Re: [TLS] Fwd: New Version Notification for draft-barnes-tls-pake-00.txt

Richard Barnes <> Fri, 13 April 2018 18:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 73AFD127775 for <>; Fri, 13 Apr 2018 11:50:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ik4MjfYysItn for <>; Fri, 13 Apr 2018 11:50:07 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4003:c0f::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3CDF9127601 for <>; Fri, 13 Apr 2018 11:50:07 -0700 (PDT)
Received: by with SMTP id i5-v6so1492650oth.1 for <>; Fri, 13 Apr 2018 11:50:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=SL7q2BszXqXC/PEnvjBKtljdZAQ6Pek9mgOlqyyuQqw=; b=Z8CVksf/Mbx/Nxg029nFnTJkJRVX6RtsS0EFkgGXPaTm9p1SaMvIgoL5e/tcrWAkP4 3dLRvDU8iflJFzEWo4ERmN9zw/ZPATpVAH2q/e9x0941b2fFE9w3byBm+zDgp1IPlYYs DlNn7cXf/1wp7RHQwVxD2cDt0yn/HzOrgdAe+NdkkJDHyaPFl6Ev9GVNyYdndFO+n0uL 75YULUkhq2HpNYodfeqNM9D1tNWGNb9UA7r4Lrnerqo0z37WRDVNJgiCm6w79KXgzf7m tp2lpy2Fn1I2sI2UZw3fHxbSg2iT4i0nz0hhcIWEAQN8l82hVnMAdU6khbBBGMobjuCE pGbg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=SL7q2BszXqXC/PEnvjBKtljdZAQ6Pek9mgOlqyyuQqw=; b=WMlatJk+IIa9gbPl1D4MWyjH1sQndzLtYcO4sn/gHgd6yV1cNe6U+d9+ri4XPAneSS KQm3emAKsZi4lOYOr/uiekIjMe5pRfqdZbF1RNzdzX7hlXDoGed2emC8p0LXzeN/ikEF aoUdrPo8c5QUqzkuC+QjiZHIVLrGOBGoDZOHM3yB7eRAGWt4IAGOXcDDFuOMZFqHdb9v FT1zEgOalBV+i1zJJfNSlBRuNlwCpZzzRdRDNRehQOnh7KP/9oHcS/dwud22P4b1ebqy Vhf94tU0VR/HHZjNraJeQm7MSmG8grjMu2j1jL3/C8YWeo7iSJ5lFkTdXq593f7ouRyP ZcMA==
X-Gm-Message-State: ALQs6tD2zLwRy24d9hw4h1b1697qgxGhy+rxVYYmnUBGrOGvMmMsY13I IKSQVqx08OYegSr1JEiPHjw6wac8kBrG3M8ZHh9enwgl8qw=
X-Google-Smtp-Source: AIpwx4++UEG2wMacloGxLflNgtG6WBdCPsUwzu2JgpXLUszCpPA827hyZX/yHjHTKrKLGm7PKAfRsYng1YZ2TOqBLKU=
X-Received: by 2002:a9d:1361:: with SMTP id q30-v6mr4592351otq.103.1523645406188; Fri, 13 Apr 2018 11:50:06 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Fri, 13 Apr 2018 11:50:05 -0700 (PDT)
In-Reply-To: <>
References: <> <> <>
From: Richard Barnes <>
Date: Fri, 13 Apr 2018 14:50:05 -0400
Message-ID: <>
To: Tony Putman <>
Cc: "<>" <>, Benjamin Kaduk <>, Watson Ladd <>
Content-Type: multipart/alternative; boundary="0000000000003378650569bf577b"
Archived-At: <>
Subject: Re: [TLS] Fwd: New Version Notification for draft-barnes-tls-pake-00.txt
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 13 Apr 2018 18:50:11 -0000

Hey Tony,

Thanks for the comments.  Hopefully we can adapt this document to tick more
boxes for you :)  Since I had noticed some other errors in the document
(e.g., figures not rendering properly), I went ahead and submitted a new
version that takes these comments into account.

Some responses inline below.

