Re: [Crypto-panel] Request for review: OPAQUE

Kevin Lewi <klewi@cs.stanford.edu> Thu, 07 September 2023 23:20 UTC

Return-Path: <klewi@cs.stanford.edu>
X-Original-To: crypto-panel@ietfa.amsl.com
Delivered-To: crypto-panel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18359C14F73F for <crypto-panel@ietfa.amsl.com>; Thu, 7 Sep 2023 16:20:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.004
X-Spam-Level:
X-Spam-Status: No, score=-7.004 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cs.stanford.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U60KyJ41tVHY for <crypto-panel@ietfa.amsl.com>; Thu, 7 Sep 2023 16:19:56 -0700 (PDT)
Received: from smtp1.cs.Stanford.EDU (smtp1.cs.stanford.edu [171.64.64.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3725CC14CE38 for <crypto-panel@irtf.org>; Thu, 7 Sep 2023 16:19:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=cs.stanford.edu; s=cs2308; h=Content-Type:Cc:To:Subject:Message-ID:Date: From:In-Reply-To:References:MIME-Version:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=zH7rpdihv0STmtEjXuMcWPoP6qJkUvHeHj/PQ0+j1KI=; t=1694128796; x=1694992796; b=MGpvLVrrDX/jxjDmeKyOEz2ElfUETc8tSHT+eA9EQnw2UA1VH6JebakPfNqCk4MAJru0mhFGJAz lQ1wxyKJesejewRoppLR3LWMhO+vVINksypGpqOjWmSCQByhPwYvLK1/Go0GP0M7J2LLQ7EFfTgVJ pxxVaW6YMDa0oZL47RvdTEGENP/0KyT7THVY5DBJRYrD60sLnpgXCY2hr2SMUFgF8aiqz+1LwRs9H 88sqBdJF8Save7VurjvZKG0BbBFCVyQmwxjSD4joHj5CZZeub7G0vy5u9bWTmL0ozCY03Bbkf8H/M vMcmYFO8LOuK5husUZEMlZyctvj5dAtUuS9A==;
Received: from mail-lj1-f172.google.com ([209.85.208.172]:42176) by smtp1.cs.Stanford.EDU with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from <klewi@cs.stanford.edu>) id 1qeOHy-0002Nm-D9 for crypto-panel@irtf.org; Thu, 07 Sep 2023 16:19:56 -0700
Received: by mail-lj1-f172.google.com with SMTP id 38308e7fff4ca-2bcc331f942so17914811fa.0 for <crypto-panel@irtf.org>; Thu, 07 Sep 2023 16:19:54 -0700 (PDT)
X-Gm-Message-State: AOJu0Yw00jfHbrAX0eHnV1Ia+AYt90agOlS8phvn7SwKIfcExU2lPGj3 BCqrDHjGwprz8txEeRkmR8x2bmZhyVt1z0RllBI=
X-Google-Smtp-Source: AGHT+IF/P4Fe+Wp2EUM9jschkJPdhyPIX5wrf4J+18wUxvNofjD66erzCbVm//2B8gN072G/IPzB7pvwd4TLvZrL5Ik=
X-Received: by 2002:a05:651c:128d:b0:2bc:dcbe:f566 with SMTP id 13-20020a05651c128d00b002bcdcbef566mr1372263ljc.11.1694128793296; Thu, 07 Sep 2023 16:19:53 -0700 (PDT)
MIME-Version: 1.0
References: <CAMr0u6mQXUk+DiJpKg1vLYMrPw_eMMH_Y0ohLLZU_gGEo7A-jA@mail.gmail.com> <CAGiyFdfsgzd8S4X+ZcnuF0+=A77oQ5iTM33uwb8Qj3v9eHaSzw@mail.gmail.com> <CAMr0u6kxifRMmKHykb+ucGCL1vnOU+6jvdM+-SU_ChRM4Cmq8A@mail.gmail.com> <CAL+7JtQdThQtL99OVqBGHAwPvJaJruTs4tQf+x=buwf4xetNXA@mail.gmail.com> <CAMr0u6=zB_B83x8+RRQERwbmYnTY-6guBYS9T7Hm8FS2umVrfQ@mail.gmail.com> <CAMr0u6kUwP4FQmoFY=grVzpSaKuoKCRG=NWTxSSBFV-V52SeGg@mail.gmail.com> <CH0PR11MB54442C12AA045EA05CDE1D29C11EA@CH0PR11MB5444.namprd11.prod.outlook.com> <CH0PR11MB5444D78CB5932C783941D2ADC1E8A@CH0PR11MB5444.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB5444D78CB5932C783941D2ADC1E8A@CH0PR11MB5444.namprd11.prod.outlook.com>
From: Kevin Lewi <klewi@cs.stanford.edu>
Date: Thu, 07 Sep 2023 16:19:41 -0700
X-Gmail-Original-Message-ID: <CACitvs86GmqxudApcwCc=XLRfgAm_Tu0BB2u9-UtGZ6OvA5kfg@mail.gmail.com>
Message-ID: <CACitvs86GmqxudApcwCc=XLRfgAm_Tu0BB2u9-UtGZ6OvA5kfg@mail.gmail.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>, cfrg@ietf.org
Cc: "Scott Fluhrer (sfluhrer)" <sfluhrer=40cisco.com@dmarc.ietf.org>, "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>, Chloe Martindale <chloemartindale@gmail.com>, Bjoern Tackmann <bjoern.tackmann@ieee.org>, Julia Hesse <juliahesse2@gmail.com>, Julia Hesse <jhs@zurich.ibm.com>, Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>, "cfrg-chairs@ietf.org" <cfrg-chairs@ietf.org>, "crypto-panel@irtf.org" <crypto-panel@irtf.org>, "draft-irtf-cfrg-opaque@ietf.org" <draft-irtf-cfrg-opaque@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000eda8060604cd1851"
X-Scan-Signature: f0e2a97b6e169091ac23c653c4474aa4
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/uoT2ZHQ5ncBGsv5mOUYE3P51P7E>
X-Mailman-Approved-At: Tue, 12 Sep 2023 08:49:34 -0700
Subject: Re: [Crypto-panel] Request for review: OPAQUE
X-BeenThere: crypto-panel@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Review Panel review coordination <crypto-panel.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/crypto-panel/>
List-Post: <mailto:crypto-panel@irtf.org>
List-Help: <mailto:crypto-panel-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Sep 2023 23:20:00 -0000

