Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd
Watson Ladd <watsonbladd@gmail.com> Tue, 03 December 2013 16:12 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1745D1A1F66 for <tls@ietfa.amsl.com>; Tue, 3 Dec 2013 08:12:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1
X-Spam-Level:
X-Spam-Status: No, score=-1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Ws2wiH8AfPS for <tls@ietfa.amsl.com>; Tue, 3 Dec 2013 08:12:31 -0800 (PST)
Received: from mail-we0-x22d.google.com (mail-we0-x22d.google.com [IPv6:2a00:1450:400c:c03::22d]) by ietfa.amsl.com (Postfix) with ESMTP id C10661A1F19 for <tls@ietf.org>; Tue, 3 Dec 2013 08:12:30 -0800 (PST)
Received: by mail-we0-f173.google.com with SMTP id u57so8037181wes.4 for <tls@ietf.org>; Tue, 03 Dec 2013 08:12:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=ADn+W9v/RNQ8lQegi01Vzm3aE75Jirpz8NMX+8TBuOY=; b=frBSGZf486xY5mGZMgLc4v7Y6jKV2rpjxFd1id7QWmXb6vjIqjeq4F4eWJEV0g20R9 8xENV32CrMgeiVZaFKlJOpckVMoFuG9b18XZ0ZG5HLcHx8P5WNMToGKME+AQN2c2CZyV gHx2LWjWAku83szaBFKxCw0Mk+6346AdPy7QzHaVGp5p9drgo98z6ouELXPreV7He7RI p8AIszPz3iRRDOOsYk+FD5Cu/0J1ftQ0x+aux4IFWgmapLaEFt78EV/s8ZRlZ+Bo5lG1 oR2dNNy0zKXk0BBdyoSDtLGi3kHohLtPf08ztUK2yaRjl6DCS2YWmwCv6yuP/Hr5wn3R iHag==
MIME-Version: 1.0
X-Received: by 10.194.48.115 with SMTP id k19mr7905177wjn.47.1386087147652; Tue, 03 Dec 2013 08:12:27 -0800 (PST)
Received: by 10.194.242.131 with HTTP; Tue, 3 Dec 2013 08:12:27 -0800 (PST)
In-Reply-To: <a4b1729af4966e99df1582943f02a0a8.squirrel@www.trepanning.net>
References: <3065D910-832C-47B6-9E0B-2F8DCD2657D2@cisco.com> <529C990D.3020608@gmail.com> <CACsn0cmtP_dF7N2op4DZUwR8t-fW30GmtdqQoteZ+9Y0oH3dUg@mail.gmail.com> <a4b1729af4966e99df1582943f02a0a8.squirrel@www.trepanning.net>
Date: Tue, 03 Dec 2013 08:12:27 -0800
Message-ID: <CACsn0cksrU2GErd6FkZPkXKXK4pSJhTbBoJ-0C-14jsM=UY2iQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Dan Harkins <dharkins@lounge.org>, "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Dec 2013 16:12:33 -0000
On Tue, Dec 3, 2013 at 12:50 AM, Dan Harkins <dharkins@lounge.org> wrote: > > On Mon, December 2, 2013 8:40 am, Watson Ladd wrote: >> On Mon, Dec 2, 2013 at 6:28 AM, Rene Struik <rstruik.ext@gmail.com> wrote: >>> Dear colleagues: >>> >>> I had a look at draft-ietf-tls-pwd-02. While I do appreciate the work >>> that >>> went into this draft, I have to concur with some other commenters (e.g., >>> Doug Stebila, Bodo Moeller) that it is unclear what makes this protocol >>> special compared to other contenders, both in terms of performance and >>> detailed cryptanalysis. One glaring omission is detailed security >>> evidence, >>> which is currently lacking (cross-referencing some other standards that >>> have >>> specified the protocol does not by itself imply the protocol is >>> therefore >>> secure). I am kind of curious what technical advantages the "Dragonfly" >>> protocol has over protocols that seem to have efficiency, detailed and >>> crypto community reviewed evidence, such as, e.g., AugPAKE (which is >>> another >>> TLS-aimed draft) and others. So, if the TLS WG has considered a feature >>> comparison, that would be good to share. >>> >>> I would recommend to ask CFRG to carefully review the corresponding >>> irtf-dragonfly-02 document (to my knowledge, there has been no LC and it >>> is >>> still a draft document there) and align the TLS document >>> draft-ietf-tls-pwd-02 document with whatever comes out of that effort >>> (currently, there are some security-relevant differences). This time >>> window >>> could also be used for firming up security rationale, thus aleviating >>> concerns on that front. >> I do not like the way this standard mixes algorithmic details with >> instantiation >> details. It makes it hard for me to understand what the protocol actually >> is. >> I also do not understand why H needs to be a random oracle as opposed to >> something we have in the standard model. > > It is difficult to understand how to act on this comment. The specification > is of a cipher suite added to an existing protocol and as such has to > "mix" the > details of the underlying key exchange with the structure and format of the > protocol it is being added to. It is not a high-level description of the > algorithm, > it is a description of how to implement the key exchange as a TLS cipher > suit. What protocol is this standard implementing? Where is it documented? Where is the security proof? > >> I also do not like the language of "commitment" used. What is sent is >> not a Pedersen commitment or any other recognizable commitment. >> It is very malleable in ways that make me question the informal security >> analysis. > > Of course it's a recognizable commitment because it allows the sender > to commit to a particular value (the password) without exposing it to > anyone else. The sender is committed to the password, but not to the value of the PE point. This is noted in the "security analysis" section, but absent a proof I can't tell you that it doesn't matter. The security analysis section reads like a bunch of attacks were tried and failed. All that shows is *you* couldn't break it, not that anyone else couldn't. > >>> Two final comments: >>> a) It is unclear why one should hard code in the draft that elliptic >>> curves >>> with co-factor h>1 would be ruled out. After all, this would make it >>> much >>> harder to extend the reach of the draft to prime curves with co-factor >>> larger than one and to