Re: [Cfrg] draft-irtf-cfrg-dragonfly document status

  Watson,

On Wed, October 8, 2014 6:22 pm, Watson Ladd wrote:
> On Wed, Oct 8, 2014 at 4:40 PM, Dan Harkins <dharkins@lounge.org> wrote:
>>
>>   Watson,
>>
>> On Wed, October 8, 2014 3:46 pm, Watson Ladd wrote:
>>> On Oct 8, 2014 3:26 PM, "Paul Lambert" <paul@marvell.com> wrote:
>>>>>
>>>>> On Oct 8, 2014 10:53 AM, "Alexey Melnikov"
>>>>> <alexey.melnikov@isode.com>
>>> wrote:
>>>>> >
>>>>> > Hi,
>>>>> > My apologies for taking so long on this. But I felt I needed to
>>>>> review
>>> mailing list discussions to make up my own mind on this topic.
>>>>> >
>>>>> > After reviewing mailing list discussions about this draft, I would
>>> like to do another RGLC on it. I've seen negative comments on the
>>> mailing
>>> list, but I've also seen some interest in this work and I am also aware
>>> that some variants of the algorithm are already implemented/deployed.
>>> Also,
>>> there were a couple of new revisions of the draft and it is not clear
>>> whether people who reported original problems are happy with how they
>>> got
>>> resolved. So I would like to see a bit more positive feedback on the
>>> latest
>>> version, in particular I would like to know if specific issues raised
>>> by
>>> earlier reviews are addressed in the latest version.
>>>>
>>>> This draft should be published as an RFC.  There is considerable value
>>>> in
>>> having a published stable reference document.   The market should be
>>> allowed to do the estimations of risk and value to field this protocol.
>>>
>>> Just as they did with RC4 and renegotiation?
>>
>>   This has nothing to do with RC4 and renegotiation (I assume you mean
>> in TLS).
>
> I'm questioning the ability of market participants to evaluate
> cryptography.

  Well then you are making very odd comments. Market participants had
nothing to do with defining renegotiation. But, again, this has nothing to
do with the draft in question.

>>>> Versions of the protocol have been adopted and fied. This protocol was
>>> first  introduced into IEEE 802.11s in 2008. The base protocol exchange
>>> has
>>> also been adopted in the Wi-Fi  Alliance.  The protocol has been
>>> improved
>>> by the review in the cfrg and if published, the specification would
>>> positively impact the application of the protocol in other forums.
>>>>
>>>>> My comment (there is no security proof, and alternatives with better
>>> provable security) has been acknowledged to be unresolveable.
>>>>
>>>> Yes, this may be considered a negative point by some but not all.
>>>> While
>>> not a proof, the protocol has been analyzed:
>>>> Cryptanalysis of the Dragonfly Key Exchange Protocol
>>>> It was interested that the only issue mentioned was a small subgroup
>>> attack if the public key is not validated â¦. which it always should.
>>>
>>> This analysis ignores Rene Struik's timing attack, my reflection
>>> attack,
>>> and other comments incorporated into the draft.
>>
>>   And I thanked Rene, you, and others for your comments and, as you
>> note,
>> incorporated resolutions into the draft. Once again, thank you for
>> helping
>> improve the draft. All of the comments have been resolved in -04.
>>
>>   (I will note that the reflection attack you mentioned is not possible
>> in the IEEE 802.11 version of dragonfly, which predated your comment
>> and this draft by a few years, and neither was small subgroup attack
>> described by Clarke and Hao mentioned above. The -00 version of this
>> draft was rushed, take a look at the Acknowledgements in section 4 to
>> see just how bad, and I left some things out that I shouldn't have. All
>> this has all been addressed in -04).
>
> Why did the draft not track the IEEE 802.11 version? Also, as I
> remember from discussing this issue in the TLS WG, the CFRG draft
> version and the TLS draft version differed substantially, enough to
> make the reflection attack not work. (There were interactions with the
> rest of TLS that prevented it) While only tangentially relevant to the
> issue, this is the kind of issue which leads to all sorts of bugs in
> protocols that should be secure.

  The draft was intended to be a generic instantiation of a key
exchange that had been defined in 3 different protocols, each of
which has its own idiosyncrasies. I dealt with the reflection issue in
the IEEE 802.11 instantiation because it was for mesh networks and
there is no notion of a "server" or a "client" or an "initiator" or a
"responder" in a mesh, everyone is an equal peer who can actually
each view themselves as the "initiator" if the timing is right. The
reflection attack was something that needed addressing in the
protocol as opposed to, say, the TLS variant which is not susceptible
to that attack due to the nature of TLS. Again, in my haste to generalize
the key exchange I removed stuff that should not have been removed.
But, as I mentioned, it is in the latest draft that is subject of the RGLC,
thanks to the useful and constructive comments of RG members,
including you.

> It also is not clear how relevant the proposed draft will be
>
>>
>>>>>
>>>>> The draft authors knew this from the very beginning.
>>>>>
>>>>> I don't think we should approve a protocol that doesn't have a
>>>>> security
>>> proof, particularly given that we are going to work on alternatives.
>>>>
>>>> ââ¦ Going to work on â¦â is the issue.  The draft under
>>>> discussion
>>>> has been
>>> on IETF servers for 2 years.  It has been used in other industry forums
>>> for
>>> four or five years.
>>>
>>> Plenty of alternatives have been put forward in those two years,
>>> including
>>> EKE+Elligator,  SPAKE2,  JPAKE,  and SMP based solutions. The failure
>>> to
>>> advance these is inexplicable.
>>
>>   Oh no, it's very easily explained. It's because no one has stepped
>> forward
>> to actually write the I-Ds. You have stated on numerous occasions that
>> these
>> should be written up but you have never actually taken on the task of
>> actually doing it. Please, write up a draft or four.  Whether or not you
>> do,
>> though, this really has nothing to do with the RGLC underway right now.
>
> JPAKE was described in a series of drafts that weren't made WG work
> items. I see no reason that the eventual disposition of SPAKE2, SMP,
> or EKE+Elligator drafts would be any different, and thus see no reason
> to write the drafts.

