Re: [Cfrg] Adoption call for draft-harkins-pkex-05

Christopher Wood <christopherwood07@gmail.com> Tue, 07 August 2018 16:59 UTC

References: <5ACA0006.4020809@isode.com> <810C31990B57ED40B2062BA10D43FBF501C515B8@XMB116CNC.rim.net> <810C31990B57ED40B2062BA10D43FBF501C5168A@XMB116CNC.rim.net> <810C31990B57ED40B2062BA10D43FBF501C51B18@XMB116CNC.rim.net> <16affdfc-df9a-a883-e0d6-dd52efee15e4@lounge.org> <CAL02cgT72J=cboruKiHnF4BP7ffaDfae=JeoYDJJfjenF4wC8Q@mail.gmail.com> <fe239e8a-0a64-4b8b-7dba-f38fcfcdc4fd@lounge.org> <CAL02cgRy7M8AjQySy=1njavj+cyxPvQe-n1f+N4xVc_GZFwdNA@mail.gmail.com> <90c10953-6550-09d0-642e-e84710b706cf@lounge.org> <CAL02cgTF6E697t+twXwbkrzZ7OHsFPh--W_NaT5-f0VJ=Jo7Tg@mail.gmail.com> <e186b642-7282-3bfe-3da1-f68e4c3b687c@lounge.org> <CAL02cgQc2HJ0bOZzOc1Q9iqX0-E-PN5qYqW6=iWGE3iggdRQUA@mail.gmail.com> <CABkgnnWSNiM6SrbhFuAptRaRpNGAOtQEiG1RtDXXMUbcBV_tGQ@mail.gmail.com> <CABcZeBOyb9TOZiKSuh_yPHoucQ16gzkv+Kg4FqD1rsR4Tp74gQ@mail.gmail.com> <493c5403-19e6-d620-5bb8-22ab2b9fbfb0@lounge.org>
In-Reply-To: <493c5403-19e6-d620-5bb8-22ab2b9fbfb0@lounge.org>
From: Christopher Wood <christopherwood07@gmail.com>
Date: Tue, 07 Aug 2018 09:59:08 -0700
Message-ID: <CAO8oSXkGLxUnUabWNoukWB-FtyFSXdbLaU7bRj9w_OQZhW4iMA@mail.gmail.com>
To: dharkins@lounge.org
Cc: cfrg@irtf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/zGxEgUz0iW2v0QKbMdUuLmUfsiM>

Hi Dan,

On Mon, Aug 6, 2018 at 10:58 AM Daniel Harkins <dharkins@lounge.org> wrote:
>  About "commodity tools", there were two complaints raised:
>
>   1. PKEX hashes the user identity with the password and uses the result
>      with the role-specific constant while SPAKE2 does not;
>   2. PKEX should just have a generic proof-of-possession protocol after the PAKE.
>
> The implication being you combine these two and voila, something better than PKEX
> because it's just using known tools to do this and is not rolling new crypto.
>
>   Regarding the first, it's a draft that will be a work item of the research
> group. If the consensus of the group is to edit the draft then the draft gets
> edited to reflect the consensus of the group.
>
>   Regarding the second, the suggestion was to do this:
>
>     A->B: SPAKE-Kex
>     B->A: SPAKE-Kex, SPAKE-Confirm, {ID_B, Pub_B, Eph_B}K_spake_B
>     A->B: SPAKE-Confirm, {ID_A, Pub_A, Eph_A}K_spake_A, MAC(K_DH_A, transcript)
>     B->A: MAC(K_DH_B, transcript)
>
> Now I'm pretty sure that is not a generic commodity tool for doing proof-of-possession
> so I'm not sure what the complaint is. That proof-of-possession is more complicated than
> what PKEX does, has more moving parts in the form of new ephemeral keys, does not
> actually seem to prove possession of the private key, and I'd wager does not have a
> security proof (Eric's final complaint about PKEX).
>
>   The request is not to rubber stamp the imprimatur of the CFRG on a document,
> it is to adopt a document as a work item of the research group. With that in mind,
> I have updated PKEX to incorporate the first suggestion (don't hash the ID with the
> password). The current version is -06, it's in the repository. Please take a look and
> consider its adoption.

Putting aside the issue of whether or not this should be done with
existing tools, I do not think the RG should adopt this document in
the absence of security analysis and a corresponding proof. Have you
(or anyone else) started work on this missing piece?

Best,
Chris