Re: [Cfrg] PAKE selection process: Maybe we need a modular approach for integrating authentication of human individuals with TLS?

Benjamin Kaduk <> Sun, 21 July 2019 04:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1B6C31200C3 for <>; Sat, 20 Jul 2019 21:15:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id A7nqX3WAtqkR for <>; Sat, 20 Jul 2019 21:15:10 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2D81212006A for <>; Sat, 20 Jul 2019 21:15:09 -0700 (PDT)
Received: from ([]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by (8.14.7/8.12.4) with ESMTP id x6L4F1OE026457 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 21 Jul 2019 00:15:03 -0400
Date: Sat, 20 Jul 2019 23:15:00 -0500
From: Benjamin Kaduk <>
To: =?iso-8859-1?Q?Bj=F6rn?= Haase <>
Cc: "Stanislav V. Smyshlyaev" <>, CFRG <>
Message-ID: <>
References: <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <>
Subject: Re: [Cfrg] PAKE selection process: Maybe we need a modular approach for integrating authentication of human individuals with TLS?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 21 Jul 2019 04:15:12 -0000

On Fri, Jul 19, 2019 at 09:45:03AM +0000, Björn Haase wrote:
> Hello to all,
> I am writing this mail in order to prepare the future steps regarding PAKE on and after the Montreal Conference.
> My personal perception is that among the set of current nominations no protocol was proposed that is obviously inadequate. (I personally am somewhat sceptic regarding the proof situations for “SPAKE2+EE/BSPAKE” and “SPEKE”, but even for these two I don’t see  obvious flaws if integrated properly.) My expectation is that regarding the security-topics, we might reach consensus in the CFRG community quite easily, once we have established a common understanding of the design priorities regarding patents, round efficiency, computational efficiency and security-guarantees.
> I believe that the main objections regarding PAKE will come from elsewhere: The people that would have to integrate it into larger systems like TLS, browsers, OS or password database management modules (such as PAM).
> I see the urgent need to standardize a sound PAKE for human user authentication and I think that for this purpose we will need to consider the concerns and needs of the “system integration” people very seriously. Otherwise, we might not be successful with the project of improving security and usability.
> When trying to “wear the hat” of these people, I came to the conclusion that we might need some kind of a modular system integration approach. I have spend quite some time and discussions on this topic. I would appreciate your feedback regarding the problem analysis and solution approach that I tried to summarize in the slides available at .
> Maybe somebody might also spread this link to the TLS working group people or discuss the topic of TLS integration of PAKE at the upcoming conference in Montreal. (There seems to be an issue with my mail accounts being blocked from posting to the TLS mailing list ☹).

I forwarded this message to

That said, my understanding is (and I decidedly do not speak with any
authority here) that previous discussions of integrating a PAKE or other
external mechanisms into the TLS handshake have run into stumbling blocks
if there is a need to modify the handshake message flow, e.g., even to add an
extra handshake message, let alone an extra flight (as a GSS-API
integration would need).  That, in turn (if true), would seem to limit us
to just a ClientHello extension and ServerHello response, which is ...
quite constraining.  But let's see where the discussion ends up.