[Cfrg] publishing dragonfly (was: Re: 2^40. I can't exhibit it, but it exists.)
David McGrew <mcgrew@cisco.com> Wed, 05 February 2014 13:32 UTC
Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AC1B1A012D for <cfrg@ietfa.amsl.com>; Wed, 5 Feb 2014 05:32:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.035
X-Spam-Level:
X-Spam-Status: No, score=-10.035 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TrfsjQeMoJo1 for <cfrg@ietfa.amsl.com>; Wed, 5 Feb 2014 05:32:05 -0800 (PST)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) by ietfa.amsl.com (Postfix) with ESMTP id 41F201A00FF for <cfrg@irtf.org>; Wed, 5 Feb 2014 05:32:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=21642; q=dns/txt; s=iport; t=1391607124; x=1392816724; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to; bh=cDogj9FOE7kwchK/emlwcWnNUl1n4lLi0uFxfuCyrbI=; b=mo8acyORIeCT9iSehstR75PX5BpSRku0U3XCbySSblD+dNSgVe5rXYFC gRjxwFsNzuvCRBVYSf0aQG4wgSJp3fviJUDBHfOPH3eL//ydqTcxU4D85 mIdJDNQjQ1rj2ZgNAOWsyx+gMKQSDdcJThgrkFWleTVLNLQaPjBxJYT8d 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhQFAOY88lKtJXHB/2dsb2JhbABPCoMMOL8agQ8WdIIlAQEBAwEBAQELVwMGCgEFCxwEAQEBCQ8HCAcJAwIBAgEPBh8JCAYNAQUCAgULB4dWAwkIDcYMDYkOF4xRDxmBIFwHGIQgBIlJjHaBbIZIhhaFQ4NLHg
X-IronPort-AV: E=Sophos; i="4.95,786,1384300800"; d="scan'208,217"; a="18129852"
Received: from rcdn-core2-6.cisco.com ([173.37.113.193]) by alln-iport-3.cisco.com with ESMTP; 05 Feb 2014 13:32:02 +0000
Received: from [10.0.2.15] (rtp-mcgrew-8913.cisco.com [10.117.10.228]) by rcdn-core2-6.cisco.com (8.14.5/8.14.5) with ESMTP id s15DW1iV024004; Wed, 5 Feb 2014 13:32:01 GMT
Message-ID: <52F23D52.4090509@cisco.com>
Date: Wed, 05 Feb 2014 08:32:02 -0500
From: David McGrew <mcgrew@cisco.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130922 Icedove/17.0.9
MIME-Version: 1.0
To: Watson Ladd <watsonbladd@gmail.com>
References: <20140203192451.6268.76511.idtracker@ietfa.amsl.com> <7af2f9df96e5867d493c614806235363.squirrel@www.trepanning.net> <CACsn0cm1f-P95je5AbEbZ02Ut3+HM7Hx28P6j46TqE-=06eZDg@mail.gmail.com> <52F00EF3.3040505@cisco.com> <CACsn0c=zS5GKex3eF_hKgTsL1kH=TiBi3iAP9oMrJ9hDQcT4Gw@mail.gmail.com> <7BAC95F5A7E67643AAFB2C31BEE662D018B81B7DE5@SC-VEXCH2.marvell.com> <CACsn0cn0TaHsDkyN2ewOorxxBzXivCg=QGR-ZnBiC3nJhvhpRg@mail.gmail.com> <14AB44E0-4C90-4E4C-A656-885A31CF4C02@checkpoint.com> <CACsn0cmDT-FAN8uMZ0w8TX6GKPAZjnrexLeFQd7QhRfoY6AGFQ@mail.gmail.com> <75e1e853dc391b418062ee5e51adeb2f.squirrel@www.trepanning.net> <CABqy+sr7ZKrACj4Ga2_75d9Kea0aKbrp2P5fWWu4YZP53zijxw@mail.gmail.com> <CACsn0cmS152wYQWHiX8ykzaMM=6b=r=fwVuLfPj_u0wmoq0jKw@mail.gmail.com> <7BAC95F5A7E67643AAFB2C31BEE662D018B81B7F7C@SC-VEXCH2.marvell.com> <CACsn0c=a5PvZOZgVRjHaJ2avGCPHF6b6nOpNh+iT0909X-jUFA@mail.gmail.com>
In-Reply-To: <CACsn0c=a5PvZOZgVRjHaJ2avGCPHF6b6nOpNh+iT0909X-jUFA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------060502060707000702090809"
Cc: cfrg@irtf.org
Subject: [Cfrg] publishing dragonfly (was: Re: 2^40. I can't exhibit it, but it exists.)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Feb 2014 13:32:10 -0000
On 02/04/2014 06:43 PM, Watson Ladd wrote: > > > On Feb 4, 2014 2:06 PM, "Paul Lambert" <paul@marvell.com > <mailto:paul@marvell.com>> wrote: > > > > > > > > >From: Cfrg [mailto:cfrg-bounces@irtf.org > <mailto:cfrg-bounces@irtf.org>] On Behalf Of Watson Ladd > > >Sent: Tuesday, February 04, 2014 12:12 PM > > > > > > > > >This attack is interesting because of the limits it puts on > reductions, which are > > >the main tool for doing cryptography. If dragonfly could be shown > to have no > > >other weaknesses this would be fine, but no such proof is forthcoming. > > > > When you say 'no other' you continue to imply that you have > identified a realistic exploitable weakness. The difficulty in > 'reducing' the Dragonfly proposal is not a exploitable