Re: [Cfrg] [http-auth] Fwd: Another PAKE question

Yutaka OIWA <y.oiwa@aist.go.jp> Fri, 07 March 2014 04:57 UTC

In-Reply-To: <CAMeZVwsv1LWAcEdqFU94d8GXMYLmgC=E=ji1O_Cx_cDgBQAOOw@mail.gmail.com>
References: <CACsn0cmSH0hfuZs19Epvh_=vCPszx3Y3_GP5+snFDMcmAQUyQg@mail.gmail.com> <A4A326BF-6C6B-482F-85FB-36880BF315DA@checkpoint.com> <CAMeZVwsv1LWAcEdqFU94d8GXMYLmgC=E=ji1O_Cx_cDgBQAOOw@mail.gmail.com>
From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Fri, 07 Mar 2014 13:56:42 +0900
Message-ID: <CAMeZVwu-UPDWM7P+m6xj7inryY8PYFs-AAoD5ALwYZe3NTYQ1g@mail.gmail.com>
To: Yoav Nir <ynir@checkpoint.com>, Watson Ladd <watsonbladd@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/vQkhGTmHs3BGX8AotekPJQCWCj8
Cc: "http-auth@ietf.org" <http-auth@ietf.org>, cfrg@irtf.org
Subject: Re: [Cfrg] [http-auth] Fwd: Another PAKE question

Dear Watson and all,

I received a private communication from internal colleagues
and would like to update my description.

What Watson has mentioned seems to be the one in
Section 11.2 of the main draft
<http://tools.ietf.org/html/draft-ietf-httpauth-mutual-01#section-11.2>.
VK_c and VK_s contain the log of the transactions
K_c1 and K_s1 into the calculation.
These values were already included in the original
cryptographic primitives, and are treated as a
"common" structure among primitives in the drafts
(that's why it is in the main draft, instead of the algo draft).

# Do you think we need more to be embedded, such as
# session IDs into consideration?

I think this makes a correct answer to the question, and
I'd like to update the specs so that it becomes
clearer to the readers in the cryptographic community and
future designers of additional algorithms.
Thank you very much again for informative comments.


2014-03-06 3:30 GMT+09:00 Yutaka OIWA <y.oiwa@aist.go.jp>:
> Watson, Sorry, I completely missed this mail in the pile of unread mails.
>
> # Thanks Yoav, your comment in the WG reminded me and helped me find this.
>
> AFAIK, putting the transaction history into the calculation is
> already embedded as the values t_1 and t_2 described in
> the algorithm in
> <https://tools.ietf.org/html/draft-oiwa-httpauth-mutual-algo-01>,
> Sections 2.2 and 2.3.
> Don't these t_1 and t_2 (put into the calculation of z) suffice for the purpose?
>
> My understanding is that the functionality that Watson mentioned is a
> fundamental requirement for all PAKE primitives, and
> is already embedded in the specification of such primitives' layer.
> If this assumption is not, or if we need to protect more values than
> the values that appear in the cryptographic primitives, I agree that the
> functionality should again be implemented in the layer of the
> "HTTP Mutual authentication".
> In such a case I will do it with our cryptographer colleagues.
>
> Sorry for the very late reply, but I'm very happy if you can help me
> better understand this issue.
>
>
> 2014-01-10 0:24 GMT+09:00 Yoav Nir <ynir@checkpoint.com>:
>> Hi.
>>
>> CFRG has recently had some discussion about PAKEs in general. I have asked
>> them to take a look at MutualAuth. This is one of the replies that we got.
>>
>> Yoav
>>
>> Begin forwarded message:
>>
>> From: Watson Ladd <watsonbladd@gmail.com>
>> Subject: Re: [Cfrg] Another PAKE question
>> Date: January 9, 2014 4:57:19 PM GMT+02:00
>> To: Yoav Nir <ynir@checkpoint.com>
>>
>> Why is this protocol secure?
>> I would recommend taking the z, and computing a hash of z and the
>> transcript of the protocol. In
>> this way under the ROM, the computed value doesn't reveal information.
>> It ensures that any
>> manipulation of the messages leads to different z values.
>>
>> I'll try to think of ways to make a proof given that change.
>> Sincerely,
>> Watson Ladd
>>
>>
>> On Wed, Jan 8, 2014 at 10:09 PM, Yoav Nir <ynir@checkpoint.com> wrote:
>>
>> Hi
>>
>> I almost feel like I'm asking for trouble after the roast that Dan went
>> through, but some on this list might want to consider another PAKE going
>> through an IETF working group.
>>
>> HTTP-Auth is making experimental authentication mechanisms for the HTTP
>> layer. One of those is a PAKE. If people here on the CFRG list would like to
>> comment on it, that would be great. We can have some discussion here, but
>> ultimately, comments, criticisms and suggestions should go to the HTTP-auth
>> list (details below).
>>
>> The draft in question is called "Mutual Authentication Protocol for HTTP".
>>
>> Link: http://tools.ietf.org/html/draft-ietf-httpauth-mutual-01
>>
>> Yoav
>> co-chair of HTTP-Auth
>>
>> Mailing list details:
>> * http-auth List Information:
>> https://www.ietf.org/mailman/listinfo/http-auth
>> * http-auth List Archives:
>> http://www.ietf.org/mail-archive/web/http-auth/current/maillist.html
>> * http-auth Posting Address (requires registration): http-auth@ietf.org



-- 
Yutaka OIWA, Ph.D.                 Leader, System Life-cycle Research Group
                               Research Institute for Secure Systems (RISEC)
     National Institute of Advanced Industrial Science and Technology (AIST)
                       Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]
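
Added example, not part of the original message or of the drafts: a minimal Python sketch of the transcript binding discussed in this thread, where each verification value hashes the exchanged K_c1 and K_s1 together with z, so a modified message makes the check fail. The role tags, the length-prefixed encoding, SHA-256 and the sample bytes are assumptions for illustration and are not the draft's wire format.

```python
import hashlib
import hmac


def _lp(field: bytes) -> bytes:
    # Length-prefix every field so ("ab","c") and ("a","bc") hash differently.
    return len(field).to_bytes(4, "big") + field


def verification_value(role: bytes, k_c1: bytes, k_s1: bytes, z: bytes) -> bytes:
    """Hash a role tag, both exchanged values and the shared secret z.

    Assumed encoding for illustration; not the draft's exact VK_c/VK_s formula.
    """
    h = hashlib.sha256()
    for field in (role, k_c1, k_s1, z):
        h.update(_lp(field))
    return h.digest()


def server_accepts(vk_c_received: bytes, k_c1_seen: bytes,
                   k_s1_sent: bytes, z_server: bytes) -> bool:
    # The server recomputes VK_c over the transcript as *it* saw it.
    expected = verification_value(b"client", k_c1_seen, k_s1_sent, z_server)
    return hmac.compare_digest(expected, vk_c_received)


# Constructed sample values (not real protocol outputs).
K_C1 = bytes.fromhex("11" * 32)
K_S1 = bytes.fromhex("22" * 32)
Z = bytes.fromhex("33" * 32)


def demo():
    vk_c = verification_value(b"client", K_C1, K_S1, Z)
    vk_s = verification_value(b"server", K_C1, K_S1, Z)
    honest = server_accepts(vk_c, K_C1, K_S1, Z)

    # K_s1 was altered in transit: the client hashes the value it received,
    # the server hashes the value it sent, so the two transcripts disagree
    # even in the (hypothetical) case that both sides ended up with the same z.
    k_s1_altered = bytes([K_S1[0] ^ 0x01]) + K_S1[1:]
    vk_c_altered = verification_value(b"client", K_C1, k_s1_altered, Z)
    tampered = server_accepts(vk_c_altered, K_C1, K_S1, Z)

    # Distinct role tags keep VK_s from being a replay of VK_c.
    return honest, tampered, vk_c != vk_s


if __name__ == "__main__":
    print(demo())
```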