Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd
Watson Ladd <watsonbladd@gmail.com> Tue, 03 December 2013 18:08 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85B231AD943 for <tls@ietfa.amsl.com>; Tue, 3 Dec 2013 10:08:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1
X-Spam-Level:
X-Spam-Status: No, score=-1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kuYAI0D5KdUT for <tls@ietfa.amsl.com>; Tue, 3 Dec 2013 10:08:50 -0800 (PST)
Received: from mail-wg0-x236.google.com (mail-wg0-x236.google.com [IPv6:2a00:1450:400c:c00::236]) by ietfa.amsl.com (Postfix) with ESMTP id 6CD3C1AD6D2 for <tls@ietf.org>; Tue, 3 Dec 2013 10:08:50 -0800 (PST)
Received: by mail-wg0-f54.google.com with SMTP id n12so12621923wgh.21 for <tls@ietf.org>; Tue, 03 Dec 2013 10:08:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=K42ToFJsc81RY/dVkCNdjgyHehvrmtOwNkodBYWmIc4=; b=OFnuI7ocBhrAtEpR/VhPTuXuOJ9gNDr4mj7XGOF3df41Qk9R9RW3FdSRjNMddb+CON B/kszSvsLRwkRwwrSuC82x93E7beK7jESnxtFFyzpWnPYGzmCXDk0kLip2IWl4i5Sikt 0xtEBKtOaWHeHcgHXXfaQq2e7Q0jMjl0H+8LV/y82J8EVgaoL/Km5DUG+b2V6NsrtFVD oN0swRegIqZrb7xRWhcJBbg4JDBfIQpGEZcKLeQl5Nsx/bhoRA96//iX2kNRHXiFNbup xOTsccjyl2/q1f7ycDAkVmlt75sDgf6cveQa5ArwWa16abiYo69CfAhhgQEUTt8bJ3Uj xbiQ==
MIME-Version: 1.0
X-Received: by 10.194.250.100 with SMTP id zb4mr8527561wjc.62.1386094127144; Tue, 03 Dec 2013 10:08:47 -0800 (PST)
Received: by 10.194.242.131 with HTTP; Tue, 3 Dec 2013 10:08:47 -0800 (PST)
In-Reply-To: <14e67efee74d2ec6d535f6750ed829db.squirrel@www.trepanning.net>
References: <3065D910-832C-47B6-9E0B-2F8DCD2657D2@cisco.com> <529C990D.3020608@gmail.com> <CACsn0cmtP_dF7N2op4DZUwR8t-fW30GmtdqQoteZ+9Y0oH3dUg@mail.gmail.com> <a4b1729af4966e99df1582943f02a0a8.squirrel@www.trepanning.net> <CACsn0cksrU2GErd6FkZPkXKXK4pSJhTbBoJ-0C-14jsM=UY2iQ@mail.gmail.com> <14e67efee74d2ec6d535f6750ed829db.squirrel@www.trepanning.net>
Date: Tue, 03 Dec 2013 10:08:47 -0800
Message-ID: <CACsn0c=PnB2CA8rpNtcOp6RRLNWHEPN-aN+AdWSF7FJM2wZOog@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Dan Harkins <dharkins@lounge.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Dec 2013 18:08:53 -0000
On Tue, Dec 3, 2013 at 9:41 AM, Dan Harkins <dharkins@lounge.org> wrote: > > On Tue, December 3, 2013 8:12 am, Watson Ladd wrote: >> On Tue, Dec 3, 2013 at 12:50 AM, Dan Harkins <dharkins@lounge.org> wrote: >>> >>> On Mon, December 2, 2013 8:40 am, Watson Ladd wrote: >>>> On Mon, Dec 2, 2013 at 6:28 AM, Rene Struik <rstruik.ext@gmail.com> >>>> wrote: >>>>> Dear colleagues: >>>>> >>>>> I had a look at draft-ietf-tls-pwd-02. While I do appreciate the work >>>>> that >>>>> went into this draft, I have to concur with some other commenters >>>>> (e.g., >>>>> Doug Stebila, Bodo Moeller) that it is unclear what makes this >>>>> protocol >>>>> special compared to other contenders, both in terms of performance and >>>>> detailed cryptanalysis. One glaring omission is detailed security >>>>> evidence, >>>>> which is currently lacking (cross-referencing some other standards >>>>> that >>>>> have >>>>> specified the protocol does not by itself imply the protocol is >>>>> therefore >>>>> secure). I am kind of curious what technical advantages the >>>>> "Dragonfly" >>>>> protocol has over protocols that seem to have efficiency, detailed and >>>>> crypto community reviewed evidence, such as, e.g., AugPAKE (which is >>>>> another >>>>> TLS-aimed draft) and others. So, if the TLS WG has considered a >>>>> feature >>>>> comparison, that would be good to share. >>>>> >>>>> I would recommend to ask CFRG to carefully review the corresponding >>>>> irtf-dragonfly-02 document (to my knowledge, there has been no LC and >>>>> it >>>>> is >>>>> still a draft document there) and align the TLS document >>>>> draft-ietf-tls-pwd-02 document with whatever comes out of that effort >>>>> (currently, there are some security-relevant differences). This time >>>>> window >>>>> could also be used for firming up security rationale, thus aleviating >>>>> concerns on that front. >>>> I do not like the way this standard mixes algorithmic details with >>>> instantiation >>>> details. It makes it hard for me to understand what the protocol >>>> actually >>>> is. >>>> I also do not understand why H needs to be a random oracle as opposed >>>> to >>>> something we have in the standard model. >>> >>> It is difficult to understand how to act on this comment. The >>> specification >>> is of a cipher suite added to an existing protocol and as such has to >>> "mix" the >>> details of the underlying key exchange with the structure and format of >>> the >>> protocol it is being added to. It is not a high-level description of the >>> algorithm, >>> it is a description of how to implement the key exchange as a TLS cipher >>> suit. >> What protocol is this standard implementing? Where is it documented? Where >> is >> the security proof? > > Do you have a specific comment on the draft itself? "I don't like it" is an > unactionable editorial comment. Yes: the draft is unacceptable from a cryptographic perspective because