Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd
Robert Ransom <rransom.8774@gmail.com> Mon, 02 December 2013 19:30 UTC
Return-Path: <rransom.8774@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 344C21ADBFF for <tls@ietfa.amsl.com>; Mon, 2 Dec 2013 11:30:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oGQ1yvRvfbSd for <tls@ietfa.amsl.com>; Mon, 2 Dec 2013 11:30:45 -0800 (PST)
Received: from mail-qa0-x234.google.com (mail-qa0-x234.google.com [IPv6:2607:f8b0:400d:c00::234]) by ietfa.amsl.com (Postfix) with ESMTP id 8AB9B1AC4A7 for <tls@ietf.org>; Mon, 2 Dec 2013 11:30:45 -0800 (PST)
Received: by mail-qa0-f52.google.com with SMTP id k4so4827302qaq.4 for <tls@ietf.org>; Mon, 02 Dec 2013 11:30:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=1QYR5gAoCBStUrtxkJpcgyVJD6RrPJRS9a/ChLgYbeg=; b=bMSyDJIpIPPBQJ7+Dblltd9VC5FxOrPaEJPQvVcsRvmQ+3JfPADQjIo3BFwwRGc4wE ZOCq1k19OFNqIX0GZ2wc018DJqmR7x3zdrttWLVW4Mj2BhwMV/RsYaIPOKDYs6WSfSqE FMDiobFvPaQKjQkzoLeMa+ETzTj62CFoZ5IVr6TKSgtaroOjPj+VmqumhD1tWsCe1aMy /rVgsBdL+qCxLFGaI1BlELxi0L8SAxhTmcwXlANPVm5Ot0YujBdGfZ/7Fa9U+jVUSISh biYzsPCO1u26l3wXM7xG+iJXWK32cvolLtXDFN3YstvK2JzPQzw6Hv5twcKAwd/T5AGT 5EPQ==
MIME-Version: 1.0
X-Received: by 10.49.18.100 with SMTP id v4mr18338565qed.76.1386012642938; Mon, 02 Dec 2013 11:30:42 -0800 (PST)
Received: by 10.229.8.3 with HTTP; Mon, 2 Dec 2013 11:30:42 -0800 (PST)
In-Reply-To: <CACsn0cmtP_dF7N2op4DZUwR8t-fW30GmtdqQoteZ+9Y0oH3dUg@mail.gmail.com>
References: <3065D910-832C-47B6-9E0B-2F8DCD2657D2@cisco.com> <529C990D.3020608@gmail.com> <CACsn0cmtP_dF7N2op4DZUwR8t-fW30GmtdqQoteZ+9Y0oH3dUg@mail.gmail.com>
Date: Mon, 02 Dec 2013 11:30:42 -0800
Message-ID: <CABqy+sqNaDC7nYd7SryPuryHpAHnNg1v2cEVRyBh0rFrQVa8vQ@mail.gmail.com>
From: Robert Ransom <rransom.8774@gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Dec 2013 19:30:47 -0000
On 12/2/13, Watson Ladd <watsonbladd@gmail.com> wrote: > On Mon, Dec 2, 2013 at 6:28 AM, Rene Struik <rstruik.ext@gmail.com> wrote: >> Dear colleagues: >> >> I had a look at draft-ietf-tls-pwd-02. While I do appreciate the work that >> went into this draft, I have to concur with some other commenters (e.g., >> Doug Stebila, Bodo Moeller) that it is unclear what makes this protocol >> special compared to other contenders, both in terms of performance and >> detailed cryptanalysis. One glaring omission is detailed security >> evidence, >> which is currently lacking (cross-referencing some other standards that >> have >> specified the protocol does not by itself imply the protocol is therefore >> secure). I am kind of curious what technical advantages the "Dragonfly" >> protocol has over protocols that seem to have efficiency, detailed and >> crypto community reviewed evidence, such as, e.g., AugPAKE (which is >> another >> TLS-aimed draft) and others. So, if the TLS WG has considered a feature >> comparison, that would be good to share. >> >> I would recommend to ask CFRG to carefully review the corresponding >> irtf-dragonfly-02 document (to my knowledge, there has been no LC and it >> is >> still a draft document there) and align the TLS document >> draft-ietf-tls-pwd-02 document with whatever comes out of that effort >> (currently, there are some security-relevant differences). This time >> window >> could also be used for firming up security rationale, thus aleviating >> concerns on that front. > I do not like the way this standard mixes algorithmic details with > instantiation > details. It makes it hard for me to understand what the protocol actually > is. > I also do not understand why H needs to be a random oracle as opposed to > something we have in the standard model. > > I also do not like the language of "commitment" used. What is sent is > not a Pedersen