flaw. The > changes necessary in protocol to allow a formal proof may in fact > weaken the overall security of the protocol (reference below). > > The paper below claims no such thing. I am claiming that there is a > weakness in standard model security for dragonfly, not that there is > an exploitable flaw. > > In fact tight reductions are possible, despite your claim otherwise. > > > > > > > > On the Security Loss in Cryptographic Reductions > > > > Proceeding: EUROCRYPT '09 Proceedings of the 28th Annual > International Conference on Advances in Cryptology: the Theory and > Applications Cryptographic Techniques > > > > Pages 72 - 87 > > > > Almost all the important cryptographic protocols we have today base > their security on unproven assumptions, which all imply NP $\ne$ P, > and thus having unconditional proofs of their security seems far > beyond our reach. One research effort then is to identify more basic > primitives and prove the security of these protocols by reductions to > the security of these primitives. However, in doing so, one often > observes some security loss in the form that the security of the > protocols is measured against weaker adversaries, e.g., adversaries > with a smaller running time. Is such a security loss avoidable? We > study two of the most basic cryptographic reductions: hardness > amplification of one-way functions and constructing pseudorandom > generators from one-way functions. We show that when they are done in > a certain black-box way, such a security loss is in fact unavoidable. > > > > > > > > > > > > Your adamancy to make up issues with Dragonfly seems to imply you > feel this is a 'down selection' between multiple protocols. It is > not. TLS is one possible application, but the Dragonfly protocol was > written in a generic manner to specifically allow the analysis > independent of the target application. Other schemes would be viable > for TLS and I would strongly support publication and review of > multiple password protocol alternatives for TLS. > > > > I am not "making up issues". I simply think that when a protocol goes > into an RFC it gets used. And that means we should be careful with the > protocols we publish. > There are plenty of RFCs that specify things that are rarely used. For instance, CAST-128, CAST-256, and RC5 were defined in RFCs, yet never saw significant use in the Internet. Anyway, my understanding is that Dragonfly is already in use, as Paul describes below. It makes sense for CFRG to publish an RFC that describes how it can be implemented in a way that avoids timing attacks, and that documents security considerations around its use, including considerations around the lack of a proof of security. In the past, some people have been very vocal in their criticism of the dragonfly draft for *not* containing these things. It is just not a credible suggestion to ask that the draft not be improved, and that the changes to the draft not get review from this list. Instead of trying to prevent the publication or review of improved versions of the draft, you should suggest changes and additions to the draft that describe the issues that you have found. If you suggest text that the RG agrees with, it will end up in the draft, and you will have made your points. > Which alternative do you think TLS should use? > > > > > > The Dragonfly protocol has been in other standards act ivies for > quite a few years (usually called SAE). The review in this forum has > improved side channel security. Your suggestions for other TLS > solutions should not block the analysis of this protocol if it is > secure. Making sure we have clarity on the actual security of a > fielded solution in critical and we should be professional and correct > in our analysis. Mesh networking networks are using SAE (aka > Dragonfly). Other