IETF Logo Mail Archive

Re: [Cfrg] Adoption call for draft-harkins-pkex-05

Richard Barnes <rlb@ipv.sx> Thu, 12 April 2018 13:22 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49A7012708C for <cfrg@ietfa.amsl.com>; Thu, 12 Apr 2018 06:22:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0RgCS-FNyt91 for <cfrg@ietfa.amsl.com>; Thu, 12 Apr 2018 06:21:59 -0700 (PDT)
Received: from mail-ot0-x232.google.com (mail-ot0-x232.google.com [IPv6:2607:f8b0:4003:c0f::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08A0D12711D for <cfrg@irtf.org>; Thu, 12 Apr 2018 06:21:58 -0700 (PDT)
Received: by mail-ot0-x232.google.com with SMTP id h55-v6so5932832ote.9 for <cfrg@irtf.org>; Thu, 12 Apr 2018 06:21:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=B1YkWZyGRJq702/yiwMR6EIRA5aYw1CSJ3YRupaLxgk=; b=az8Ar32u/zENujv7D1AnEHavVxn3GcNWm2eCRAHlZ5+rbg0wj1ShnXpRWFdF0oPOD8 /+YGbkgNZ10802rP8fYlbxpcTsaWSUwOEBFXFPl5qxd7hhDe9C6doquSck4Gu+nCCqlB 3BJdDycTu1mnkacoVjw8L41Uo/ATpqGB8R8mrXtIZnY7p5QrrHcDh1yrWUkdXoclb/RN YrA+Jfe1W7BrMQW1I1DlR9IZHGw+KrnsL4jciDpQK4WK9Aj0guroxI3zfcYUOw29WEh/ oQPK44GW20vTkdlQQSCiQgxs1qXz3/GyIvvvDzXwVFs7oJ9zp7/CSH6czG8mAYgXyomP lqfA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=B1YkWZyGRJq702/yiwMR6EIRA5aYw1CSJ3YRupaLxgk=; b=oP/6EybvW/csGx8MHbjSz6WlLtoleeryJo/lNvfsUphIrz6vTBQHo1ZaE86+9kQiKV ixh4l2PuNkmeZOtF4WBvCltG2yWhUvHEscSJq9sg23iRWJJnX3jXq4+o2BT6xK+V9KIs SDlGGSRvY/MFN3LbklFAunSVQiP5o0GGwG864dkY4BJAerqcrFANtBlLhpEvboJ4k1zz yc1wTtzIA79Bi/bK+mN6Cub+r6FX+ikv29E6l8QFw5J4+2elwrg+wv3l8ZdJLUzpsLQW bKYiJqrMVGwBHZ+nOxF/D6r84e7COwpQSdi++Fl3JayFGt8O2MsHAahCtq0M6eTCKf0C hCNQ==
X-Gm-Message-State: ALQs6tCDLD3ajW/as2YOPz/BFGaDOK7Mkec2EOj9OLjvEVgqECVDSG0U 2WV7mNZa1Jyexxsc97IWCMNycSX2brwTVvSCaVHFcI08ejo=
X-Google-Smtp-Source: AIpwx4+Lz6NDIw9N91etDv5SLX3GFfTlN7pLrhDF0OVpALCSNLBlCI5k33NaLTlrnPpmQ0w11e5dZU9Lxwyre5uxbBk=
X-Received: by 2002:a9d:1920:: with SMTP id j32-v6mr639734ota.383.1523539318072; Thu, 12 Apr 2018 06:21:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.90.67 with HTTP; Thu, 12 Apr 2018 06:21:57 -0700 (PDT)
In-Reply-To: <90c10953-6550-09d0-642e-e84710b706cf@lounge.org>
References: <5ACA0006.4020809@isode.com> <810C31990B57ED40B2062BA10D43FBF501C515B8@XMB116CNC.rim.net> <810C31990B57ED40B2062BA10D43FBF501C5168A@XMB116CNC.rim.net> <810C31990B57ED40B2062BA10D43FBF501C51B18@XMB116CNC.rim.net> <16affdfc-df9a-a883-e0d6-dd52efee15e4@lounge.org> <CAL02cgT72J=cboruKiHnF4BP7ffaDfae=JeoYDJJfjenF4wC8Q@mail.gmail.com> <fe239e8a-0a64-4b8b-7dba-f38fcfcdc4fd@lounge.org> <CAL02cgRy7M8AjQySy=1njavj+cyxPvQe-n1f+N4xVc_GZFwdNA@mail.gmail.com> <90c10953-6550-09d0-642e-e84710b706cf@lounge.org>
From: Richard Barnes <rlb@ipv.sx>
Date: Thu, 12 Apr 2018 09:21:57 -0400
Message-ID: <CAL02cgTF6E697t+twXwbkrzZ7OHsFPh--W_NaT5-f0VJ=Jo7Tg@mail.gmail.com>
To: Dan Harkins <dharkins@lounge.org>
Cc: cfrg@irtf.org
Content-Type: multipart/alternative; boundary="000000000000dafa2d0569a6a309"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/lW49SOsAN7RLdZKtedMn_wHnxns>
Subject: Re: [Cfrg] Adoption call for draft-harkins-pkex-05
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Apr 2018 13:22:01 -0000

