[Cfrg] dragonfly, was: Re: Time to recharter CFRG as a working group? Was: Re: [secdir] ISE seeks help with some crypto drafts

Dan Harkins <dharkins@lounge.org> Mon, 25 March 2019 12:47 UTC

Date: Mon, 25 Mar 2019 05:44:05 -0700
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <CAHOTMVJ2StG-wv6FRMescF=0PiZ4ei-MA0H+EV3QNiCb8yGFCQ@mail.gmail.com>
To: cfrg@irtf.org
Message-id: <4831964a-19de-2c33-bd6d-de33a2c63276@lounge.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/lNFkQxnCQpi7dEX6cNI0ewZAuGw>

On 3/10/19 4:20 PM, Tony Arcieri wrote:
> On Sun, Mar 10, 2019 at 3:46 PM StJohns, Michael <msj@nthpermutation.com> wrote:
>     In recent years, the CFRG has produced documents that are for lack
>     of a better phrase de facto standards.  The rate of document
>     production of the CFRG mimics more closely that of a WG than the
>     other extant RGs AFAICT.   As an RG the CFRG isn’t permitted to
>     publish standards track documents, nor is the IESG or the ISE
>     permitted or constrained to require a conflict review on the
>     documents the CFRG does produce.  [the latter comment is my
>     understanding of the rules of the research stream - it may be
>     flawed, but the purpose of RGs is supposed to be looking at
>     futures and that by definition shouldn’t be conflicting with the
>     nows].
> An interesting datapoint on this is Dragonfly key exchange, published 
> as RFC 7664, has now been incorporated into the Wifi Alliance's WPA3 
> standard:
> https://sarwiki.informatik.hu-berlin.de/WPA3_Dragonfly_Handshake
> I will preface the following statement by saying that my criticisms of 
> Dragonfly on the CFRG list at the time were misinformed and due to a 
> lack of understanding, and would now call it "okay" (and many of my 
> concerns were assuaged after it received a security proof).

   Well thanks for that.

> However, I think it's fair to say that as a non-standards document, it 
> has something of a sordid history:
> https://arstechnica.com/information-technology/2013/12/critics-nsa-agent-co-chairing-key-crypto-standards-body-should-be-removed/

   That was an amazing piece of "journalism". The author got spun up by a
troll army on twitter (which was about as accurate and reasonable as
twitter tends to be) and basically alleged I was an NSA stooge without
even contacting me before printing (which is also a failure of the
editorial process at Ars). It was extremely unprofessional and resulted
in numerous angry emails being received from people who had no idea what
they were talking about but were furious with me.

   One of the problems with discussing the history of dragonfly is that
everyone seems to get it basically backwards. The protocol that is now
part of WPA3 is SAE and it was actually the first dragonfly protocol. It
entered the 802.11 standard through an amendment in 2008 or so. I then
took the PAKE to EMU and that became EAP-pwd (published in 2010). I took
it to IPsec and it became one of the possible PAKE extensions to IKEv2,
and then I took it to TLS and got TLS-pwd adopted as a work item at
IETF 82 in Nov 2011. There was discussion in TLS of a security proof
(which it didn't have) and so a request for the CFRG to look at it. And
that's where everything stood when CFRG got involved.

   The reason this became so "sordid" is because people think everything
began with the CFRG and that I presented this protocol, as "journalist"
Dan Goodin alleged, as a kind of follow on to

> I think if there were a WG chartered specifically with a 
> standards-track document for what the next generation key exchange to 
> be used for use cases similar to and including, but not limited to 
> WiFi were, my best guess is we could've done better than Dragonfly. 
> I'm not sure why the Wifi Alliance chose it specifically, but it seems 
> the CFRG was treated at least in part as a bar the algorithm must pass 
> for incorporation into their standards, and for a standard of such 
> importance I guess what I'm saying is I wish that bar were higher.

   Well, WiFi Alliance didn't really "choose" SAE; it certifies things in
802.11 and the only thing in 802.11 that does a PAKE is SAE. Why wasn't a
different PAKE chosen in 802.11? Basically patents, which were a problem
back in 2006-7 and earlier when I was advocating for it. Why didn't
anyone else try and propose a PAKE to solve the dictionary attack problem
against WPA-PSK? Good question. That problem was known since around 2003
and was widely publicized, yet I was the only person to try and fix it.

   Bottom line, though, is the WiFi Alliance did not use the CFRG as a
bar. The only group that was using CFRG as a bar that the algorithm had
to pass was TLS, and TLS-pwd was parked and then withdrawn from the TLS
WG, so for what it's worth the hullabaloo over dragonfly in CFRG, right
or wrong, served its purpose.