[CFRG] IRSG review draft-irtf-cfrg-spake2-20
Julia Hesse <juliahesse2@gmail.com> Tue, 07 September 2021 08:41 UTC
Return-Path: <juliahesse2@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B46E63A14F1 for <cfrg@ietfa.amsl.com>; Tue, 7 Sep 2021 01:41:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eCn14MRsy0kU for <cfrg@ietfa.amsl.com>; Tue, 7 Sep 2021 01:41:39 -0700 (PDT)
Received: from mail-ej1-x636.google.com (mail-ej1-x636.google.com [IPv6:2a00:1450:4864:20::636]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D90193A14F3 for <cfrg@ietf.org>; Tue, 7 Sep 2021 01:41:38 -0700 (PDT)
Received: by mail-ej1-x636.google.com with SMTP id i21so18213892ejd.2 for <cfrg@ietf.org>; Tue, 07 Sep 2021 01:41:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:from:subject:message-id:date:user-agent:mime-version; bh=2TFLTd+HVTkepsuST/xPry5dp4XVMGoSXF//2OFkzMc=; b=Lry/j8mDSIXEMfgxMV8XDPbN/scuOBV8HPlk0F/Ei8+/mKdf9ChdE9h2mAcsX4oUDa p5+3/59IqtMoSEempf6FoalE56lKOD8g/VrIBPHDDnRsf3anMXLCjYdXZAL7E98iopcn XkrPZiwV/9hKTigKLO0xKpfUDWxaCfNL+714IqGv09h6fYzNIefGItBxXaJJixbGrYxb WM9B5tQWCLFW80j374Ljr1/k9gDY+VP3LudDQmJ2lapU/mh8+gBX6E9rArI9pYZKop0P wqJwmORcCE5R46hxq3+C5JDnnwrkEMWfUNBzpEZtZMwQIxFs4ZUFBxKzD/WN7Hr6ohTK hSpg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version; bh=2TFLTd+HVTkepsuST/xPry5dp4XVMGoSXF//2OFkzMc=; b=PiUIJIaQLiCJIy2eoCsCVILxMnC3HQExx851HOqiq1bcORykNeFzgch1Aa5UqVHziV BzKZo16ICYDmus7Hr4mr5HR3Ses6dPP4COq78p9nqJIYxbvmdW2sGrivreu/MMlAxI8r KCegJj+tQEXWQjNCvI7sHDBxIY2Ytmu35R3gyTLEY6HfUfnwedW3yFQP/VOGS4Ukbvlu 6hUZK5IKrK/uM8a0OmYQNJpeyHXIFDGrYE6Ss4ae6Sobm9mVN2WB+771NTqncLtpJNQu Q9Cvuh/dRuvpitgbqPLSbd4oXoKT77YJmwQbgxwMaTeSQ7fKgKdBxyN9xREZ0Cq5dBmI znbg==
X-Gm-Message-State: AOAM532BCgTATcRJUxcNaWoGEczbFJ19VotKFAEtM0EG7z/weoxPzdl3 RdaIeaQLNUcUvsZw21xA1vg=
X-Google-Smtp-Source: ABdhPJxZ32Ol+Ro7rrmCmCPZecIQjxaZWKzh5+Hq283CtPWZ661f4HyMj8b3+azrV8Au9S5BNmNQ0A==
X-Received: by 2002:a17:906:ed1:: with SMTP id u17mr17806115eji.304.1631004095437; Tue, 07 Sep 2021 01:41:35 -0700 (PDT)
Received: from ?IPv6:2001:620:20:16:ffff:0:8a5d:8611? ([2001:620:20:16:ffff:0:8a5d:8611]) by smtp.gmail.com with ESMTPSA id b2sm5133517ejj.124.2021.09.07.01.41.34 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 07 Sep 2021 01:41:35 -0700 (PDT)
To: crypto-panel@irtf.org, watsonbladd@gmail.com, kaduk@mit.edu, cfrg@ietf.org
From: Julia Hesse <juliahesse2@gmail.com>
Message-ID: <aad93bd3-3dd2-bd53-ca21-d6f2632a3cb5@gmail.com>
Date: Tue, 07 Sep 2021 10:41:35 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------85F3B6315A9B5E6F23ABD772"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/fDOZ2AcNmewIxtgU2rX3hmdeX9Y>
Subject: [CFRG] IRSG review draft-irtf-cfrg-spake2-20
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Sep 2021 08:41:42 -0000