On Wed, Apr 11, 2018 at 8:32 PM, Dan Harkins <dharkins@lounge.org> wrote:

>
>   Hi Richard,
>
> On 4/11/18 2:58 PM, Richard Barnes wrote:
>
>
>
> On Wed, Apr 11, 2018 at 5:06 PM, Dan Harkins <dharkins@lounge.org> wrote:
>
>>
>>
>>   Hi Richard,
>>
>> On 4/11/18 11:07 AM, Richard Barnes wrote:
>>
> [snip]
>
> Assuming this is a useful problem to solve, it's not clear to me that this
>> is the best way to solve it.  For example, it seems like the parties could
>> perform a traditional PAKE, then send their preferred identities to each
>> other protected by the negotiated key.  Note that this is basically what
>> happens with the TLS-PAKE I-D that I submitted earlier today (
>> https://datatracker.ietf.org/doc/draft-barnes-tls-pake/), though in that
>> case, you can have either certified or uncertified keys.
>>
>>
>>   TLS-pake, yea! What used to be draft-ietf-tls-pwd-- certificate-less
>> authentication
>> for TLS-- is sitting in the RFC editor's queue waiting for the TLS
>> registry to get reworked.
>>
>>   PKEX is a little different though. You could do TLS-pake and use the
>> negotiated
>> key with an identity you pass but then you'd have to maintain a
>> multiplicity of
>> public keys, one for each server you did TLS-pake to, otherwise you void
>> the security
>> of TLS-pake. PKEX will allow me to share my single uncertified public key
>> with multiple
>> people (using different passwords, of course).
>>
>
> Thanks for the reminder of the proof-of-possession part.  i had gotten
> fixated on the PAKE part :)
>
> I guess what I don't understand here is the benefit of conjoining the
> primitives rather than composing them.  It seems like you would get the
> same effects here in the same number of RTTs with a straightforward
> combination of PAKE, sending identities, and a proof-of-possession protocol
> [1], all of which are already well-established.  Instead, you've mushed
> them all together.  That seems like it has some costs, e.g., the
> restriction to ECDSA when with a more composed design you could support
> arbitrary DH or signing keys.  What are the corresponding benefits?
>
>
>   I'm not sure where the mashup is. You have basically described PKEX. It
> does
> SPAKE2 and then it sends identities and a proof of possession protected by
> the
> PAKE shared secret.
>

What I mean is that in addition to just using the PAKE, you're also
changing its internals:

- Instead of using the password as input, PKEX hashes in the identities
- The key shares from SPAKE2 are re-used for the proof of possession

You're not treating the PAKE as a box that takes a password on one side and
emits a key on the other side.



> The limitations are that the two sides have to be exchanging
> keys from the same group and since they've already agreed on a group for
> their
> identity keys then they have to use the same one for the PAKE. Those were
> not
> seen as serious issues because such a restriction may already be imposed
> on the
> subsequent key exchange protocol (e.g. MQV), and it obviates the need to
> discuss
> what it means to exchange, for instance, a p521 public key over a PAKE
> that uses
> brainpool256. It cuts down on problematic options. That's the same reason
> that
> the hash algorithm and SIV key length are determined by the prime defining
> the
> group, less options that might be used poorly means a more robust and
> idiot-proof
> protocol.
>

I'll grant that you do get more rigidity from the conjunction.  But I'm not
sure that this is more effective than simply expressing the requirement in
prose.



>
>   Also, there is no restriction on ECDSA.
>

Maybe you should revise this text then :)

"""
Due to the nature of the exchange, only DSA ([DSS]) and ECDSA
   ([X9.62]) keys can be exchanged with PKEX.
"""

And maybe add a clearer explanation than "due to the nature of the
exchange".

--Richard



> In fact, Appendix A.2 has the SPAKE2
> role-specific elements for four standard DH groups and the Appendix talks
> about
> how to generate role-specific elements for other groups not enumerated.
>
> --Richard
>
> [1] Sketch:
>
> A->B: SPAKE-Kex
> B->A: SPAKE-Kex, SPAKE-Confirm, {ID_B, Pub_B, Eph_B}K_spake_B
> A->B: SPAKE-Confirm, {ID_A, Pub_A, Eph_A}K_spake_A, MAC(K_DH_A, transcript}
> B->A: MAC(K_DH_B, transcript)
>
> Note that at this point, it's starting to look simpler just to do TLS!
>
>
>   It's not really. There is running code for this protocol (and not just by
> me) and it's much simpler than TLS.
>
>   regards,
>
>   Dan.
>
>
>

v2.23.0 | Report a Bug | By Email