Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-cfrg-dragonfly document status)
Paul Lambert <paul@marvell.com> Thu, 09 October 2014 16:55 UTC
Return-Path: <paul@marvell.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C63CE1AC7E7 for <cfrg@ietfa.amsl.com>; Thu, 9 Oct 2014 09:55:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.967
X-Spam-Level:
X-Spam-Status: No, score=-1.967 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KquD_z2y0k9q for <cfrg@ietfa.amsl.com>; Thu, 9 Oct 2014 09:55:44 -0700 (PDT)
Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68B481AD369 for <cfrg@irtf.org>; Thu, 9 Oct 2014 09:55:36 -0700 (PDT)
Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.14.5/8.14.5) with SMTP id s99GtTXf022892; Thu, 9 Oct 2014 09:55:29 -0700
Received: from sc-owa.marvell.com ([199.233.58.135]) by mx0b-0016f401.pphosted.com with ESMTP id 1pwsx8rxuk-17 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Thu, 09 Oct 2014 09:55:29 -0700
Received: from SC-vEXCH2.marvell.com ([10.93.76.134]) by SC-OWA.marvell.com ([::1]) with mapi; Thu, 9 Oct 2014 09:55:27 -0700
From: Paul Lambert <paul@marvell.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "\"Schmidt, Jörn-Marc\"" <Joern-Marc.Schmidt@secunet.com>, Alexey Melnikov <alexey.melnikov@isode.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Thu, 09 Oct 2014 09:55:25 -0700
Thread-Topic: [Cfrg] PAKEs in general (was; Re: draft-irtf-cfrg-dragonfly document status)
Thread-Index: Ac/j4dMvkUIRrTTaR3+oVa9eS2pQvA==
Message-ID: <D05BF8A4.50927%paul@marvell.com>
References: <54357A2A.2010800@isode.com> <38634A9C401D714A92BB13BBA9CCD34F13E26818@mail-essen-01.secunet.de> <54366BA1.1010603@cs.tcd.ie>
In-Reply-To: <54366BA1.1010603@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.4.140807
acceptlanguage: en-US
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.12.52, 1.0.28, 0.0.0000 definitions=2014-10-09_07:2014-10-09,2014-10-09,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000 definitions=main-1410090125
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/q16KPx0cHXOAbnnPU6fmrbTxprY
Subject: Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-cfrg-dragonfly document status)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Oct 2014 16:55:53 -0000
X-List-Received-Date: Thu, 09 Oct 2014 16:55:53 -0000
On 10/9/14, 4:04 AM, "Stephen Farrell" <stephen.farrell@cs.tcd.ie> wrote: > > >On 09/10/14 09:31, Schmidt, Jörn-Marc wrote: >>> 1) keep in mind that CFRG chairs believe that the RG should work on >>> PAKE requirements and after that on other PAKE proposals. This was >>> suggested by our previous co-chair David McGrew >>>> http://www.ietf.org/mail-archive/web/cfrg/current/msg03723.html >> >> So why don't we start right now with a discussion on the requirements >> (independent from the current dragonfly draft)? > >I'll just note that there were also voices (incl. mine) saying: >"I really don't care about work on PAKEs. Seems like a waste of >time to me. But go ahead and spend time on that if you wish." +1 mostly. Shared passwords are architecturally problematic. They are more useable ways to authenticate. As a community we should be spending time on forward looking opportunities. The Œmostly' is that the Dragonfly draft should be published so it can be used a little better in a couple of specific environments where it is already being wired into systems. Specifically, IEEE 802.11 has the SAE protocol which uses the Dragonfly exchange for mesh networks. There are other peer-to-peer wireless applications that could use Dragonfly soon. In particular, the Wi-Fi industry also has a long standing issue with password based authentication being subject to brute-force attacks in the WPA2=Personal authentication (aka 4-way handshake). Dragonfly in the form of SAE will potentially be dropped in as a replacement for the current hash based exchange. J-PAKE is also a Œnice¹ looking PAKE algorithm with a good credentials. Someone should take the time to continue it¹s documentation and progression Š but I would NOT want to be using any PAKE directly in the future as a primary means of authentication. A PAKE-like construct might be incorporated as a building block in some non-password based authentication system, but is not a pressing industry need at this level of abstraction. J-PAKE is NOT a viable near term replacement for Dragonfly in the wireless market. It takes many hundreds of hours of work and years of effort to push real industry adoption of a technology in markets that involve multiple interoperating vendors. Applications, like Mozilla, can push fast and wide adoption of mechanisms like J-PAKE without having to deal with the sluggish nature of broader interoperability forums (like Wi-Fi). Dragonfly is in it¹s 8th trimester of birth. It¹s been pointed out that while it appears to be completely healthy, there is no Œproof¹ that it¹s genetic structure can be proven to be Œhealthy¹. No unresolved flaws have been identified. A vocal zealot from the Church of Formal Reduction insists that it be aborted because it has not been blessed. This Œbaby¹ may not be as cute as others, but it has a planned and ready forum for adoption. Dragonfly should be published. This does not prevent other PAKE¹s from emerging (which they should). Publishing Dragonfly is not a recommendation that it is the best PAKE, or the long term answer for global warming. Publishing Dragonfly provides a stable reference versus a transient draft. The cfrg review has helped to create a clear and correct specification that should be published. >My own logic for that is that such work seems to me to be fine >cryptographic work, but of no use at all for IETF protocols. And >yes, I know there are some folks who disagree with that in general, >or who see specific niches cases where PAKEs might be useful. As >it happens, I don't, but like I say just that's a personal opinion >and not something with IETF consensus, so don't take my comment as >being "from the IETF" or similar. Yes. Standalone PAKEs are not good general solutions for IETF protocols, but the nature of Œgood general solutions' are not worth debating without the context of specific usage. Starting new debate on new mechanisms is not relevant to the discussion of the clarity and correctness of a proposed RFC. Dragonfly should be published. > >For my money, I'd much prefer to see the additional curves discussion >reach a conclusion. And to the extent that work on PAKEs distracts >from that, which is hard to evaluate, I see working on PAKEs as a >slight negative. Another reason to publish Dragonfly and move on. J-PAKE or other PAKEs will be brought to this forum for review, but involved development of requirements and comparisons of Œbest¹ is a waste of this forums time. Paul PS - my apologies to the list for posting my opinion again that Dragonfly be published as an RFC (oops did it again :-) I will back away for awhile to hear other voices on the list. Repetition of position does not help the consensus determination. > >S. > >_______________________________________________ >Cfrg mailing list >Cfrg@irtf.org >http://www.irtf.org/mailman/listinfo/cfrg
- [Cfrg] draft-irtf-cfrg-dragonfly document status Alexey Melnikov
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Watson Ladd
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Paul Lambert
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Watson Ladd
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Paul Lambert
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Dan Harkins
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Watson Ladd
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Peter Gutmann
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Dan Harkins
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Schmidt
- [Cfrg] PAKEs in general (was; Re: draft-irtf-cfrg… Stephen Farrell
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Watson Ladd
- Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-… Paul Lambert
- Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-… Andy Lutomirski
- Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-… Mike Hamburg
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Alexey Melnikov
- [Cfrg] JPAKE and a few other things (was Re: draf… Alexey Melnikov
- [Cfrg] Writing proposals as drafts first (was Re:… Alexey Melnikov
- [Cfrg] PAKE requirements Alexey Melnikov
- Re: [Cfrg] draft-irtf-cfrg-dragonfly document sta… Watson Ladd
- Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-… Yoav Nir
- Re: [Cfrg] PAKEs in general (was; Re: draft-irtf-… Dan Harkins