Re: [Cfrg] OPAQUE: Secure aPAKE (presentation and draft)

Richard Barnes <rlb@ipv.sx> Wed, 18 July 2018 12:40 UTC

MIME-Version: 1.0
References: <CADi0yUM+rm6A-pPqxFUh_Hn+msVCo1TpbWL=e=vz+p7E3VaK3g@mail.gmail.com> <a3c93381-e5f7-7079-cfc2-7e7aad99cd5b@htt-consult.com>
In-Reply-To: <a3c93381-e5f7-7079-cfc2-7e7aad99cd5b@htt-consult.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 18 Jul 2018 08:40:09 -0400
Message-ID: <CAL02cgSyoRLS-_mpkd6W17fWNG6Sie4wC4mQJZ7cM4nSdhkqpA@mail.gmail.com>
To: Robert Moskowitz <rgm-sec@htt-consult.com>
Cc: Hugo Krawczyk <hugo@ee.technion.ac.il>, CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000a38b540571455d7f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/efScHIqMEUC9PM12PIm4AqkbYSM>
Subject: Re: [Cfrg] OPAQUE: Secure aPAKE (presentation and draft)

The TXT one has an extra '.' character.  If you delete that, it works.

On Tue, Jul 17, 2018, 18:24 Robert Moskowitz <rgm-sec@htt-consult.com> wrote:

> Hugo,
>
> The link below to this draft is not working.  :(
>
> Bob
>
>
>
> On 07/11/2018 03:13 AM, Hugo Krawczyk wrote:
>
> During the CFRG meeting in Montreal I will have a short presentation
> about the OPAQUE protocol, the first PKI-free aPAKE ('a' is for
> asymmetric or augmented) to accommodate secret salt and be secure
> against pre-computation attacks.  In contrast, prior aPAKE protocols did
> not use salt and if they did, the salt was transmitted in the clear from
> server to user allowing for the building of pre-computed dictionaries.
>
> OPAQUE was presented in a recent paper at Eurocrypt 2018
> https://eprint.iacr.org/2018/163
> that includes a full proof of security in a strong aPAKE model that
> guarantees security against pre-computation.
>
> I believe OPAQUE to be a good candidate for standardization as an aPAKE.
> It compares favorably, both in actual security and proven security, to
> other aPAKE schemes considered for standardization, including SPAKE2+,
> AugPAKE and the old SRP. In particular, none of these protocols has
> a proof of security (*), not even in a weak model, and none can
> accommodate secret salt.
>
> I have not made the deadline for posting a draft before the IETF meeting
> so I am posting an unofficial version (that I will submit after the
> meeting) here:
> http://webee.technion.ac.il/~hugo/draft-krawczyk-cfrg-opaque-00.txt
> <http://webee.technion.ac.il/%7Ehugo/draft-krawczyk-cfrg-opaque-00..txt>
> http://webee.technion.ac.il/~hugo/draft-krawczyk-cfrg-opaque-00.pdf
>
> Comments are welcome (although I may be slow in responding)
>
> Hugo
>
> (*) Clarification: Contrary to what recent drafts have claimed, SPAKE2+
> does not have a proof as aPAKE - the protocol was described by Cash et al
> with a short informal discussion of its rationale and no intention to claim
> its security formally (the paper does not even contain a security model for
> aPAKE protocols). This is in contrast to SPAKE2 that does have a proof as
> PAKE (without the augmented part).
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>
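The distinction Hugo draws above between a salt sent in the clear and a secret salt, worked through as an added example that is not part of this thread or of the OPAQUE draft. OPAQUE gets its secret salt from an oblivious PRF (OPRF), as in the Eurocrypt paper cited in the message: the server's per-user key k plays the role of the salt, and the client obtains H(pw)^k through a blinded exchange in which k never leaves the server and the server never sees the password. The Python below is a toy: the group is a 128-bit safe-prime DH group generated when the module loads (far too small for real use; a real instantiation uses a cryptographic-size elliptic-curve or DH group), the hash-to-group map is hash-then-square, and the stored value is a plain hash of the OPRF output rather than OPAQUE's encrypted envelope and key exchange. The wordlist, the password and every function name are constructed for the example.

```python
import hashlib
import secrets

# Constructed wordlist standing in for the attacker's dictionary.
DICTIONARY = ["123456", "password", "letmein", "correct horse", "hunter2"]

def hash_salted(salt: bytes, password: str) -> bytes:
    # Stand-in for a password hash; real systems use a slow KDF here.
    return hashlib.sha256(salt + password.encode()).digest()

def enroll_clear_salt(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "verifier": hash_salted(salt, password)}

def precompute_clear_salt(salt: bytes, words) -> dict:
    # The server sends the salt to anyone who starts a login, so the
    # attacker builds this table offline, before any breach.
    return {hash_salted(salt, w): w for w in words}

def crack_clear_salt(table: dict, record: dict):
    # After the breach a single lookup recovers the password.
    return table.get(record["verifier"])

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    # Trial division by small primes, then Miller-Rabin.
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_safe_prime(bits: int):
    # Returns (p, q) with p = 2q + 1 both prime; the squares mod p form
    # the prime-order-q subgroup the OPRF works in.
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = gen_safe_prime(128)  # toy size: fast to generate, not secure

def hash_to_group(password: str) -> int:
    x = int.from_bytes(hashlib.sha256(b"H2G|" + password.encode()).digest(), "big")
    return pow(x % (P - 1) + 1, 2, P)  # squaring lands in the order-q subgroup

def oprf_blind(password: str):
    # Client: hides the password behind a fresh random exponent r.
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(hash_to_group(password), r, P)

def oprf_evaluate(k: int, blinded: int) -> int:
    # Server: applies its per-user key; it sees only a random group element.
    return pow(blinded, k, P)

def oprf_finalize(r: int, evaluated: int) -> int:
    # Client: strips r, leaving H2G(pw)^k; k never left the server.
    return pow(evaluated, pow(r, -1, Q), P)

def _verifier(output: int) -> bytes:
    # Simplified stand-in for what OPAQUE derives from the OPRF output.
    return hashlib.sha256(output.to_bytes(16, "big")).digest()

def enroll_oprf(password: str) -> dict:
    k = secrets.randbelow(Q - 1) + 1
    r, blinded = oprf_blind(password)
    return {"k": k, "verifier": _verifier(oprf_finalize(r, oprf_evaluate(k, blinded)))}

def crack_oprf(record: dict, words, k=None):
    # Pre-breach the attacker lacks k, so the best table it can build is over
    # H2G(w) alone and never matches; post-breach (k known) it must still run
    # the dictionary afresh for this one user.
    for w in words:
        h = hash_to_group(w)
        if _verifier(h if k is None else pow(h, k, P)) == record["verifier"]:
            return w
    return None

def run_demo(password: str = "correct horse") -> dict:
    rec_a, rec_b = enroll_clear_salt(password), enroll_oprf(password)
    table = precompute_clear_salt(rec_a["salt"], DICTIONARY)  # built pre-breach
    r, blinded = oprf_blind(password)
    out = oprf_finalize(r, oprf_evaluate(rec_b["k"], blinded))
    return {"clear_salt_cracked_at_breach": crack_clear_salt(table, rec_a),
            "oprf_output_correct": out == pow(hash_to_group(password), rec_b["k"], P),
            "oprf_cracked_before_breach": crack_oprf(rec_b, DICTIONARY),
            "oprf_cracked_after_breach": crack_oprf(rec_b, DICTIONARY, rec_b["k"])}
```

`run_demo()` puts the two schemes side by side: with a cleartext salt the dictionary table is finished before the breach and the password falls to one lookup the moment the verifier leaks, while with the OPRF the same wordlist cannot be matched against anything until k is exfiltrated, and even then the work is per user and starts only at that point. Two logins with the same password also produce unrelated blinded values, so the transcript itself gives an eavesdropper nothing to tabulate.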