<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-GB" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></a></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> wasa bee [mailto:wasabee18@gmail.com]
<br>
<b>Sent:</b> 20 March 2014 10:45<br>
<b>To:</b> Feng Hao<br>
<b>Cc:</b> Trevor Perrin; curves@moderncrypto.org<br>
<b>Subject:</b> Re: [curves] Use cases for PAKE?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Although the idea of using J-PAKE for end-to-end messaging with a shared secret looks interesting, do you realistically believe users can set and remember different codes for different contacts?
<span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0">No, I don’t. It’s the same issue as expecting the users to remember different passwords for different websites.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal">Would you then end up with the same pwd for your wife and mistress :)
<span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0">Reusing the same pwd is not a problem to the secrecy of the key as long as the attack is passive (due to the forward secrecy property of PAKE). Surely, you
need to know who you are talking to : )<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal">There's also been some research about PIN/code selection which shows it's not uniformly distributed so you might be able to just guess it. So do you plan to have an unbrute-force-able random shared secret stored on the phone, with the shared
secret possibly being exchanged face-to-face (or something along those lines)?<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0">The PAKE key exchange only needs to be done once and you can choose to cache the key, but you can always choose to refresh it when
you want to. Users need to agree on what the shared password is. They may speak over the phone: hey, do you still remember the day when we went to see that scary movie together? Let’s use that date as the password to start secure chatting now so no one will know
what we are talking about.<o:p></o:p></span></p>
<div>
<p class="MsoNormal">On Thu, Mar 20, 2014 at 10:23 AM, Feng Hao &lt;<a href="mailto:feng.hao@newcastle.ac.uk" target="_blank">feng.hao@newcastle.ac.uk</a>&gt; wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> * PAKE for the web has been attempted in TLS (RFC 5054) with little interest from browsers or sites. Partly this is a layering problem (username in clear, too early in the connection,
and the TLS terminator is the wrong place for client auth). But there are deeper UI problems: browsers would have to display an unspoofable dialog; users would have to be trained to enter certain passwords only into this dialog; and sites would lose control
of login UI. Client auth for the web seems likely to evolve in other directions (e.g. password managers, 2-factor, federation).<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0">The web UI is indeed a major issue. It should be possible for the web browser to add a trusted UI
for entering passwords (e.g., possibly in the address bar next to the web address where you click to find out the certificate details). But still, the question is how to educate ordinary users to *only* use this trusted interface for password entry. If a phishing
website displays a password field in the web page and asks users to enter the password, then the PAKE mechanism is entirely bypassed and becomes useless.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0"> </span><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> * SSH already has J-PAKE which (I think?) is rarely used, though I'm not sure why. If part of the reason is performance, is there room for improvement here?<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0">I don’t think performance is any issue. I guess the main concern may be that J-PAKE has not been
formally standardized. I submitted an initial proposal (<a href="http://homepages.cs.ncl.ac.uk/feng.hao/files/RationaleForJPAKE.pdf" target="_blank">http://homepages.cs.ncl.ac.uk/feng.hao/files/RationaleForJPAKE.pdf</a>) to the UK standards committee meeting
last month in Feb, and it passed the preliminary review; next month, I’m going to present J-PAKE, as the UK input, to ISO/IEC at the international SC27 meeting (<a href="http://www.sc27.hk/" target="_blank">http://www.sc27.hk/</a>). I had hoped to get J-PAKE
published as an RFC in IETF, but it was slow and it is still not clear to me how the IETF process works.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> * IEEE 802.11s I think has standardized on "Simultaneous Authentication of Equals" (aka Dragonfly) as an EC PAKE. I don't know if it's seen real deployment, nor do I understand
the "mesh networking" scenario it's being used for, which seems different from just authenticating a client to an AP. Anyone know more?<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#0070C0">I don’t think the EC version of Dragonfly is fully specified. It is derived from SPEKE, and has the same issues as SPEKE when it comes to both DL and
EC implementations (the file in the above link gives a bit more detail).</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> * There are smaller, more specialized uses of PAKE for protocols like online backups or device pairing. E.g. I think Chrome is (using? investigating?) SPAKE2 for "chromoting",
whatever that is.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0">Do you know if there is any sample source code of SPAKE2 somewhere that people can view? I am curious
to learn how the two generators are actually implemented.</span><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Anyways, it's not clear that there are strong-enough use cases to motivate a good discussion and keep it on track. Though I wish there were! PAKEs are cool, it seems like they
should be useful somewhere.<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#0070C0">I believe there are useful use cases in certain applications. Currently, I’m supervising an undergraduate
student project. The student is developing a secure messaging app for Android. The app establishes a secure E2E communication channel with another Android phone user via a Google cloud after both users enter the same short code at two phones. The encryption
is end-to-end, so no third parties, including Google, ISP etc, are able to eavesdrop. The app is based on J-PAKE (using the existing Bouncy Castle implementation). We plan to release the app for free when the project is done, possibly, in the next 2-3 months.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Other thoughts?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Trevor<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Curves mailing list<br>
<a href="mailto:Curves@moderncrypto.org">Curves@moderncrypto.org</a><br>
<a href="https://moderncrypto.org/mailman/listinfo/curves" target="_blank">https://moderncrypto.org/mailman/listinfo/curves</a><o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</body>
</html>