IETF Logo Mail Archive

Re: [CFRG] RGLC on draft-irtf-cfrg-opaque-13

Kevin Lewi <lewi.kevin.k@gmail.com> Thu, 11 April 2024 23:14 UTC

Return-Path: <lewi.kevin.k@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B93BC14F711 for <cfrg@ietfa.amsl.com>; Thu, 11 Apr 2024 16:14:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1YotwVVvYEj8 for <cfrg@ietfa.amsl.com>; Thu, 11 Apr 2024 16:14:34 -0700 (PDT)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E1B0C14F70B for <cfrg@irtf.org>; Thu, 11 Apr 2024 16:14:34 -0700 (PDT)
Received: by mail-lj1-x22e.google.com with SMTP id 38308e7fff4ca-2d895138ce6so3428951fa.0 for <cfrg@irtf.org>; Thu, 11 Apr 2024 16:14:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712877272; x=1713482072; darn=irtf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=QMeq1wUETrMM5W5GGtn9SkzKQbCb455zbGbDbtNhJKs=; b=kYJfzhOdHQDdyVmRrzg4MYVxQzUxCSoLarFi2ymo7qzG8YRJcmkc4xQDUSG/V48V1B t/hhZpuL6dgZiGKmQZkf88akGvPf1qo5G5sMHXuKFNBk4y1otss2pTF4BWR1J19mrZko LzWrbc4xb0iFTSnq5j+H/+zBFW6QBOQC0Tuz6rehvr6oA0x8yEkEVOPqkmBy00xXuUxk DXWRej6gzni0NYNhcc7hYQ8Iq90FCisgg6XPzeCIpXLiWXrQ93fTkd3ZESTNomHbi47p cyPkm8IiSZLYnPTJI+nluH90M+LF/mlqdQnJLeRRGstrkqdZELNED3UcEQlMt2UOfKwG rg0w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712877272; x=1713482072; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=QMeq1wUETrMM5W5GGtn9SkzKQbCb455zbGbDbtNhJKs=; b=eADGuwibNhZNFm6YA/Uc90tZ7PWQujiB2lzN09QkW6rhjMe6tlPryy9wxeLCqtznuX y2kyXZKamwFMUSK4G8vstWQ/IRFSeZ2tX+X6Hl1K/JWLjJP6scCdlh1Dsl51m21f2x+7 CLLHwNSwKk1CEoVDieic7i5Jo8QpXOp/AI6Ur9ZZE26FEvWDb9KZdqyun7XEUH6xUesW 1ZCv5iLB2cwwC0v5TnpK+HBZx1vBKMoYSSGa60txCIJmsVZhXJNn99kQl14mrT3SqeZI x4B4GoxUU/9Wj2nNr3zhLnINzqerbF3EKlPIUk1jFUEQfmaLcflyzDYDth8s7I0wEvBO 8zEQ==
X-Gm-Message-State: AOJu0Yx7lJXlHbTPODfKvyev1vYk+CzLEmZtJrLgz57iV6SvRdGhHte/ ExG7bVZsZHWgIivfYi6PAKM2eBTzC091W12xMtIlkZPjUxdw+dkvAqJwct1gM0G2ajVlm1NKbuF XvEeXabh8rDT6GvtSXF0pjMdB0sa993NH
X-Google-Smtp-Source: AGHT+IHDWZfJt4l2g533WQXlV3xqYorxo6f4ysJ/3tE1CF37fFlyP1e9IxQ9YntaaRHcE2sI0JBBoJQHJahYC6HvXmU=
X-Received: by 2002:a05:651c:19a0:b0:2d8:5e21:8ec5 with SMTP id bx32-20020a05651c19a000b002d85e218ec5mr674206ljb.48.1712877271989; Thu, 11 Apr 2024 16:14:31 -0700 (PDT)
MIME-Version: 1.0
References: <CAMr0u6kOrbwdHEDmmGsVYzqjsEbzBCCtGL39jckNbSWsEumOQg@mail.gmail.com> <994001115.165708.1706765982169@email.ionos.com> <CACitvs8zzoQVY4uo1zOtoBWrSVOLfzGFBCsMnevxnCMXg-CJGw@mail.gmail.com> <CACitvs_kEOgBC0eZNbHZ1EBy6v7kqL2-99-A1kRD_QqTaTuQKw@mail.gmail.com> <CAMr0u6khy2oo6GpxYYWq803NPYvKHLk4=9Lf7Z5ddNVu8KbiZw@mail.gmail.com>
In-Reply-To: <CAMr0u6khy2oo6GpxYYWq803NPYvKHLk4=9Lf7Z5ddNVu8KbiZw@mail.gmail.com>
From: Kevin Lewi <lewi.kevin.k@gmail.com>
Date: Thu, 11 Apr 2024 16:14:21 -0700
Message-ID: <CACitvs-_iZ145ok1A8peN642Z2DmA=Pd1T2cJwrFnQo_PZxWqw@mail.gmail.com>
To: IRTF CFRG <cfrg@irtf.org>
Cc: steve@tobtu.com, cfrg-chairs@ietf.org, draft-irtf-cfrg-opaque@ietf.org
Content-Type: multipart/alternative; boundary="00000000000057481f0615da51fd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/hXnLfgLe2PP34-PZTuhUZdZ8Xms>
Subject: Re: [CFRG] RGLC on draft-irtf-cfrg-opaque-13
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Apr 2024 23:14:39 -0000

@steve@tobtu.com <steve@tobtu.com>: Just wanted to check one last time if
you had a chance to review our response. We have updated the latest version
of the draft (draft-irtf-cfrg-opaque-14), which we believe addresses your
feedback. See also the github PR which has some additional discussion:
https://github.com/cfrg/draft-irtf-cfrg-opaque/pull/448

If you could let us know if the changes address your concerns, that
would be great, as it would unblock the process forward.

