Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd
"Dan Harkins" <dharkins@lounge.org> Tue, 03 December 2013 08:50 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C22B91AE0D2 for <tls@ietfa.amsl.com>; Tue, 3 Dec 2013 00:50:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.867
X-Spam-Level:
X-Spam-Status: No, score=-3.867 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 263aP5rkU1DC for <tls@ietfa.amsl.com>; Tue, 3 Dec 2013 00:50:43 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 43D8D1AE0D1 for <tls@ietf.org>; Tue, 3 Dec 2013 00:50:43 -0800 (PST)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 093ED10224008; Tue, 3 Dec 2013 00:50:40 -0800 (PST)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Tue, 3 Dec 2013 00:50:40 -0800 (PST)
Message-ID: <a4b1729af4966e99df1582943f02a0a8.squirrel@www.trepanning.net>
In-Reply-To: <CACsn0cmtP_dF7N2op4DZUwR8t-fW30GmtdqQoteZ+9Y0oH3dUg@mail.gmail.com>
References: <3065D910-832C-47B6-9E0B-2F8DCD2657D2@cisco.com> <529C990D.3020608@gmail.com> <CACsn0cmtP_dF7N2op4DZUwR8t-fW30GmtdqQoteZ+9Y0oH3dUg@mail.gmail.com>
Date: Tue, 03 Dec 2013 00:50:40 -0800
From: Dan Harkins <dharkins@lounge.org>
To: Watson Ladd <watsonbladd@gmail.com>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: tls@ietf.org
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Dec 2013 08:50:44 -0000
On Mon, December 2, 2013 8:40 am, Watson Ladd wrote: > On Mon, Dec 2, 2013 at 6:28 AM, Rene Struik <rstruik.ext@gmail.com> wrote: >> Dear colleagues: >> >> I had a look at draft-ietf-tls-pwd-02. While I do appreciate the work >> that >> went into this draft, I have to concur with some other commenters (e.g., >> Doug Stebila, Bodo Moeller) that it is unclear what makes this protocol >> special compared to other contenders, both in terms of performance and >> detailed cryptanalysis. One glaring omission is detailed security >> evidence, >> which is currently lacking (cross-referencing some other standards that >> have >> specified the protocol does not by itself imply the protocol is >> therefore >> secure). I am kind of curious what technical advantages the "Dragonfly" >> protocol has over protocols that seem to have efficiency, detailed and >> crypto community reviewed evidence, such as, e.g., AugPAKE (which is >> another >> TLS-aimed draft) and others. So, if the TLS WG has considered a feature >> comparison, that would be good to share. >> >> I would recommend to ask CFRG to carefully review the corresponding >> irtf-dragonfly-02 document (to my knowledge, there has been no LC and it >> is >> still a draft document there) and align the TLS document >> draft-ietf-tls-pwd-02 document with whatever comes out of that effort >> (currently, there are some security-relevant differences). This time >> window >> could also be used for firming up security rationale, thus aleviating >> concerns on that front. > I do not like the way this standard mixes algorithmic details with > instantiation > details. It makes it hard for me to understand what the protocol actually > is. > I also do not understand why H needs to be a random oracle as opposed to > something we have in the standard model. It is difficult to understand how to act on this comment. The specification is of a cipher suite added to an existing protocol and as such has to "mix" the details of the underlying key exchange with the structure and format of the protocol it is being added to. It is not a high-level description of the algorithm, it is a description of how to implement the key exchange as a TLS cipher suit. > I also do not like the language of "commitment" used. What is sent is > not a Pedersen commitment or any other recognizable commitment. > It is very malleable in ways that make me question the informal security > analysis. Of course it's a recognizable commitment because it allows the sender to commit to a particular value (the password) without exposing it to anyone else. >> Two final comments: >> a) It is unclear why one should hard code in the draft that elliptic >> curves >> with co-factor h>1 would be ruled out. After all, this would make it >> much >> harder to extend the reach of the draft to prime curves with co-factor >> larger than one and to binary curves. > I think the authors wanted to specify secure curves and haddn't the > slightest to do it right. (Note: I always like to have my intelligence questioned with a statement that has multiple grammatical errors). As I mentioned to Rene, the reason for limiting the curves