Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd

Trevor Perrin <trevp@trevp.net> Thu, 05 December 2013 22:14 UTC

Return-Path: <trevp@trevp.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD6861AE21D for <tls@ietfa.amsl.com>; Thu, 5 Dec 2013 14:14:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.208
X-Spam-Level:
X-Spam-Status: No, score=-1.208 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=0.77] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BN5Z6pSxWL1J for <tls@ietfa.amsl.com>; Thu, 5 Dec 2013 14:14:07 -0800 (PST)
Received: from mail-wg0-f48.google.com (mail-wg0-f48.google.com [74.125.82.48]) by ietfa.amsl.com (Postfix) with ESMTP id 2207E1AE218 for <tls@ietf.org>; Thu, 5 Dec 2013 14:14:06 -0800 (PST)
Received: by mail-wg0-f48.google.com with SMTP id z12so16985736wgg.3 for <tls@ietf.org>; Thu, 05 Dec 2013 14:14:03 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=NfozyQZFZSsRIF2o7f+LDcuoj9FsT9Ty2jwypLCK6SA=; b=W1hkVHhYjOL2vkshPdoiFVMf+0V7cyDCXXww9HOZ0SGPkbYhT+yORed2vqTQ8YJQHE p4HCg4NPVYplrV3oMf3h6IFzgOTSskBUcbv7zur1sGhgPMxVOqbqIX5fu/GNmHulh6O5 Op0BmXmaggvO8KSnihGEZLhF6B/0TCp5VY3b/BGU5qf7I0UzStm6XFPURb1O61a0jApr 8QMkC6bnRzGzGreVVQQD+mZPPtJ8y5J/u5GSGaRKXv9gPhsfXecX00kMEUNSWnY/fVZW n9geCxhAdRxloZ/J55kKAVjvJ4jFxid9OC3xW3Afrmf4MIs5nRAim9xtMjFUowgIGo8r cpWA==
X-Gm-Message-State: ALoCoQmunaoxif/A+aSZvjjSR/OQOjSaeILQzKlYRX8WDvVrJlqfMUOUDkFR+51fmB1hAJCQADrq
MIME-Version: 1.0
X-Received: by 10.194.104.66 with SMTP id gc2mr1613722wjb.75.1386281643163; Thu, 05 Dec 2013 14:14:03 -0800 (PST)
Received: by 10.216.214.134 with HTTP; Thu, 5 Dec 2013 14:14:03 -0800 (PST)
X-Originating-IP: [208.70.28.214]
In-Reply-To: <37a363d2bab1945c4d0bd71b6d9d14ae.squirrel@www.trepanning.net>
References: <3065D910-832C-47B6-9E0B-2F8DCD2657D2@cisco.com> <529C990D.3020608@gmail.com> <CACsn0cmtP_dF7N2op4DZUwR8t-fW30GmtdqQoteZ+9Y0oH3dUg@mail.gmail.com> <a4b1729af4966e99df1582943f02a0a8.squirrel@www.trepanning.net> <CACsn0cksrU2GErd6FkZPkXKXK4pSJhTbBoJ-0C-14jsM=UY2iQ@mail.gmail.com> <14e67efee74d2ec6d535f6750ed829db.squirrel@www.trepanning.net> <CACsn0c=PnB2CA8rpNtcOp6RRLNWHEPN-aN+AdWSF7FJM2wZOog@mail.gmail.com> <6d86c3be1741ed14992ec8662e0d32c7.squirrel@www.trepanning.net> <CADMpkcKTAARYK2id27T44eVyx6gF24mkt9nAkUZbSmwtEtd2gg@mail.gmail.com> <6c129fd89a9e5953ba844e4e1d1e6e98.squirrel@www.trepanning.net> <CAGZ8ZG0n7AFWc_WpxLzKbhnRxz8hkQAD-j8VDtX_GOHD5Nc6nw@mail.gmail.com> <7c8448fa356f5d764186ca62552efb1d.squirrel@www.trepanning.net> <CAGZ8ZG3HwTe0gvrrieYAVZZSd=xfU9GWYo1YHMHWmD9c+EsxbQ@mail.gmail.com> <37a363d2bab1945c4d0bd71b6d9d14ae.squirrel@www.trepanning.net>
Date: Thu, 5 Dec 2013 14:14:03 -0800
Message-ID: <CAGZ8ZG0ckgMrgfh0gW5PsTjPG3XAGEaqTZwFV_xDUK6_LWSNEg@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Dan Harkins <dharkins@lounge.org>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Dec 2013 22:14:09 -0000

On Thu, Dec 5, 2013 at 1:13 PM, Dan Harkins <dharkins@lounge.org> wrote:
>
>
> On Thu, December 5, 2013 12:42 pm, Trevor Perrin wrote:
>> On Thu, Dec 5, 2013 at 10:40 AM, Dan Harkins <dharkins@lounge.org> wrote:
>>>
>>>   Yes I am aware that the original EKE patent expired. But EKE cannot be
>>> used with elliptic curves.
>>
>> Not true, for example see Hamburg and Bernstein's Elligator 2 [1],
>> which could be used as the basis for a DH-EKE style PAKE.
>
>   Now THAT is an interesting alternative.
>
>   But, alas, the benefit of doing that is uncompelling to you so I don't
> know why you mention it. According to you the cryptographic difference
> provided by EKE using Elligator public keys has nothing to do with the
> architectural differences that you insist are behind the disinterest
> (according to you) of PAKE protocols in TLS.

That's true.  I wouldn't support any PAKE for TLS without some new
interest from TLS implementors.

But if that interest existed, and a PAKE could be integrated into a
TLS handshake in a way that hides the client's username; is simple,
efficient, and secure; and is "state-of-art" relative to alternatives,
that could be worth considering.


>> We should not standardize protocols which are inferior to existing
>> ones and to newer alternatives, have insufficient cryptographic
>> analysis, have no application, and have no support in the WG beside
>> the draft authors and the NSA [2].
>
>   That is just pathetic FUD and a really lame smear. You should be
> ashamed of yourself.

I reviewed the TLS and CFRG mailing lists, and while I found a great
deal of criticism of this draft, the only positive feedback I could
find, prior to Mohamad, was from Kevin Igoe, NSA employee and CFRG
chair [1,2].  I presume Kevin also provided the "verbal report" to our
chairs that CFRG considers this satisfactory.

I find Kevin's enthusiasm strikingly at odds with other expert review
(compare [1,2] vs. this entire thread).  Furthermore, it's well-known
that Kevin's employer expends considerable resources to "Influence
policies, standards, and specification" for commercial cryptography to
make it more "tractable" to cryptanalysis [3].

In these lights, I find Kevin's feedback a source of concern.

Trevor

[1] http://www.ietf.org/mail-archive/web/tls/current/msg08371.html
[2] http://www.ietf.org/mail-archive/web/cfrg/current/msg03383.html
[3] http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html?_r=1&