Re: [TLS] The PAKE question and PSK

Nico Williams <nico@cryptonector.com> Wed, 02 April 2014 16:46 UTC

In-Reply-To: <7a41ee191d22df1f5924a68034c74a49.squirrel@www.trepanning.net>
References: <CACsn0cnBXvjo4cCN8htKvmakzhneqq4nXN9WfPdgkqjgBTNpGA@mail.gmail.com> <533BBC3C.6000704@gmx.net> <7a41ee191d22df1f5924a68034c74a49.squirrel@www.trepanning.net>
Date: Wed, 02 Apr 2014 11:46:25 -0500
Message-ID: <CAK3OfOinKSbsBotd8zFy9d4o+1so_gyFU7cc9GPAXLtsEjrGDw@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Dan Harkins <dharkins@lounge.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/e9OR1DB-t0oiMEMRXMGPQVWkhUY
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] The PAKE question and PSK

On Wed, Apr 2, 2014 at 11:38 AM, Dan Harkins <dharkins@lounge.org> wrote:
>   One of the problems with EKE is that using it with ECC opens the
> exchange up to a partitioning attack.

Very much so.  For example, EKE with curve25519 allows eavesdroppers
to eliminate 7/8ths of possible passwords for each exchange observed
(that's a different 7/8ths of possible passwords in each exchange).
After a few exchanges the attacker can recover the password with very
high confidence.

For some ECC curves the solution is Elligator.  This is quite
convenient because EKE w/ ECC and Elligator is to a very high
likelihood not subject to any patents whatsoever.

Nico
--
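A toy model of the partitioning effect described above, added here as an illustration and not code from the thread or from any EKE or Elligator implementation. The curve is replaced by an arbitrary assumption: group elements live in a space of 8·N integers and only multiples of 8 count as "valid" encodings, so a random value decodes to a valid element with probability 1/8, matching the 7/8 figure in the message; the "Elligator" form stands in for the real map by sending the index of the valid element instead, so every unmasked value is a valid index and an eavesdropper learns nothing about the password.

```python
import hashlib
import random

# Toy parameters (assumptions, not curve25519): 8*N raw encodings, of which
# the multiples of 8 are "valid", i.e. a random value is valid with prob. 1/8.
N = 1 << 16
M = 8 * N

def is_valid_raw(v: int) -> bool:
    """Toy stand-in for 'this raw encoding decodes to a point on the curve'."""
    return v % 8 == 0

def mask(password: str, modulus: int, nonce: int) -> int:
    """Password-derived one-time mask: the toy 'encryption under the password'."""
    h = hashlib.sha256(f"{password}|{nonce}".encode()).digest()
    return int.from_bytes(h, "big") % modulus

def eke_raw(password: str, elem: int, nonce: int) -> int:
    """EKE-style message: raw encoding masked under the password (the weak form)."""
    return (elem + mask(password, M, nonce)) % M

def eke_elligator(password: str, elem: int, nonce: int) -> int:
    """Elligator-style message: first map the valid element 8*i to the uniform
    index i in [0, N) (toy bijection), then mask that under the password."""
    return (elem // 8 + mask(password, N, nonce)) % N

def survivors(candidates, transcripts, raw: bool):
    """Candidate passwords still consistent with the observed transcripts.
    Raw form: a wrong guess unmasks to a valid encoding only 1/8 of the time,
    so ~7/8 of wrong candidates are eliminated per exchange (the true password
    always survives).  Elligator form: every unmasked value is a valid index,
    so the check is tautological and no candidate is ever eliminated."""
    alive = list(candidates)
    for nonce, msg in transcripts:
        if raw:
            alive = [pw for pw in alive if is_valid_raw((msg - mask(pw, M, nonce)) % M)]
        else:
            alive = [pw for pw in alive if 0 <= (msg - mask(pw, N, nonce)) % N < N]
    return alive

def demo(raw: bool, exchanges: int = 8, seed: int = 7):
    """Observe `exchanges` runs with the real password, then prune a 4096-word dictionary."""
    rng = random.Random(seed)
    dictionary = [f"pw{i}" for i in range(4096)]   # constructed sample dictionary
    real = "pw1234"
    transcripts = []
    for nonce in range(exchanges):
        elem = 8 * rng.randrange(N)                 # a random valid element
        msg = eke_raw(real, elem, nonce) if raw else eke_elligator(real, elem, nonce)
        transcripts.append((nonce, msg))
    return survivors(dictionary, transcripts, raw)
```

With the raw encoding the dictionary collapses to the real password after a handful of observed exchanges; with the uniform encoding all 4096 candidates remain equally plausible.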