Re: [TLS] Elliptic Curve J-PAKE
Hugo Krawczyk <hugo@ee.technion.ac.il> Wed, 27 March 2019 02:49 UTC
Hi Hannes,

J-PAKE is a symmetric PAKE. Both parties store the same password. It is not suitable for most client-server scenarios where using J-PAKE would mean that an attacker that breaks into the server simply steals all plaintext passwords.

OPAQUE is an asymmetric (or augmented) PAKE where the user remembers a password (and nothing else, including no public key of the server) while the server stores a one-way image of the password. Security requires that if the server is compromised, the attacker needs to run an offline dictionary attack for each user in the database to find the password.

If what you need is a symmetric PAKE then there are better candidates than J-PAKE such as SPAKE2 described in draft-irtf-cfrg-spake2-08. SPAKE2 is *much* more efficient than J-PAKE and while both J-PAKE and SPAKE2 have proofs of security, SPAKE2 is proven in a stronger security model relative to J-PAKE. I am not aware of any advantage of J-PAKE over SPAKE2 - but I may be missing something.

Maybe the PAKE presentation in cfrg will clarify these issues further.

Hugo

On Tue, Mar 26, 2019 at 1:03 PM Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:

> Hi all,
>
> in context of the OPAQUE talk by Nick today at the TLS WG meeting I
> mentioned that the Thread Group has used the Elliptic Curve J-PAKE for IoT
> device onboarding.
> Here is the draft written for TLS 1.2:
> https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01
>
> The mechanism is described in https://tools.ietf.org/html/rfc8236
>
> @Nick & Richard: Have a look at it and see whether it fits your needs.
>
> Ciao
> Hannes
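To make the "symmetric" property discussed in the message above concrete, here is a simplified SPAKE2-style exchange showing both sides' messages. It is an added example, not part of the original e-mail and not code from any of the cited drafts. The toy group, the constants `M` and `N`, the password-to-scalar hash and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy parameters (constructed, far too small for real use): safe prime
# P = 2*Q + 1; G, M, N are squares mod P, so each has prime order Q.
# Real SPAKE2 uses an elliptic-curve group and fixed M, N with unknown
# discrete logs.
P, Q = 2039, 1019
G, M, N = 4, 9, 25

def pw_scalar(password: str) -> int:
    # The shared secret w. A real deployment would use a memory-hard
    # password hash here; SHA-256 keeps the example standard-library only.
    digest = hashlib.sha256(b"w|" + password.encode()).digest()
    return int.from_bytes(digest, "big") % Q

def start(w: int, blind: int):
    # Pick an ephemeral exponent and send g^x * blind^w.
    x = secrets.randbelow(Q - 1) + 1
    return x, (pow(G, x, P) * pow(blind, w, P)) % P

def finish(w: int, x: int, peer_msg: int, peer_blind: int, transcript) -> str:
    # Strip the peer's blinding (peer_msg / peer_blind^w), then do plain DH.
    unblinded = (peer_msg * pow(peer_blind, Q - w, P)) % P
    k = pow(unblinded, x, P)
    parts = [str(v).encode() for v in (*transcript, k, w)]
    return hashlib.sha256(b"|".join(parts)).hexdigest()

def run(w_client: int, w_server: int):
    # The client derives w from the typed password; the server must hold
    # the very same w in its database. That record is password-equivalent:
    # whoever obtains it can play the client role without any cracking.
    x, msg_a = start(w_client, M)          # client -> server
    y, msg_b = start(w_server, N)          # server -> client
    transcript = (msg_a, msg_b)
    key_client = finish(w_client, x, msg_b, N, transcript)
    key_server = finish(w_server, y, msg_a, M, transcript)
    return key_client, key_server

if __name__ == "__main__":
    w = pw_scalar("correct horse battery")   # constructed sample password
    print("same w   :", run(w, w))
    print("wrong w  :", run((w + 1) % Q, w))
```

An augmented PAKE such as OPAQUE changes only what the server stores: a one-way image of the password rather than `w` itself, which is the distinction the message draws.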