Hi Scott,

Replies inline:


>
>
>    - The draft mentions that it supports multiple AKE and OPRF
>    algorithms, and that the server may want to select between them (based on
>    hardware support).  However, the client initiates the transaction, and the
>    generation of the KE1 message would appear to require knowledge of the OPRF
>    used; how does the client know this?  Is it communicated out-of-band (say,
>    in the DNS record)?  Is there expected to be a preliminary (outside the
>    protocol) phase where the client asks the server?  Or, does the client take
>    a guess and if the server doesn’t support that, it informs the client of
>    the one it does expect (and if so, from the KE1 message, how does the
>    server know which one the client guessed)?  I couldn’t find any discussion
>    of such issue in the draft, and I don’t believe it would serve the
>    implementors right by having them try to figure this out for themselves.
>       - This question comes up because one scenario I envision for Opaque
>       is “the user has a PC (or tablet or phone) which might not be the PC he
>       registered with, and wants to log into the server using his password.  The
>       PC has no stored information about the server” – how does this work?
>
>
IMO this is outside of the scope of the protocol and the draft. In the
Protocol Overview section, under Setup, we say "Prior to both stages, the
client and server agree on a configuration that fully specifies the
cryptographic algorithm dependencies necessary to run the protocol; see
{{configurations}} for details." In the past we discussed this and decided
to leave it up to the implementers, primarily because there are many ways
this negotiation could happen in practice, and if we pick one format, it
may be suitable for some but not for others.


>
>    - The draft includes support for Ristretto, which is itself currently
>    a CFRG draft. Is it expected that Ristretto will become an RFC before this
>    does?
>
>
Yes. We also have a dependency on voprf, which itself has a dependency on
Ristretto anyways.


>
>    - At one point, the draft uses “RFCXXXX” as a protocol identifier in
>    the preamble; is that expected to be replaced by the assigned RFC number?
>    If so, I would suggest you add instructions to the RFC editors to that
>    effect.
>
>
Done! Put up a PR for this change:
https://github.com/cfrg/draft-irtf-cfrg-opaque/pull/420


>
>    -
>    - Question about 4.1.2: if the DeriveDiffieHellmanKeyPair has a
>    nonzero (but low) failure rate, why doesn’t the Store functionality retry
>    it internally, rather than asking for the server application to perform
>    that logic?  Of course, this would need to include some sanity limit (to
>    prevent a bogus input from causing an infinite loop); IMHO, this is
>    something that the application shouldn’t be tasked with.
>
>
The failure scenario for DeriveDiffieHellmanKeyPair comes from voprf's
"DeriveKeyPair" function:
https://www.ietf.org/archive/id/draft-irtf-cfrg-voprf-21.html#section-3.2.1
which already does the retry logic that you are describing before raising
the error. Presumably it would be unnecessary for us to introduce yet
another layer of a retry loop in DeriveDiffieHellmanKeyPair, no?

Thanks for the comments!

On Tue, Sep 5, 2023 at 10:59 AM Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
wrote:

> Here is my review of the latest Opaque draft:
>
>
>
> It looks pretty good; I do have a few questions and nits:
>
>
>
>    - The draft mentions that it supports multiple AKE and OPRF
>    algorithms, and that the server may want to select between them (based on
>    hardware support).  However, the client initiates the transaction, and the
>    generation of the KE1 message would appear to require knowledge of the OPRF
>    used; how does the client know this?  Is it communicated out-of-band (say,
>    in the DNS record)?  Is there expected to be a preliminary (outside the
>    protocol) phase where the client asks the server?  Or, does the client take
>    a guess and if the server doesn’t support that, it informs the client of
>    the one it does expect (and if so, from the KE1 message, how does the
>    server know which one the client guessed)?  I couldn’t find any discussion
>    of such issue in the draft, and I don’t believe it would serve the
>    implementors right by having them try to figure this out for themselves.
>       - This question comes up because one scenario I envision for Opaque
>       is “the user has a PC (or tablet or phone) which might not be the PC he
>       registered with, and wants to log into the server using his password.  The
>       PC has no stored information about the server” – how does this work?
>    - The draft includes support for Ristretto, which is itself currently
>    a CFRG draft. Is it expected that Ristretto will become an RFC before this
>    does?
>    - At one point, the draft uses “RFCXXXX” as a protocol identifier in
>    the preamble; is that expected to be replaced by the assigned RFC number?
>    If so, I would suggest you add instructions to the RFC editors to that
>    effect.
>    - Question about 4.1.2: if the DeriveDiffieHellmanKeyPair has a
>    nonzero (but low) failure rate, why doesn’t the Store functionality retry
>    it internally, rather than asking for the server application to perform
>    that logic?  Of course, this would need to include some sanity limit (to
>    prevent a bogus input from causing an infinite loop); IMHO, this is
>    something that the application shouldn’t be tasked with.
>
>
>
>
>
>