to those over a prime field with a co-factor of 1 is to avoid the patent mine field. > Weierstrauà form has big problems: Edwards is much better from an > implementation security > perspective. Cofactor isn't enough: you also need high embedding > degree, big discriminant, > or you could just use curves we agree are good instead of reinventing the > wheel. > > Higher order protocols should be group agnostic.This prevents a major > problem when > Joux comes up with something new. It specifies a single group for interoperability purposes. It's "crypto agility" is inherited from TLS. Dan. >> b) The probabilistic nature of the "hunting and pecking" procedure may >> be a >> recipe for triggering implementation attacks. Wouldn't one be much >> better >> off removing dependency on non-deterministic password-to-point mappings >> (e.g., AugPAKE, Icart map, German BSI-password protocol)? > Well, one could use Elligator to solve this problem. >> >> Best regards, Rene >> >> >> On 11/7/2013 8:11 PM, Joseph Salowey (jsalowey) wrote: >>> >>> This is the beginning of the working group last call for >>> draft-ietf-tls-pwd-01. The underlying cryptographic protocol for >>> TLS-PWD >>> has been reviewed by the IRTF CFRG group with satisfactory results. >>> The >>> document needs particular attention paid to the integration of this >>> mechanism into the TLS protocol. Please send comments to the TLS list >>> by >>> December 2, 2013. >>> >>> - Joe >>> (For the TLS chairs) >>> _______________________________________________ >>> TLS mailing list >>> TLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/tls >> >> >> >> -- >> email: rstruik.ext@gmail.com | Skype: rstruik >> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363 >> >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls > > > > -- > "Those who would give up Essential Liberty to purchase a little > Temporary Safety deserve neither Liberty nor Safety." > -- Benjamin Franklin > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- Re: [TLS] Working Group Last Call for draft-ietf-… Douglas Stebila
- [TLS] Working Group Last Call for draft-ietf-tls-… Joseph Salowey (jsalowey)
- Re: [TLS] Working Group Last Call for draft-ietf-… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] Working Group Last Call for draft-ietf-… SeongHan Shin
- Re: [TLS] Working Group Last Call for draft-ietf-… Love Hörnquist Åstrand
- Re: [TLS] Working Group Last Call for draft-ietf-… Love Hörnquist Åstrand
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Love Hörnquist Åstrand
- Re: [TLS] Working Group Last Call for draft-ietf-… SeongHan Shin
- Re: [TLS] Working Group Last Call for draft-ietf-… Ralf Skyper Kaiser
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Ralf Skyper Kaiser
- Re: [TLS] Working Group Last Call for draft-ietf-… oscar.koeroo
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Peter Sylvester
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Rene Struik
- Re: [TLS] Working Group Last Call for draft-ietf-… Watson Ladd
- Re: [TLS] Working Group Last Call for draft-ietf-… Robert Ransom
- Re: [TLS] Working Group Last Call for draft-ietf-… Robert Ransom
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… CodesInChaos
- Re: [TLS] Working Group Last Call for draft-ietf-… Rene Struik
- Re: [TLS] Working Group Last Call for draft-ietf-… Watson Ladd
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Watson Ladd
- Re: [TLS] Working Group Last Call for draft-ietf-… Mohamad Badra
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Mohamad Badra
- Re: [TLS] Working Group Last Call for draft-ietf-… Eric Rescorla
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Watson Ladd
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Robert Ransom
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Mohamad Badra
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… SeongHan Shin
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… SeongHan Shin
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… SeongHan Shin
- Re: [TLS] Working Group Last Call for draft-ietf-… Watson Ladd
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… CodesInChaos
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Joseph Birr-Pixton
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Ralf Skyper Kaiser
- Re: [TLS] Working Group Last Call for draft-ietf-… Manuel Pégourié-Gonnard
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Ralf Skyper Kaiser
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins