[Hipsec] Using a PAKE within HIP for enrollment

Robert Moskowitz <rgm@htt-consult.com> Wed, 27 July 2016 13:20 UTC

Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 9910412D7A8 for <hipsec@ietfa.amsl.com>; Wed, 27 Jul 2016 06:20:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.488
X-Spam-Status: No, score=-5.488 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id fnJW3n2brdEx for <hipsec@ietfa.amsl.com>; Wed, 27 Jul 2016 06:20:00 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 278C112D79D for <hipsec@ietf.org>; Wed, 27 Jul 2016 06:20:00 -0700 (PDT)
Received: from localhost (localhost []) by z9m9z.htt-consult.com (Postfix) with ESMTP id 2C52762239 for <hipsec@ietf.org>; Wed, 27 Jul 2016 09:19:59 -0400 (EDT)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([]) by localhost (z9m9z.htt-consult.com []) (amavisd-new, port 10024) with LMTP id u37USUKk1-lb for <hipsec@ietf.org>; Wed, 27 Jul 2016 09:19:54 -0400 (EDT)
Received: from lx120e.htt-consult.com (unknown []) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id B7BF0621B0 for <hipsec@ietf.org>; Wed, 27 Jul 2016 09:19:53 -0400 (EDT)
To: HIP <hipsec@ietf.org>
From: Robert Moskowitz <rgm@htt-consult.com>
Message-ID: <76ef2589-9016-cdde-afb2-99224327effd@htt-consult.com>
Date: Wed, 27 Jul 2016 06:19:49 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/xWu7__z2F4xF0SMr0bOQJeJ-49U>
Subject: [Hipsec] Using a PAKE within HIP for enrollment
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2016 13:20:01 -0000

I am looking at a HIT enrollment function using 5403-bis.  But why 
should the Registrar accept the Register.  This is our basic need of an 
Out-off-Band process to trust an enrollment.

So assume that some process establishes a PSK between the two parties.  
Perhaps a failed enrollment that sent the phone's # that returns an SMS 
message with the PSK.  The enrollment then grabs that PSK and uses a 
PAKE HIP parameter for authentication.  This would be stronger than what 
I have in DEX...

I would like to get the draft done this week, or early next week.  It is 
mostly written.  But I need to put in the trust for the enrollment.  I 
can either lift what I have in DEX, or go with one of the PAKE efforts 
in CFRG.  But which one and how would it work in HIP BEX/DEX?