IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd

Watson Ladd <watsonbladd@gmail.com> Tue, 03 December 2013 16:12 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1745D1A1F66 for <tls@ietfa.amsl.com>; Tue, 3 Dec 2013 08:12:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1
X-Spam-Level:
X-Spam-Status: No, score=-1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Ws2wiH8AfPS for <tls@ietfa.amsl.com>; Tue, 3 Dec 2013 08:12:31 -0800 (PST)
Received: from mail-we0-x22d.google.com (mail-we0-x22d.google.com [IPv6:2a00:1450:400c:c03::22d]) by ietfa.amsl.com (Postfix) with ESMTP id C10661A1F19 for <tls@ietf.org>; Tue, 3 Dec 2013 08:12:30 -0800 (PST)
Received: by mail-we0-f173.google.com with SMTP id u57so8037181wes.4 for <tls@ietf.org>; Tue, 03 Dec 2013 08:12:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=ADn+W9v/RNQ8lQegi01Vzm3aE75Jirpz8NMX+8TBuOY=; b=frBSGZf486xY5mGZMgLc4v7Y6jKV2rpjxFd1id7QWmXb6vjIqjeq4F4eWJEV0g20R9 8xENV32CrMgeiVZaFKlJOpckVMoFuG9b18XZ0ZG5HLcHx8P5WNMToGKME+AQN2c2CZyV gHx2LWjWAku83szaBFKxCw0Mk+6346AdPy7QzHaVGp5p9drgo98z6ouELXPreV7He7RI p8AIszPz3iRRDOOsYk+FD5Cu/0J1ftQ0x+aux4IFWgmapLaEFt78EV/s8ZRlZ+Bo5lG1 oR2dNNy0zKXk0BBdyoSDtLGi3kHohLtPf08ztUK2yaRjl6DCS2YWmwCv6yuP/Hr5wn3R iHag==
MIME-Version: 1.0
X-Received: by 10.194.48.115 with SMTP id k19mr7905177wjn.47.1386087147652; Tue, 03 Dec 2013 08:12:27 -0800 (PST)
Received: by 10.194.242.131 with HTTP; Tue, 3 Dec 2013 08:12:27 -0800 (PST)
In-Reply-To: <a4b1729af4966e99df1582943f02a0a8.squirrel@www.trepanning.net>
References: <3065D910-832C-47B6-9E0B-2F8DCD2657D2@cisco.com> <529C990D.3020608@gmail.com> <CACsn0cmtP_dF7N2op4DZUwR8t-fW30GmtdqQoteZ+9Y0oH3dUg@mail.gmail.com> <a4b1729af4966e99df1582943f02a0a8.squirrel@www.trepanning.net>
Date: Tue, 03 Dec 2013 08:12:27 -0800
Message-ID: <CACsn0cksrU2GErd6FkZPkXKXK4pSJhTbBoJ-0C-14jsM=UY2iQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Dan Harkins <dharkins@lounge.org>, "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Dec 2013 16:12:33 -0000