Thanks!
Kevin

On Mon, Mar 25, 2024 at 4:55 AM "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
<klewi-forward@cs.stanford.edu> wrote:

> Dear CFRG,
>
> The authors have updated the draft.
> Please feel free to express whether the changes address your concerns.
>
> Regards,
> Stanislav (for chairs)
>
> On Tue, Mar 5, 2024 at 9:37 AM Kevin Lewi <klewi@cs.stanford.edu> wrote:
>
>> Hi Steve!
>>
>> Just wanted to check in and see if you had a chance to review my response
>> to your feedback above. Let me know if there is anything else that you
>> would like to see addressed explicitly, or if we are good to go.
>>
>> Kevin
>>
>> On Sun, Feb 11, 2024 at 8:59 PM Kevin Lewi <klewi@cs.stanford.edu> wrote:
>>
>>> (Replying to:
>>> https://mailarchive.ietf.org/arch/msg/cfrg/Fxxdbe6sBae9yqTtZfwrGvtAKRQ/)
>>>
>>> Hi Steve,
>>>
>>> Appreciate the review and the feedback! Here are my thoughts:
>>>
>>> 1) "There should be a section mentioning that OPAQUE is doubly augmented
>>> and why that's better than augmented."
>>>
>>> I gave this some thought and I think I understand the distinction
>>> between an sdPAKE vs. aPAKE. But I am not entirely sure if we should get
>>> into this level of detail in the draft, mainly because I am struggling to
>>> figure out how to phrase this in a way that is generally understandable to
>>> most readers without causing confusion. However, if you do feel like this
>>> would be necessary to include in the draft text, can you perhaps write up a
>>> suggested paragraph under a new subsection of the "Security Considerations"
>>> section which covers this detail? Then we can discuss and iterate on the
>>> wording. You can also open a PR on
>>> https://github.com/cfrg/draft-irtf-cfrg-opaque/pulls and we can
>>> continue the discussion via comments over there.
>>>
>>> 2) Section 10.3. "Related Protocols" should probably be removed.
>>>
>>> I agree, good suggestion! I went ahead and put up a PR for this change.
>>> https://github.com/cfrg/draft-irtf-cfrg-opaque/pull/443
>>>
>>> 3) The mentions of "offline registration" should be changed to "online
>>> registration".
>>>
>>> Good point, this is confusing. Seems like we have a PR up (
>>> https://github.com/cfrg/draft-irtf-cfrg-opaque/pull/439) to address
>>> this, by changing "offline registration" to simply read as "registration"
>>> (no "online"). Let me know if that also sounds acceptable.
>>>
>>> 4) Now the good parts of OPAQUE that weren't mentioned. Stateless HSM
>>> implementation.
>>>
>>> I agree with this as well, but similar to point #1, do you think that
>>> this is something that we actually need to include explicitly in the draft
>>> text? And if so, do you have a suggested change or wording that would be
>>> suitable for adding to one of the sections?
>>>
>>> Let me know if I missed anything.
>>>
>>> Thanks,
>>> Kevin
>>>
>>>
>>> On Thu, Feb 1, 2024 at 12:39 AM <steve@tobtu.com> wrote:
>>>
>>>> I've been meaning to do a full review and just checked the status. So
>>>> this might be a little rushed. Anyway...
>>>>
>>>> ----
>>>>
>>>> "Asymmetric PAKE" is not a thing. aPAKE means "augmented PAKE" and some
>>>> time ago people saw "aPAKE" and thought it meant asymmetric because of it's
>>>> asymmetrical relation between the client and server. The first PAKE was a
>>>> balanced PAKE and it was then augmented so that a server doesn't hold a
>>>> password equivalent. There are currently four types of PAKEs: balanced,
>>>> augmented, doubly augmented, and identity. Abbreviated bPAKE, aPAKE, dPAKE,
>>>> iPAKE and if the non-balanced PAKE has an OPRF then it is "strong" and is
>>>> prefixed with an "s". Note that bPAKE ⊂ aPAKE ⊂ dPAKE ⊂ iPAKE. For info on
>>>> iPAKEs see https://eprint.iacr.org/2020/529.
>>>>
>>>> Doubly augmented PAKEs' best use case is WiFi: compromising a device
>>>> doesn't lead to being able to act as an AP. The first description of a
>>>> dPAKE: "SPAKE2 can even be doubly augmented, where Alice does the same
>>>> thing, but I'm not sure if there's any application to that." -Mike Hamburg (
>>>> https://moderncrypto.org/mail-archive/curves/2015/000424.html). I
>>>> actually couldn't think of a reason either until around the time the WiFi
>>>> Alliance picked a known to be broken bPAKE.
>>>>
>>>> Which brings us to OPAQUE is not an aPAKE, it's a sdPAKE. One way to
>>>> think of OPAQUE, as a sdPAKE, is that it's a cert delivery protocol. Once
>>>> the client has the cert they just store and use it. There should be a
>>>> section mentioning that OPAQUE is doubly augmented and why that's better
>>>> than augmented
>>>
>>>

v2.23.0 | Report a Bug | By Email