Dear all, below is a review of the latest SPAKE2 draft. I did not verify changes in test vectors. The // - questions were posted by Chris Wood here https://gist.github.com/chris-wood/2205c8e79b309adec5a785470d31226e <https://gist.github.com/chris-wood/2205c8e79b309adec5a785470d31226e> and my * comments are about how they were addressed. Best regards, Julia // - Should we include a definition of UKS attacks inline, rather than cite draft-ietf-mmusic-sdp-uks? * Resolved. Maybe substitute "over who is authenticated" by "over whom the key is shared with"? Because this is tied to the key. // - Should SPAKE2 require that the output length of Hash is at least 256-bits? (It's output is split in half to derive Ke and Ka, and we probably want those to have at least 128 bits.) * Watson said he will add the requirement, but I cannot seem to find it. However, all ciphersuites use at least SHA-256 and it is very clear from the draft that the key length is half of the hash output. So I do not see the need to edit further in this regard. // - What does it mean to exchange messages symmetrically? (In the per-user M and N section) * Resolved. I suggest to remove "to have a symmetric variant" - it is not needed and might cause confusion (variant of what?) // - Beyond scalar multiplication being constant time, are there any other constant time considerations we should include? * Resolved // - Why is Ke not included in the test vectors? It may be redundant, but it seems useful as an additional sanity check. // - There are currently no test vectors that include AAD -- should we add some? * I have not verified these two. // - Why is len() a little-endian output? * I agree with Watson to be consistent with Kerberos here // - Should we clarify that the transcript assumes a particular point encoding scheme, and that is to be defined by the calling application or implementation? * Resolved Some more comments, not related to the IRSG review, below. I was missing a minimal list of data that A and B can start SPAKE2 from: ciphersuite, pw, A, B, M, N - did I forget something? What about the output key length? This can be easily included in 3.2, replacing "A and B are provisioned with information such as..." The document does not specify who uses M and who uses N. In the M\neq N variant of the protocol, which is mostly described in this draft, this is relevant, since no analysis was conducted in case A sends both xM and xN (a solution that implementors are not unlikely to come up with). I would include an instruction in the RFC, e.g., that the application must ensure that M and N are assigned to A and B, e.g., by having them apply some lexicographically-first-... rule. p.2 The KDF has only 3 inputs, but a fourth (key length L) is described in the text p.3 servers -> serves flow figure should include "verify cA" and "verify cB", since it is a MUST. p.4 remove unnecessary variables T and S? E.g., directly set pB=w*N+Y.
- [CFRG] IRSG review draft-irtf-cfrg-spake2-20 Julia Hesse
- Re: [CFRG] IRSG review draft-irtf-cfrg-spake2-20 Watson Ladd
- Re: [CFRG] IRSG review draft-irtf-cfrg-spake2-20 Colin Perkins
- Re: [CFRG] [Crypto-panel] IRSG review draft-irtf-… Stanislav V. Smyshlyaev
- Re: [CFRG] IRSG review draft-irtf-cfrg-spake2-20 Julia Hesse
- Re: [CFRG] IRSG review draft-irtf-cfrg-spake2-20 Watson Ladd
- Re: [CFRG] IRSG review draft-irtf-cfrg-spake2-20 Julia Hesse
- Re: [CFRG] IRSG review draft-irtf-cfrg-spake2-20 Watson Ladd
- Re: [CFRG] [Crypto-panel] IRSG review draft-irtf-… Stanislav V. Smyshlyaev