commitment or any other recognizable commitment. > It is very malleable in ways that make me question the informal security > analysis. I don't see what advantage their ‘committment’ [sic] provides over using standard Diffie-Hellman with a password-derived secret basepoint. All of the protocol's security against offline attacks and impersonation appears to be provided by requiring that both parties' group elements are in the prime-order subgroup. >> b) The probabilistic nature of the "hunting and pecking" procedure may be >> a >> recipe for triggering implementation attacks. Wouldn't one be much better >> off removing dependency on non-deterministic password-to-point mappings >> (e.g., AugPAKE, Icart map, German BSI-password protocol)? > Well, one could use Elligator to solve this problem. The Elligator paper (published in August) cites a PAKE paper from 2001 as a possible use for injective maps. The J-PAKE paper (published in 2008) states that there were no good unpatented PAKE protocols available at the time J-PAKE was published, and even the patented protocols were not secure. Is this protocol related to the 2001 protocol, is that protocol patented, and if so, does that patent cover this protocol? Robert Ransom
- Re: [TLS] Working Group Last Call for draft-ietf-… Douglas Stebila
- [TLS] Working Group Last Call for draft-ietf-tls-… Joseph Salowey (jsalowey)
- Re: [TLS] Working Group Last Call for draft-ietf-… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] Working Group Last Call for draft-ietf-… SeongHan Shin
- Re: [TLS] Working Group Last Call for draft-ietf-… Love Hörnquist Åstrand
- Re: [TLS] Working Group Last Call for draft-ietf-… Love Hörnquist Åstrand
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Love Hörnquist Åstrand
- Re: [TLS] Working Group Last Call for draft-ietf-… SeongHan Shin
- Re: [TLS] Working Group Last Call for draft-ietf-… Ralf Skyper Kaiser
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Ralf Skyper Kaiser
- Re: [TLS] Working Group Last Call for draft-ietf-… oscar.koeroo
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Peter Sylvester
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Rene Struik
- Re: [TLS] Working Group Last Call for draft-ietf-… Watson Ladd
- Re: [TLS] Working Group Last Call for draft-ietf-… Robert Ransom
- Re: [TLS] Working Group Last Call for draft-ietf-… Robert Ransom
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… CodesInChaos
- Re: [TLS] Working Group Last Call for draft-ietf-… Rene Struik
- Re: [TLS] Working Group Last Call for draft-ietf-… Watson Ladd
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Watson Ladd
- Re: [TLS] Working Group Last Call for draft-ietf-… Mohamad Badra
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Mohamad Badra
- Re: [TLS] Working Group Last Call for draft-ietf-… Eric Rescorla
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Watson Ladd
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Robert Ransom
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Mohamad Badra
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… SeongHan Shin
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… SeongHan Shin
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… SeongHan Shin
- Re: [TLS] Working Group Last Call for draft-ietf-… Watson Ladd
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… CodesInChaos
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Joseph Birr-Pixton
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Ralf Skyper Kaiser
- Re: [TLS] Working Group Last Call for draft-ietf-… Manuel Pégourié-Gonnard
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Ralf Skyper Kaiser
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins