Re: [CFRG] IRSG review draft-irtf-cfrg-spake2-20
Julia Hesse <juliahesse2@gmail.com> Fri, 10 September 2021 18:04 UTC
Return-Path: <juliahesse2@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE52B3A11FF for <cfrg@ietfa.amsl.com>; Fri, 10 Sep 2021 11:04:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.85
X-Spam-Level:
X-Spam-Status: No, score=-1.85 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t0e8EwuHimCG for <cfrg@ietfa.amsl.com>; Fri, 10 Sep 2021 11:04:20 -0700 (PDT)
Received: from mail-wm1-x329.google.com (mail-wm1-x329.google.com [IPv6:2a00:1450:4864:20::329]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9456F3A0F7F for <cfrg@ietf.org>; Fri, 10 Sep 2021 11:04:20 -0700 (PDT)
Received: by mail-wm1-x329.google.com with SMTP id g74so1801408wmg.5 for <cfrg@ietf.org>; Fri, 10 Sep 2021 11:04:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=pWNp4Zx1sNNQszgrJcQ4FkLxj25lLH+ebhCHQjIBxs4=; b=RZWqJx0Knhphs4Yp7YE5sjVh+Mu28PE+AZcRKcOpMTDJ1c905dVuoMEfb/7e7hPZgp B11jTRMMg8wMxH9eFeJgVVqV+l4DSTBTKyzlWB8mapun7ePbqluFqcF257BmnRf09R1q vZynOYjbxHTJSndQSahhKaTpmlDDML+W5/OgulaNr4drR6xvwYQHplZRrSvDXEZ0Wfti b66Cl7w3Um3++KhRM4jZtpNtPjhJZTwKiojPw6C+vUl+vngdbhCj86G5LTnvc0gV5kUG A622dR2bID7g2sb8yVTbG7CeWm3g/19xGBK/KSs7Cf3XIYk4rJXytsu771r+B9GdE/cs ogsQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=pWNp4Zx1sNNQszgrJcQ4FkLxj25lLH+ebhCHQjIBxs4=; b=mtwK5c6dlKjxA6L5gYGdIuxx4PjwqziTwfL5/SqKBOlFBTAZASXAyuxJq0wqh9t9tk oxvkX1qsd9Fi38XGfyn0Wblbq3nEjRqGGD4CHhZnQwtNPevlKQ+nQnxeHdSnp5o/uzkQ Uv0FDJlwJdjjkcedsnZ8sj4UImZ2FXEe/FI2h9/6nxFKHJSnUWs8xqp+V2msQ0cfFa+2 LURULpmR1aov6j8k3QPf1x9FGjohMf6VKuhIBTHeWsqAEW9BIJy8XuV8ojJBZrYm+7av HbihwDxhrURwhgEiGvuuVBPqaYKkiq2vsSlkHGiAZiN7PTStfVC6/p3jkKIrqyLv6XcV +Ofg==
X-Gm-Message-State: AOAM530LRNDF/gNpkxNQBpDTYlePiaJb1mz/CpPsmM/tgtmqVo8BKwEs 4VUEaAunpqg/pdu2hLkTj+Q=
X-Google-Smtp-Source: ABdhPJygJEbHxKMr4/y5s6/V/8R9nslxq6tUFdZa0h8qv1ZyMIMAfvBNP4kPyN4VqOfsppItE8RbnQ==
X-Received: by 2002:a05:600c:2193:: with SMTP id e19mr9659470wme.40.1631297057713; Fri, 10 Sep 2021 11:04:17 -0700 (PDT)
Received: from ?IPv6:2a02:aa12:a780:5480:7861:c549:9e18:d53? ([2a02:aa12:a780:5480:7861:c549:9e18:d53]) by smtp.gmail.com with ESMTPSA id d9sm6644002wrb.36.2021.09.10.11.04.16 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 10 Sep 2021 11:04:17 -0700 (PDT)
To: Watson Ladd <watsonbladd@gmail.com>
Cc: crypto-panel@irtf.org, Benjamin Kaduk <kaduk@mit.edu>, cfrg@ietf.org, Colin Perkins <csp@csperkins.org>
References: <aad93bd3-3dd2-bd53-ca21-d6f2632a3cb5@gmail.com> <CACsn0cmQgrYHhWm533R2ybQ7rTMg_sVxqO5qN5TLrs1C4uir+Q@mail.gmail.com>
From: Julia Hesse <juliahesse2@gmail.com>
Message-ID: <172dcce4-017f-f9dd-2ee3-b57652bcdd41@gmail.com>
Date: Fri, 10 Sep 2021 20:04:15 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
MIME-Version: 1.0
In-Reply-To: <CACsn0cmQgrYHhWm533R2ybQ7rTMg_sVxqO5qN5TLrs1C4uir+Q@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/tkKvUWd7RQoN2MP5p97ik74VVbg>
Subject: Re: [CFRG] IRSG review draft-irtf-cfrg-spake2-20
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Sep 2021 18:04:23 -0000
Dear Watson, >> // - What does it mean to exchange messages symmetrically? (In the per-user M and N section) >> * Resolved. I suggest to remove "to have a symmetric variant" - it is not needed and might cause confusion (variant of what?) > It is needed: Magic Wormhole uses this variant. And the concern about > who uses M and who uses N in cases where it isn't clear is best > addressed by using this variant. Ah, apparently I got confused here: the draft is referring to SPAKE2 as a symmetric PAKE, and to the case of M=N as its symmetric variant. So you are completely right, the sentence in question should stay, but I would recommend referring to the case of M=N as "parallel