[curves] Use cases for PAKE?
Arlo Breault
arlolra at gmail.com
Wed Mar 19 11:44:16 PDT 2014
PANDA's an interesting use case for EKE2.
https://pond.imperialviolet.org/tech.html
https://github.com/agl/pond/blob/master/papers/panda/panda.tex
On Wed, Mar 19, 2014 at 11:30 AM, Trevor Perrin <trevp at trevp.net> wrote:
>
> Hi,
>
> One thing we could discuss is Elliptic Curve PAKEs (Password Authenticated
> Key Exchange).
>
> There's some ideas worth exploring due to expiry of Lucent patents;
> developments such as SPAKE2, J-PAKE, and AugPAKE; and "hashing to curve"
> algorithms like SWU and Elligator [1,2]. For example, Mike Hamburg's ideas
> in [3] seem promising.
>
> But are there good use cases to focus discussion? Possibilities -
>
> * PAKE for the web has been attempted in TLS (RFC 5054) with little
> interest from browsers or sites. Partly this is a layering problem
> (username in clear, too early in the connection, and the TLS terminator is
> the wrong place for client auth). But there are deeper UI problems:
> browsers would have to display an unspoofable dialog; users would have to
> be trained to enter certain passwords only into this dialog; and sites
> would lose control of login UI. Client auth for the web seems likely to
> evolve in other directions (e.g. password managers, 2-factor, federation).
>
> * SSH already has J-PAKE which (I think?) is rarely used, though I'm not
> sure why. If part of the reason is performance, is there room for
> improvement here?
>
> * IEEE 802.11s I think has standardized on "Simultaneous Authentication
> of Equals" (aka Dragonfly) as an EC PAKE. I don't know if it's seen real
> deployment, nor do I understand the "mesh networking" scenario it's being
> used for, which seems different from just authenticating a client to an AP.
> Anyone know more?
>
> * There are smaller, more specialized uses of PAKE for protocols like
> online backups or device pairing. E.g. I think Chrome is (using?
> investigating?) SPAKE2 for "chromoting", whatever that is.
>
> Anyways, it's not clear that there are strong-enough use cases to motivate
> a good discussion and keep it on track. Though I wish there were! PAKEs
> are cool, it seems like they should be useful somewhere.
>
> Other thoughts?
>
>
> Trevor
>
>
> [1] http://eprint.iacr.org/2009/340.pdf
> [2] http://elligator.cr.yp.to
> [3] http://www.ietf.org/mail-archive/web/cfrg/current/msg03840.html
>
>
> _______________________________________________
> Curves mailing list
> Curves at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/curves
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20140319/85045184/attachment.html>
More information about the Curves
mailing list