  The disposition is due to the diligence and hard work of the editor of
the I-D. If you want drafts to be produced in a RG (or WG) the best way
to do that is to socialize the idea, write the draft, and advocate for it.
If you sit back and send periodic emails criticizing everyone else for not
doing what you, in your wisdom from the comfort of your couch, see as
necessary nothing will get done.

>>   If there was a security proof of dragonfly it would not be, nor should
>> it
>> be, part of this draft. It would be a stand-alone paper. The complaint
>> about
>> the lack of a security proof is really procedural and not technical as
>> it is
>> not a comment on the draft that can be resolved by changing the draft.
>> The IRTF (and the IETF as well) has never put a security proof as a
>> process
>> requirement for advancement of I-Ds. You may think it should but that
>> is an argument for a different place, not a RGLC.
>
> It could be resolved by opening the draft, deleting the contents,
> inserting contents describing a protocol with a security proof and
> referring to the proof published elsewhere, and submitting the new
> version, so clearly it is an issue with the contents of the draft.

  No, I'm talking about other protocols which have security proofs
behind the that have been specified in IRTF or IETF RFCs. Look at
SRP (RFC 2945). The security proof is not in the RFC. And if a security
proof of dragonfly comes around there is no reason why it should be
part of this I-D or a subsequent RFC.

> I think what you meant to say is it couldn't be resolved without
> substantially changing the protocol, which also isn't true: if the
> shared secret was a hash of all the messages, and the peer-scalars
> were removed, the result would be a secure PAKE with a security proof.
> But unfortunately it would be a patented one.

  No, that's not what I mean at all. I mean that security proofs are
usually stand-alone papers (in the proceedings of the such-and-such
symposium of secure communications), not parts of RFCs. This is no
different.

> There are plenty of drafts that have piled up in various nooks and
> crannies that never get adopted as WG items, despite requests from
> authors. I don't see why we need to publish this draft, and I don't
> see why we need to publish a draft for a protocol inferior to
> alternatives that have been well-studied and are well-regarded. The
> argument you are making seems to be that anything will get published,
> provided it's sufficiently polished, no matter how much better the
> alternatives are.

  If you have any further technical comments on the I-D, I encourage
their mention.

  regards,

  Dan.

> Sincerely,
> Watson Ladd
>
>>
>>   regards,
>>
>>   Dan.
>>
>>>>
>>>> Yes, the cfrg should work as quickly as possible to make alternatives.
>>> Stopping the progression of this draft does not accelerate new work,
>>> but
>>> does prevent existing applications from utilizing a reviewed and
>>> improved
>>> specification.
>>>
>>> The nonexistence of this draft did not stop adoption in Wifi. By
>>> contrast
>>> advancing a number of PAKEs will kick the issue to WGs without the
>>> capacity
>>> to evaluate the issues.
>>>
>>>>>
>>>>> There is plenty of terrible crypto in IEEE standards
>>>>
>>>> â¦ and IETF standards.  Bringing in other good or bad protocols into
>>>> the
>>> discussion is irrelevant to the decision at hand.
>>>>>
>>>>> we don't issue drafts for because it is so terrible.
>>>>
>>>> Since when did the IETF mandate a security proof â¦   There are
>>>> terrible
>>> protocols with proofs, so why does the lack of a proof made something
>>> âterribleâ.
>>>>
>>>> Paul
>>>>
>>>>
>>>>
>>>>> To the extent our publication leads to use of dragonfly as opposed to
>>> known - good protocols, it's a problem.
>>>>
>>>>
>>>>
>>>>
>>>>> >
>>>>> > Considering how difficult previous Last Call on the document was, I
>>> would like to ask people to:
>>>>> > 1) keep in mind that CFRG chairs believe that the RG should work on
>>> PAKE requirements and after that on other PAKE proposals. This was
>>> suggested by our previous co-chair David McGrew:
>>>>> >   http://www.ietf.org/mail-archive/web/cfrg/current/msg03723.html
>>>>>
>>>>> Why doesn't this apply to dragonfly, but only other proposals?
>>>>>
>>>>> > 2) be professional, in particular no ad hominem attacks
>>>>> > 3) be constructive. In particular if you would like a disclaimer
>>>>> being
>>> added to the document, please suggest specific text.
>>>>> > 4) simple statements of support for publishing the document or
>>> objection to publishing it are fine and encouraged. Sending them
>>> directly
>>> to RG chairs is fine. But please avoid saying "but what about
>>> PAKEXXX?",
>>> due to 1).
>>>>> > 5) unlike IETF, IRTF RGs are not required to reach rough consensus.
>>> However I would like to see us try.
>>>>> >
>>>>> > Best Regards,
>>>>> > Alexey,
>>>>> > on behalf of chairs.
>>>>> >
>>>>> > _______________________________________________
>>>>> > Cfrg mailing list
>>>>> > Cfrg@irtf.org
>>>>> > http://www.irtf.org/mailman/listinfo/cfrg
>>>>
>>>>
>>> _______________________________________________
>>> Cfrg mailing list
>>> Cfrg@irtf.org
>>> http://www.irtf.org/mailman/listinfo/cfrg
>>>
>>
>
>
>
> --
> "Those who would give up Essential Liberty to purchase a little
> Temporary Safety deserve neither  Liberty nor Safety."
> -- Benjamin Franklin
>