Re: [TLS] Augmented PAKE (Re: New Version Notification for draft-shin-tls-augpake-01.txt)

SeongHan Shin <seonghan.shin@aist.go.jp> Tue, 04 February 2014 06:53 UTC

Date: Tue, 04 Feb 2014 15:53:52 +0900
Message-ID: <CAEKgtqnMLD_N0F1ZG+=J8wzkK2bmannAxee_vyj65NbycSrVvA@mail.gmail.com>
From: SeongHan Shin <seonghan.shin@aist.go.jp>
To: Fabrice <fabrice.gautier@gmail.com>
Cc: 古原和邦 <k-kobara@aist.go.jp>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Augmented PAKE (Re: New Version Notification for draft-shin-tls-augpake-01.txt)

Hi Fabrice,

I'm sorry for this delay.

> I haven't seen anything in the TLS1.3 flows document that would allow that.
I meant that the cached domain parameter set is used on the client because the
server has the password verifier, computed with the parameter set.

> I guess you could only require the extra round trip for the first
> connection and have the client cache the group parameters somehow.
Thank you!

> But then you probably need a way for the client to tell the server which
> parameter it is using, so it can signal if the parameters match without
> going through the whole handshake.
One option may be to use the Supported Elliptic Curves Extension [RFC4492],
though I did not describe AugPAKE over elliptic curve groups yet ^^;

> Also, your draft doesn't define new ciphersuites, like TLS-SRP does, so I
> don't think it's complete.
New ciphersuites would be added later.

Best regards,
Shin


On Fri, Nov 8, 2013 at 7:37 AM, Fabrice <fabrice.gautier@gmail.com> wrote:

> On Nov 7, 2013, at 10:36, SeongHan Shin <seonghan.shin@aist.go.jp> wrote:
>
> Hi Fabrice,
>
> Thank you for your comment!
>
> Section 5.1 can be used in TLS 1.3 handshake (?) as in Eric's presentation
> :)
>
>
> I haven't seen anything in the TLS1.3 flows document that would allow that.
>
>
> > How does the client know which group to use?
> As you pointed out, we need to change Section 5.1 for the current TLS
> version.
> A naive approach is to add one round exchange after ServerHello.
> Any other good ideas?
>
>
> I guess you could only require the extra round trip for the first
> connection and have the client cache the group parameters somehow.
>
> But then you probably need a way for the client to tell the server which
> parameter it is using, so it can signal if the parameters match without
> going through the whole handshake.
>
> Also, your draft doesn't define new ciphersuites, like TLS-SRP does, so I
> don't think it's complete.
>
>    Fabrice
>
>
>
> Regards,
> Shin
>
>
> On Fri, Nov 8, 2013 at 1:20 AM, Fabrice Gautier <fabrice.gautier@gmail.com> wrote:
>
>> Hi,
>>
>> How does the client know which group to use?
>>
>> As the client would need to know the group before sending the
>> ClientHello, it seems that the client needs to remember the groups
>> parameters along with the password, which seems impractical.
>>
>>
>> -- Fabrice
>>
>>
>> On Wed, Nov 6, 2013 at 11:25 AM, SeongHan Shin <seonghan.shin@aist.go.jp>
>> wrote:
>> > Dear all,
>> >
>> > For anyone who is interested in PAKE, pls see the below I-D regarding
>> > augmented PAKE.
>> >
>> > IMO, two reasons that SRP was published as RFC 2945 and included in IEEE
>> > 1363.2 and ISO/IEC 11770-4 are 1) SRP is an augmented PAKE and 2) the
>> > server's computation cost of SRP is a minimum.
>> > (Though SRP has no provable security)
>> >
>> > The AugPAKE in the below I-D is provably secure and more efficient than
>> > other augmented PAKEs (including SRP and AMP).
>> >
>> > Of course, augmented PAKE provides additional security property over
>> > (balanced) PAKE.
>> >
>> > Best regards,
>> > Shin
>> >
>> >
>> > On Wed, Sep 4, 2013 at 6:39 PM, SeongHan Shin <seonghan.shin@aist.go.jp> wrote:
>> >>
>> >> Dear all,
>> >>
>> >> I submitted a new version of our I-D regarding augmented PAKE (AugPAKE)
>> >> and its integration into TLS.
>> >> I added some features of AugPAKE in Appendix.
>> >> Any comments are welcome!
>> >>
>> >> Best regards,
>> >> Shin
>> >>
>> >> ---------- Forwarded message ----------
>> >> From: <internet-drafts@ietf.org>
>> >> Date: Wed, Sep 4, 2013 at 6:26 PM
>> >> Subject: New Version Notification for draft-shin-tls-augpake-01.txt
>> >> To: Kazukuni Kobara <kobara_conf-ml@aist.go.jp>, SeongHan Shin
>> >> <seonghan.shin@aist.go.jp>
>> >>
>> >>
>> >>
>> >> A new version of I-D, draft-shin-tls-augpake-01.txt
>> >> has been successfully submitted by SeongHan Shin and posted to the
>> >> IETF repository.
>> >>
>> >> Filename:        draft-shin-tls-augpake
>> >> Revision:        01
>> >> Title:           Augmented Password-Authenticated Key Exchange for Transport Layer Security (TLS)
>> >> Creation date:   2013-09-04
>> >> Group:           Individual Submission
>> >> Number of pages: 19
>> >> URL:             http://www.ietf.org/internet-drafts/draft-shin-tls-augpake-01.txt
>> >> Status:          http://datatracker.ietf.org/doc/draft-shin-tls-augpake
>> >> Htmlized:        http://tools.ietf.org/html/draft-shin-tls-augpake-01
>> >> Diff:            http://www.ietf.org/rfcdiff?url2=draft-shin-tls-augpake-01
>> >>
>> >> Abstract:
>> >>    This document describes an efficient augmented password-authenticated
>> >>    key exchange (AugPAKE) protocol where a user remembers a low-entropy
>> >>    password and its verifier is registered in the intended server.  In
>> >>    general, the user password is chosen from a small set of dictionary
>> >>    whose space is within the off-line dictionary attacks.  The AugPAKE
>> >>    protocol described here is secure against passive attacks, active
>> >>    attacks and off-line dictionary attacks (on the obtained messages
>> >>    with passive/active attacks), and also provides resistance to server
>> >>    compromise (in the context of augmented PAKE security).  Based on the
>> >>    AugPAKE protocol, this document also specifies a new password-only
>> >>    authentication handshake for Transport Layer Security (TLS) protocol.
>> >>
>> >>
>> >>
>> >>
>> >> Please note that it may take a couple of minutes from the time of
>> >> submission
>> >> until the htmlized version and diff are available at tools.ietf.org.
>> >>
>> >> The IETF Secretariat
>> >>
>> >>
>> >>
>> >>
>>
>
>
>


-- 
------------------------------------------------------------------
SeongHan Shin
Research Institute for Secure Systems (RISEC),
National Institute of Advanced Industrial Science and Technology (AIST),
Central 2, 1-1-1, Umezono, Tsukuba City, Ibaraki 305-8568 Japan
Tel : +81-29-861-2670/5284
Fax : +81-29-861-5285
E-mail : seonghan.shin@aist.go.jp
------------------------------------------------------------------
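A toy model of the group negotiation discussed in this thread, added here as an example and not taken from the I-D or from anyone on the list: the password verifier is bound to the group it was registered under, so the client proposes the group it cached (standing in for a Supported Elliptic Curves-style hint) and the server can signal a mismatch before the full handshake runs. The group table, the hash encoding, the `group_mismatch` signal and the AugPAKE-style exchange in `augpake` are my assumptions, not the draft's exact specification.

```python
import hashlib
import secrets

# Constructed toy groups, far too small for real use: group_id -> (p, q, g) with g of order q.
GROUPS = {1: (23, 11, 2), 2: (47, 23, 2)}

def h(*parts):
    # Toy hash-to-integer over labelled inputs (the I-D's exact encoding is not reproduced here).
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")

def derive_w(group_id, user, server, password):
    # Password-derived exponent, reduced into the group's order q (never zero).
    return h(0, user, server, password) % GROUPS[group_id][1] or 1

def make_verifier(group_id, user, server, password):
    # The verifier W = g^w mod p is bound to the group it was registered under.
    p, q, g = GROUPS[group_id]
    return {"group_id": group_id, "W": pow(g, derive_w(group_id, user, server, password), p)}

def client_hello(cache, user, server):
    # The client proposes the group it cached for this (user, server) pair, if any.
    return {"user": user, "group_id": cache.get((user, server))}

def server_hello(registry, hello):
    # Hypothetical negotiation: on a mismatch the server names the verifier's group so the
    # client can cache it, instead of failing deep inside the handshake.
    rec = registry[hello["user"]]
    status = "ok" if hello["group_id"] == rec["group_id"] else "group_mismatch"
    return {"status": status, "group_id": rec["group_id"]}

def augpake(group_id, user, server, password, W):
    # AugPAKE-style exchange (assumption, from memory of the I-D): client sends X = g^x,
    # server answers Y = (X * W^r)^y, and both should end with K = g^y.
    # Returns (client_key, server_key); they differ when W does not match the password.
    p, q, g = GROUPS[group_id]
    w = derive_w(group_id, user, server, password)
    while True:
        x = secrets.randbelow(q - 1) + 1               # client ephemeral
        X = pow(g, x, p)
        r = h(1, user, server, X) % q or 1
        if (x + w * r) % q:                            # client needs this invertible mod q
            break
    y = secrets.randbelow(q - 1) + 1                   # server ephemeral
    Y = pow(X * pow(W, r, p), y, p)                    # server: uses the stored verifier
    z = pow((x + w * r) % q, -1, q)                    # client: uses the password, not W
    return pow(Y, z, p), pow(g, y, p)
```

The first `client_hello` has no cached group and draws the mismatch signal; after caching the answer the second attempt is accepted without the extra round.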