Re: [Cfrg] 2^40. I can't exhibit it, but it exists. -> Re: I-D Action: draft-irtf-cfrg-dragonfly-03.txt
Paul Lambert <paul@marvell.com> Tue, 04 February 2014 21:42 UTC
Return-Path: <paul@marvell.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B77291A015A for <cfrg@ietfa.amsl.com>; Tue, 4 Feb 2014 13:42:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.566
X-Spam-Level:
X-Spam-Status: No, score=-1.566 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sY7swda5ZVIi for <cfrg@ietfa.amsl.com>; Tue, 4 Feb 2014 13:42:37 -0800 (PST)
Received: from mx0a-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by ietfa.amsl.com (Postfix) with ESMTP id 408561A0155 for <cfrg@ietf.org>; Tue, 4 Feb 2014 13:42:37 -0800 (PST)
Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.14.5/8.14.5) with SMTP id s14LgXjY007030; Tue, 4 Feb 2014 13:42:33 -0800
Received: from sc-owa.marvell.com ([199.233.58.135]) by mx0a-0016f401.pphosted.com with ESMTP id 1hsj9vx3sa-39 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Tue, 04 Feb 2014 13:42:33 -0800
Received: from SC-vEXCH2.marvell.com ([10.93.76.134]) by SC-OWA.marvell.com ([::1]) with mapi; Tue, 4 Feb 2014 13:42:32 -0800
From: Paul Lambert <paul@marvell.com>
To: David McGrew <mcgrew@cisco.com>
Date: Tue, 04 Feb 2014 13:42:31 -0800
Thread-Topic: 2^40. I can't exhibit it, but it exists. -> Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-03.txt
Thread-Index: Ac8hqZ2xmXABOVVERN6/sIyaiXOTugAR8vpQ
Message-ID: <7BAC95F5A7E67643AAFB2C31BEE662D018B81B7F69@SC-VEXCH2.marvell.com>
References: <CF15D9D2.2E696%paul@marvell.com> <52F0E4D9.1010600@cisco.com>
In-Reply-To: <52F0E4D9.1010600@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_7BAC95F5A7E67643AAFB2C31BEE662D018B81B7F69SCVEXCH2marve_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14, 0.0.0000 definitions=2014-02-04_06:2014-02-04, 2014-02-04, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1402040124
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] 2^40. I can't exhibit it, but it exists. -> Re: I-D Action: draft-irtf-cfrg-dragonfly-03.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Feb 2014 21:42:39 -0000
David, Thank you for the thoughtful position. I to agree that there should be a slight preference to have a 'proof' of security where possible. However, the lack of a formal proof should not be considered a flaw. Some of the text you have below might be worth squirreling away to for use in some future form of CFRG guidelines for recommendations. Regards, Paul From: David McGrew [mailto:mcgrew@cisco.com] Sent: Tuesday, February 04, 2014 5:02 AM To: Paul Lambert Cc: Watson Ladd; cfrg@ietf.org Subject: Re: 2^40. I can't exhibit it, but it exists. -> Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-03.txt HI Paul and Watson, On 02/04/2014 03:05 AM, Paul Lambert wrote: > A proof might be desirable but should not block the use of a proposed protocol. > For example there is no adequate proof that integer factorization is "secure". > This is not a reason to stop using RSA based algorithms. The lack of > a complete security proof for draft-irtf-cfrg-dragonfly-03.txt should not > stop it's use (in fact it's already in other standards that would benefit > from the analysis and improvements of this group). But there is a proof that OAEP has a reduction to RSA security. PKCS 1.5 had no proof, and got broken a few times. RSA has been intensively studied for decades, dragonfly hasn't. Slight variants of RSA (Rabin-Williams) are provably reducible to factoring, an extensively studied problem for centuries. You missed the point. The difficulty of factoring as a problem to build secure systems is not provable. . . . Paul, you are right that the computational cost of factoring the product of two large primes is unknown, and there is no proof that it is hard. But Watson also has a point, that the factoring problem is easily understood and has been very well studied. In particular, it has been more well studied than the dragonfly security conjecture, whatever that conjecture is. (Has it been isolated?) At the end of the day, none of the crypto that we use is actually proven to be unconditionally secure. (I'm ignoring information theoretic security here, to make the discussion easier ;-) It might be proven to be secure if factoring is hard, or if AES with a random secret key is indistinguishable from a random permutation, or under some other well-understood conjecture. It is a major goal to reduce the number of conjectures that we need to rely on, and to rely on conjectures that we have more confidence in. I think we should prefer algorithms and protocols that rely only on well-understood conjectures. I will hedge this statement, though, and say that the security conjectures are just one factor in the decision making process. For instance: the Blum Blum Shub (BBS) pseudorandom number generator is secure if factoring is hard, but we use AES or HMAC based PRNGs instead, because BBS would be *slow*. Furthermore, it is quite possible that AES-CTR is more secure than BBS; it may we be that we see advances in the state of the art in factoring. > Watson, in your technical analysis of the > protocol in its current form (draft-irtf-cfrg-dragonfly-03.txt), > can you identify any exploitable security flaw specific to > the protocol? Yes: an algorithm exists that guesses passwords in time 2^40. I can't exhibit it, but it exists. JPAKE doesn't have this issue. Watson, can you quantify the claim of 2^40? David I will take your answer as a 'no' - you are unable to identify any exploitable security flaw with draft-irtf-cfrg-dragonfly-03.txt Making such repeated and adversarial negative pronouncements on a technical topic without documentation or your own demonstrable analysis would be considered by some to be unprofessional behavior. Paul
- Re: [Cfrg] 2^40. I can't exhibit it, but it exist… David McGrew
- [Cfrg] 2^40. I can't exhibit it, but it exists. -… Paul Lambert
- Re: [Cfrg] 2^40. I can't exhibit it, but it exist… Paul Lambert