Re: [Cfrg] I-D Action: draft-irtf-cfrg-augpake-00.txt

Trevor Perrin <trevp@trevp.net> Mon, 09 December 2013 19:41 UTC

In-Reply-To: <CAGZ8ZG1XXiC-sk==LViYAwFSSY5ampT0O3b2aAN-yRK38bDCYw@mail.gmail.com>
References: <20130906074540.19067.67943.idtracker@ietfa.amsl.com> <CAEKgtqkV=FZgTMtJXGgA2je0ECmrCWUVD7crDXV9994xOwc0Fg@mail.gmail.com> <CAGZ8ZG1XXiC-sk==LViYAwFSSY5ampT0O3b2aAN-yRK38bDCYw@mail.gmail.com>
Date: Mon, 09 Dec 2013 11:41:08 -0800
Message-ID: <CAGZ8ZG3Jaoo0ah3p-6SO6fL6id5kC+ozBQsbkosRyZDYDLMprw@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: SeongHan Shin <seonghan.shin@aist.go.jp>
Cc: 古原和邦 <k-kobara@aist.go.jp>, cfrg@ietf.org, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-augpake-00.txt

Hi Shin,

Just to be clear - I was making fun of Kevin Igoe, not yourself -
AugPAKE seems like a great piece of work.

Couple questions:

 - There's obvious similarities with SRP.  Do you think the AugPAKE
proof techniques could be used to make a security proof for SRP?  (For
an elliptic curve SRP, you could imagine using the SRP verifier with
Elligator to encrypt the g^b value, instead of SRP's traditional "B =
kv + g^b").

 - There seems to be an ordering constraint between AugPAKE's client
and server messages, requiring the client to go first.  For TLS at
least, such a constraint is awkward.  It either requires an extra
round-trip for the server to communicate the salt and group values, or
requires the client to assume the group and use no salt (the approach
taken in your TLS draft [1]).  The latest version of SRP [2] was able
to remove this constraint.  Is it possible to do the same for AugPAKE?


Trevor


[1] http://tools.ietf.org/html/draft-shin-tls-augpake-01

[2]
 http://tools.ietf.org/html/rfc5054
 http://srp.stanford.edu/design.html
 http://srp.stanford.edu/srp6.ps
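To illustrate the ordering point in the second question: in SRP-6a (RFC 5054) the server's B = kv + g^b depends only on the stored verifier and the client's A = g^a only on the client, and u = H(A, B) binds the two afterwards, so either side can send first. The following is added example code written for this note, not code from the AugPAKE draft or from the SRP references; it uses the RFC 5054 Appendix A 1024-bit group, substitutes SHA-256 for the RFC's SHA-1, and uses a constructed identity, salt and password.

```python
import hashlib
import secrets

# 1024-bit group from RFC 5054 Appendix A (N is a safe prime, generator g = 2).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8          # byte length used by PAD()

def H(*parts: bytes) -> int:              # SHA-256 here; RFC 5054 specifies SHA-1
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def pad(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")

k = H(pad(N), pad(g))                     # SRP-6a multiplier k = H(N | PAD(g))

def private_x(identity: bytes, password: bytes, salt: bytes) -> int:
    return H(salt, hashlib.sha256(identity + b":" + password).digest())

def verifier(identity: bytes, password: bytes, salt: bytes) -> int:
    return pow(g, private_x(identity, password, salt), N)   # v = g^x, held by server

def client_public(a: int) -> int:
    return pow(g, a, N)                   # A = g^a: needs nothing from the server

def server_public(v: int, b: int) -> int:
    return (k * v + pow(g, b, N)) % N     # B = kv + g^b: needs only the stored verifier

def client_secret(identity, password, salt, a, A, B) -> int:
    if B % N == 0:
        raise ValueError("B mod N == 0")  # RFC 5054 requires aborting on this value
    u = H(pad(A), pad(B))                 # u binds both messages, whichever was sent first
    x = private_x(identity, password, salt)
    return pow((B - k * pow(g, x, N)) % N, a + u * x, N)

def server_secret(v, b, A, B) -> int:
    if A % N == 0:
        raise ValueError("A mod N == 0")  # same abort on the client's value
    u = H(pad(A), pad(B))
    return pow((A * pow(v, u, N)) % N, b, N)

def exchange(password_used: bytes, registered: bytes = b"password123") -> bool:
    """Constructed run: server stores v for `registered`; client types `password_used`.
    A and B are produced independently, so the order they are sent does not matter."""
    ident, salt = b"alice", b"constructed-salt"
    v = verifier(ident, registered, salt)
    a, b = secrets.randbelow(N - 2) + 1, secrets.randbelow(N - 2) + 1
    B = server_public(v, b)               # server can send salt, group and B first ...
    A = client_public(a)                  # ... or the client can go first; same result
    return client_secret(ident, password_used, salt, a, A, B) == server_secret(v, b, A, B)
```

Both premaster secrets agree only when the typed password matches the registered verifier; a wrong guess yields mismatched values without revealing anything about v beyond one online attempt.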


On Fri, Dec 6, 2013 at 12:26 PM, Trevor Perrin <trevp@trevp.net> wrote:
> I really like this idea & can find no problems.
>
> Since a single cursory opinion counts for CFRG consensus [1,2],
> consider this approved by CFRG and our NSA overseers.
>
> Thanks, come again!
>
>
> Trevor
>
>
> P.S. The treatment of random numbers could be improved, consider
> referencing NIST SP 800-90A.
>
> (psst Kevin ^^^ THIS is how it's done.  *FINESSE*, or you'll never
> work the big leagues!)
>
>
> [1] http://www.ietf.org/mail-archive/web/cfrg/current/msg03047.html
> [2] http://www.ietf.org/proceedings/84/minutes/minutes-84-tls
>
>
> On Sun, Sep 29, 2013 at 11:18 PM, SeongHan Shin
> <seonghan.shin@aist.go.jp> wrote:
>> Dear all,
>>
>> We submitted our I-D regarding augmented PAKE
>> that provides extra protection to server compromise compared to balanced
>> PAKE.
>> (Of course, it can be easily converted to the balanced one)
>>
>> Any comments are welcome!
>>
>> Best regards,
>> Shin
>>
>>
>> On Fri, Sep 6, 2013 at 4:45 PM, <internet-drafts@ietf.org> wrote:
>>>
>>>
>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>> directories.
>>>  This draft is a work item of the Crypto Forum Research Group Working
>>> Group of the IETF.
>>>
>>>         Title           : Augmented Password-Authenticated Key Exchange
>>> (AugPAKE)
>>>         Author(s)       : SeongHan Shin
>>>                           Kazukuni Kobara
>>>         Filename        : draft-irtf-cfrg-augpake-00.txt
>>>         Pages           : 17
>>>         Date            : 2013-09-06
>>>
>>> Abstract:
>>>    This document describes a secure and highly-efficient augmented
>>>    password-authenticated key exchange (AugPAKE) protocol where a user
>>>    remembers a low-entropy password and its verifier is registered in
>>>    the intended server.  In general, the user password is chosen from a
>>>    small set of dictionary whose space is within the off-line dictionary
>>>    attacks.  The AugPAKE protocol described here is secure against
>>>    passive attacks, active attacks and off-line dictionary attacks (on
>>>    the obtained messages with passive/active attacks).  Also, this
>>>    protocol provides resistance to server compromise in the context that
>>>    an attacker, who obtained the password verifier from the server, must
>>>    at least perform off-line dictionary attacks to gain any advantage in
>>>    impersonating the user.  The AugPAKE protocol is not only provably
>>>    secure in the random oracle model but also the most efficient over
>>>    the previous augmented PAKE protocols (SRP and AMP).
>>>
>>>
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-irtf-cfrg-augpake
>>>
>>> There's also a htmlized version available at:
>>> http://tools.ietf.org/html/draft-irtf-cfrg-augpake-00
>>>
>>>
>>> Please note that it may take a couple of minutes from the time of
>>> submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>>
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>>
>>> _______________________________________________
>>> Cfrg mailing list
>>> Cfrg@irtf.org
>>> http://www.irtf.org/mailman/listinfo/cfrg
>>
>>
>>
>>
>> --
>> ------------------------------------------------------------------
>> SeongHan Shin
>> Research Institute for Secure Systems (RISEC),
>> National Institute of Advanced Industrial Science and Technology (AIST),
>> Central 2, 1-1-1, Umezono, Tsukuba City, Ibaraki 305-8568 Japan
>> Tel : +81-29-861-2670/5284
>> Fax : +81-29-861-5285
>> E-mail : seonghan.shin@aist.go.jp
>> ------------------------------------------------------------------
>>