[TLS] Symmetric PAKE for TLS

Schmidt, Jörn-Marc <Joern-Marc.Schmidt@secunet.com> Fri, 06 June 2014 09:25 UTC

From: Schmidt, Jörn-Marc <Joern-Marc.Schmidt@secunet.com>
To: tls@ietf.org
Date: Fri, 6 Jun 2014 09:24:48 +0000
Message-ID: <38634A9C401D714A92BB13BBA9CCD34F071673D1@mail-essen-01.secunet.de>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/l1ZQuRSdethtoaBhFc0B7zRfZVU

Dear all,

I'd like to come back to a topic that has raised intensive discussions in the past: Introducing a symmetric PAKE scheme for TLS that supports ECC. I believe such a protocol is very useful, e.g. for enrollment of certificates on constrained devices like IP phones.

My proposal is to use PACE [1] with a flexible mapping to support Weierstrass as well as Montgomery and Edwards curves. The rationale behind this suggestion is:

- It's patent-free [2]

- It comes with a security proof [3]

- It received a lot of attention as it is used in European travel documents

I think the mapping of a random number to an ECC point that is used by the protocol should be very flexible, so that it is possible to use e.g. simplified SWU [4] for Weierstrass or Elligator [5] for Montgomery and Edwards. If you hold the appropriate license, you can even use Icart's function [6].

Because of the intense previous discussion, I'd like to collect some opinions on the list before moving forward and writing a draft. Any feedback and thoughts are welcome.



[1] BSI TR-03110 Advanced Security Mechanisms for Machine Readable Travel Documents

[2] PACE has been used in travel documents for years without patent discussions - the only critical thing is the mapping.

[3] Security Analysis of the PACE Key-Agreement Protocol. Jens Bender, Marc Fischlin and Dennis Kügler

[4] Efficient Indifferentiable Hashing into Ordinary Elliptic Curves. Eric Brier et al.

[5] http://elligator.cr.yp.to/

[6] How to Hash into Elliptic Curves. Thomas Icart
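The exchange the post sketches (PACE with the nonce hashed into a random curve point, then ephemeral ECDH over that point and a key-confirmation MAC), as an added, runnable example that is not part of the original post and not the BSI TR-03110 reference text. It uses NIST P-256 (cofactor 1, p = 3 mod 4, a*b != 0, so the simplified SWU map of Brier et al. applies without any further conditioning) and only the Python standard library. Two primitives are stand-ins chosen for self-containment, not the ones TR-03110 specifies: the nonce is encrypted with a SHA-256 keystream instead of AES-CBC, and the pseudo-random function R_p(s, t) is HMAC-SHA256 instead of the AES-based construction. The names `pace_run`, `map_point`, `xor_stream` and the counter values passed to `kdf` are this example's own choices.

```python
# Added example: PACE with "integrated mapping" (nonce -> simplified SWU -> ECDH).
# Not TR-03110 reference code. Stand-ins (assumptions): SHA-256 keystream in place
# of AES-CBC for the nonce, HMAC-SHA256 in place of the AES-based R_p(s, t).
import hashlib, hmac, secrets

# NIST P-256 domain parameters: y^2 = x^3 + A*x + B over F_P, group order N.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt = ec_add(pt, pt); k >>= 1
    return acc

def simplified_swu(t):
    """Brier et al. simplified SWU for p = 3 (mod 4) and a*b != 0.
    With alpha = -t^2 and x3 = alpha*x2 one has g(x3) = alpha^3 * g(x2) = -t^6 * g(x2);
    -1 is a non-residue mod P, so exactly one of g(x2), g(x3) is a square."""
    t %= P
    if t in (0, 1, P - 1):                      # alpha*(alpha+1) would be 0
        raise ValueError("t in {0, 1, -1} is excluded by the map")
    alpha = -t * t % P
    x2 = (-B * pow(A, -1, P)) * (1 + pow(alpha * alpha + alpha, -1, P)) % P
    x3 = alpha * x2 % P
    for x in (x2, x3):
        h = (x * x * x + A * x + B) % P
        if pow(h, (P - 1) // 2, P) <= 1:        # h is 0 or a quadratic residue
            return (x, pow(h, (P + 1) // 4, P)) # square root, valid since P = 3 mod 4
    raise AssertionError("unreachable: one of g(x2), g(x3) is a square")

def kdf(secret, counter):
    return hashlib.sha256(secret + counter.to_bytes(4, "big")).digest()

def xor_stream(key, data):
    # Stand-in for the AES-CBC encryption of the nonce in TR-03110 (assumption).
    ks = hashlib.sha256(key + b"nonce-keystream").digest()
    return bytes(a ^ b for a, b in zip(data, ks))

def map_point(s, t):
    # Stand-in R_p(s, t) = HMAC-SHA256(s, t), reduced mod P, then hashed to a point.
    r = int.from_bytes(hmac.new(s, t, hashlib.sha256).digest(), "big")
    return simplified_swu(r)

def pace_run(pw_picc, pw_pcd):
    """Run PACE-IM between chip (PICC) and reader (PCD) holding the given passwords.
    Returns (verified, session_key); session_key is None if key confirmation fails."""
    k_pi_picc, k_pi_pcd = kdf(pw_picc.encode(), 3), kdf(pw_pcd.encode(), 3)
    # Step 1: PICC encrypts a fresh nonce s under K_pi; PCD decrypts with its own K_pi.
    s = secrets.token_bytes(32)
    z = xor_stream(k_pi_picc, s)
    s_pcd = xor_stream(k_pi_pcd, z)             # equals s only if the passwords match
    # Step 2: PCD sends nonce t in clear; both sides map (s, t) to a generator G'.
    t = secrets.token_bytes(32)
    g_picc, g_pcd = map_point(s, t), map_point(s_pcd, t)
    # Step 3: ephemeral ECDH over the mapped generators.
    d_picc, d_pcd = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    pk_picc, pk_pcd = ec_mul(d_picc, g_picc), ec_mul(d_pcd, g_pcd)
    k_picc = ec_mul(d_picc, pk_pcd)[0].to_bytes(32, "big")
    k_pcd = ec_mul(d_pcd, pk_picc)[0].to_bytes(32, "big")
    # Step 4: key confirmation, each side MACs the peer's ephemeral public key with K_mac.
    def token(k, pk):
        enc = pk[0].to_bytes(32, "big") + pk[1].to_bytes(32, "big")
        return hmac.new(kdf(k, 2), enc, hashlib.sha256).digest()
    t_picc, t_pcd = token(k_picc, pk_pcd), token(k_pcd, pk_picc)
    ok_at_pcd = hmac.compare_digest(t_picc, token(k_pcd, pk_pcd))
    ok_at_picc = hmac.compare_digest(t_pcd, token(k_picc, pk_picc))
    verified = ok_at_pcd and ok_at_picc
    return verified, (kdf(k_pcd, 1) if verified else None)
```

Running `pace_run("123456", "123456")` completes with both confirmation tokens verifying, while `pace_run("123456", "123457")` fails: a wrong password yields a different decrypted nonce, hence a different mapped generator, and the two sides never agree on a key, so an active guesser learns at most one password candidate per run. The offline-dictionary resistance rests on the mapped point being indistinguishable from a random point, which is why the post insists on a proper map such as simplified SWU, Elligator or Icart's function rather than an ad-hoc encoding.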