Re: [Cfrg] I-D Action: draft-irtf-cfrg-augpake-00.txt

SeongHan Shin <seonghan.shin@aist.go.jp> Tue, 04 February 2014 08:30 UTC

In-Reply-To: <CAGZ8ZG3Jaoo0ah3p-6SO6fL6id5kC+ozBQsbkosRyZDYDLMprw@mail.gmail.com>
References: <20130906074540.19067.67943.idtracker@ietfa.amsl.com> <CAEKgtqkV=FZgTMtJXGgA2je0ECmrCWUVD7crDXV9994xOwc0Fg@mail.gmail.com> <CAGZ8ZG1XXiC-sk==LViYAwFSSY5ampT0O3b2aAN-yRK38bDCYw@mail.gmail.com> <CAGZ8ZG3Jaoo0ah3p-6SO6fL6id5kC+ozBQsbkosRyZDYDLMprw@mail.gmail.com>
Date: Tue, 4 Feb 2014 17:30:53 +0900
Message-ID: <CAEKgtqnRq_K3MeOjvQbh4o-ow_8E0xV-_P+ngKGp6fkER8AS=g@mail.gmail.com>
From: SeongHan Shin <seonghan.shin@aist.go.jp>
To: Trevor Perrin <trevp@trevp.net>
Cc: =?UTF-8?B?5Y+k5Y6f5ZKM6YKm?= <k-kobara@aist.go.jp>, cfrg@ietf.org, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-augpake-00.txt

Hi Trevor,

I am sorry for this delay.

> - There's obvious similarities with SRP.  Do you think the AugPAKE
>proof techniques could be used to make a security proof for SRP?
I don't think so because the security of SRP cannot be reduced to the SDH
assumption.

>(For
>an elliptic curve SRP, you could imagine using the SRP verifier with
>Elligator to encrypt the g^b value, instead of SRP's traditional "B =
>kv + g^b").
In the case of SRP5 (EC version of SRP6), I think it may be possible.


>taken in your TLS draft [1]).  The latest version of SRP [2] was able
>to remove this constraint.  Is it possible to do the same for AugPAKE?
The same approach does not work for AugPAKE.

>or
>requires the client to assume the group and use no salt (the approach
>taken in your TLS draft [1]).
One option may be to use the Supported Elliptic Curves Extension [RFC4492],
though the tls-augpake draft does not specify AugPAKE over EC groups.

Best regards,
Shin


On Tue, Dec 10, 2013 at 4:41 AM, Trevor Perrin <trevp@trevp.net> wrote:

> Hi Shin,
>
> Just to be clear - I was making fun of Kevin Igoe, not yourself -
> AugPAKE seems like a great piece of work.
>
> Couple questions:
>
>  - There's obvious similarities with SRP.  Do you think the AugPAKE
> proof techniques could be used to make a security proof for SRP?  (For
> an elliptic curve SRP, you could imagine using the SRP verifier with
> Elligator to encrypt the g^b value, instead of SRP's traditional "B =
> kv + g^b").
>
>  - There seems to be an ordering constraint between AugPAKE's client
> and server messages, requiring the client to go first.  For TLS at
> least, such a constraint is awkward.  It either requires an extra
> round-trip for the server to communicate the salt and group values, or
> requires the client to assume the group and use no salt (the approach
> taken in your TLS draft [1]).  The latest version of SRP [2] was able
> to remove this constraint.  Is it possible to do the same for AugPAKE?
>
>
> Trevor
>
>
> [1] http://tools.ietf.org/html/draft-shin-tls-augpake-01
>
> [2]
>  http://tools.ietf.org/html/rfc5054
>  http://srp.stanford.edu/design.html
>  http://srp.stanford.edu/srp6.ps
>
>
> On Fri, Dec 6, 2013 at 12:26 PM, Trevor Perrin <trevp@trevp.net> wrote:
> > I really like this idea & can find no problems.
> >
> > Since a single cursory opinion counts for CFRG consensus [1,2],
> > consider this approved by CFRG and our NSA overseers.
> >
> > Thanks, come again!
> >
> >
> > Trevor
> >
> >
> > P.S. The treatment of random numbers could be improved, consider
> > referencing NIST SP 800-90A.
> >
> > (psst Kevin ^^^ THIS is how it's done.  *FINESSE*, or you'll never
> > work the big leagues!)
> >
> >
> > [1] http://www.ietf.org/mail-archive/web/cfrg/current/msg03047.html
> > [2] http://www.ietf.org/proceedings/84/minutes/minutes-84-tls
> >
> >
> > On Sun, Sep 29, 2013 at 11:18 PM, SeongHan Shin
> > <seonghan.shin@aist.go.jp> wrote:
> >> Dear all,
> >>
> >> We submitted our I-D regarding augmented PAKE
> >> that provides extra protection to server compromise compared to balanced
> >> PAKE.
> >> (Of course, it can be easily converted to the balanced one)
> >>
> >> Any comments are welcome!
> >>
> >> Best regards,
> >> Shin
> >>
> >>
> >> On Fri, Sep 6, 2013 at 4:45 PM, <internet-drafts@ietf.org> wrote:
> >>>
> >>>
> >>> A New Internet-Draft is available from the on-line Internet-Drafts
> >>> directories.
> >>>  This draft is a work item of the Crypto Forum Research Group Working
> >>> Group of the IETF.
> >>>
> >>>         Title           : Augmented Password-Authenticated Key Exchange
> >>> (AugPAKE)
> >>>         Author(s)       : SeongHan Shin
> >>>                           Kazukuni Kobara
> >>>         Filename        : draft-irtf-cfrg-augpake-00.txt
> >>>         Pages           : 17
> >>>         Date            : 2013-09-06
> >>>
> >>> Abstract:
> >>>    This document describes a secure and highly-efficient augmented
> >>>    password-authenticated key exchange (AugPAKE) protocol where a user
> >>>    remembers a low-entropy password and its verifier is registered in
> >>>    small set of dictionary whose space is within the off-line dictionary
> >>>    attacks.  The AugPAKE protocol described here is secure against
> >>>    passive attacks, active attacks and off-line dictionary attacks (on
> >>>    the obtained messages with passive/active attacks).  Also, this
> >>>    protocol provides resistance to server compromise in the context that
> >>>    an attacker, who obtained the password verifier from the server, must
> >>>    at least perform off-line dictionary attacks to gain any advantage in
> >>>    impersonating the user.  The AugPAKE protocol is not only provably
> >>>    secure in the random oracle model but also the most efficient over
> >>>    the previous augmented PAKE protocols (SRP and AMP).
> >>>
> >>>
> >>> The IETF datatracker status page for this draft is:
> >>> https://datatracker.ietf.org/doc/draft-irtf-cfrg-augpake
> >>>
> >>> There's also a htmlized version available at:
> >>> http://tools.ietf.org/html/draft-irtf-cfrg-augpake-00
> >>>
> >>>
> >>> Please note that it may take a couple of minutes from the time of
> >>> submission
> >>> until the htmlized version and diff are available at tools.ietf.org.
> >>>
> >>> Internet-Drafts are also available by anonymous FTP at:
> >>> ftp://ftp.ietf.org/internet-drafts/
> >>>
> >>> _______________________________________________
> >>> Cfrg mailing list
> >>> Cfrg@irtf.org
> >>> http://www.irtf.org/mailman/listinfo/cfrg
> >>
> >>
> >>
> >>
> >> --
> >> ------------------------------------------------------------------
> >> SeongHan Shin
> >> Research Institute for Secure Systems (RISEC),
> >> National Institute of Advanced Industrial Science and Technology (AIST),
> >> Central 2, 1-1-1, Umezono, Tsukuba City, Ibaraki 305-8568 Japan
> >> Tel : +81-29-861-2670/5284
> >> Fax : +81-29-861-5285
> >> E-mail : seonghan.shin@aist.go.jp
> >> ------------------------------------------------------------------
> >>
> >>
>



-- 
------------------------------------------------------------------
SeongHan Shin
Research Institute for Secure Systems (RISEC),
National Institute of Advanced Industrial Science and Technology (AIST),
Central 2, 1-1-1, Umezono, Tsukuba City, Ibaraki 305-8568 Japan
Tel : +81-29-861-2670/5284
Fax : +81-29-861-5285
E-mail : seonghan.shin@aist.go.jp
------------------------------------------------------------------
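Trevor's two questions above, the role of SRP's "B = kv + g^b" and the ordering of the client and server messages, are easier to follow with the SRP-6a computations written out. The Python below is an added example for this thread; it is not code from the AugPAKE draft, from RFC 5054, or from either correspondent. It uses the 1024-bit group from RFC 5054 Appendix A, substitutes SHA-256 for the SHA-1 the RFC specifies (an assumption, to keep the example current), and follows the RFC 5054 message order that Trevor refers to: the client's identity in ClientHello, then (N, g, salt, B) from the server, then A from the client. The function names (`enroll`, `server_flight`, `client_flight`, `tls_srp_handshake`) and the sample identity and passwords are the example's own.

```python
"""SRP-6a with the TLS-SRP (RFC 5054) message order.

Added example for this thread, not code from the AugPAKE draft, RFC 5054
or either author.  It shows the two things Trevor's question turns on:
the server's value B = k*v + g^b is computed from the stored verifier
alone, so the server can speak first, and u = H(A, B) binds both ephemeral
values afterwards, so the order of A and B does not matter for security.
"""
import hashlib
import secrets

# 1024-bit group from RFC 5054, Appendix A (generator g = 2).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NLEN = (N.bit_length() + 7) // 8  # 128 bytes, the width RFC 5054's PAD() uses


def pad(x: int) -> bytes:
    """Fixed-width big-endian encoding, so H(A, B) is unambiguous."""
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    # Assumption: SHA-256 in place of the SHA-1 that RFC 5054 specifies.
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


# SRP-6a multiplier k = H(N | PAD(g)); the k*v term is what hides v inside B.
k = H(pad(N), pad(g))


def private_x(identity: bytes, password: bytes, salt: bytes) -> int:
    return H(salt, hashlib.sha256(identity + b":" + password).digest())


def enroll(identity: bytes, password: bytes):
    """Registration: the server keeps (salt, v = g^x) and never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(identity, password, salt), N)


def server_flight(v: int):
    """ServerKeyExchange.  Needs only the stored verifier: no A, so the
    server can send B before it has heard anything but the client's identity."""
    b = secrets.randbelow(N - 2) + 1
    return b, (k * v + pow(g, b, N)) % N


def client_flight():
    """ClientKeyExchange: A = g^a, sent after the client has the group and salt."""
    a = secrets.randbelow(N - 2) + 1
    return a, pow(g, a, N)


def client_key(identity, password, salt, a, A, B) -> bytes:
    if B % N == 0:  # RFC 5054: the client MUST abort on B mod N == 0
        raise ValueError("degenerate B from server")
    u = H(pad(A), pad(B))
    x = private_x(identity, password, salt)
    # B - k*g^x == g^b only if x is the enrolled x, i.e. the password is right.
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)    # g^(b(a + ux))
    return hashlib.sha256(pad(S)).digest()


def server_key(v: int, b: int, A: int, B: int) -> bytes:
    if A % N == 0:  # RFC 5054: the server MUST abort on A mod N == 0
        raise ValueError("degenerate A from client")
    u = H(pad(A), pad(B))
    S = pow(A * pow(v, u, N) % N, b, N)                   # g^(b(a + ux))
    return hashlib.sha256(pad(S)).digest()


def tls_srp_handshake(identity: bytes, enrolled_pw: bytes, typed_pw: bytes):
    """RFC 5054 order: identity in ClientHello, then (N, g, salt, B) from the
    server, then A from the client.  Returns (client_key, server_key)."""
    salt, v = enroll(identity, enrolled_pw)   # done once, at signup
    b, B = server_flight(v)                   # server speaks first
    a, A = client_flight()                    # client answers with A
    return (client_key(identity, typed_pw, salt, a, A, B),
            server_key(v, b, A, B))


if __name__ == "__main__":
    ck, sk = tls_srp_handshake(b"alice", b"correct horse", b"correct horse")
    print("keys agree:", ck == sk)
```

The point to notice is the signature of `server_flight`: it takes only the stored verifier, which is why TLS-SRP can put the salt and group into the server's first flight and still have the client send A in the next one, with u = H(A, B) tying the two halves together only after both exist. A wrong password changes x, so B - k*g^x is no longer g^b and the two sides derive different keys, while an eavesdropper who sees B learns nothing about v because of the k*v blinding. Whether the AugPAKE messages can be rearranged the same way is exactly what Shin's reply says does not work with the same approach.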