Re: [Cfrg] I-D Action: draft-irtf-cfrg-augpake-00.txt
Trevor Perrin <trevp@trevp.net> Mon, 09 December 2013 19:41 UTC
From: Trevor Perrin <trevp@trevp.net>
To: SeongHan Shin <seonghan.shin@aist.go.jp>
Cc: 古原和邦 <k-kobara@aist.go.jp>, cfrg@ietf.org, "tls@ietf.org" <tls@ietf.org>
Date: Mon, 09 Dec 2013 11:41:08 -0800
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-augpake-00.txt
Message-ID: <CAGZ8ZG3Jaoo0ah3p-6SO6fL6id5kC+ozBQsbkosRyZDYDLMprw@mail.gmail.com>
In-Reply-To: <CAGZ8ZG1XXiC-sk==LViYAwFSSY5ampT0O3b2aAN-yRK38bDCYw@mail.gmail.com>
References: <20130906074540.19067.67943.idtracker@ietfa.amsl.com> <CAEKgtqkV=FZgTMtJXGgA2je0ECmrCWUVD7crDXV9994xOwc0Fg@mail.gmail.com> <CAGZ8ZG1XXiC-sk==LViYAwFSSY5ampT0O3b2aAN-yRK38bDCYw@mail.gmail.com>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
Hi Shin,

Just to be clear - I was making fun of Kevin Igoe, not yourself - AugPAKE seems like a great piece of work.

Couple questions:

 - There are obvious similarities with SRP. Do you think the AugPAKE proof techniques could be used to make a security proof for SRP?

   (For an elliptic curve SRP, you could imagine using the SRP verifier with Elligator to encrypt the g^b value, instead of SRP's traditional "B = kv + g^b".)

 - There seems to be an ordering constraint between AugPAKE's client and server messages, requiring the client to go first. For TLS at least, such a constraint is awkward. It either requires an extra round-trip for the server to communicate the salt and group values, or requires the client to assume the group and use no salt (the approach taken in your TLS draft [1]). The latest version of SRP [2] was able to remove this constraint. Is it possible to do the same for AugPAKE?

Trevor

[1] http://tools.ietf.org/html/draft-shin-tls-augpake-01
[2] http://tools.ietf.org/html/rfc5054
    http://srp.stanford.edu/design.html
    http://srp.stanford.edu/srp6.ps

On Fri, Dec 6, 2013 at 12:26 PM, Trevor Perrin <trevp@trevp.net> wrote:
> I really like this idea & can find no problems.
>
> Since a single cursory opinion counts for CFRG consensus [1,2],
> consider this approved by CFRG and our NSA overseers.
>
> Thanks, come again!
>
>
> Trevor
>
>
> P.S. The treatment of random numbers could be improved, consider
> referencing NIST SP 800-90A.
>
> (psst Kevin ^^^ THIS is how it's done. *FINESSE*, or you'll never
> work the big leagues!)
>
>
> [1] http://www.ietf.org/mail-archive/web/cfrg/current/msg03047.html
> [2] http://www.ietf.org/proceedings/84/minutes/minutes-84-tls
>
>
> On Sun, Sep 29, 2013 at 11:18 PM, SeongHan Shin
> <seonghan.shin@aist.go.jp> wrote:
>> Dear all,
>>
>> We submitted our I-D regarding augmented PAKE
>> that provides extra protection against server compromise compared to balanced
>> PAKE.
>> (Of course, it can be easily converted to the balanced one.)
>>
>> Any comments are welcome!
>>
>> Best regards,
>> Shin
>>
>>
>> On Fri, Sep 6, 2013 at 4:45 PM, <internet-drafts@ietf.org> wrote:
>>>
>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>> directories.
>>> This draft is a work item of the Crypto Forum Research Group Working
>>> Group of the IETF.
>>>
>>> Title     : Augmented Password-Authenticated Key Exchange (AugPAKE)
>>> Author(s) : SeongHan Shin
>>>             Kazukuni Kobara
>>> Filename  : draft-irtf-cfrg-augpake-00.txt
>>> Pages     : 17
>>> Date      : 2013-09-06
>>>
>>> Abstract:
>>> This document describes a secure and highly-efficient augmented
>>> password-authenticated key exchange (AugPAKE) protocol where a user
>>> remembers a low-entropy password and its verifier is registered in
>>> the intended server. In general, the user password is chosen from a
>>> small dictionary whose space is within the reach of off-line dictionary
>>> attacks. The AugPAKE protocol described here is secure against
>>> passive attacks, active attacks and off-line dictionary attacks (on
>>> the messages obtained with passive/active attacks). Also, this
>>> protocol provides resistance to server compromise in the sense that
>>> an attacker who has obtained the password verifier from the server must
>>> at least perform off-line dictionary attacks to gain any advantage in
>>> impersonating the user. The AugPAKE protocol is not only provably
>>> secure in the random oracle model but also more efficient than
>>> the previous augmented PAKE protocols (SRP and AMP).
>>>
>>>
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-irtf-cfrg-augpake
>>>
>>> There's also a htmlized version available at:
>>> http://tools.ietf.org/html/draft-irtf-cfrg-augpake-00
>>>
>>>
>>> Please note that it may take a couple of minutes from the time of
>>> submission until the htmlized version and diff are available at
>>> tools.ietf.org.
>>>
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>>
>>> _______________________________________________
>>> Cfrg mailing list
>>> Cfrg@irtf.org
>>> http://www.irtf.org/mailman/listinfo/cfrg
>>
>>
>> --
>> ------------------------------------------------------------------
>> SeongHan Shin
>> Research Institute for Secure Systems (RISEC),
>> National Institute of Advanced Industrial Science and Technology (AIST),
>> Central 2, 1-1-1, Umezono, Tsukuba City, Ibaraki 305-8568 Japan
>> Tel : +81-29-861-2670/5284
>> Fax : +81-29-861-5285
>> E-mail : seonghan.shin@aist.go.jp
>> ------------------------------------------------------------------
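Added example, not part of Trevor's message or of the AugPAKE draft: an SRP-6a exchange using the hashing conventions and the 1024-bit group of RFC 5054 [2], which Trevor cites as the SRP version that removed the ordering constraint. It shows why: the server's (s, B) is B = kv + g^b and does not depend on A, and u = H(A, B) binds both ephemerals, so the server can send first and the client cannot tailor A to u. The class and function names (Server, Client, run_exchange, group_looks_sane), the hashing of S into a session key, and the sample username and password are my own choices; the group constant is copied from the RFC and should be checked against it before any real use.

```python
"""SRP-6a per RFC 5054 (SHA-1 for k, x, u; PAD to the length of N), run
server-first to illustrate the order independence of SRP-6.  Example code
written for this thread; the only standard it follows is RFC 5054."""
import hashlib
import secrets

# 1024-bit group from RFC 5054, Appendix A (generator g = 2).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NLEN = (N.bit_length() + 7) // 8   # 128 bytes


def group_looks_sane() -> bool:
    """Cheap check on the copied constant: 1024 bits and passes a Fermat
    test to base g.  Not a primality proof; compare against the RFC."""
    return N.bit_length() == 1024 and pow(g, N - 1, N) == 1


def pad(x: int) -> bytes:
    """PAD(): left-pad an integer to the byte length of N (RFC 5054, 2.5.3)."""
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    """RFC 5054 hashes k, x and u with SHA-1; we return the digest as an int."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))          # k = SHA1(N | PAD(g))


def private_x(username: str, password: str, salt: bytes) -> int:
    """x = SHA1(s | SHA1(I | ":" | P))."""
    inner = hashlib.sha1(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def verifier(username: str, password: str, salt: bytes) -> int:
    """Registration: the server stores only (s, v = g^x), never x."""
    return pow(g, private_x(username, password, salt), N)


class Server:
    def __init__(self, salt: bytes, v: int):
        self.salt, self.v = salt, v
        self.b = secrets.randbelow(N - 2) + 1
        # B = kv + g^b.  Nothing here depends on A, so (s, B) can be sent
        # before the server has seen anything from the client.
        self.B = (k * self.v + pow(g, self.b, N)) % N

    def first_message(self):
        return self.salt, self.B

    def session_key(self, A: int) -> bytes:
        if A % N == 0:                       # RFC 5054: abort on degenerate A
            raise ValueError("illegal client parameter A")
        u = H(pad(A), pad(self.B))           # u = SHA1(PAD(A) | PAD(B))
        S = pow(A * pow(self.v, u, N), self.b, N)
        return hashlib.sha1(pad(S)).digest() # key derivation is our choice


class Client:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)

    def session_key(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:                       # RFC 5054: abort on degenerate B
            raise ValueError("illegal server parameter B")
        x = private_x(self.username, self.password, salt)
        u = H(pad(self.A), pad(B))
        # Strip k*v = k*g^x from B, then raise g^b to (a + u*x).
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        return hashlib.sha1(pad(S)).digest()


def run_exchange(password_typed: str, password_registered: str = "correct horse") -> bool:
    """Server-first exchange; True iff both sides derive the same key."""
    salt = secrets.token_bytes(16)                       # constructed sample
    server = Server(salt, verifier("alice", password_registered, salt))
    client = Client("alice", password_typed)
    s, B = server.first_message()                        # server -> client
    key_client = client.session_key(s, B)
    key_server = server.session_key(client.A)            # client -> server
    return key_client == key_server


if __name__ == "__main__":
    print("group ok:", group_looks_sane())
    print("right password agrees:", run_exchange("correct horse"))
    print("wrong password agrees:", run_exchange("wrong horse"))
```

The TLS-SRP layout in RFC 5054 is exactly this order: the client names itself in the ClientHello extension, the server answers with (N, g, s, B) in ServerKeyExchange, and A only arrives in ClientKeyExchange. A protocol whose server message must be computed from the client's first value cannot be slotted into that handshake without the extra round-trip Trevor describes.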