Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG document

Michael Hamburg <mike@shiftleft.org> Mon, 15 December 2014 17:34 UTC

Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF3841A8711 for <cfrg@ietfa.amsl.com>; Mon, 15 Dec 2014 09:34:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.555
X-Spam-Level: *
X-Spam-Status: No, score=1.555 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GS_-NkjCw6zF for <cfrg@ietfa.amsl.com>; Mon, 15 Dec 2014 09:34:37 -0800 (PST)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 248D71A8723 for <cfrg@irtf.org>; Mon, 15 Dec 2014 09:34:20 -0800 (PST)
Received: from [192.168.1.117] (unknown [192.168.1.1]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id 963283AA12; Mon, 15 Dec 2014 09:33:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1418664792; bh=jYKGpsTDOFkut4IisDesc4X7/ZSI489d9dSOHHClAbY=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=Hh+GHv+N2pfXwRTeCcC8RrR/vocGPCBARHuRupRfTOQ4KMjlqogBarAjHEvWPl0s/ ZsQva1S5Frv3r+E8d8TsU0E8A3VPxXpZUeOLwHi8tNOgVDmYh89nwDXuODO36gJQ+b sKOhe/nTMlIDweQ7fG8nSeqz5Gv0SKO9gB0a05lo=
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: Michael Hamburg <mike@shiftleft.org>
In-Reply-To: <548ECB98.7060709@cs.tcd.ie>
Date: Mon, 15 Dec 2014 09:34:17 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <24AB5B70-2641-40EE-988F-64F333C53A31@shiftleft.org>
References: <BF9DADF6-003F-454D-8E96-4A28A060CA72@isode.com> <A635D82B-B55C-4574-AB73-D0408853D642@gmail.com> <548ECB98.7060709@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-Mailer: Apple Mail (2.1993)
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/TTFHf3SIRAavs_mt09qMsxQXDHc
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG document
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Dec 2014 17:34:38 -0000

> On Dec 15, 2014, at 3:52 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie>; wrote:
> 
> 
> 
> On 15/12/14 11:16, Yoav Nir wrote:
>> But I would really like to know who needs a PAKE right now. PAKEs
>> require the server to store the cleartext password or a password
>> equivalent, creating a security issue that is potentially worse than
>> sending cleartext passwords through authenticated channels (as in
>> form-based or basic authentication to a TLS-protected server)
> 

It is definitely a disadvantage of the SPAKE2 draft as currently written that it does not support augmentation, which would allow the server to store a non-password-equivalent token.  Perhaps this part of the feedback would best be expressed as “there should be an augmented option in the draft, such as PAKE2+”?

> +many - PAKEs are IMO cool but mostly-useless crypto for exactly
> this reason (and before others disagree, yes, I know some folks
> disagree:-) If however, CFRG folk want to work on 'em I've no
> objection but just so you all know, there is no horde of IETFers
> waiting with bated breath for more PAKE protocol options.

> There are to be fair a quite small number of sensible people who
> do figure there's a niche there to fill though (Dan H. for example
> but not sure who else), so I could of course be wrong about that.
> As I understand it, the niche Dan has in mind is for signing up
> to get a certificate in a PKI, where the password is used to
> authenticate the certificate request. Even in that case, I'm
> not convinced that PAKEs add value - esp since a one (or limited)
> time use password could be better there and requires no new
> crypto.
> 

PAKEs are definitely a niche technology, but they are occasionally useful.  For example, they would be handy to protect WiFi, and possibly to add a layer of protection to protocols like SSH and IMAP which are often accessed with a password.

> It's also fair to say that the IETF hasn't ever done any kind of
> generic consensus call on the (lack of) value of PAKEs, and the
> IETF does have a history of adding PAKE options to protocols, (for
> some to me unfathomable reason:-) so the above is just my personal
> opinion.
> 
> S.
> 



Cheers,
— Mike