binary curves. >> I think the authors wanted to specify secure curves and haddn't the >> slightest to do it right. > > (Note: I always like to have my intelligence questioned with a statement > that has multiple grammatical errors). It's not your intell > > As I mentioned to Rene, the reason for limiting the curves to those > over a prime field with a co-factor of 1 is to avoid the patent mine field. What mine field? What is so patented about cofactor>1 over prime field? For binary curves I agree. But why not use whatever curve TLS specifies? Also, why not use the existing mechanisms to deal with implementation limits caused by patents? > >> Weierstrauß form has big problems: Edwards is much better from an >> implementation security >> perspective. Cofactor isn't enough: you also need high embedding >> degree, big discriminant, >> or you could just use curves we agree are good instead of reinventing the >> wheel. >> >> Higher order protocols should be group agnostic.This prevents a major >> problem when >> Joux comes up with something new. > > It specifies a single group for interoperability purposes. It's "crypto > agility" is inherited from TLS. > > Dan. > >>> b) The probabilistic nature of the "hunting and pecking" procedure may >>> be a >>> recipe for triggering implementation attacks. Wouldn't one be much >>> better >>> off removing dependency on non-deterministic password-to-point mappings >>> (e.g., AugPAKE, Icart map, German BSI-password protocol)? >> Well, one could use Elligator to solve this problem. >>> >>> Best regards, Rene >>> >>> >>> On 11/7/2013 8:11 PM, Joseph Salowey (jsalowey) wrote: >>>> >>>> This is the beginning of the working group last call for >>>> draft-ietf-tls-pwd-01. The underlying cryptographic protocol for >>>> TLS-PWD >>>> has been reviewed by the IRTF CFRG group with satisfactory results. >>>> The >>>> document needs particular attention paid to the integration of this >>>> mechanism into the TLS protocol. Please send comments to the TLS list >>>> by >>>> December 2, 2013. >>>> >>>> - Joe >>>> (For the TLS chairs) >>>> _______________________________________________ >>>> TLS mailing list >>>> TLS@ietf.org >>>> https://www.ietf.org/mailman/listinfo/tls >>> >>> >>> >>> -- >>> email: rstruik.ext@gmail.com | Skype: rstruik >>> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363 >>> >>> >>> _______________________________________________ >>> TLS mailing list >>> TLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/tls >> >> >> >> -- >> "Those who would give up Essential Liberty to purchase a little >> Temporary Safety deserve neither Liberty nor Safety." >> -- Benjamin Franklin >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > > -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- Re: [TLS] Working Group Last Call for draft-ietf-… Douglas Stebila
- [TLS] Working Group Last Call for draft-ietf-tls-… Joseph Salowey (jsalowey)
- Re: [TLS] Working Group Last Call for draft-ietf-… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] Working Group Last Call for draft-ietf-… SeongHan Shin
- Re: [TLS] Working Group Last Call for draft-ietf-… Love Hörnquist Åstrand
- Re: [TLS] Working Group Last Call for draft-ietf-… Love Hörnquist Åstrand
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Love Hörnquist Åstrand
- Re: [TLS] Working Group Last Call for draft-ietf-… SeongHan Shin
- Re: [TLS] Working Group Last Call for draft-ietf-… Ralf Skyper Kaiser
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Ralf Skyper Kaiser
- Re: [TLS] Working Group Last Call for draft-ietf-… oscar.koeroo
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Peter Sylvester
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Rene Struik
- Re: [TLS] Working Group Last Call for draft-ietf-… Watson Ladd
- Re: [TLS] Working Group Last Call for draft-ietf-… Robert Ransom
- Re: [TLS] Working Group Last Call for draft-ietf-… Robert Ransom
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… CodesInChaos
- Re: [TLS] Working Group Last Call for draft-ietf-… Rene Struik
- Re: [TLS] Working Group Last Call for draft-ietf-… Watson Ladd
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Watson Ladd
- Re: [TLS] Working Group Last Call for draft-ietf-… Mohamad Badra
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Mohamad Badra
- Re: [TLS] Working Group Last Call for draft-ietf-… Eric Rescorla
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Watson Ladd
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Bodo Moeller
- Re: [TLS] Working Group Last Call for draft-ietf-… Robert Ransom
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Mohamad Badra
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… SeongHan Shin
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… SeongHan Shin
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… SeongHan Shin
- Re: [TLS] Working Group Last Call for draft-ietf-… Watson Ladd
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… CodesInChaos
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Joseph Birr-Pixton
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Ralf Skyper Kaiser
- Re: [TLS] Working Group Last Call for draft-ietf-… Manuel Pégourié-Gonnard
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Trevor Perrin
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins
- Re: [TLS] Working Group Last Call for draft-ietf-… Ralf Skyper Kaiser
- Re: [TLS] Working Group Last Call for draft-ietf-… Dan Harkins