Re: [TLS] Elliptic Curve J-PAKE

Feng Hao <feng.hao@newcastle.ac.uk> Wed, 27 March 2019 18:56 UTC

From: Feng Hao <feng.hao@newcastle.ac.uk>
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
CC: "tls@ietf.org" <tls@ietf.org>
Date: Wed, 27 Mar 2019 18:56:24 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/iWvtrq_sVIxx7KxhTOdp3tiOtlU>

Hi Hugo,

Thanks for your comments.

Just to clarify the difference between SPAKE2 and J-PAKE - The proof of SPAKE2 depends on the assumption of a trusted setup: the discrete logarithm between the two group generators must be unknown by anyone. If a powerful adversary (3-letter agency) gathers sufficient resources and time (say 1 year) to break one instance of discrete logarithm, it will be a class attack, breaking all instances of SPAKE2 without anyone knowing it. By contrast, they can only break one session in J-PAKE, since by design the randomness is refreshed in every session rather than being built into a static setup. This explains why J-PAKE requires more computation than SPAKE2. Hope it clarifies.

Regards,
Feng

From: TLS <tls-bounces@ietf.org> on behalf of Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Wednesday, 27 March 2019 at 02:49
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Elliptic Curve J-PAKE

Hi Hannes,

J-PAKE is a symmetric PAKE. Both parties store the same password. It is not suitable for most client-server scenarios where using J-PAKE would mean that an attacker that breaks into the server simply steals all plaintext passwords. OPAQUE is an asymmetric (or augmented) PAKE where the user remembers a password (and nothing else, including no public key of the server) while the server stores a one-way image of the password. Security requires that if the server is compromised, the attacker needs to run an offline dictionary attack for each user in the database to find the password.

If what you need is a symmetric PAKE then there are better candidates than J-PAKE such as SPAKE2 described in draft-irtf-cfrg-spake2-08. SPAKE2 is *much* more efficient than J-PAKE and while both J-PAKE and SPAKE2 have proofs of security, SPAKE2 is proven in a stronger security model relative to J-PAKE.

I am not aware of any advantage of J-PAKE over SPAKE2 - but I may be missing something. Maybe the PAKE presentation in cfrg will clarify these issues further.

Hugo



On Tue, Mar 26, 2019 at 1:03 PM Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
Hi all,

In the context of the OPAQUE talk by Nick today at the TLS WG meeting I mentioned that the Thread Group has used the Elliptic Curve J-PAKE for IoT device onboarding.
Here is the draft written for TLS 1.2:
https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01

The mechanism is described in https://tools.ietf.org/html/rfc8236

@Nick & Richard: Have a look at it and see whether it fits your needs.

Ciao
Hannes
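
Added example, not part of the thread and not code from RFC 8236 or any participant: a toy run of the J-PAKE exchange, showing that the round-2 bases are built from exponents drawn fresh in each session, so there is no fixed pair of generators as in SPAKE2, and that each side pays for extra exponentiations and Schnorr proofs. The group parameters (`P`, `Q`, `G`), the function names and the `exps` hook for fixed test exponents are assumptions made for illustration; both parties run inside one function, a finite-field group stands in for the elliptic curve, and key derivation and key confirmation are left out.

```python
import hashlib, secrets

# Toy Schnorr group, constructed for illustration and far too small for real use:
# P = 2*Q + 1 with P and Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 1019, 509, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1                 # uniform in [1, Q-1]

def challenge(base, commit, pub, who):
    h = hashlib.sha256(f"{base}|{commit}|{pub}|{who}".encode()).digest()
    return int.from_bytes(h, "big") % Q

def prove(base, x, who):
    """Schnorr proof of knowledge of x such that pub = base^x (mod P)."""
    v = rand_exp()
    commit = pow(base, v, P)
    return commit, (v - x * challenge(base, commit, pow(base, x, P), who)) % Q

def verify(base, pub, proof, who):
    commit, r = proof
    in_group = 1 < pub < P and pow(pub, Q, P) == 1      # order-Q element, not the identity
    c = challenge(base, commit, pub, who)
    return in_group and commit == pow(base, r, P) * pow(pub, c, P) % P

def jpake_session(s_a, s_b, exps=None):
    """Run both sides of one J-PAKE session; returns (key_a, key_b) or None on abort."""
    x1, x2, x3, x4 = exps or [rand_exp() for _ in range(4)]   # fresh every session
    g1, g2, g3, g4 = (pow(G, x, P) for x in (x1, x2, x3, x4))
    # Round 1: both sides publish two ephemeral values with proofs of knowledge.
    rnd1 = [(g1, x1, "alice"), (g2, x2, "alice"), (g3, x3, "bob"), (g4, x4, "bob")]
    if not all(verify(G, gx, prove(G, x, who), who) for gx, x, who in rnd1):
        return None
    # Round 2: the bases come from this session's values; nothing is fixed in advance.
    base_a, base_b = g1 * g3 * g4 % P, g1 * g2 * g3 % P
    a, b = pow(base_a, x2 * s_a % Q, P), pow(base_b, x4 * s_b % Q, P)
    if not (verify(base_a, a, prove(base_a, x2 * s_a % Q, "alice"), "alice")
            and verify(base_b, b, prove(base_b, x4 * s_b % Q, "bob"), "bob")):
        return None
    # Each side strips the other's blinding term and raises to its own secret.
    k_a = pow(b * pow(g4, -(x2 * s_a) % Q, P) % P, x2, P)
    k_b = pow(a * pow(g2, -(x4 * s_b) % Q, P) % P, x4, P)
    return k_a, k_b
```

With equal passwords both sides arrive at g^((x1+x3)·x2·x4·s); with different passwords the two values differ and a real deployment would fail at key confirmation.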
