Re: [TLS] The PAKE question and PSK

Watson Ladd <watsonbladd@gmail.com> Wed, 02 April 2014 18:15 UTC

From: Watson Ladd <watsonbladd@gmail.com>
To: Dan Harkins <dharkins@lounge.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/H5Ku42FKK_AGNbuRjxg_wMsTFgA
Cc: tls@ietf.org
Subject: Re: [TLS] The PAKE question and PSK

On Apr 2, 2014 10:55 AM, "Dan Harkins" <dharkins@lounge.org> wrote:
>
>
> On Wed, April 2, 2014 10:26 am, Nico Williams wrote:
> > On Wed, Apr 2, 2014 at 12:18 PM, Dan Harkins <dharkins@lounge.org> wrote:
> >>   EKE doesn't do RSA. And, as Nico pointed out, observing a single
> >> exchange can eliminate a large majority of the potential passwords.
> >> Even an infrequent use can give an adversary a high probability of
> >> successfully determining the secret.
> >
> > But if you use Elligator then that problem goes away.  That's the key
> > point.
>
>   Yes, as I mentioned back in December on this list, EKE with Elligator
> would make a very good alternative to TLS-pwd. And if there was a mature
> draft ready for publication that specified such a scheme it would be worth
> considering. But there isn't. And we're 2+ years away from having such a
> thing. Probably more since we have not identified a stuckee willing to
> edit it.
>
>   As Cullen mentioned, the IETF is a volunteer organization and telling
> people that they should go write a draft specifying your alternative to
> their draft is not really productive.
>
>   I have received and resolved comments on the draft dealing with
> protection of the username from passive observers and on mitigating
> side channel attacks. There is no technical problem with TLS-pwd and it
> solves real problems right now. I see no reason why it should not ease
> away from the curb (and out of its parked position).

What about the complete absence of any positive security analysis? You've
known this was going to be an issue since you invented Dragonfly. I feel
completely uncompelled to be 'productive' at the expense of security.

Quit fussing and whining about how hard it is to write drafts. You could
have started with something provably secure and avoided wasting your
efforts.

Failing that, make AugPAKE work on ECC by grabbing the draft and fixing it,
then submit that instead.

Sincerely,
Watson Ladd
>
>   regards,
>
>   Dan.