=rZDDVceSLBMzymnDfwDRbti3VAeaiCu7F6azYJ3sa9k=; b=Xy4dPOprEvsBJvmG5fFD7k5OHJI9SGITlG51meX0EoI/8vcxuvBG1X5JbqqXwu+nCQ ONEc5/rE9VO2Rf1TGkhfxF0M4fzlfVGbtCG29LkHLTmr8DIkaIpeXZvYLQEWKfs81Y3F OcrN1VWnk5kW19FdF99VXBEe1Cb3CAt4Pydh2SI0C3ZsPxyqf52uTgabmrnUBoFGVeTw 92PhodxpxvHGZ8gp9d3LpemhOLktgbgAFwKOrKEwWoDfOS9rK8GMpQ+0QuI0BcNl+nir 6sPeqRL6XfYOXPeh4/lbrpueJU6gYNg8ELGxKcEkf+gOhhvHf8VyND0cdJgf0CNk8vnS 1jfQ==
X-Gm-Message-State: AE9vXwOca2xrTjFpYKC4k2azifCe5lhBv1t82G9wReItoMrFcavSA1j8tvb+blU520kswa2FV0Ysdw4wjTqTNbjE
X-Received: by 10.31.199.67 with SMTP id x64mr12478364vkf.124.1473693622741; Mon, 12 Sep 2016 08:20:22 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.51.23 with HTTP; Mon, 12 Sep 2016 08:20:22 -0700 (PDT)
Received: by 10.103.51.23 with HTTP; Mon, 12 Sep 2016 08:20:22 -0700 (PDT)
In-Reply-To: <3e9341e6-d826-a028-df40-a4e0dff98635@lounge.org>
References: <147367129321.14577.4302361405783294005.idtracker@ietfa.amsl.com> <3e9341e6-d826-a028-df40-a4e0dff98635@lounge.org>
From: Andy Lutomirski <luto@amacapital.net>
Date: Mon, 12 Sep 2016 08:20:22 -0700
Message-ID: <CALCETrXo3AQNJGzvVQ-O3YtGhPOu45Y6S13u3WUJO8PjkU6EJQ@mail.gmail.com>
To: Dan Harkins <dharkins@lounge.org>
Content-Type: multipart/alternative; boundary=001a114d8fe2e48a36053c5108b8
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Q8eZmvju5YwPoLLoDAx9IfLI-RQ>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Fwd: New Version Notification for draft-harkins-pkex-00.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Sep 2016 16:20:34 -0000

This appears to be more or less the same protocol described in the 802.11
DPP drafts.  It was terminally insecure then and it appears to be just as
terminally insecure now.  If it's really necessary for some reason, I can
reiterate the multiple ways I found to break it after half an hour of
thinking.

This protocol needs to be replaced, starting from scratch.  By "from
scratch", I mean that a real PAKE should be used, in its intended form.
The result will not even need to mention "groups", because there is no
reason at all for the tiny bit of protocol layered above the PAKE to care
that the exchanged keys are anything other than opaque strings.

--Andy

On Sep 12, 2016 2:19 AM, "Dan Harkins" <dharkins@lounge.org> wrote:

>
>   Hello,
>
>   In the current PAKE requirements draft there is an application
> described for which we have no candidate protocols. Namely,
>
>  "In addition to key retrieval from escrow, there is also the variant
>   of two parties exchanging public keys using a PAKE in lieu of
>   certificates.  In this variant, public keys can be encrypted using a
>   password.  Authentication key distribution can be performed because
>   each side knows the private key associated with its unencrypted
>   public key and can also decrypt the peer's public key.  This
>   technique can be used to transform a short, one-time code into a
>   long-term public key."
>
> So I have written an I-D that proposes just such a protocol. I
> solicit review and criticism.
>
>   regards,
>
>   Dan.
>
> -------- Forwarded Message --------
> A new version of I-D, draft-harkins-pkex-00.txt
>
> has been successfully submitted by Dan Harkins and posted to the
> IETF repository.
>
> Name:		draft-harkins-pkex
> Revision:	00
> Title:		PKEX
> Document date:	2016-09-12
> Group:		Individual Submission
> Pages:		9
> URL:            https://www.ietf.org/internet-drafts/draft-harkins-pkex-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-harkins-pkex/
> Htmlized:       https://tools.ietf.org/html/draft-harkins-pkex-00
>
>
> Abstract:
>    This memo describes a password-authenticated protocol to allow two
>    devices to exchange "raw" (uncertified) public keys and establish
>    trust that the keys belong to their respective identities.
>
>
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>
>