[TLS] Re: Feedback on draft-bmw-tls-pake13-01.txt

Martin Thomson <mt@lowentropy.net> Tue, 25 March 2025 00:17 UTC

Date: Tue, 25 Mar 2025 11:17:10 +1100
From: Martin Thomson <mt@lowentropy.net>
To: Eric Rescorla <ekr@rtfm.com>, Christopher Patton <cpatton@cloudflare.com>
CC: Laura Bauman <l_bauman@apple.com>, tls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Hy3PCfrT-I7biQxjnVFWs87CLXk>

On Tue, Mar 25, 2025, at 02:37, Eric Rescorla wrote:
> 1. Getting PQ resistance for free even with non-PQ PAKEs.
> 2. Reducing the combinatoric explosion of "groups"

I don't know that you are really getting PQ resistance if your PAKE remains vulnerable.  You might maintain confidentiality for that single connection, but if there is a possibility of impersonation (are you relying on the PAKE for authentication of the server?) then you lose.

Avoiding the combinatoric problem seems like a pretty high complexity tax.  Sure, we are already in the position where we have N (number of ECC groups) x M (number of PQ groups) groups.  Adding a PAKE makes that N x M x P (number of PAKEs).  However, these are all small numbers.  Building a parallel extension is relatively straightforward if you model it like key exchange and use the obvious combiner.  But then, why did we not do that with PQ as well?