On Thu, Apr 12, 2018 at 9:23 AM, Tony Putman <> wrote:

> Hi Richard,
> I work in the IoT space and am interested in handshakes that involve
> little computation but offer better protection than symmetric PSK in the
> event of server breach.
> *From:* TLS [] *On Behalf Of *Richard Barnes
> *Sent:* 11 April 2018 15:54
> […]
> We would love to hear any feedback on the approach proposed here, and on
> whether other people here would be interested in working on a PAKE
> mechanism for TLS in this working group.
> […]
> I was interested in this draft as it seemed to tick some boxes, and I
> offer some comments below. But in the end I don't think it offers what I'm
> looking for, so I can't offer to help with it in its current form.
> My main comment is that I disagree with the assertion in section 3 that
> "w" is effectively a salted password hash. An attacker who obtains "w" can
> impersonate the client to the server, so it is equivalent to a password.
> The only advantage is that a server breach cannot be extended to other
> servers where the user uses the same password, but different salts are
> used. It seems to me that SPAKE2+ prevents this, so perhaps this should be
> used instead.
> Secondly, SPAKE2 is fitted to the TLS 1.3 handshake by forcing the client
> to know the salt. This seems unreasonable to me unless there is also some
> mechanism to retrieve the salt from the server. Could the salt be a hash of
> client identity and server identity? (I suspect there is not enough entropy
> in this). But in any case I think this is an issue which must be addressed
> in the draft.

I'm not a cryptographer, but it seems to me that combining the client and
server identities would probably provide enough salt.  After all, the idea
of salt is just to make add a small degree of multiplicity to the hash.

Your point about SPAKE2+ / having the server only store public keys is
probably superseding, though.  I agree that we should try to arrange this
protocol so that the server only has to store a verifier value, but it's
not totally clear whether SPAKE2+ is needed, or whether we can use SPAKE2
and just have the server cache w*N.  After all, both w and N are fixed over
multiple runs of the protocol, so it doesn't seem like there's much benefit
to storing w and not w*N.

Given all that, I think my proposal would be:

- w = H( client identity || SNI || password ) (probably by extending the
IdentifierAndPassword struct that's in the document now)
- Client stores w or takes identities/password as input
- Server stores w*N

Maybe Ben or Watson (CCed) could comment on whether this approach seems

> Why does the draft need to specify what the identity of the server is? It
> doesn't seem to be used.

The identity field that the server sends isn't intended to be the server's
identity, but rather to indicate which of the client's offered identities
the server has selected.  The design pattern here is the same as the
key_share extension in TLS 1.3, where the server sends back a (group, key
share) pair, and the group identifies which of the client's shares the
server is using.

> Would it be helpful to send a list of SPAKE2Shares in ClientHello? For
> example, if the application layer protocol is being negotiated, would it be
> necessary to supply shares for multiple protocols? Alternatively, if the
> client and/or server support multiple pre-provisioned values (G, M, N, H),
> how would this be signalled/managed? And would there be associated security
> concerns?

The ClientHello extension in the document (SPAKE2ClientHello) already
allows the client to send multiple SPAKE2Shares.  Note, however, that the
only thing that can be negotiated is which identity/password is to be
used.  The current document assumes that the group (and thus G, M, N) and
the hash function (H) are fixed / pre-negotiated based on the identity.

I can understand why people might want negotiation, but it does seem safer
to me to only ever use a given password with the same group and hash.  It's
also consistent with the "server stores w*N" approach above.

> It is worth noting explicitly somewhere that x and y should have the same
> ephemeral characteristics as are used by the key_share elements, and that
> if this is followed then forward secrecy is provided by SPAKE2.


> IMHO "w" should not be used as the PSK input. If somebody gets hold of a
> derived key (e.g. early_exporter_master_secret) then the low entropy of "w"
> may allow it to be recovered. "K" provides all that's needed for key
> derivation.
Agreed.  Using "w" in the key schedule also means that the server has to
have it.  As noted above, this is bad.

> The draft should recommend somewhere (security section?) that H should be
> suitable for password hashing (e.g. Argon2) and not a standard hash
> function. This is particularly true if my earlier suggestion to use SPAKE2+
> is followed.



> Regards,
> Tony
> Dyson Technology Limited, company number 01959090, Tetbury Hill,
> Malmesbury, SN16 0RP, UK.
> This message is intended solely for the addressee and may contain
> confidential information. If you have received this message in error,
> please immediately and permanently delete it, and do not use, copy or
> disclose the information contained in this message or in any attachment.
> Dyson may monitor email traffic data and content for security & training.