has a protocol that has not faced formal analysis or review by the cryptographic community, is not clearly presented, and has no analysis worthy of the name. The action is to write the protocol, formally prove it correct, submit the paper to a conference wait a few years, and then say "well, this works". Or use a theorem verifier to shorten the time. Rene Struik, Robert Ransom, and I all have the same opinion on the merits of this protocol: questionable at best. I believe this should be sufficient to prevent this draft from becoming a standard. > >>>> I also do not like the language of "commitment" used. What is sent is >>>> not a Pedersen commitment or any other recognizable commitment. >>>> It is very malleable in ways that make me question the informal >>>> security >>>> analysis. >>> >>> Of course it's a recognizable commitment because it allows the sender >>> to commit to a particular value (the password) without exposing it to >>> anyone else. >> The sender is committed to the password, but not to the value of the PE >> point. > > There is a one-to-one mapping of password (plus username and salt) > and point. If one is committed to the password, he's committed to the > point. No, because the point might not be from a password. He might not be able to show a password going to the point that he claims he was committed to, but that doesn't necessarily matter. Without a proof we have no idea how much it matters. Reading the draft I don't think the password needs to be guessed or known, but the point itself, and the attacker isn't bound to a choice of point. > >> This is noted in the "security analysis" section, but absent a proof I >> can't tell you >> that it doesn't matter. The security analysis section reads like a >> bunch of attacks >> were tried and failed. All that shows is *you* couldn't break it, not >> that anyone else >> couldn't. >>> >>>>> Two final comments: >>>>> a) It is unclear why one should hard code in the draft that elliptic >>>>> curves >>>>> with co-factor h>1 would be ruled out. After all, this would make it >>>>> much >>>>> harder to extend the reach of the draft to prime curves with co-factor >>>>> larger than one and to binary curves. >>>> I think the authors wanted to specify secure curves and haddn't the >>>> slightest to do it right. >>> >>> (Note: I always like to have my intelligence questioned with a >>> statement >>> that has multiple grammatical errors). >> It's not your intell > > Again, thank you for that comment. > As I ment to say, but due to an editing failure did not, it is not your intelligence I am questioning but your ability to do cryptographic work. The present draft shows no evidence of it. Of course, it turns out that you weren't attempting to specify secure curves, but unpatented ones. But all that matter is one curve has one implementation not reached by patents, not that the standard can only be used with unpatented implementations >>> As I mentioned to Rene, the reason for limiting the curves to those >>> over a prime field with a co-factor of 1 is to avoid the patent mine >>> field. >> What mine field? What is so patented about cofactor>1 over prime field? >> For binary curves I agree. > > There are plenty of patents that deal with acceleration when the > cofactor is > 1 or deal with verification of received elements when > the cofactor is > 1. I just don't want to deal with it. And so you preemptively limit the ability of implementers to use Ed25519 if they feel confident that it is not patented, or they don't need the "acceleration" that you claim is patented. It might be worthwhile to say everyone support P256 so we can interoperate, but why rule out particular instantiations a priori? I just don't get the rationale here. > >> But why not use whatever curve > TLS specifies? >> Also, why not use the existing mechanisms to deal with implementation >> limits >> caused by patents? > > What mechanisms _speciifcally_ is TLS-pwd doing that is causing you > to say this? It uses the existing mechanisms provided by the base TLS > protocol to convey the group to use. Again, I don't know how to address > a comment that says to change the protocol to do what it already does. > >>>> Weierstrauß form has big problems: Edwards is much better from an >>>> implementation security >>>> perspective. Cofactor isn't enough: you also need high embedding >>>> degree, big discriminant, >>>> or you could just use curves we agree are good instead of reinventing >>>> the >>>> wheel. > > "[U]se curves we all agree are good instead of reinventing the wheel"? Now > I'm starting to think you didn't even read the draft. We do not need 3 different places in the TLS handshake containing EC curve parameters. When a TLS client implementing this protocol talks to a server, it will send this extension with EC parameters, as well as EC parameters for the extensions permitting EC ciphersuites to be used, as well as special TLS ciphers saying it can use EC. This is ridiculous. Any gains from specifying the curves are lost because of the strong restrictions on shape. It's entirely possible that this is the best possible result given the current state of TLS, and my objection to the mechanism is not strong: my strong objection is from the lack of serious cryptographic effort in this draft and that we have no idea how strong this protocol is. > > Dan. > >>>> Higher order protocols should be group agnostic.This prevents a major >>>> problem when >>>> Joux comes up with something new. >>> >>> It specifies a single group for interoperability purposes. It's >>> "crypto >>> agility" is inherited from TLS. >>> >>> Dan. >>> >>>>> b) The probabilistic nature of the "hunting and pecking" procedure may >>>>> be a >>>>> recipe for triggering implementation attacks. Wouldn't one be much >>>>> better >>>>> off removing dependency on non-deterministic password-to-point >>>>> mappings >>>>> (e.g., AugPAKE, Icart map, German BSI-password protocol)? >>>> Well, one could use Elligator to solve this problem. >>>>> >>>>> Best regards, Rene >>>>> >>>>> >>>>> On 11/7/2013 8:11 PM, Joseph Salowey (jsalowey) wrote: >>>>>> >>>>>> This is the beginning of the working group last call for >>>>>> draft-ietf-tls-pwd-01. The underlying cryptographic protocol for >>>>>> TLS-PWD >>>>>> has been reviewed by the IRTF CFRG group with satisfactory results. >>>>>> The >>>>>> document needs particular attention paid to the integration of this >>>>>> mechanism into the TLS protocol. Please send comments to the TLS >>>>>> list >>>>>> by >>>>>> December 2, 2013. >>>>>> >>>>>> - Joe >>>>>> (For the TLS chairs) >>>>>> _______________________________________________ >>>>>> TLS mailing list >>>>>> TLS@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/tls >>>>> >>>>> >>>>> >>>>> -- >>>>> email: rstruik.ext@gmail.com | Skype: rstruik >>>>> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363 >>>>> >>>>> >>>>> _______________________________________________ >>>>> TLS mailing list >>>>> TLS@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/tls >>>> >>>> >>>> >>>> -- >>>> "Those who would give up Essential Liberty to purchase a little >>>> Temporary Safety deserve neither Liberty nor Safety." >>>> -- Benjamin Franklin >>>> _______________________________________________ >>>> TLS mailing list >>>> TLS@ietf.org >>>> https://www.ietf.org/mailman/listinfo/tls >>>> >>> >>> >> >> >> >> -- >> "Those who would give up Essential Liberty to purchase a little >> Temporary Safety deserve neither Liberty nor Safety." >> -- Benjamin Franklin >> > -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- Re: [TLS] Working Group Last Call for draft-ietf-… Douglas Stebila
- [TLS] Working Group Last Call for draft-ietf-tls-… Joseph Salowey (jsalowey)
- Re: [TLS] Working Group Last Call for draft-ietf-… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] Working Group Last Call for draft-ietf-… SeongHan Shin
- Re: [TLS] Working Group Last Call for draft-ietf-… Love Hörnquist Åstrand
- Re: [TLS] Working Group Last Call for draft-ietf-… Love Hörnquist Åstrand
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Love Hörnquist Åstrand
- Re: [TLS] Working Group Last Call for draft-ietf-… SeongHan Shin
- Re: [TLS] Working Group Last Call for draft-ietf-… Ralf Skyper Kaiser
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Ralf Skyper Kaiser
- Re: [TLS] Working Group Last Call for draft-ietf-… oscar.koeroo
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Peter Sylvester
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Rene Struik
- Re: [TLS] Working Group Last Call for draft-ietf-… Watson Ladd
- Re: [TLS] Working Group Last Call for draft-ietf-… Robert Ransom
- Re: [TLS] Working Group Last Call for draft-ietf-… Robert Ransom
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… CodesInChaos
- Re: [TLS] Working Group Last Call for draft-ietf-… Rene Struik
- Re: [TLS] Working Group Last Call for draft-ietf-… Watson Ladd
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Watson Ladd
- Re: [TLS] Working Group Last Call for draft-ietf-… Mohamad Badra
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Mohamad Badra
- Re: [TLS] Working Group Last Call for draft-ietf-… Eric Rescorla
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Watson Ladd
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Robert Ransom
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Mohamad Badra
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… SeongHan Shin
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… SeongHan Shin
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… SeongHan Shin
- Re: [TLS] Working Group Last Call for draft-ietf-… Watson Ladd
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… CodesInChaos
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Joseph Birr-Pixton
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Ralf Skyper Kaiser
- Re: [TLS] Working Group Last Call for draft-ietf-… Manuel Pégourié-Gonnard
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Ralf Skyper Kaiser
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins