Re: [TLS] The PAKE question and PSK

SeongHan Shin <seonghan.shin@aist.go.jp> Wed, 09 April 2014 04:07 UTC

To: Dan Harkins <dharkins@lounge.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/xmgaseQgea-UaTM-GWwumWXrDCE
Cc: "tls@ietf.org" <tls@ietf.org>

Dear all,

>> Failing that, make AugPAKE work on ECC by grabbing the draft and fixing
>> it, then submit that instead.
>
>  You should stop telling people to do things you are unwilling to do
>yourself.

In the next version, I would include an ECC version of AugPAKE.

Best regards,
Shin


On Thu, Apr 3, 2014 at 3:52 AM, Dan Harkins <dharkins@lounge.org> wrote:

>
> On Wed, April 2, 2014 11:15 am, Watson Ladd wrote:
> > On Apr 2, 2014 10:55 AM, "Dan Harkins" <dharkins@lounge.org> wrote:
> >>
> >>
> >> On Wed, April 2, 2014 10:26 am, Nico Williams wrote:
> >> > On Wed, Apr 2, 2014 at 12:18 PM, Dan Harkins <dharkins@lounge.org> wrote:
> >> >>   EKE doesn't do RSA. And, as Nico pointed out, observing a single exchange
> >> >> can eliminate a large majority of the potential passwords. Even an infrequent
> >> >> use can give an adversary a high probability of successfully determining
> >> >> the secret.
> >> >
> >> > But if you use Elligator then that problem goes away.  That's the key
> >> > point.
> >>
> >>   Yes, as I mentioned back in December on this list, EKE with Elligator
> >> would make a very good alternative to TLS-pwd. And if there was a mature
> >> draft ready for publication that specified such a scheme it would be worth
> >> considering. But there isn't. And we're 2+ years away from having such a
> >> thing. Probably more since we have not identified a stuckee willing to
> >> edit it.
> >>
> >>   As Cullen mentioned, the IETF is a volunteer organization and telling
> >> people that they should go write a draft specifying your alternative to
> >> their draft is not really productive.
> >>
> >>   I have received and resolved comments on the draft dealing with
> >> protection of the username from passive observers and on mitigating
> >> side channel attacks. There is no technical problem with TLS-pwd and it
> >> solves real problems right now. I see no reason why it should not ease
> >> away from the curb (and out of its parked position).
> >
> > What about the complete absence of any positive security analysis? You've
> > known this was going to be an issue since you invented Dragonfly. I feel
> > completely uncompelled to be 'productive' at the expense of security.
>
>   You're overstating things a bit. There is no formal proof but that doesn't
> mean there is a complete absence of any positive security analysis.
>
>   Being uncompelled and upset at the lack of a formal proof are not
> technical comments, they are just whines.
>
> > Quit fussing and whining about how hard it is to write drafts. You could
> > have started with something provably secure and avoided wasting your
> > efforts.
>
>   "Quit fussing and whining" works both ways. You've been fussing and
> whining since you joined this list and it might be a good time to quit.
>
>   To be clear, I have not said that it is hard to write a draft, I said it is
> time consuming. And I already have a draft (and running code) that solves the
> problems I have identified. I have no reason to volunteer to write another
> draft to do something that you want and I don't think you can afford my
> consulting rate.
>
> > Failing that, make AugPAKE work on ECC by grabbing the draft and fixing
> > it, then submit that instead.
>
>   You should stop telling people to do things you are unwilling to do
> yourself.
>
>   Dan.



-- 
------------------------------------------------------------------
SeongHan Shin
Research Institute for Secure Systems (RISEC),
National Institute of Advanced Industrial Science and Technology (AIST),
Central 2, 1-1-1, Umezono, Tsukuba City, Ibaraki 305-8568 Japan
Tel : +81-29-861-2670/5284
Fax : +81-29-861-5285
E-mail : seonghan.shin@aist.go.jp
------------------------------------------------------------------