Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd

Rene Struik <rstruik.ext@gmail.com> Mon, 02 December 2013 14:28 UTC

Message-ID: <529C990D.3020608@gmail.com>
Date: Mon, 02 Dec 2013 09:28:29 -0500
From: Rene Struik <rstruik.ext@gmail.com>
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>, "<tls@ietf.org>" <tls@ietf.org>
References: <3065D910-832C-47B6-9E0B-2F8DCD2657D2@cisco.com>
In-Reply-To: <3065D910-832C-47B6-9E0B-2F8DCD2657D2@cisco.com>
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd

Dear colleagues:

I had a look at draft-ietf-tls-pwd-02. While I do appreciate the work 
that went into this draft, I have to concur with some other commenters 
(e.g., Doug Stebila, Bodo Moeller) that it is unclear what makes this 
protocol special compared to other contenders, both in terms of 
performance and detailed cryptanalysis. One glaring omission is detailed 
security evidence, which is currently lacking (cross-referencing some 
other standards that have specified the protocol does not by itself 
imply the protocol is therefore secure). I am kind of curious what 
technical advantages the "Dragonfly" protocol has over protocols that 
seem to have efficiency, detailed and crypto community reviewed 
evidence, such as, e.g., AugPAKE (which is another TLS-aimed draft) and 
others. So, if the TLS WG has considered a feature comparison, that 
would be good to share.

I would recommend asking CFRG to carefully review the corresponding 
irtf-dragonfly-02 document (to my knowledge, there has been no LC and it 
is still a draft document there) and aligning the TLS document 
draft-ietf-tls-pwd-02 with whatever comes out of that effort 
(currently, there are some security-relevant differences). This time 
window could also be used for firming up security rationale, thus 
alleviating concerns on that front.

Two final comments:
a) It is unclear why one should hard code in the draft that elliptic 
curves with co-factor h>1 would be ruled out. After all, this would make 
it much harder to extend the reach of the draft to prime curves with 
co-factor larger than one and to binary curves.
b) The probabilistic nature of the "hunting and pecking" procedure may 
be a recipe for triggering implementation attacks. Wouldn't one be much 
better off removing dependency on non-deterministic password-to-point 
mappings (e.g., AugPAKE, Icart map, German BSI-password protocol)?

Best regards, Rene

On 11/7/2013 8:11 PM, Joseph Salowey (jsalowey) wrote:
> This is the beginning of the working group last call for draft-ietf-tls-pwd-01. The underlying cryptographic protocol for TLS-PWD has been reviewed by the IRTF CFRG group with satisfactory results. The document needs particular attention paid to the integration of this mechanism into the TLS protocol. Please send comments to the TLS list by December 2, 2013.
>
> - Joe
> (For the TLS chairs)
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
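Added example, not part of Rene Struik's message and not code from draft-ietf-tls-pwd: a toy illustration of comment (b) above. It contrasts a naive "hunt and peck" password-to-point mapping that returns on the first candidate x with a quadratic-residue right-hand side (so its iteration count depends on the password) with a variant that always runs a fixed number of iterations and selects the first hit arithmetically. The curve parameters, the HMAC-based candidate derivation, the iteration bound K and the sample passwords are all constructed for this example; the real draft derives candidates differently and this is only a stand-in for the structure of the loop. Python big-integer arithmetic is not itself constant-time, so the fixed-iteration version removes the password-dependent loop count but is not a constant-time implementation.

```python
import hashlib
import hmac

# Toy curve y^2 = x^3 + A*x + B over F_P (constructed for this example, not a standard curve).
# P is the Mersenne prime 2^127 - 1, which is 3 mod 4 so square roots are a single exponentiation.
P = 2**127 - 1
A = (-3) % P
B = 1

# Upper bound on iterations for the fixed-iteration variant (assumption for this example).
K = 40


def rhs(x: int) -> int:
    """Right-hand side x^3 + A*x + B of the toy curve equation."""
    return (x * x * x + A * x + B) % P


def is_qr(v: int) -> bool:
    """Euler's criterion: v is a square mod P (0 counts as a square)."""
    return v == 0 or pow(v, (P - 1) // 2, P) == 1


def sqrt_mod(v: int) -> int:
    """Square root mod P, valid because P = 3 (mod 4) and v is a quadratic residue."""
    return pow(v, (P + 1) // 4, P)


def candidate_x(password: bytes, counter: int) -> int:
    """Derive the counter-th candidate x-coordinate from the password (toy derivation, assumed)."""
    seed = hmac.new(b"toy-hunt-and-peck", password + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(seed, "big") % P


def on_curve(x: int, y: int) -> bool:
    return (y * y) % P == rhs(x)


def naive_hunt_and_peck(password: bytes):
    """Return (x, y, iterations). Stops at the first hit, so 'iterations' depends on the password:
    an observer who can measure the loop count learns about the candidate sequence, i.e. the password."""
    counter = 1
    while True:
        x = candidate_x(password, counter)
        v = rhs(x)
        if is_qr(v):
            return x, sqrt_mod(v), counter
        counter += 1


def fixed_hunt_and_peck(password: bytes, k: int = K):
    """Return (x, y, iterations) after exactly k iterations regardless of where the first hit occurs.
    The first hit is kept by arithmetic selection instead of an early return, so the loop shape
    does not depend on the password (the arithmetic itself is not constant-time in Python)."""
    found = 0
    x_out = 0
    for counter in range(1, k + 1):
        x = candidate_x(password, counter)
        hit = 1 if is_qr(rhs(x)) else 0
        take = hit & (1 - found)          # 1 only on the first hit
        x_out = take * x + (1 - take) * x_out
        found |= hit
    if not found:
        # Probability about 2^-k for a random password; a real implementation must define this case.
        raise ValueError("no candidate point found within k iterations")
    return x_out, sqrt_mod(rhs(x_out)), k


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in [b"correct horse", b"battery staple", b"hunter2", b"password"]:
        x1, y1, n1 = naive_hunt_and_peck(pw)
        x2, y2, n2 = fixed_hunt_and_peck(pw)
        print(pw, "naive iterations:", n1, "fixed iterations:", n2, "same point:", (x1, y1) == (x2, y2))
```

Running the block prints a password-dependent iteration count for the naive loop and a constant count for the fixed loop while both yield the same point; that difference in loop shape is the kind of side channel the comment warns about, and a deterministic mapping (such as the Icart map mentioned above) avoids the loop altogether.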