-
Notifications
You must be signed in to change notification settings - Fork 10
/
ietf100.tex
124 lines (100 loc) · 3.81 KB
/
ietf100.tex
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
\documentclass{beamer}
\usepackage{url}
\usetheme{Berlin}
\title{SPAKE2}
\author{Benjamin Kaduk}
\date{15 November 2017}
\begin{document}
\begin{frame}
\titlepage
\end{frame}
\section{Resuscitating draft-irtf-cfrg-spake2}
\begin{frame}
\frametitle{History}
\begin{itemize}
\item{Version -03 submitted in February 2016}
\item{Got comments from Greg Hudson and Alex Elsayed}
\item{No motion on the document afterwards}
\item{Reconstructed -04 submitted last month}
\item{New version coming soon!}
\end{itemize}
\end{frame}
\section{Use Cases}
\begin{frame}
\frametitle{Kerberos Pre-Authentication}
\begin{itemize}
\item{``Traditional'' Kerberos has the KDC send a ticket to any client that asks.}
\item{Users choose weak passwords}
\item{Modern deployments ```pre-authenticate''' users before sending a ticket,
but a passive observer still gets a ciphertext to brute-force}
\item{Other options (FAST, PKINIT) are hard to deploy}
\item{PAKE provides protection against offline attacks and also enables
second-factor protection without independent attacks on a single factor}
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{Kerberos Pre-Authentication}
Why is SPAKE2 good for Kerberos?
\begin{itemize}
\item{consistent with EC crypto}
\item{computes the shared key after just one message from each side}
\item{small number of group operations}
\end{itemize}
Please review \url{draft-ietf-kitten-krb-spake-preauth}!
\end{frame}
\begin{frame}[fragile]
\frametitle{Other use cases}
Authenticate file transfer via a password exchanged over the phone:
\verb+https://github.com/warner/magic-wormhole+
\end{frame}
\section{Open Issues}
\begin{frame}[fragile]
\frametitle{Greg Hudson's Review}
\url{https://www.ietf.org/mail-archive/web/cfrg/current/msg07928.html}
\begin{itemize}
\item{``SPAKE2+ doesn't use w0 or w1 in the derivation of $K'$'' --- closer to SPAKE1
than SPAKE2?}
\item{$M$ and $N$ generation is inconsistent between text and code:
non-overlapping vs. overlapping output from the hashing chain}
\item{cofactor check: prime order quotient vs. multiply-by-cofactor}
\item{(formatting and editorial nits)}
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{Alex Elsayed's review}
Points out that this PRF+-like scheme for arbitrary-length output via
repeated hashing is a little silly. HKDF instead?
As AGL notes, this is just for $M$ and $N$ generation, so it's not
really important how elegant it is, just that it's reproducible.
\end{frame}
\begin{frame}[fragile]
\frametitle{Older issues}
\begin{itemize}
\item{Dan Harkins pointed out that we need to be precise about how many
bytes we're taking as the ``initial sequence of bytes'' and whether
we preprend or overwrite with \verb+0x02+/\verb+0x03+}
\item{OIDs have both text and binary representations --- we use text, but should
more explictily say so}
\item{Nail down interaction between point format and picking group elements
from the iterative hashing scheme for $M$ and $N$}
\item{irtf-cfrg-curves support (ed448goldilocks and ed25519?): when that
comment was made, neither had a point format that admits addition; the
kitten document includes $M$ and $N$ for ed25519}
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{Any general PAKE topics to consider?}
\url{https://www.ietf.org/mail-archive/web/cfrg/current/msg08365.html}
Stanislav notes that we might consider moving up a level of abstraction,
to consider what use cases and requirements there can be for PAKE algorithms.
How would SESPAKE/SPAKE/etc. compare --- how many PAKEs do we need?
Do we need to consider the interaction of key confirmation and the
surrounding protocol (e.g., final $K'$ derivation for SPAKE2), or just
a raw primitive that could be used for TLS/IKE/etc.?
\end{frame}
\begin{frame}
\frametitle{Open Questions}
Any other concerns about the document?
More review needed?
\end{frame}
\end{document}