Re: [Cfrg] I-D Action: draft-irtf-cfrg-augpake-00.txt
SeongHan Shin <seonghan.shin@aist.go.jp> Tue, 04 February 2014 08:30 UTC
In-Reply-To: <CAGZ8ZG3Jaoo0ah3p-6SO6fL6id5kC+ozBQsbkosRyZDYDLMprw@mail.gmail.com>
References: <20130906074540.19067.67943.idtracker@ietfa.amsl.com> <CAEKgtqkV=FZgTMtJXGgA2je0ECmrCWUVD7crDXV9994xOwc0Fg@mail.gmail.com> <CAGZ8ZG1XXiC-sk==LViYAwFSSY5ampT0O3b2aAN-yRK38bDCYw@mail.gmail.com> <CAGZ8ZG3Jaoo0ah3p-6SO6fL6id5kC+ozBQsbkosRyZDYDLMprw@mail.gmail.com>
Date: Tue, 04 Feb 2014 17:30:53 +0900
Message-ID: <CAEKgtqnRq_K3MeOjvQbh4o-ow_8E0xV-_P+ngKGp6fkER8AS=g@mail.gmail.com>
From: SeongHan Shin <seonghan.shin@aist.go.jp>
To: Trevor Perrin <trevp@trevp.net>
Cc: 古原和邦 <k-kobara@aist.go.jp>, cfrg@ietf.org, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-augpake-00.txt
Hi Trevor,

I am sorry for this delay.

> - There's obvious similarities with SRP. Do you think the AugPAKE
> proof techniques could be used to make a security proof for SRP?

I don't think so because the security of SRP cannot be reduced to the SDH assumption.

> (For
> an elliptic curve SRP, you could imagine using the SRP verifier with
> Elligator to encrypt the g^b value, instead of SRP's traditional "B =
> kv + g^b").

In case of SRP5 (EC version of SRP6), I think it may be possible.

> taken in your TLS draft [1]). The latest version of SRP [2] was able
> to remove this constraint. Is it possible to do the same for AugPAKE?

The same approach does not work for AugPAKE.

> or
> requires the client to assume the group and use no salt (the approach
> taken in your TLS draft [1]).

One option may be to use the Supported Elliptic Curve Extension [RFC4492]
though the tls-augpake draft does not specify over ec groups.

Best regards,
Shin

On Tue, Dec 10, 2013 at 4:41 AM, Trevor Perrin <trevp@trevp.net> wrote:
> Hi Shin,
>
> Just to be clear - I was making fun of Kevin Igoe, not yourself -
> AugPAKE seems like a great piece of work.
>
> Couple questions:
>
> - There's obvious similarities with SRP. Do you think the AugPAKE
> proof techniques could be used to make a security proof for SRP? (For
> an elliptic curve SRP, you could imagine using the SRP verifier with
> Elligator to encrypt the g^b value, instead of SRP's traditional "B =
> kv + g^b").
>
> - There seems to be an ordering constraint between AugPAKE's client
> and server messages, requiring the client to go first. For TLS at
> least, such a constraint is awkward. It either requires an extra
> round-trip for the server to communicate the salt and group values, or
> requires the client to assume the group and use no salt (the approach
> taken in your TLS draft [1]). The latest version of SRP [2] was able
> to remove this constraint. Is it possible to do the same for AugPAKE?
>
>
> Trevor
>
>
> [1] http://tools.ietf.org/html/draft-shin-tls-augpake-01
>
> [2]
> http://tools.ietf.org/html/rfc5054
> http://srp.stanford.edu/design.html
> http://srp.stanford.edu/srp6.ps
>
>
> On Fri, Dec 6, 2013 at 12:26 PM, Trevor Perrin <trevp@trevp.net> wrote:
> > I really like this idea & can find no problems.
> >
> > Since a single cursory opinion counts for CFRG consensus [1,2],
> > consider this approved by CFRG and our NSA overseers.
> >
> > Thanks, come again!
> >
> >
> > Trevor
> >
> >
> > P.S. The treatment of random numbers could be improved, consider
> > referencing NIST SP 800-90A.
> >
> > (psst Kevin ^^^ THIS is how it's done. *FINESSE*, or you'll never
> > work the big leagues!)
> >
> >
> > [1] http://www.ietf.org/mail-archive/web/cfrg/current/msg03047.html
> > [2] http://www.ietf.org/proceedings/84/minutes/minutes-84-tls
> >
> >
> > On Sun, Sep 29, 2013 at 11:18 PM, SeongHan Shin
> > <seonghan.shin@aist.go.jp> wrote:
> >> Dear all,
> >>
> >> We submitted our I-D regarding augmented PAKE
> >> that provides extra protection to server compromise compared to balanced
> >> PAKE.
> >> (Of course, it can be easily converted to the balanced one)
> >>
> >> Any comments are welcome!
> >>
> >> Best regards,
> >> Shin
> >>
> >>
> >> On Fri, Sep 6, 2013 at 4:45 PM, <internet-drafts@ietf.org> wrote:
> >>>
> >>> A New Internet-Draft is available from the on-line Internet-Drafts
> >>> directories.
> >>> This draft is a work item of the Crypto Forum Research Group Working
> >>> Group of the IETF.
> >>>
> >>> Title : Augmented Password-Authenticated Key Exchange
> >>>         (AugPAKE)
> >>> Author(s) : SeongHan Shin
> >>>             Kazukuni Kobara
> >>> Filename : draft-irtf-cfrg-augpake-00.txt
> >>> Pages : 17
> >>> Date : 2013-09-06
> >>>
> >>> Abstract:
> >>> This document describes a secure and highly-efficient augmented
> >>> password-authenticated key exchange (AugPAKE) protocol where a user
> >>> remembers a low-entropy password and its verifier is registered in
> >>> the intended server. In general, the user password is chosen from a
> >>> small set of dictionary whose space is within the off-line dictionary
> >>> attacks. The AugPAKE protocol described here is secure against
> >>> passive attacks, active attacks and off-line dictionary attacks (on
> >>> the obtained messages with passive/active attacks). Also, this
> >>> protocol provides resistance to server compromise in the context that
> >>> an attacker, who obtained the password verifier from the server, must
> >>> at least perform off-line dictionary attacks to gain any advantage in
> >>> impersonating the user. The AugPAKE protocol is not only provably
> >>> secure in the random oracle model but also the most efficient over
> >>> the previous augmented PAKE protocols (SRP and AMP).
> >>>
> >>>
> >>> The IETF datatracker status page for this draft is:
> >>> https://datatracker.ietf.org/doc/draft-irtf-cfrg-augpake
> >>>
> >>> There's also a htmlized version available at:
> >>> http://tools.ietf.org/html/draft-irtf-cfrg-augpake-00
> >>>
> >>>
> >>> Please note that it may take a couple of minutes from the time of
> >>> submission
> >>> until the htmlized version and diff are available at tools.ietf.org.
> >>>
> >>> Internet-Drafts are also available by anonymous FTP at:
> >>> ftp://ftp.ietf.org/internet-drafts/
> >>>
> >>> _______________________________________________
> >>> Cfrg mailing list
> >>> Cfrg@irtf.org
> >>> http://www.irtf.org/mailman/listinfo/cfrg
> >>
> >>
> >> --
> >> ------------------------------------------------------------------
> >> SeongHan Shin
> >> Research Institute for Secure Systems (RISEC),
> >> National Institute of Advanced Industrial Science and Technology (AIST),
> >> Central 2, 1-1-1, Umezono, Tsukuba City, Ibaraki 305-8568 Japan
> >> Tel : +81-29-861-2670/5284
> >> Fax : +81-29-861-5285
> >> E-mail : seonghan.shin@aist.go.jp
> >> ------------------------------------------------------------------
> >>
> >> _______________________________________________
> >> Cfrg mailing list
> >> Cfrg@irtf.org
> >> http://www.irtf.org/mailman/listinfo/cfrg
> >>
>

--
------------------------------------------------------------------
SeongHan Shin
Research Institute for Secure Systems (RISEC),
National Institute of Advanced Industrial Science and Technology (AIST),
Central 2, 1-1-1, Umezono, Tsukuba City, Ibaraki 305-8568 Japan
Tel : +81-29-861-2670/5284
Fax : +81-29-861-5285
E-mail : seonghan.shin@aist.go.jp
------------------------------------------------------------------
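The two things Trevor's questions turn on, SRP's "B = kv + g^b" server message and the fact that the latest SRP lets the server speak first, are shown below as an added worked example; it is not code from the AugPAKE draft, the tls-augpake draft, or any author in this thread. It follows the SRP-6a message structure that RFC 5054 (Trevor's [2]) standardises, but simplifies it for readability: the group is a constructed 64-bit safe prime generated at import (a real deployment uses one of the RFC 5054 groups), the hash is SHA-256, and the key-confirmation values M1/M2 as well as the helper names (register, server_challenge, client_exchange, server_finish, run_exchange) are this example's own assumptions, not the RFC's byte layout. The point to watch is that the server's B depends only on its stored verifier v = g^x and its own randomness b, never on the client's A, so (salt, B) can be sent before anything is received; and that the server holds only v, so a wrong password on the client side fails key confirmation rather than leaking anything.

```python
import hashlib
import secrets

def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with random bases; adequate for a demo group."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits: int) -> int:
    """Return N = 2q + 1 with both q and N prime (constructed demo group)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1

# Constructed demo group (NOT a standards group); real use takes an RFC 5054 group.
N = safe_prime(64)
g = 2
NLEN = (N.bit_length() + 7) // 8

def enc(x: int) -> bytes:
    """Fixed-width big-endian encoding of a group element (like RFC 5054's PAD)."""
    return x.to_bytes(NLEN, "big")

def H(*parts: bytes) -> int:
    """SHA-256 of the concatenated parts, read as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

k = H(enc(N), enc(g))   # SRP-6 multiplier: B = k*v + g^b binds B to the verifier

def private_x(identity: bytes, password: bytes, salt: bytes) -> int:
    """x = H(salt | H(I ":" P)); only the client ever computes this."""
    return H(salt, hashlib.sha256(identity + b":" + password).digest())

def register(identity: bytes, password: bytes) -> dict:
    """Enrolment: the server stores (I, salt, v = g^x), never the password."""
    salt = secrets.token_bytes(16)
    v = pow(g, private_x(identity, password, salt), N)
    return {"I": identity, "salt": salt, "v": v}

def server_challenge(record: dict):
    """Server's move: B depends only on v and b, not on the client's A,
    so (salt, B) can go on the wire before anything has been received."""
    b = secrets.randbelow(N - 2) + 1
    B = (k * record["v"] + pow(g, b, N)) % N
    return b, B

def client_exchange(identity: bytes, password: bytes, salt: bytes, B: int):
    """Client derives its key from (salt, B) and proves it with M1."""
    if B % N == 0:
        raise ValueError("rejecting B == 0 mod N")
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    u = H(enc(A), enc(B))
    if u == 0:
        raise ValueError("rejecting u == 0")
    x = private_x(identity, password, salt)
    # With the right password, B - k*g^x == g^b, so S = g^(b*(a + u*x)).
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K = hashlib.sha256(enc(S)).digest()
    M1 = hashlib.sha256(enc(A) + enc(B) + K).digest()
    return A, M1, K

def server_finish(record: dict, b: int, B: int, A: int, M1: bytes):
    """Server reaches the same S via (A * v^u)^b, then checks M1; returns (ok, M2, K)."""
    if A % N == 0:
        raise ValueError("rejecting A == 0 mod N")
    u = H(enc(A), enc(B))
    S = pow((A * pow(record["v"], u, N)) % N, b, N)   # (g^a * g^(u*x))^b
    K = hashlib.sha256(enc(S)).digest()
    if not secrets.compare_digest(hashlib.sha256(enc(A) + enc(B) + K).digest(), M1):
        return False, b"", K
    return True, hashlib.sha256(enc(A) + M1 + K).digest(), K

def run_exchange(record: dict, identity: bytes, password: bytes) -> dict:
    """One run with the server speaking first; both keys are returned for comparison."""
    b, B = server_challenge(record)                     # server -> client: salt, B
    A, M1, K_c = client_exchange(identity, password, record["salt"], B)
    ok, M2, K_s = server_finish(record, b, B, A, M1)    # client -> server: A, M1
    return {"authenticated": ok, "client_key": K_c, "server_key": K_s, "M2": M2}
```

Calling run_exchange(register(b"alice", b"pw"), b"alice", b"pw") returns matching client and server keys with authenticated set to True; with a different password the two keys are unrelated and the server withholds M2. The checks that A and B are non-zero mod N are the ones SRP itself requires: without them a peer can force S to a fixed value, so they belong in any implementation, toy or not. Contrast this with the ordering Shin's TLS draft has to work around: here the server never needs A before it can produce B.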