consumer oriented applications will appear based on > the analysis that the protocol has no exploitable weakness. > > > > > > Not our problem. We are the IETF not the consumer electronics board. > CFRG is the IRTF, not the IETF. > Analyse it yourself. Or wait for someone else to do so. Or pay. > > > > > Do also note that the IPR disclosures for AugPAKE that you advocate > have limitations and are constrained to the IETF and TLS. AugPAKE is > completely unacceptable for any broader application in consumer > equipment (IMHO). There are many engineering criteria to balance in > the section of appropriate algorithms for the industry. Support of > 'reductions' for a formal proof are way down the list in my > priorities. I see that we disagree on this point, and hope that you > would look at the broader set of industry requirements and tone down > your rhetoric. If you continue to have objections, please be clear > and correct with the analysis. You still owe the group a > clarification or a retraction on your claimed 2^40th attack on Dragonfly. > > > > It's a foundations of hashing style attack: utterly impractical but > theoretically important. > > Why don't you list the requirements, and we'll come up with a protocol > that meets them? > > What about being secure against reflection attacks or being well studied? > > Of course I thought we were here to support the IETF. Still, this > explains WEP: marvel does not have a single cryptographer reviewing > standards submissions and expects it to be done by the community. > This slap at Paul and Marvel is not OK. Discussion on the list needs to stick to technical substance and be polite. David > > > > > > Thanks, > > > > > > > > Paul > > > > > > > > > > > > > > > > From: Cfrg [mailto:cfrg-bounces@irtf.org > <mailto:cfrg-bounces@irtf.org>] On Behalf Of Watson Ladd > > Sent: Tuesday, February 04, 2014 12:12 PM > > To: rransom. 8774; cfrg@irtf.org <mailto:cfrg@irtf.org> > > Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-03.txt > > > > > > > > > > On Feb 4, 2014 11:41 AM, "Robert Ransom" <rransom.8774@gmail.com > <mailto:rransom.8774@gmail.com>> wrote: > > > > > > On 2/4/14, Dan Harkins <dharkins@lounge.org > <mailto:dharkins@lounge.org>> wrote: > > > > > > > This is mentioned in section 6.3 of RFC 5931 (dragonfly as an EAP > > > > method), knowledge of r where PE = r * G can enable a dictionary > > > > attack. But knowledge of r requires doing a discrete logarithm. > A discrete > > > > logarithm is assumed to be "computationally infeasible" and > you're talking > > > > about doing 2^40 of them!?! > > > > > > <http://cr.yp.to/papers.html#nonuniform> is relevant here. It > > > discusses several other 'attacks' of this general type, and explains > > > why they should not be taken seriously. > > > > Bernstein actually argues that one should define complexity measures > to exclude such attacks. This is clear in the paper. Unfortunately > time memory product for the weak password variation is only 2^40. > > > > The problem with foundations of hashing usually isn't a real > problem: one can sign r,H (r, m) with r random to bypass it. > > > > This attack is interesting because of the limits it puts on > reductions, which are the main tool for doing cryptography. If > dragonfly could be shown to have no other weaknesses this would be > fine, but no such proof is forthcoming. > > > > Such a proof would be in the ROM, but as the IETF 88 slides show it > would be tricky. > > > > > > > > > Robert Ransom > > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg
- [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-03.t… internet-drafts
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Dan Harkins
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Watson Ladd
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… David McGrew
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Watson Ladd
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… David McGrew
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Dan Harkins
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Paul Lambert
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Watson Ladd
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Dan Harkins
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Yoav Nir
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Watson Ladd
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Mike Hamburg
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Dan Harkins
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Robert Ransom
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Watson Ladd
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] 2^40. I can't exhibit it, but it exist… Paul Lambert
- Re: [Cfrg] 2^40. I can't exhibit it, but it exist… Michael Hamburg
- Re: [Cfrg] 2^40. I can't exhibit it, but it exist… Watson Ladd
- [Cfrg] publishing dragonfly (was: Re: 2^40. I can… David McGrew
- Re: [Cfrg] publishing dragonfly (was: Re: 2^40. I… Eggert, Lars
- Re: [Cfrg] publishing dragonfly (was: Re: 2^40. I… Manger, James
- Re: [Cfrg] publishing dragonfly (was: Re: 2^40. I… Eggert, Lars
- [Cfrg] NSA sabotaging crypto standards Manger, James
- Re: [Cfrg] NSA sabotaging crypto standards Alexandre Anzala-Yamajako
- Re: [Cfrg] how can CFRG improve cryptography in t… Rob Stradling
- Re: [Cfrg] NSA sabotaging crypto standards Eggert, Lars
- Re: [Cfrg] NSA sabotaging crypto standards Watson Ladd
- Re: [Cfrg] NSA sabotaging crypto standards Paul Hoffman
- Re: [Cfrg] NSA sabotaging crypto standards Watson Ladd
- Re: [Cfrg] NSA sabotaging crypto standards Paul Hoffman
- Re: [Cfrg] NSA sabotaging crypto standards David McGrew
- Re: [Cfrg] NSA sabotaging crypto standards Dan Harkins
- Re: [Cfrg] NSA sabotaging crypto standards Watson Ladd
- Re: [Cfrg] how can CFRG improve cryptography in t… David McGrew
- Re: [Cfrg] NSA sabotaging crypto standards Nikos Mavrogiannopoulos
- Re: [Cfrg] NSA sabotaging crypto standards Watson Ladd
- Re: [Cfrg] NSA sabotaging crypto standards Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] NSA sabotaging crypto standards Watson Ladd
- [Cfrg] how can CFRG improve cryptography in the I… David McGrew
- Re: [Cfrg] how can CFRG improve cryptography in t… Daniel Kahn Gillmor
- Re: [Cfrg] NSA sabotaging crypto standards Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] how can CFRG improve cryptography in t… Hannes Tschofenig
- Re: [Cfrg] how can CFRG improve cryptography in t… Rene Struik
- Re: [Cfrg] how can CFRG improve cryptography in t… Stephen Farrell
- Re: [Cfrg] how can CFRG improve cryptography in t… dan
- Re: [Cfrg] how can CFRG improve cryptography in t… Watson Ladd
- Re: [Cfrg] how can CFRG improve cryptography in t… Daniel Kahn Gillmor
- Re: [Cfrg] how can CFRG improve cryptography in t… David McGrew
- Re: [Cfrg] how can CFRG improve cryptography in t… Stephen Farrell
- Re: [Cfrg] how can CFRG improve cryptography in t… Tom Ritter
- Re: [Cfrg] how can CFRG improve cryptography in t… Igoe, Kevin M.
- Re: [Cfrg] how can CFRG improve cryptography in t… Hannes Tschofenig
- Re: [Cfrg] how can CFRG improve cryptography in t… Hannes Tschofenig
- Re: [Cfrg] how can CFRG improve cryptography in t… Hannes Tschofenig
- Re: [Cfrg] how can CFRG improve cryptography in t… David McGrew
- Re: [Cfrg] how can CFRG improve cryptography in t… Paul Lambert
- Re: [Cfrg] how can CFRG improve cryptography in t… Watson Ladd
- Re: [Cfrg] how can CFRG improve cryptography in t… Rene Struik
- Re: [Cfrg] how can CFRG improve cryptography in t… Geoffrey Waters
- Re: [Cfrg] how can CFRG improve cryptography in t… S Moonesamy
- Re: [Cfrg] how can CFRG improve cryptography in t… David McGrew