Re: [TLS] Working Group Last Call for draft-ietf-tls-pwd

Trevor Perrin <trevp@trevp.net> Tue, 03 December 2013 22:59 UTC


On Tue, Dec 3, 2013 at 12:27 AM, Dan Harkins <dharkins@lounge.org> wrote:
>
>   Dear Rene,
>
> On Mon, December 2, 2013 6:28 am, Rene Struik wrote:
>> Dear colleagues:
>>
>> I had a look at draft-ietf-tls-pwd-02. While I do appreciate the work
>> that went into this draft, I have to concur with some other commenters
>> (e.g., Doug Stebila, Bodo Moeller) that it is unclear what makes this
>> protocol special compared to other contenders, both in terms of
>> performance and detailed cryptanalysis. One glaring omission is detailed
>> security evidence, which is currently lacking (cross-referencing some
>> other standards that have specified the protocol does not by itself
>> imply the protocol is therefore secure). I am kind of curious what
>> technical advantages the "Dragonfly" protocol has over protocols that
>> seem to have efficiency, detailed and crypto community reviewed
>> evidence, such as, e.g., AugPAKE (which is another TLS-aimed draft) and
>> others. So, if the TLS WG has considered a feature comparison, that
>> would be good to share.
>
>   dragonfly is a balanced PAKE kind of exchange and it has certain
> advantages over augmented PAKE schemes like TLS-SRP

Wait, what?

"Augmented PAKE" is of course better than "Balanced PAKE", as it
allows the server to store non-usable credentials.

TLS already has an "Augmented PAKE" - TLS/SRP (RFC 5054) which is
implemented in OpenSSL and elsewhere.

It's not used on the web, or widely, as the TLS layer is generally the
wrong place for user authentication (e.g. leaks username, terminated
at front-end machines without access to user credentials, etc).

However, what little demand exists for a TLS PAKE seems like it's
being adequately served by TLS-SRP.

Why is the WG considering another PAKE with worse properties (non-augmented)?


Trevor
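
The "non-usable credentials" property mentioned above, as an added example that is not part of the original message or of any TLS-SRP implementation: SRP-6a-style arithmetic in which the server stores only a salt and a verifier v, and a client needs x, derived from the password, to reach the same key. Assumptions: SHA-256, a constructed demonstration modulus rather than an RFC 5054 group, all function names, and a direct key comparison standing in for the proof messages a real exchange sends.

```python
import hashlib
import secrets

# Constructed demo group (a Mersenne prime); NOT one of the RFC 5054 SRP groups.
N, g = 2**521 - 1, 3
WIDTH = (N.bit_length() + 7) // 8

def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def pad(n: int) -> bytes:
    return n.to_bytes(WIDTH, "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier

def private_x(salt: bytes, user: bytes, password: bytes) -> int:
    """Client-side secret, recomputed from the password at every login."""
    return H(salt, hashlib.sha256(user + b":" + password).digest())

def enroll(user: bytes, password: bytes):
    """Server-side record: salt and v = g^x mod N, never x or the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, user, password), N)

def server_side(v: int, A: int, b: int):
    if A % N == 0:  # the server must reject a client value that is 0 mod N
        raise ValueError("illegal client value A")
    B = (k * v + pow(g, b, N)) % N
    u = H(pad(A), pad(B))
    return B, pow(A * pow(v, u, N) % N, b, N)

def client_side(x: int, a: int, A: int, B: int) -> int:
    u = H(pad(A), pad(B))
    return pow((B - k * pow(g, x, N)) % N, a + u * x, N)

def keys_match(v: int, x: int) -> bool:
    """One exchange: the server holds only v, the client supplies a candidate x."""
    a = secrets.randbelow(N - 2) + 1
    b = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    B, server_key = server_side(v, A, b)
    return client_side(x, a, A, B) == server_key

USER, PASSWORD = b"alice", b"correct horse"  # constructed sample credentials
SALT, V = enroll(USER, PASSWORD)
```

In a balanced PAKE both sides run the exchange from the same stored value, so the server's record is itself the credential; here the record (SALT, V) has to be turned back into a password by guessing before it can be used as the client.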