IETF Logo Mail Archive

Re: [Cfrg] aPAKE Analysis / Why System-Level-View

Natanael <natanael.l@gmail.com> Thu, 19 September 2019 15:28 UTC

Return-Path: <natanael.l@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BADA112000F for <cfrg@ietfa.amsl.com>; Thu, 19 Sep 2019 08:28:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OCcICvFMSZDg for <cfrg@ietfa.amsl.com>; Thu, 19 Sep 2019 08:28:43 -0700 (PDT)
Received: from mail-vs1-xe30.google.com (mail-vs1-xe30.google.com [IPv6:2607:f8b0:4864:20::e30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 837061200A1 for <cfrg@irtf.org>; Thu, 19 Sep 2019 08:28:43 -0700 (PDT)
Received: by mail-vs1-xe30.google.com with SMTP id m22so2544251vsl.9 for <cfrg@irtf.org>; Thu, 19 Sep 2019 08:28:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xvVl0IcZ/F7Es6KyxUgCwgaZlZeHmui4qPMbCQ9YZ9M=; b=SlVBNtxCwQ+oAjssW49rVuLvH7+3TpoNVMrOE0EIWBX73KiUJvpw0ACkzVaY7LvIeQ cM1AiNXq36cf07CUKE5ZYhVUdX3SKwJ93YIky+6VPDfFnyCtOqzZs7SVrKK77tu6WYjK sKY4cq9MWEfN2tPwv/z+RhQGd7YbDptN2zC0Yld3UMJX9SAsTfipWalLfbhpLXYXoRdS e0cyKx7v9q7RODmLeTdJabYVCVGeoF5MeM5qTP2wplZxf2+eXHfBOWOK+mByinhN6oXi +yTiYz+YmFtozmvW+Hordgyu5vJrpXsrYPYVFUMJyC0gPNjtc+roxHzl0QV2oLQaDRTy 0Vag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xvVl0IcZ/F7Es6KyxUgCwgaZlZeHmui4qPMbCQ9YZ9M=; b=pBqKINzjHVdIWl07K6+aWd4t91hqTjCkt5ercLXb+41NcorBppGHq9uUPhnW79jKGW aUkXJYp6CF3Pcme64QpY12l6I28h5G1qMsev5BmiJHywO4VATm7/OiPqeeKfgqlJ+Pu/ Fh4CeraLDMEuXv6HQ3J4UEOr4iGncYkNImLuVujukgv2w5b25+J+lvqj50INpsBBESsn Ofi78ClnZ+O76rdy968avkGKFV811P0Dr+FqiF/Qtpr4cUcj9Zs6f7/fWJSg+0DDCAuJ oAe0kwOABI/7sXiL7l9yJbXbzx9V53UuMp1XXMnMZbWhU/jfhKW/e7FPBIjmBNOHa2mQ gfuQ==
X-Gm-Message-State: APjAAAX0rIGaLgWerlPGl672/eG1vCpC+0JskJX9b58z1CJuBFZWqzln wFwc1nzxG74UKmbeiq38IFplCrYnFVwNwv8b+cE=
X-Google-Smtp-Source: APXvYqy8OVwKJgqgCFIm3fRBbeXjk2w5KEOa5WqMzv1a5ctvSXWSeMsuo8m4Qs7k9N1BX/ennFz782RpuvXY9N13OlU=
X-Received: by 2002:a05:6102:10a:: with SMTP id z10mr1868935vsq.176.1568906922316; Thu, 19 Sep 2019 08:28:42 -0700 (PDT)
MIME-Version: 1.0
References: <VI1PR0501MB22558468E3C0549F452736CC838E0@VI1PR0501MB2255.eurprd05.prod.outlook.com> <CACykbs2-4XVJKZU_f90QN42XH-ec1HoUx02ts19gd3=AjjYTCA@mail.gmail.com>
In-Reply-To: <CACykbs2-4XVJKZU_f90QN42XH-ec1HoUx02ts19gd3=AjjYTCA@mail.gmail.com>
From: Natanael <natanael.l@gmail.com>
Date: Thu, 19 Sep 2019 17:28:29 +0200
Message-ID: <CAAt2M1-zVqxQNQSts6PZmQrC7dcK4RKdn4vHKh_MeOAAK-=aPg@mail.gmail.com>
To: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Cc: Björn Haase <bjoern.haase@endress.com>, IRTF CFRG <cfrg@irtf.org>, Hugo Krawczyk <hugo@ee.technion.ac.il>
Content-Type: multipart/alternative; boundary="000000000000ca57190592e99b25"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/VTUdeHtKbjCxMEO7Xs_cMUThiqs>
Subject: Re: [Cfrg] aPAKE Analysis / Why System-Level-View
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Sep 2019 15:28:46 -0000

Den ons 18 sep. 2019 13:51Jonathan Hoyland <jonathan.hoyland@gmail.com>
skrev:

> Hi Björn,
>
> I think the aPAKE candidates analysed in the UC model are taking the right
> approach. I think it would be valuable for as
> to give them composable features such that it is well defined how to bind
> them to other protocols, and how to bind other
> protocols to them. If we can define a channel binding for the aPAKE and
> further allow the aPAKE to commit to ancillary
> data then are well on our way to making it a useful primitive.
>

I'd like to note that the U2F spec has a channel binding option. IIRC it
derives a session ID (or equivalent value) from the TLS key exchange and
commits to it.

Reference;
https://fidoalliance.org/fido-technotes-channel-binding-and-fido/

Unfortunately it isn't implemented in any U2F compatible browser - only
Chrome used to support it, but then they later removed it (citing
complexity, although I believe the security benefit justifies it). Firefox
never supported it. Hopefully it will regain support. But regardless, the
approach used in that spec might be a good starting point here too?

And a sidenote: as I've mentioned before, I'd really like to see a PAKE
protocol and a 2FA protocol like U2F being supported together. If both of
these protocols would also have proper channel binding, then this would
offer significantly improved security without sacrificing usability.

Being able to trigger a PAKE from a button press on your 2FA hardware token
would also be a significant UX improvement over many of the other options
with similar security level.

v2.23.0 | Report a Bug | By Email