Hi Richard, A few nits.
* In the introduction you have the sentence > DISCLAIMER: This is a work-in-progress draft of MLS and has not yet seen significant security analysis. Iiuc this draft has no connection to MLS, and this is a typo. * In the setup you define > o A DH group "G" of order "p*h", with "p" a large prime and > o A password "p" The variable "p" has two different meanings, which is a bit confusing, especially later on. * The document doesn't explicitly state that X and Y need to be non-zero. The requirement is in "I-D.irtf-cfrg-spake2", but it would be nice if the warning was carried through. * In terms of security properties, iiuc an active adversary can do online password guessing attacks, but a passive adversary cannot derive the password from observing the messages. If that is the case perhaps a warning about rate-limiting connection attempts is appropriate. Regards, Jonathan On Mon, 16 Apr 2018 at 10:50 Tony Putman <tony.put...@dyson.com> wrote: > Hi Richard, > > I don't think that you can protect against server compromise with SPAKE2. > The server can store w*N as you suggest, but it also has to store w*M > because it must calculate y*(T-w*M). An attacker that learns w*M and w*N > from a compromised server can then impersonate a client. > > The rest of your comments I agree with (though they are not all addressed > in the updated draft). > > Tony > > > From: Richard Barnes [mailto:r...@ipv.sx] > > Sent: 13 April 2018 19:50 > > > > Hey Tony, > > > > Thanks for the comments. Hopefully we can adapt this document to tick > more boxes for you :) > > Since I had noticed some other errors in the document (e.g., figures not > rendering properly), > > I went ahead and submitted a new version that takes these comments into > account. > > > > https://tools.ietf.org/html/draft-barnes-tls-pake-01 > > > > Some responses inline below. > > Dyson Technology Limited, company number 01959090, Tetbury Hill, > Malmesbury, SN16 0RP, UK. > This message is intended solely for the addressee and may contain > confidential information. If you have received this message in error, > please immediately and permanently delete it, and do not use, copy or > disclose the information contained in this message or in any attachment. > Dyson may monitor email traffic data and content for security & training. > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
