Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd

Trevor Perrin <trevp@trevp.net> Thu, 05 December 2013 20:42 UTC

In-Reply-To: <7c8448fa356f5d764186ca62552efb1d.squirrel@www.trepanning.net>
Date: Thu, 5 Dec 2013 12:42:29 -0800
Message-ID: <CAGZ8ZG3HwTe0gvrrieYAVZZSd=xfU9GWYo1YHMHWmD9c+EsxbQ@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Dan Harkins <dharkins@lounge.org>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd

On Thu, Dec 5, 2013 at 10:40 AM, Dan Harkins <dharkins@lounge.org> wrote:
>
>
> On Thu, December 5, 2013 10:01 am, Trevor Perrin wrote:
>> On Thu, Dec 5, 2013 at 9:15 AM, Dan Harkins <dharkins@lounge.org> wrote:
>>>
>>> On Thu, December 5, 2013 3:48 am, Bodo Moeller wrote:
>>>> Dan Harkins <dharkins@lounge.org>:
>>>>
>>>>> The exchange was reviewed by the CFRG with, as Joe noted, satisfactory
>>>>> results.
>>>>
>>>>
>>>> While it is true that Joe noted that, I think the point of the present
>>>> discussion is that the protocol wasn't actually reviewed by the CFRG
>>>> with
>>>> satisfactory results.
>>>
>>>   No, that's not really true.  There is a difference between "your
>>> protocol has not been proven secure" and "your protocol has a security
>>> flaw". And while the former has been pointed out on this list and the
>>> CFRG list, the latter has not.
>>
>> Yes, it has.  Bodo pointed out a security flaw.
>
>   You should read the entire email before you respond to it. Like the
> very next 6 lines.

I did.  Bodo pointed out a security flaw, despite your attempts to spin it.


>>>   The present discussion on the list boils down to these subjects:
>>>
>>>   1) there's no security proof and that is unacceptable (Rene, Watson)
>>>   2) there's nothing special about this protocol so why don't you (being
>>>       me) spend your time working on something else that we (Rene,
>>>       Watson) think is better.
>>>   3) the TLS-pwd benefits and your use cases are not compelling to
>>>       me (Trevor).
>>>
>>> The response to #1 is that security proofs have never been required
>>> and we have standards-track protocols today that are susceptible to
>>> offline dictionary attack (every PSK cipher suite). So it's an appeal to
>>> a process that does not exist.
>>
>> As Watson points out, times have changed and the bar is higher now.
>
>   You are appealing to a process that does not exist.

The process for acquiring trust in new cryptographic algorithms is
widely understood to involve (A) rigorous security proofs, and (B)
successfully withstanding years of cryptanalysis (particularly
important if lacking A).

You have neither.


>>> The response to #2 is that lack of implementation of these other
>>> protocols has been hampered by patents
>>
>> See the discussion around SRP that occurred when you first presented
>> this.  Any patent FUD which *might* have existed, once, has expired:
>>
>> http://www.ietf.org/mail-archive/web/tls/current/msg08203.html
>> http://www.ietf.org/mail-archive/web/tls/current/msg08191.html
>
>   Yes I am aware that the original EKE patent expired. But EKE cannot be
> used with elliptic curves.

Not true; for example, see Hamburg and Bernstein's Elligator 2 [1],
which could be used as the basis for a DH-EKE style PAKE.


>>> The response to #3 is: so? There is rarely uniformity in viewpoints
>>> as everyone's experience is different. Now there's a choice and if
>>> the benefits of one are not compelling then be happy you can
>>> choose the other.
>>
>> The benefits of *both* are uncompelling.  The low uptake of TLS/SRP
>> has nothing to do with this draft's cryptographic differences.  It has
>> to do with architectural issues with the approach, which your draft
>> does not improve on.
>
>   You are free to not use this protocol as well if you do not find it
> compelling.

We should not standardize protocols which are inferior to existing
ones and to newer alternatives, have insufficient cryptographic
analysis, have no application, and have no support in the WG beside
the draft authors and the NSA [2].

I remain opposed.


Trevor

[1] https://eprint.iacr.org/2013/325.pdf
[2] http://www.ietf.org/mail-archive/web/tls/current/msg08371.html
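The message above points to Elligator 2 as the ingredient that lets an EKE-style PAKE run on an elliptic curve: the map turns an arbitrary field element into a curve point, so a Diffie-Hellman share can be carried as a uniformly random-looking string that an offline guesser cannot distinguish from garbage. The following is an added example, not code from the thread or from the Elligator authors; it implements the forward map over Curve25519 (p = 2^255-19, A = 486662, non-square u = 2 taken from the curve's standard parameters) and checks that the output really lands on the curve.

```python
# Elligator 2 forward map on Curve25519: y^2 = x^3 + A*x^2 + x over F_p.
# Added illustration; constants are the published Curve25519 parameters.
P = 2**255 - 19
A = 486662
U = 2  # fixed non-square in F_p used by the Curve25519 instantiation

def legendre(a):
    """Euler criterion: 1 for a non-zero square, -1 for a non-square, 0 for 0."""
    a %= P
    if a == 0:
        return 0
    return 1 if pow(a, (P - 1) // 2, P) == 1 else -1

def sqrt_mod_p(a):
    """Square root for P = 5 (mod 8); returns None when a is not a square."""
    a %= P
    x = pow(a, (P + 3) // 8, P)          # candidate root
    if (x * x - a) % P != 0:
        x = (x * pow(2, (P - 1) // 4, P)) % P  # multiply by sqrt(-1)
    return x if (x * x - a) % P == 0 else None

def on_curve(x, y):
    """True when (x, y) satisfies the Montgomery curve equation."""
    return (y * y - (x**3 + A * x * x + x)) % P == 0

def elligator2_map(r):
    """Map a field element r to an affine point; r and -r give the same point."""
    r %= P
    # 1 + U*r^2 is never zero mod P because -1/U is a non-square.
    v = (-A * pow(1 + U * r * r, P - 2, P)) % P
    e = legendre(v**3 + A * v * v + v)     # e is +1 or -1 (A^2 - 4 is non-square)
    x = (e * v - (1 - e) * A * pow(2, P - 2, P)) % P
    y = sqrt_mod_p(x**3 + A * x * x + x)
    assert y is not None, "Elligator 2 guarantees x^3 + A x^2 + x is a square"
    return x, (-e * y) % P

if __name__ == "__main__":
    for r in (0, 1, 2, 12345):
        x, y = elligator2_map(r)
        print(r, on_curve(x, y))
```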