Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd

Watson Ladd <watsonbladd@gmail.com> Mon, 02 December 2013 16:40 UTC

In-Reply-To: <529C990D.3020608@gmail.com>
References: <3065D910-832C-47B6-9E0B-2F8DCD2657D2@cisco.com> <529C990D.3020608@gmail.com>
Date: Mon, 02 Dec 2013 08:40:26 -0800
Message-ID: <CACsn0cmtP_dF7N2op4DZUwR8t-fW30GmtdqQoteZ+9Y0oH3dUg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Rene Struik <rstruik.ext@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd

On Mon, Dec 2, 2013 at 6:28 AM, Rene Struik <rstruik.ext@gmail.com> wrote:
> Dear colleagues:
>
> I had a look at draft-ietf-tls-pwd-02. While I do appreciate the work that
> went into this draft, I have to concur with some other commenters (e.g.,
> Doug Stebila, Bodo Moeller) that it is unclear what makes this protocol
> special compared to other contenders, both in terms of performance and
> detailed cryptanalysis. One glaring omission is detailed security evidence,
> which is currently lacking (cross-referencing some other standards that have
> specified the protocol does not by itself imply the protocol is therefore
> secure). I am kind of curious what technical advantages the "Dragonfly"
> protocol has over protocols that seem to have efficiency, detailed and
> crypto community reviewed evidence, such as, e.g., AugPAKE (which is another
> TLS-aimed draft) and others. So, if the TLS WG has considered a feature
> comparison, that would be good to share.
>
> I would recommend to ask CFRG to carefully review the corresponding
> irtf-dragonfly-02 document (to my knowledge, there has been no LC and it is
> still a draft document there) and align the TLS document
> draft-ietf-tls-pwd-02 document with whatever comes out of that effort
> (currently, there are some security-relevant differences). This time window
> could also be used for firming up security rationale, thus alleviating
> concerns on that front.
I do not like the way this standard mixes algorithmic details with instantiation
details. It makes it hard for me to understand what the protocol actually is.
I also do not understand why H needs to be a random oracle as opposed to
something we have in the standard model.

I also do not like the language of "commitment" used. What is sent is
not a Pedersen commitment or any other recognizable commitment.
It is very malleable in ways that make me question the informal security
analysis.
>
> Two final comments:
> a) It is unclear why one should hard code in the draft that elliptic curves
> with co-factor h>1 would be ruled out. After all, this would make it much
> harder to extend the reach of the draft to prime curves with co-factor
> larger than one and to binary curves.
I think the authors wanted to specify secure curves and hadn't the
slightest idea how to do it right.
Weierstrass form has big problems: Edwards is much better from an
implementation security perspective. Cofactor isn't enough: you also
need high embedding degree, big discriminant, or you could just use
curves we agree are good instead of reinventing the wheel.

Higher order protocols should be group agnostic. This prevents a major
problem when Joux comes up with something new.
> b) The probabilistic nature of the "hunting and pecking" procedure may be a
> recipe for triggering implementation attacks. Wouldn't one be much better
> off removing dependency on non-deterministic password-to-point mappings
> (e.g., AugPAKE, Icart map, German BSI-password protocol)?
Well, one could use Elligator to solve this problem.
>
> Best regards, Rene
>
>
> On 11/7/2013 8:11 PM, Joseph Salowey (jsalowey) wrote:
>>
>> This is the beginning of the working group last call for
>> draft-ietf-tls-pwd-01.   The underlying cryptographic protocol for TLS-PWD
>> has been reviewed by the IRTF CFRG group with satisfactory results.  The
>> document needs particular attention paid to the integration of this
>> mechanism into the TLS protocol.   Please send comments to the TLS list by
>> December 2, 2013.
>>
>> - Joe
>> (For the TLS chairs)
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>
>
>
> --
> email: rstruik.ext@gmail.com | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363

-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
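The exchange above contrasts the probabilistic "hunting and pecking" password-to-point search (Rene's point b) with a deterministic map such as Elligator (Watson's reply). The Python below is an added illustration and is not code from the draft, from the thread, or from either author; it is a simplified try-and-increment search on P-256 and an Elligator 2 map on Curve25519, with hypothetical password-to-field-element derivations (SHA-256 of password and counter, SHA-256 of the password) chosen only for this example, and constructed sample passwords. It shows what the "implementation attack" concern refers to: with early exit, the number of trials, and so the running time, varies with the password; a fixed-trial-count variant removes that dependency, and Elligator 2 needs no trial loop at all. Python big-integer arithmetic is not constant-time, so the example demonstrates the loop-count dependency only, not a constant-time implementation.

```python
import hashlib

# NIST P-256, short Weierstrass y^2 = x^3 - 3x + b: well-known domain parameters.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B

# Curve25519, Montgomery y^2 = x^3 + A x^2 + x: well-known domain parameters.
C25519_P = 2**255 - 19
C25519_A = 486662
ELLIGATOR_U = 2          # a non-square mod C25519_P, as Elligator 2 requires


def legendre(v, p):
    """Euler's criterion: 1 if v is zero or a square mod p, -1 otherwise."""
    return -1 if pow(v, (p - 1) // 2, p) == p - 1 else 1

def p256_rhs(x):
    return (pow(x, 3, P256_P) + P256_A * x + P256_B) % P256_P

def p256_sqrt(v):
    # P256_P = 3 (mod 4): v^((p+1)/4) is a square root whenever v is a square.
    return pow(v, (P256_P + 1) // 4, P256_P)

def p256_on_curve(pt):
    x, y = pt
    return (y * y - p256_rhs(x)) % P256_P == 0

def candidate_x(password, counter):
    # Hypothetical derivation for this example only: SHA-256(password || counter) mod p.
    h = hashlib.sha256(password + bytes([counter])).digest()
    return int.from_bytes(h, "big") % P256_P

def hunt_and_peck_early_exit(password, max_tries=40):
    """Try-and-increment with early exit: the number of trials, and hence the
    running time, depends on the password.  Returns ((x, y), trials_used)."""
    for counter in range(1, max_tries + 1):
        x = candidate_x(password, counter)
        rhs = p256_rhs(x)
        if legendre(rhs, P256_P) == 1:
            return (x, p256_sqrt(rhs)), counter
    raise ValueError("no curve point found within max_tries")

def hunt_and_peck_fixed(password, max_tries=40):
    """Same search, but always runs max_tries trials with the same arithmetic in
    each; the first hit is kept via integer masks instead of an early return.
    Only the trial count is fixed; Python big-int arithmetic is not constant-time."""
    x_sel = y_sel = have = 0
    for counter in range(1, max_tries + 1):
        x = candidate_x(password, counter)
        rhs = p256_rhs(x)
        y = p256_sqrt(rhs)                         # computed on every trial
        ok = 1 if legendre(rhs, P256_P) == 1 else 0
        take = ok & (1 - have)                     # 1 exactly once: the first square
        x_sel = take * x + (1 - take) * x_sel
        y_sel = take * y + (1 - take) * y_sel
        have |= ok
    if not have:
        raise ValueError("no curve point found within max_tries")
    return (x_sel, y_sel), max_tries

def c25519_rhs(x):
    return (pow(x, 3, C25519_P) + C25519_A * x * x + x) % C25519_P

def c25519_has_point(x):
    return legendre(c25519_rhs(x), C25519_P) == 1

def elligator2_x(password):
    """Deterministic alternative: Elligator 2 maps any field element r to the
    x-coordinate of a Curve25519 point with no trial loop at all.
    r = SHA-256(password) mod p is a hypothetical derivation for this example."""
    p, A, u = C25519_P, C25519_A, ELLIGATOR_U
    r = int.from_bytes(hashlib.sha256(password).digest(), "big") % p
    denom = (1 + u * r * r) % p
    if denom == 0:                                 # the one exceptional input
        return 0
    v = (-A * pow(denom, p - 2, p)) % p
    # f(-v-A) = u*r^2 * f(v) with u*r^2 a non-square, so exactly one of the two
    # candidates has a square right-hand side: the result is always on the curve.
    return v if legendre(c25519_rhs(v), p) == 1 else (-v - A) % p

# Constructed sample passwords for the demonstration (not from any real system).
SAMPLE_PASSWORDS = [f"password{i}".encode() for i in range(40)]

def iteration_profile(passwords, max_tries=40):
    """Password -> number of trials the early-exit search needed."""
    return {pw: hunt_and_peck_early_exit(pw, max_tries)[1] for pw in passwords}

if __name__ == "__main__":
    profile = iteration_profile(SAMPLE_PASSWORDS)
    print("trial counts seen across sample passwords:", sorted(set(profile.values())))
    pt, n = hunt_and_peck_fixed(b"password0")
    print("fixed-trial search ran", n, "trials; point on P-256:", p256_on_curve(pt))
    print("Elligator 2 output on Curve25519:", c25519_has_point(elligator2_x(b"password0")))
```

Running it prints several distinct trial counts for the early-exit search (each trial succeeds with probability about 1/2, so the count is geometrically distributed and password-dependent), while the fixed variant always reports 40 trials and returns the same point, and the Elligator 2 output lands on Curve25519 for every input without any search.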