IETF Logo Mail Archive

Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-03.txt

Alex Elsayed <eternaleye@gmail.com> Fri, 19 February 2016 23:27 UTC

Return-Path: <giic-cfrg@m.gmane.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 002CA1B2FF5 for <cfrg@ietfa.amsl.com>; Fri, 19 Feb 2016 15:27:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.957
X-Spam-Level:
X-Spam-Status: No, score=0.957 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FROM=0.001, FSL_HELO_BARE_IP_2=1.499, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_NUMERIC_HELO=1.164, RP_MATCHES_RCVD=-0.006, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CC6fyL9Vub1D for <cfrg@ietfa.amsl.com>; Fri, 19 Feb 2016 15:27:03 -0800 (PST)
Received: from plane.gmane.org (plane.gmane.org [80.91.229.3]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DCBD1A8A46 for <cfrg@irtf.org>; Fri, 19 Feb 2016 15:27:03 -0800 (PST)
Received: from list by plane.gmane.org with local (Exim 4.69) (envelope-from <giic-cfrg@m.gmane.org>) id 1aWuRw-0005JE-B1 for cfrg@irtf.org; Sat, 20 Feb 2016 00:27:00 +0100
Received: from 50.245.141.73 ([50.245.141.73]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <cfrg@irtf.org>; Sat, 20 Feb 2016 00:27:00 +0100
Received: from eternaleye by 50.245.141.73 with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <cfrg@irtf.org>; Sat, 20 Feb 2016 00:27:00 +0100
X-Injected-Via-Gmane: http://gmane.org/
To: cfrg@irtf.org
From: Alex Elsayed <eternaleye@gmail.com>
Date: Fri, 19 Feb 2016 23:26:50 +0000
Lines: 69
Message-ID: <na88bq$psp$1@ger.gmane.org>
References: <20160215145643.14144.52226.idtracker@ietfa.amsl.com> <56C1FB64.1080309@mit.edu> <na713j$kqr$1@ger.gmane.org> <CACsn0cmyGA_QLWx+xYn3VGibdmqD+r+XFg6HVV4yGL4FvgODWg@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-Complaints-To: usenet@ger.gmane.org
X-Gmane-NNTP-Posting-Host: 50.245.141.73
User-Agent: Pan/0.139 (Sexual Chocolate; GIT bf56508 git://git.gnome.org/pan2)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/z-pA-hjniOEOtJ7o7BPYE51fLNs>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-03.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Feb 2016 23:27:05 -0000

Sent a first-cut PR for the code (is Brian Warner's repository the 
correct one? I saw it linked from your github) that would benefit from 
some review; where's the text of the draft so I can do up a patch for 
that? I didn't see it on your github or Brian Warner's.

On Fri, 19 Feb 2016 10:24:41 -0800, Watson Ladd wrote:

> Write the code and the text, and if I can run it, it goes in.
> 
> On Fri, Feb 19, 2016 at 4:16 AM, Alex Elsayed <eternaleye@gmail.com>
> wrote:
>> On Mon, 15 Feb 2016 11:23:00 -0500, Greg Hudson wrote:
>>
>>> On 02/15/2016 09:56 AM, internet-drafts@ietf.org wrote:
>>>>      Filename        : draft-irtf-cfrg-spake2-03.txt
>>>
>>> I am pleased to see progress on this draft.
>>>
>>> The formatting of the new formula for K' in section 2.2 is a little
>>> off in its use of whitespace.
>>>
>>> SPAKE2+ doesn't use w0 or w1 in the derivation of K'.  Obviously it
>>> can't use w1 as B doesn't have it, but can we call this an augmented
>>> version of SPAKE2 if it more closely resembles SPAKE1?  Should it use
>>> w0?
>>>
>>> The description of SPAKE2+ still refers to "Bob" in one place.
>>>
>>> In section 3, the formatting of the Python code is mangled.  Calls to
>>> ec.canon_pointstr() should be changed to canon_pointstr() since you've
>>> defined that as a function.
>>>
>>> In section 3, the description of the algorithm still doesn't match the
>>> actual algorithm used, although it's closer some details.  The first
>>> mismatch comes from these two passages:
>>>
>>>     This string is turned into an infinite sequence of bytes by
>>>     hashing with SHA256, and hashing that output again to generate the
>>>     next 32 bytes, and so on.
>>>
>>>     If this is impossible, then the next non-overlapping segment of
>>>     sufficient length is taken.
>>>
>>> The actual algorithm doesn't use non-overlapping segments of an
>>> infinite sequence of bytes; instead it uses overlapping concatenations
>>> of hash blocks for successive trials.  For P-521, the first trial uses
>>> H1|H2|H3 (where H1 is hash of the string, H2 is the hash of H1, etc.)
>>> truncated to 65 bytes; the second trial uses H2|H3|H4 truncated, etc..
>>
>> OOI, why not use HKDF, with the string as the IKM? Personally, I'd much
>> prefer that to inventing Yet Another Ad-Hoc Way To Extract Arbitrary-
>> Length Randomness.
>>
>>
>>> The second mismatch comes from this passage:
>>>
>>>     We multiply that point by the cofactor h, and if that is not the
>>>     identity, output it.
>>>
>>> The Python code multiplies the point by the generator order (p), and
>>> if that *is* the identity, outputs the point.  The difference is that
>>> the Python code discards points of order 2p, 4p, ..., hp.  This
>>> difference is irrelevant for P-256 and P-521 which have cofactor 1.
>>
>>
>> _______________________________________________
>> Cfrg mailing list Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email