variant" (or something else) instead of assigning two different meanings to the word "symmetric". >> // - Beyond scalar multiplication being constant time, are there any other constant time considerations we should include? >> * Resolved >> >> // - Why is Ke not included in the test vectors? It may be redundant, but it seems useful as an additional sanity check. >> // - There are currently no test vectors that include AAD -- should we add some? >> * I have not verified these two. >> >> // - Why is len() a little-endian output? >> * I agree with Watson to be consistent with Kerberos here >> >> // - Should we clarify that the transcript assumes a particular point encoding scheme, and that is to be defined by the calling application or implementation? >> * Resolved >> >> Some more comments, not related to the IRSG review, below. >> >> I was missing a minimal list of data that A and B can start SPAKE2 from: ciphersuite, pw, A, B, M, N - did I forget something? What about the output key length? This can be easily included in 3.2, replacing "A and B are provisioned with information such as..." >> >> The document does not specify who uses M and who uses N. In the M\neq N variant of the protocol, which is mostly described in this draft, this is relevant, since no analysis was conducted in case A sends both xM and xN (a solution that implementors are not unlikely to come up with). I would include an instruction in the RFC, e.g., that the application must ensure that M and N are assigned to A and B, e.g., by having them apply some lexicographically-first-... rule. > I'm not sure I follow the issue. The sentence says 'A picks x randomly > and uniformly from the integers in [0,p), and calculates X=x*P and > S=w*M+X, then transmits pA=S to B.' Alice is hence the initiatior. If > it's impossible to do this easily then one of the M=N variants should > be used. Most protocols have an asymmetry here where one side is > initiating a request and the other receiving. Happy to add clarifying > text. Ack to all. It would actually be good to clarify this in the draft: the M != N variant is for an initiator-responder variant, the M=N for a parallel variant that MUST (?) be used whenever the applicatoin cannot assign initiator and responder role to the parties. My concern was from a security perspective, from which we should avoid situation such as the following: a user generates pA wrt M, but then receives pB also generated wrt M, suddenly realizes that it is the responder, and *additionally* sends pA wrt N. This voids the security proof, so we need to be pretty clear here. Best regards, Julia >> p.2 >> The KDF has only 3 inputs, but a fourth (key length L) is described in the text >> >> p.3 >> servers -> serves >> flow figure should include "verify cA" and "verify cB", since it is a MUST. >> >> p.4 >> remove unnecessary variables T and S? E.g., directly set pB=w*N+Y. > These editorial comments seem worthwile to fix. Side note to Colin: is > there another set of reviews I should be waiting for at this stage? If > not I should be able to fix these all pretty promptly. > > Sincerely, > Watson Ladd > > > -- > Astra mortemque praestare gradatim
- [CFRG] IRSG review draft-irtf-cfrg-spake2-20 Julia Hesse
- Re: [CFRG] IRSG review draft-irtf-cfrg-spake2-20 Watson Ladd
- Re: [CFRG] IRSG review draft-irtf-cfrg-spake2-20 Colin Perkins
- Re: [CFRG] [Crypto-panel] IRSG review draft-irtf-… Stanislav V. Smyshlyaev
- Re: [CFRG] IRSG review draft-irtf-cfrg-spake2-20 Julia Hesse
- Re: [CFRG] IRSG review draft-irtf-cfrg-spake2-20 Watson Ladd
- Re: [CFRG] IRSG review draft-irtf-cfrg-spake2-20 Julia Hesse
- Re: [CFRG] IRSG review draft-irtf-cfrg-spake2-20 Watson Ladd
- Re: [CFRG] [Crypto-panel] IRSG review draft-irtf-… Stanislav V. Smyshlyaev