Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13
Watson Ladd <watsonbladd@gmail.com> Sat, 17 October 2020 02:43 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 299233A0B0E for <cfrg@ietfa.amsl.com>; Fri, 16 Oct 2020 19:43:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GgsY2s2trHLP for <cfrg@ietfa.amsl.com>; Fri, 16 Oct 2020 19:43:23 -0700 (PDT)
Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com [IPv6:2a00:1450:4864:20::131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B9303A0B0D for <cfrg@irtf.org>; Fri, 16 Oct 2020 19:43:23 -0700 (PDT)
Received: by mail-lf1-x131.google.com with SMTP id v6so5748565lfa.13 for <cfrg@irtf.org>; Fri, 16 Oct 2020 19:43:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=NvddXYh5v7OzW8qXY3nD8ZApfXmVl/a6dBz01ayu4ww=; b=BZYZfs0VYentAjaH6B28L0yDVOAXNE2vKkYCObpn/ZOnyq92MgzeMAcBpSsn7bpRrq luL/LtYZGV+Qp9vcojyLVqGMbm+6FMqHzRN7w9enHZXusAaEUn6chfuT2mLM4SQOIqS0 QPEAvaOsRfDNQ9A2dHu2wwsL5hmld76w6/YKJq9JBtolycaJlFk4Vy9rIigV2oIiXJIv CO3NGT5PxEh9EM8hij90gAL7TOR5pLx1EVoKUaxRjrZCApPKb2Bwwvndoj+oyqE4cGfz RZa7VavSBoh4mDyhmnncOQhApry3fjAmB+NCQ0VKvVL1cTlcZBZUVXopkvEY11WbDBUv hRIQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=NvddXYh5v7OzW8qXY3nD8ZApfXmVl/a6dBz01ayu4ww=; b=VAlEePYYcvnRlnS5KMO6/oQNZoTXW4cSSxjwkXy/VR8sPvfbx/14qj/Nw8NZEPvvP8 w+3NVzgS8HwqOxHhkEUAJH3kFpiiJO/DhpnyMktPtAdiDjTLRTUSOIkKsn1HQXHDyN9Y gmaNcLlowLoqoojMdBVN8M5LUPics9lS5Clg4Truob7ehXPCfCPtwfkeDZAUh3O7VIM9 3KTVmNSnlonj5f3gDtBCazUKp9VDo+MOvadKFTyF/+WdaHwlZ8WYxzOEfov4F/nQ+sl7 gYH8ullBCctQaqxs7uxGXd1eceClcBHNJj5mudwVYk49qZqyzap+7bwoBdFwk26e+lEH DMig==
X-Gm-Message-State: AOAM531FFS9q8f2LP5UGPsKtsGUY8LDmlO8+2w0P8DcEdcmToEsk9yLV ncjrNsQwt7fi4CyK404zGXOUl4gxj0UBRz9MZqY=
X-Google-Smtp-Source: ABdhPJz6GNfPweWrIqlte8+DA9+bG9kiePX/kddRkipRTg4wAxG2zmlAOlBpf0oLDKB2mAPz9LJQzu/g1exj4oQ9Lng=
X-Received: by 2002:a19:c74b:: with SMTP id x72mr2352163lff.175.1602902601317; Fri, 16 Oct 2020 19:43:21 -0700 (PDT)
MIME-Version: 1.0
References: <CAMr0u6n0SVGpWkBc=ZLMoS-SQZta=TxbUZP13Pq=3QBxdMpUdg@mail.gmail.com> <2B592A5F-FC26-4FA8-A71F-55814E301A1D@warwick.ac.uk> <CACsn0ckcqaQpyb_FUSvNefRmYLLKN2T5TDfbK8F4E7bRepYKkA@mail.gmail.com> <9B7997F2-BB22-44CC-B08B-70E978664ADE@warwick.ac.uk> <CACsn0ckYsj13DGpX64hQ53GDNARZZZVfx6bDKyQQk6vdCFMmCQ@mail.gmail.com> <B4421514-6799-4CDA-8470-3BBCECAA1B94@warwick.ac.uk> <CACsn0ck9oKLoAH=gz8AvNOHgc_57Pp07HhqJjmSNCs9eEevRdw@mail.gmail.com> <1BDA5F86-6E6B-40B0-992D-32DA42BA711A@live.warwick.ac.uk>
In-Reply-To: <1BDA5F86-6E6B-40B0-992D-32DA42BA711A@live.warwick.ac.uk>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Fri, 16 Oct 2020 19:43:09 -0700
Message-ID: <CACsn0c=ys12x6fjfOenMhsN78SA2go-ZUpXQ8a8+w3LGzdyO6g@mail.gmail.com>
To: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
Cc: CFRG <cfrg@irtf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/rYEaO4qWXGsOcvfAaBvt1nu49u0>
Subject: Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Oct 2020 02:43:25 -0000
On Fri, Oct 16, 2020, 1:22 AM Hao, Feng <Feng.Hao@warwick.ac.uk> wrote: > > Would removing this/retaining this and adding a per-application > variant be a way forward? Part of the issue here is that people have > mostly been fine with per-application and global variants, so I can't > really point to a deployment that I know of that works. > > I think the best way forward would be that you code it up and show a realistic implementation that works in the way you describe. Then you can verify your claim yourself. Don't leave difficult implementation questions to developers! I can write an implementation but you would then say no, we cannot know A and B ahead of time or no, this not in the client server case. Do you have a good example of an application where this is an issue so that I can understand what the constraints are? For example would making M depend only on A and N depend only on B (or maybe it is the other way around) so each side can prepare the flow without the other identity resolve your issue? > > I strongly question "cannot be realistically implemented". It would > seem to me that no PAKE that uses user identities would meet the > requirement you outline. > > Have a look at the original (published) SPAKE2 which you should already be familiar with and see how the identities are established in-flow there. Also have a look at PAKEs that have been implemented and used in realistic applications (EKE, SPEKE, J-PAKE) and see how the identities are established in-flow. More broadly, have a look at the nearly 30 years literature on PAKE, and the field of authenticated key exchange in general, and see how identities are defined and established in-flow as part of the key exchange process. If you believe "identities" can be remembered by the communicating parties without needing any communication, you need to show working examples. I think you agree with me that this is only an issue when both sides simultaneously prepare and exchange the first flow. This is quite an exotic application. Even peer-to-peer apps typically have initiators and responders. Again, do you have real world protocols with the constraints you describe? Sincerely, Watson Ladd
- [Cfrg] RGLC on draft-irtf-cfrg-spake2-13 Stanislav V. Smyshlyaev
- Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13 Hao, Feng
- Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13 Watson Ladd
- Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13 Hao, Feng
- Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13 Hao, Feng
- Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13 Watson Ladd
- Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13 Hao, Feng
- Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13 Watson Ladd
- Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13 Hao, Feng
- Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13 Björn Haase
- Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13 Björn Haase
- Re: [Cfrg] RGLC on draft-irtf-cfrg-spake2-13 (rej… Annie Yousar