On Tue, Dec 3, 2013 at 12:50 AM, Dan Harkins <dharkins@lounge.org> wrote:
>
> On Mon, December 2, 2013 8:40 am, Watson Ladd wrote:
>> On Mon, Dec 2, 2013 at 6:28 AM, Rene Struik <rstruik.ext@gmail.com> wrote:
>>> Dear colleagues:
>>>
>>> I had a look at draft-ietf-tls-pwd-02. While I do appreciate the work
>>> that
>>> went into this draft, I have to concur with some other commenters (e.g.,
>>> Doug Stebila, Bodo Moeller) that it is unclear what makes this protocol
>>> special compared to other contenders, both in terms of performance and
>>> detailed cryptanalysis. One glaring omission is detailed security
>>> evidence,
>>> which is currently lacking (cross-referencing some other standards that
>>> have
>>> specified the protocol does not by itself imply the protocol is
>>> therefore
>>> secure). I am kind of curious what technical advantages the "Dragonfly"
>>> protocol has over protocols that seem to have efficiency, detailed and
>>> crypto community reviewed evidence, such as, e.g., AugPAKE (which is
>>> another
>>> TLS-aimed draft) and others. So, if the TLS WG has considered a feature
>>> comparison, that would be good to share.
>>>
>>> I would recommend to ask CFRG to carefully review the corresponding
>>> irtf-dragonfly-02 document (to my knowledge, there has been no LC and it
>>> is
>>> still a draft document there) and align the TLS document
>>> draft-ietf-tls-pwd-02 document with whatever comes out of that effort
>>> (currently, there are some security-relevant differences). This time
>>> window
>>> could also be used for firming up security rationale, thus aleviating
>>> concerns on that front.
>> I do not like the way this standard mixes algorithmic details with
>> instantiation
>> details. It makes it hard for me to understand what the protocol actually
>> is.
>> I also do not understand why H needs to be a random oracle as opposed to
>> something we have in the standard model.
>
>   It is difficult to understand how to act on this comment. The specification
> is of a cipher suite added to an existing protocol and as such has to
> "mix" the
> details of the underlying key exchange with the structure and format of the
> protocol it is being added to. It is not a high-level description of the
> algorithm,
> it is a description of how to implement the key exchange as a TLS cipher
> suit.
What protocol is this standard implementing? Where is it documented? Where is
the security proof?
>
>> I also do not like the language of "commitment" used. What is sent is
>> not a Pedersen commitment or any other recognizable commitment.
>> It is very malleable in ways that make me question the informal security
>> analysis.
>
>   Of course it's a recognizable commitment because it allows the sender
> to commit to a particular value (the password) without exposing it to
> anyone else.
The sender is committed to the password, but not to the value of the PE point.
This is noted in the "security analysis" section, but absent a proof I
can't tell you
that it doesn't matter. The security analysis section reads like a
bunch of attacks
were tried and failed. All that shows is *you* couldn't break it, not
that anyone else
couldn't.
>
>>> Two final comments:
>>> a) It is unclear why one should hard code in the draft that elliptic
>>> curves
>>> with co-factor h>1 would be ruled out. After all, this would make it
>>> much
>>> harder to extend the reach of the draft to prime curves with co-factor
>>> larger than one and to binary curves.
>> I think the authors wanted to specify secure curves and haddn't the
>> slightest to do it right.
>
>   (Note: I always like to have my intelligence questioned with a statement
> that has multiple grammatical errors).
It's not your intell
>
>   As I mentioned to Rene, the reason for limiting the curves to those
> over a prime field with a co-factor of 1 is to avoid the patent mine field.
What mine field? What is so patented about cofactor>1 over prime field?
For binary curves I agree. But why not use whatever curve TLS specifies?
Also, why not use the existing mechanisms to deal with implementation limits
caused by patents?
>
>> Weierstrauß form has big problems: Edwards is much better from an
>> implementation security
>> perspective. Cofactor isn't enough: you also need high embedding
>> degree, big discriminant,
>> or you could just use curves we agree are good instead of reinventing the
>> wheel.
>>
>> Higher order protocols should be group agnostic.This prevents a major
>> problem when
>> Joux comes up with something new.
>
>   It specifies a single group for interoperability purposes. It's "crypto
> agility" is inherited from TLS.
>
>   Dan.
>
>>> b) The probabilistic nature of the "hunting and pecking" procedure may
>>> be a
>>> recipe for triggering implementation attacks. Wouldn't one be much
>>> better
>>> off removing dependency on non-deterministic password-to-point mappings
>>> (e.g., AugPAKE, Icart map, German BSI-password protocol)?
>> Well, one could use Elligator to solve this problem.
>>>
>>> Best regards, Rene
>>>
>>>
>>> On 11/7/2013 8:11 PM, Joseph Salowey (jsalowey) wrote:
>>>>
>>>> This is the beginning of the working group last call for
>>>> draft-ietf-tls-pwd-01.   The underlying cryptographic protocol for
>>>> TLS-PWD
>>>> has been reviewed by the IRTF CFRG group with satisfactory results.
>>>> The
>>>> document needs particular attention paid to the integration of this
>>>> mechanism into the TLS protocol.   Please send comments to the TLS list
>>>> by
>>>> December 2, 2013.
>>>>
>>>> - Joe
>>>> (For the TLS chairs)
>>>> _______________________________________________
>>>> TLS mailing list
>>>> TLS@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/tls
>>>
>>>
>>>
>>> --
>>> email: rstruik.ext@gmail.com | Skype: rstruik
>>> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
>>>
>>>
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>>
>>
>>
>> --
>> "Those who would give up Essential Liberty to purchase a little
>> Temporary Safety deserve neither  Liberty nor Safety."
>> -- Benjamin Franklin
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>
>



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email