Re: [TLS] [Cfrg] Review of Dragonfly PAKE

"Dan Harkins" <> Wed, 11 December 2013 23:04 UTC


On Wed, December 11, 2013 2:34 pm, Trevor Perrin wrote:
> On Wed, Dec 11, 2013 at 2:07 PM, Dan Harkins <> wrote:
>> On Wed, December 11, 2013 11:50 am, Trevor Perrin wrote:
>>> On Tue, Dec 10, 2013 at 5:35 PM, Dan Harkins <> wrote:
>> [snip]
>>>>   It makes little sense to negotiate a 256-bit or even a 128-bit
>>>> cipher or a hash algorithm with a 256-bit or 512-bit digest size
>>>> when the domain parameter set is fixed to a 1024-bit FFC group.
>>>> What makes sense is to allow for negotiation of a 4096-bit FFC
>>>> group or a 256-bit ECC group along with your AES-GCM-128
>>>> with key derivation using HMAC-256.
>>> It makes little sense to use a 1024-bit FFC group in any circumstances
>>> because (pardon me, Kevin) - fuck the NSA.
>>   That certainly is a fashionable pose to strike these days!
>>   But I brought up binding a 1024-bit FFC to a password because that's
>> what an RFC with your name on it does.
> RFC 5054 has a range of DH groups.  I would've preferred not to
> include the lower-strength ones.
> Care to respond to any other points, or can we assume Dragonfly is
> debunked at this point?

  Your post was a series of personal opinions that were caveated with
things like "I'm not qualified to assess this argument" and "Perhaps I'm
wrong." You restated your preference favoring augmented PAKEs for the
umpteenth time-- "I prefer the security benefit of augmented PAKE"--
and for the umpteenth plus one time-- "I think augmented PAKEs
are preferable." And you called dragonfly "gimmicky" and "a bad PAKE".

  I already responded to the points you raised originally. You replied with
a bunch of opinions. I'll just let those stand.

  Debunked? Ha ha. You sure think highly of yourself.
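The strength-matching argument in the quoted paragraph (a 1024-bit FFC group as the weak link under a 128-bit cipher and a 256-bit hash, versus a 4096-bit FFC or 256-bit ECC group), as an added Python example that is not code from this thread or from the Dragonfly drafts: it maps each negotiated component to its comparable security strength using the NIST SP 800-57 Part 1 equivalence table (assumed reference; 4096-bit FFC is not a table row, so it conservatively counts at the 3072-bit level) and reports whether the key-exchange group drags the suite below its cipher and hash.

```python
from dataclasses import dataclass

# Comparable security strength in bits, per NIST SP 800-57 Part 1 (assumed
# reference). Each row is (parameter size in bits, strength in bits).
FFC_STRENGTH = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]
ECC_STRENGTH = [(160, 80), (224, 112), (256, 128), (384, 192), (512, 256)]


def group_strength(kind: str, bits: int) -> int:
    """Conservative strength of a DH group: the largest table row whose
    size does not exceed the group size. Returns 0 below the weakest row."""
    table = {"ffc": FFC_STRENGTH, "ecc": ECC_STRENGTH}[kind]
    strength = 0
    for size, bits_of_security in table:
        if bits >= size:
            strength = bits_of_security
    return strength


@dataclass
class Suite:
    """A constructed negotiated suite: group kind/size, AEAD key size,
    digest size of the hash used for key derivation."""
    group_kind: str
    group_bits: int
    cipher_key_bits: int
    hash_digest_bits: int


def assess(suite: Suite) -> dict:
    """Return per-component strengths, the effective (minimum) strength,
    the weakest component, and whether the group is below the rest."""
    parts = {
        "group": group_strength(suite.group_kind, suite.group_bits),
        "cipher": suite.cipher_key_bits,          # symmetric key size
        "hash": suite.hash_digest_bits // 2,      # collision resistance
    }
    return {
        "components": parts,
        "effective": min(parts.values()),
        "weakest": min(parts, key=parts.get),
        "group_is_weak_link": parts["group"] < min(parts["cipher"], parts["hash"]),
    }


if __name__ == "__main__":
    for s in (Suite("ffc", 1024, 128, 256), Suite("ffc", 4096, 128, 256),
              Suite("ecc", 256, 128, 256)):
        print(s, assess(s))
```

For the suites in the quoted text, the 1024-bit FFC group caps the whole suite at 80 bits while AES-128 and SHA-256 each give 128, whereas the 4096-bit FFC and 256-bit ECC groups line up with the cipher and hash.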