Re: [Cfrg] RFC 7664 on Dragonfly Key Exchange
"Dan Harkins" <dharkins@lounge.org> Thu, 12 November 2015 12:51 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 766DA1A8847; Thu, 12 Nov 2015 04:51:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.867
X-Spam-Level:
X-Spam-Status: No, score=-3.867 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 93A7WgkkM719; Thu, 12 Nov 2015 04:51:29 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id F3F021A8848; Thu, 12 Nov 2015 04:51:28 -0800 (PST)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 5D2A710224066; Thu, 12 Nov 2015 04:51:28 -0800 (PST)
Received: from 216.1.225.186 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Thu, 12 Nov 2015 04:51:28 -0800 (PST)
Message-ID: <a8ac385bf717dc16a9c88c85f2c049c8.squirrel@www.trepanning.net>
In-Reply-To: <CAHOTMVKnrjeLVi9tgXNBAp8ib4-ECQU-aG4jD9sqh9=1-7P38w@mail.gmail.com>
References: <20151112010004.7D71718000B@rfc-editor.org> <CACsn0cmK5bicERd17PMdha3P2V0rfFfQP11WzQ=trF7e=oDKpA@mail.gmail.com> <CAHOTMVKnrjeLVi9tgXNBAp8ib4-ECQU-aG4jD9sqh9=1-7P38w@mail.gmail.com>
Date: Thu, 12 Nov 2015 04:51:28 -0800
From: Dan Harkins <dharkins@lounge.org>
To: Tony Arcieri <bascule@gmail.com>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/fuo-S2T0Qnro7aXYdMZf5zdZ9Is>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, rfc-dist@rfc-editor.org, irtf-announce@irtf.org, ietf-announce@ietf.org, rfc-editor@rfc-editor.org
Subject: Re: [Cfrg] RFC 7664 on Dragonfly Key Exchange
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2015 12:51:34 -0000
On Wed, November 11, 2015 7:12 pm, Tony Arcieri wrote: > On Wed, Nov 11, 2015 at 5:18 PM, Watson Ladd <watsonbladd@gmail.com> > wrote: > >> Dear all, >> This protocol does not match the one whose security was proven. The >> modification is cheap: include identities in the Confirmation >> Exchange. It's specifically suggested in the text. Why was this not >> done? I wanted to do that but was told not to by one of the chairmen because that was not the exchange that was reviewed by the group. > I second this and also I find the "Security Considerations" section of > this > draft incredibly misleading. Specifically it claims: > > > This key exchange protocol has received cryptanalysis in [clarkehao]. > [lanskro] provides a security proof of Dragonfly in the random oracle > model > when both identities are included in the data sent in the Confirm Exchange > (see Section 3.4). > > > This is, at best, a rather "rose colored glasses" interpretation of the > actual [clarkehao] paper: It is nothing of the sort. That comment refers to the -00 version of the draft which was rushed to get out before an I-D cut-off date-- to see how rushed, note the "Acknowledgements" section of the draft is the xml2rfc boilerplate. In my haste I failed to include a check to validate received elements (note that EAP-pwd which uses the exchange and was published before the draft was written includes element validation so it was part of the exchange, just not included in the -00 version). > https://eprint.iacr.org/2013/058.pdf > > In this paper, we examine the security properties of the Dragonfly > protocol. Contrary to the authorâs claims, we show that both variants > are > subject to an off-line dictionary attack. In this paper, we will base our > analysis upon the original protocol specification as defined in a > peer-reviewed paper [1]. However, the attack we will present is trivially > applicable to the variant specified in [2]. (According to the Dragonfly > author, the current Internet draft, which expires on April 15, 2013 [2], > will be changed soon in light of our reported attack.) > > > I would suggest the protocol be updated as Watson suggests, and that the > wording in "Security Considerations" be modified to clarify the attacks > discovered in the cited [clarkehao] paper and how they have (not yet, but > should be per [lanskro]) been remediated. I would kindly suggest you read the RFC and then read the full paper because it is plainly obvious that you didn't get past the introduction. regards, Dan. > -- > Tony Arcieri > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [Cfrg] RFC 7664 on Dragonfly Key Exchange rfc-editor
- Re: [Cfrg] RFC 7664 on Dragonfly Key Exchange Watson Ladd
- Re: [Cfrg] RFC 7664 on Dragonfly Key Exchange Tony Arcieri
- Re: [Cfrg] RFC 7664 on Dragonfly Key Exchange Andy Lutomirski
- Re: [Cfrg] RFC 7664 on Dragonfly Key Exchange Dan Harkins
- Re: [Cfrg] RFC 7664 on Dragonfly Key Exchange Tony Arcieri
- Re: [Cfrg] RFC 7664 on Dragonfly Key Exchange Dan Harkins
- Re: [Cfrg] RFC 7664 on Dragonfly Key Exchange Andy Lutomirski