Re: [TLS] The PAKE question and PSK

"Dan Harkins" <dharkins@lounge.org> Wed, 02 April 2014 18:52 UTC

Date: Wed, 02 Apr 2014 11:52:26 -0700
From: Dan Harkins <dharkins@lounge.org>
To: Watson Ladd <watsonbladd@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/dJtaMPft24XY03EdA77-8DuXwm8
Cc: tls@ietf.org

On Wed, April 2, 2014 11:15 am, Watson Ladd wrote:
> On Apr 2, 2014 10:55 AM, "Dan Harkins" <dharkins@lounge.org> wrote:
>>
>>
>> On Wed, April 2, 2014 10:26 am, Nico Williams wrote:
>> > On Wed, Apr 2, 2014 at 12:18 PM, Dan Harkins <dharkins@lounge.org> wrote:
>> >>   EKE doesn't do RSA. And, as Nico pointed out, observing a single
>> >> exchange can eliminate a large majority of the potential passwords.
>> >> Even an infrequent use can give an adversary a high probability of
>> >> successfully determining the secret.
>> >
>> > But if you use Elligator then that problem goes away.  That's the key
>> > point.
>>
>>   Yes, as I mentioned back in December on this list, EKE with Elligator
>> would make a very good alternative to TLS-pwd. And if there was a mature
>> draft ready for publication that specified such a scheme it would be worth
>> considering. But there isn't. And we're 2+ years away from having such a
>> thing. Probably more since we have not identified a stuckee willing to
>> edit it.
>>
>>   As Cullen mentioned, the IETF is a volunteer organization and telling
>> people that they should go write a draft specifying your alternative to
>> their draft is not really productive.
>>
>>   I have received and resolved comments on the draft dealing with
>> protection of the username from passive observers and on mitigating
>> side channel attacks. There is no technical problem with TLS-pwd and it
>> solves real problems right now. I see no reason why it should not ease
>> away from the curb (and out of its parked position).
>
> What about the complete absence of any positive security analysis? You've
> known this was going to be an issue since you invented Dragonfly. I feel
> completely uncompelled to be 'productive' at the expense of security.

  You're overstating things a bit. There is no formal proof but that doesn't
mean there is a complete absence of any positive security analysis.

  Being uncompelled and upset at the lack of a formal proof are not
technical comments, they are just whines.

> Quit fussing and whining about how hard it is to write drafts. You could
> have started with something provably secure and avoided wasting your
> efforts.

  "Quit fussing and whining" works both ways. You've been fussing and
whining since you joined this list and it might be a good time to quit.

  To be clear, I have not said that it is hard to write a draft, I said it
is time consuming. And I already have a draft (and running code) that solves the
problems I have identified. I have no reason to volunteer to write another
draft to do something that you want and I don't think you can afford my
consulting rate.

> Failing that, make AugPAKE work on ECC by grabbing the draft and fixing
> it, then submit that instead.

  You should stop telling people to do things you are unwilling to do
yourself.

  Dan.