On Fri, 30 Aug 2019, Dan Harkins wrote:
> Sure we can. We could do the thing that was done in TLS-pwd. When the client registers his username and password she gets a static DH public key of the server (TLS-pwd made this be a p256 curve for its compact representation and adequate strength for the purpose of identity protection). The scheme then is if the client wants to protect its identity it uses the server's DH public key and does a static-ephemeral exchange, gets a secret, encrypts its identity and sends its ephemeral DH key (in compact representation, it's 33 octets) plus the encrypted identity in one "identity payload". If it doesn't care about identity protection it just sends its identity.

EAPTLS already uses like 8 round trips. So anything that has PAKE using less than 8 seems like a win already :P So I am fine adding a few roundtrips for whatever PAKE we come up with if that avoids all of this extra complexity. Especially if this complexity is something that is added to the client provisioning.

Remember this PAKE stuff is meant for those scenarios where we have an enduser with _only_ a username/password. If this requires installing additional client configuration, those clients might as well go to X.509/EAPTLS or even something weird like PSK/EAPTLS, or an EAP method supporting OTPs.

Administrators doing site-to-site VPNs are better off using a true random strong PSK instead of a weaker PAKE.

Paul
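
The static-ephemeral "identity payload" described in the quoted text, as an added Go example that is not code from either poster or from TLS-pwd. The function names, the SHA-256 key derivation, AES-256-GCM with a zero nonce, and the sample identity are assumptions; the thread only specifies P-256 and the 33-octet compact key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

var p256, nonce = elliptic.P256(), make([]byte, 12) // zero nonce: every key encrypts once

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // unreachable with validated inputs; a dead RNG is fatal
	}
	return v
}
func NewKey() *ecdh.PrivateKey { return must(ecdh.P256().GenerateKey(rand.Reader)) }
// aead runs the DH and keys AES-256-GCM; KDF and cipher are assumptions.
func aead(priv *ecdh.PrivateKey, pub *ecdh.PublicKey, epk []byte) cipher.AEAD {
	key := sha256.Sum256(append(must(priv.ECDH(pub)), epk...))
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}
// SealIdentity (client) returns ephemeral key (33 octets) || encrypted identity.
func SealIdentity(serverPub *ecdh.PublicKey, identity string) []byte {
	eph := NewKey()
	x, y := elliptic.Unmarshal(p256, eph.PublicKey().Bytes())
	epk := elliptic.MarshalCompressed(p256, x, y)
	return append(epk, aead(eph, serverPub, epk).Seal(nil, nonce, []byte(identity), epk)...)
}
// OpenIdentity (server) rejects bad points and tampering before returning the identity.
func OpenIdentity(priv *ecdh.PrivateKey, payload []byte) (string, error) {
	if len(payload) < 33 {
		return "", fmt.Errorf("identity payload too short")
	}
	x, y := elliptic.UnmarshalCompressed(p256, payload[:33])
	if x == nil {
		return "", fmt.Errorf("ephemeral key is not a valid P-256 point")
	}
	pub := must(ecdh.P256().NewPublicKey(elliptic.Marshal(p256, x, y)))
	pt, err := aead(priv, pub, payload[:33]).Open(nil, nonce, payload[33:], payload[:33])
	return string(pt), err
}
func main() {
	srv := NewKey() // constructed key; the client would receive srv.PublicKey() at registration
	fmt.Println(OpenIdentity(srv, SealIdentity(srv.PublicKey(), "alice@example.org")))
}
```

The server's static public key has to reach the client beforehand, which is the extra client provisioning the reply objects to.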
