IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd

"Dan Harkins" <dharkins@lounge.org> Tue, 03 December 2013 08:50 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C22B91AE0D2 for <tls@ietfa.amsl.com>; Tue, 3 Dec 2013 00:50:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.867
X-Spam-Level:
X-Spam-Status: No, score=-3.867 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 263aP5rkU1DC for <tls@ietfa.amsl.com>; Tue, 3 Dec 2013 00:50:43 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 43D8D1AE0D1 for <tls@ietf.org>; Tue, 3 Dec 2013 00:50:43 -0800 (PST)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 093ED10224008; Tue, 3 Dec 2013 00:50:40 -0800 (PST)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Tue, 3 Dec 2013 00:50:40 -0800 (PST)
Message-ID: <a4b1729af4966e99df1582943f02a0a8.squirrel@www.trepanning.net>
In-Reply-To: <CACsn0cmtP_dF7N2op4DZUwR8t-fW30GmtdqQoteZ+9Y0oH3dUg@mail.gmail.com>
References: <3065D910-832C-47B6-9E0B-2F8DCD2657D2@cisco.com> <529C990D.3020608@gmail.com> <CACsn0cmtP_dF7N2op4DZUwR8t-fW30GmtdqQoteZ+9Y0oH3dUg@mail.gmail.com>
Date: Tue, 03 Dec 2013 00:50:40 -0800
From: Dan Harkins <dharkins@lounge.org>
To: Watson Ladd <watsonbladd@gmail.com>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: tls@ietf.org
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Dec 2013 08:50:44 -0000

On Mon, December 2, 2013 8:40 am, Watson Ladd wrote:
> On Mon, Dec 2, 2013 at 6:28 AM, Rene Struik <rstruik.ext@gmail.com> wrote:
>> Dear colleagues:
>>
>> I had a look at draft-ietf-tls-pwd-02. While I do appreciate the work
>> that
>> went into this draft, I have to concur with some other commenters (e.g.,
>> Doug Stebila, Bodo Moeller) that it is unclear what makes this protocol
>> special compared to other contenders, both in terms of performance and
>> detailed cryptanalysis. One glaring omission is detailed security
>> evidence,
>> which is currently lacking (cross-referencing some other standards that
>> have
>> specified the protocol does not by itself imply the protocol is
>> therefore
>> secure). I am kind of curious what technical advantages the "Dragonfly"
>> protocol has over protocols that seem to have efficiency, detailed and
>> crypto community reviewed evidence, such as, e.g., AugPAKE (which is
>> another
>> TLS-aimed draft) and others. So, if the TLS WG has considered a feature
>> comparison, that would be good to share.
>>
>> I would recommend to ask CFRG to carefully review the corresponding
>> irtf-dragonfly-02 document (to my knowledge, there has been no LC and it
>> is
>> still a draft document there) and align the TLS document
>> draft-ietf-tls-pwd-02 document with whatever comes out of that effort
>> (currently, there are some security-relevant differences). This time
>> window
>> could also be used for firming up security rationale, thus aleviating
>> concerns on that front.
> I do not like the way this standard mixes algorithmic details with
> instantiation
> details. It makes it hard for me to understand what the protocol actually
> is.
> I also do not understand why H needs to be a random oracle as opposed to
> something we have in the standard model.

  It is difficult to understand how to act on this comment. The specification
is of a cipher suite added to an existing protocol and as such has to
"mix" the
details of the underlying key exchange with the structure and format of the
protocol it is being added to. It is not a high-level description of the
algorithm,
it is a description of how to implement the key exchange as a TLS cipher
suit.

> I also do not like the language of "commitment" used. What is sent is
> not a Pedersen commitment or any other recognizable commitment.
> It is very malleable in ways that make me question the informal security
> analysis.

  Of course it's a recognizable commitment because it allows the sender
to commit to a particular value (the password) without exposing it to
anyone else.

>> Two final comments:
>> a) It is unclear why one should hard code in the draft that elliptic
>> curves
>> with co-factor h>1 would be ruled out. After all, this would make it
>> much
>> harder to extend the reach of the draft to prime curves with co-factor
>> larger than one and to binary curves.
> I think the authors wanted to specify secure curves and haddn't the
> slightest to do it right.

  (Note: I always like to have my intelligence questioned with a statement
that has multiple grammatical errors).

  As I mentioned to Rene, the reason for limiting the curves to those
over a prime field with a co-factor of 1 is to avoid the patent mine field.

> Weierstrauß form has big problems: Edwards is much better from an
> implementation security
> perspective. Cofactor isn't enough: you also need high embedding
> degree, big discriminant,
> or you could just use curves we agree are good instead of reinventing the
> wheel.
>
> Higher order protocols should be group agnostic.This prevents a major
> problem when
> Joux comes up with something new.

  It specifies a single group for interoperability purposes. It's "crypto
agility" is inherited from TLS.

  Dan.

>> b) The probabilistic nature of the "hunting and pecking" procedure may
>> be a
>> recipe for triggering implementation attacks. Wouldn't one be much
>> better
>> off removing dependency on non-deterministic password-to-point mappings
>> (e.g., AugPAKE, Icart map, German BSI-password protocol)?
> Well, one could use Elligator to solve this problem.
>>
>> Best regards, Rene
>>
>>
>> On 11/7/2013 8:11 PM, Joseph Salowey (jsalowey) wrote:
>>>
>>> This is the beginning of the working group last call for
>>> draft-ietf-tls-pwd-01.   The underlying cryptographic protocol for
>>> TLS-PWD
>>> has been reviewed by the IRTF CFRG group with satisfactory results.
>>> The
>>> document needs particular attention paid to the integration of this
>>> mechanism into the TLS protocol.   Please send comments to the TLS list
>>> by
>>> December 2, 2013.
>>>
>>> - Joe
>>> (For the TLS chairs)
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>>
>>
>>
>> --
>> email: rstruik.ext@gmail.com | Skype: rstruik
>> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
>>
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>
>
>
> --
> "Those who would give up Essential Liberty to purchase a little
> Temporary Safety deserve neither  Liberty nor Safety."
> -- Benjamin Franklin
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email