Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13
"Hao, Feng" <Feng.Hao@warwick.ac.uk> Thu, 15 October 2020 23:02 UTC
Return-Path: <Feng.Hao@warwick.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92DD33A0C0A for <cfrg@ietfa.amsl.com>; Thu, 15 Oct 2020 16:02:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f-sqpaWfE4Qp for <cfrg@ietfa.amsl.com>; Thu, 15 Oct 2020 16:02:01 -0700 (PDT)
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40070.outbound.protection.outlook.com [40.107.4.70]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8591F3A0C00 for <cfrg@irtf.org>; Thu, 15 Oct 2020 16:02:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RczBpdT1kcFHbbSq1TauNGG/OHH14jhkVxszr72ez56uLjp2WMmXqGgCONbWbJTviMiGkFOuNwc/eAf8+YvQ1mgNuWV2Esk9xEKmk3KHIOconfHWHl4tO+cRv9DFe8MlDh2Q+e8VaHAwt9gyzEa6EWwOzoCoNkKciHZGAUR1NeDwwDi0r9OgmfPaL7eSaWS/nELn7L+zQb5RbMtAez30YTRUxTYsSDuacVZ0NgNITVg4tpu292Q2ckoTbxjK2XsEWVLxYlXXp9OGXOcjyNhEmyKykIIwzXQUQNH0EGJyzOeFJSQZCt7P8GOx5Lj3XE4iPCxdxt6DILm9WYPykxz2jA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=d+iKpw609HLEFIHnHNzx3Y0U66vfbQ57YUqerFVDcDk=; b=VI6AS9iE9lFP0ZTwrtr5ytzoSXUfpeSbpyE/aXz9vNg01iXRO6W2Mi/Wx0RYpW+Vb6Rcsz9Lv76/F+atIfbOBUTKTqVpdohLgN/yThAvfbSdGl5p7hgLIwcHvE7jcUoATHQwFaS4vo+tDZ2WZQGsFZNpLWHOI6XepkH1A7t8t9iu42cJDTvlRCqd0QMVB+LaH7OM74LY6cfpFLDerT3REwl+egQos/xCWwKgw/Kyfxg5jrO5iSPUmqqQhQVSE66ZvNHqk7RYXvQDKuPvAPWnBsMzPyVX1Y+I/8pMAddJwmoDMgmc8PGtjz5gvO4cJy/w9dHIZk4rcySqkWGOl+9W9w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=warwick.ac.uk; dmarc=pass action=none header.from=warwick.ac.uk; dkim=pass header.d=warwick.ac.uk; arc=none
Received: from AM6PR01MB4278.eurprd01.prod.exchangelabs.com (2603:10a6:20b:23::18) by AM6PR01MB4376.eurprd01.prod.exchangelabs.com (2603:10a6:20b:23::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3477.20; Thu, 15 Oct 2020 23:01:58 +0000
Received: from AM6PR01MB4278.eurprd01.prod.exchangelabs.com ([fe80::441:a0de:d758:2635]) by AM6PR01MB4278.eurprd01.prod.exchangelabs.com ([fe80::441:a0de:d758:2635%6]) with mapi id 15.20.3455.031; Thu, 15 Oct 2020 23:01:58 +0000
From: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13
Thread-Index: AQHWoe/ilD4bNNgNOUCLW6H2BOQ/Y6mXj3gAgAARA4CAACSjgIAACw0AgAGLFYA=
Date: Thu, 15 Oct 2020 23:01:58 +0000
Message-ID: <B4421514-6799-4CDA-8470-3BBCECAA1B94@warwick.ac.uk>
References: <CAMr0u6n0SVGpWkBc=ZLMoS-SQZta=TxbUZP13Pq=3QBxdMpUdg@mail.gmail.com> <2B592A5F-FC26-4FA8-A71F-55814E301A1D@warwick.ac.uk> <CACsn0ckcqaQpyb_FUSvNefRmYLLKN2T5TDfbK8F4E7bRepYKkA@mail.gmail.com> <9B7997F2-BB22-44CC-B08B-70E978664ADE@warwick.ac.uk> <CACsn0ckYsj13DGpX64hQ53GDNARZZZVfx6bDKyQQk6vdCFMmCQ@mail.gmail.com>
In-Reply-To: <CACsn0ckYsj13DGpX64hQ53GDNARZZZVfx6bDKyQQk6vdCFMmCQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.41.20091302
authentication-results: irtf.org; dkim=none (message not signed) header.d=none;irtf.org; dmarc=none action=none header.from=warwick.ac.uk;
x-originating-ip: [86.1.47.16]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 614b0285-5fda-4ea6-19b2-08d8715e51bd
x-ms-traffictypediagnostic: AM6PR01MB4376:
x-microsoft-antispam-prvs: <AM6PR01MB437653AD92441521F1323B87D6020@AM6PR01MB4376.eurprd01.prod.exchangelabs.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: YuFb5kMeIonEpvodDcJsz+h3Z9IbdF9BiksSyxPA/CPm3e63kUW5cajou5dJJ3Lh+oRicsZFBiPrNWH86289etH/4vMDFRMdMrvPczMxUgge2DMJKrBfDUwQeR8r6Mg4aLk+gioWy7kK+MZg6+BaE13YIcqOxmk/Yt+cW6buTb5fugH2JbemvPbDPI2Mbk+ahEfvSpD9NRT1LuswViCu2fQLgzPQzWuoQQjH6XI8R8yZxwiYwma3QgkMyg/AM2yeulUB4aAonZPjsTC4H/gO4EBZVKhS1YkfjArIVM9l9mBJrBhGehJ8gtYNgnfifse03uIGMrahLjMiQT2omRpwBTqP/FW+F1/V0V7HOzWPVRWSS1SHMGU7Mv27c9r5zjbPle8HRBMCo0gzVqIuBYtsoQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR01MB4278.eurprd01.prod.exchangelabs.com; PTR:; CAT:NONE; SFS:(4636009)(39850400004)(366004)(396003)(136003)(376002)(346002)(6506007)(76116006)(786003)(186003)(6512007)(6486002)(8676002)(64756008)(2906002)(2616005)(26005)(66476007)(33656002)(6916009)(66946007)(91956017)(66446008)(8936002)(5660300002)(66574015)(478600001)(71200400001)(83380400001)(66556008)(36756003)(316002)(86362001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: Q7dwOE+7wKqsAD6cXKWf3hJHttyDIWPzfrMICbuk1m5iySFbA1BgtYXX3iHCCJSAe3jq1smxDnUHdG5PTBMJ4X2y4VidmC2FTrjX8KBHHWhsq8gTXK65iHH8+XbOyjlqLHwtrDXGSPP4e+RGUlt7hggoSw+cRCyGbj2qhVCca5RP0qiUNFyLqfL1254Fmwv8S9/pRwN52xjTw9Ob3FR/FBUs6QTGjjIabaAKkUvdgXN22v4MtBzxIClC7WMW1V32GLgavh1bxeexJNV2ovlciVi/glJq9QTBsevHnEcwR9orr4TzuK9vd1JpDMkAzmmupcOqQMfF9jwTeUxB1r+DCvb7+ycYmtHjZrVqU4DovNGIPr5vcGKPvSluf1A9isdKdOBwx4Hz41/koC1vYJaGq2HlTrJUVujl3+9/bODM2I4PU6KB0XibF3ZQQKlA4HuB5aBpQ74D0HXf51qnDgbiXgWDlhVZ6IaEOjoiVrp45bjxiwDWhRgUKBFLU4/OeWpjSvVWnsg1F4xYFKK5+vEo89AgYouUnK5z0Yvj5+Qe0oxN2h6zBKcRWFX1yT2VgRlBJeDjCsm2luAJP9umr2m4ZqtslcR4rabzMRAra0h1GKo47dDX/USVjhhJjspCKwSFDVkXr63gJ4kms16WR+f4dg==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <746C817128A839418A78692F27848957@eurprd01.prod.exchangelabs.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: warwick.ac.uk
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM6PR01MB4278.eurprd01.prod.exchangelabs.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 614b0285-5fda-4ea6-19b2-08d8715e51bd
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Oct 2020 23:01:58.4057 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 09bacfbd-47ef-4465-9265-3546f2eaf6bc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: vceJbolKh8MyjxuKVeMVdfT8/xI0QUNbnN4GrXQoXkFH0mRLmzDfZU2va3fPWg4FgjsdODBUHFIYsTgxcHM4jualDNvPOtDF5aQUL+sqIzQ=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR01MB4376
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/T7QZCl-fK7aeO-BvAj0PUM_2O2Y>
Subject: Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Oct 2020 23:02:04 -0000
In reply to Watson's offlist questions and with his permission I post my response on the CFRG list, as I feel the discussion may be of wider interest. On 15/10/2020, 01:28, "Watson Ladd" <watsonbladd@gmail.com> wrote: Offlist: On Wed, Oct 14, 2020, 3:48 PM Hao, Feng <Feng.Hao@warwick.ac.uk> wrote: > > > > On Wed, Oct 14, 2020, 12:36 PM Hao, Feng <Feng.Hao@warwick.ac.uk> wrote: > > For “per-user M and N”, the authors need to be explicit how exactly will each party know the identity to be used by the other party even before any communication starts. Otherwise, you will end up with a “one-round PAKE” that can’t be implemented in one round. > > > > This is a higher level protocol consideration, but I don't see how an extra round would be needed since the server seems the client identity in the first message. It has to look up the password after all. > > > > How about the initiator? Besides client-server, you also need to consider peer-to-peer which is a typical setting for a balanced PAKE. How do peers know each other’s identity beforehand? I'm really struggling to understand what is meant here. Do you have a concrete application that can't work because of this limitation? In what world do you open a connection with no idea of who you will find on the other end? The identity used in PAKE must be "exact", as it will be used to look up the shared password from a local database. You of course know where to open a connection, say if you want to connect to a site, you may use "example.com", "www.example.com", "example.com:80", and etc. All these will lead you to the same site. However, these strings are too ambiguous to be used as an identity. You have to agree with the other party which "exact" string you two shall use. This can't happen out of thin air; it needs two parties to communicate and negotiate. Your draft mentions using internet addresses for identities - however, IP or MAC addresses are unsuitable to be used as identities as they may change at any time. When they change, the user will get authentication failure even after they have used the correct password. This is clearly unacceptable. To sum up, the identity in PAKE is defined at the application level. It must NOT be mixed up with "identities" used in the lower layers in the TCP/IP stack, which serve different purposes. > > > > If you have specific text that would be helpful I'm happy to add it post collecting all the comments. > > > > I’m afraid I don’t have any specific text to propose. It’s not about tweaking text. It’s a fundamental issue that needs to be considered carefully, especially that what you are doing here deviates from the established practice in the past many years research on PAKE where the user identities are established in-flow rather than being presumed or “remembered”. It’s OK that you do something different, but extra care is needed. I can only suggest you to flesh out full details on “per-user M and N” and how it is integrated within the SPAKE2 protocol as a complete specification before it’s possible for others to review and comment on your proposal; or alternatively revert to the original (published) SPAKE2 scheme and acknowledge the limitation of using a global trusted setup. The global setup is still an option in this version. I can also add a per-application variant. It's good to see that you're taking steps to address the trusted setup issue. However, the pre-application solution, as you currently describe in the draft, cannot be realistically implemented in one round. You may want to revise your claims. Also, technically speaking, what you propose in Section 5 is not a "variant" of SPAKE2, but a new protocol (which hasn't gone through any formal peer-review process). You should at least call it a different name to avoid mixing up with the original (peer-reviewed) SPAKE2.
- [Cfrg] RGLC on draft-irtf-cfrg-spake2-13 Stanislav V. Smyshlyaev
- Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13 Hao, Feng
- Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13 Watson Ladd
- Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13 Hao, Feng
- Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13 Hao, Feng
- Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13 Watson Ladd
- Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13 Hao, Feng
- Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13 Watson Ladd
- Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13 Hao, Feng
- Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13 Björn Haase
- Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13 Björn Haase
- Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13 (rej… Annie Yousar