Hey TLS folks,

As I mentioned in my brief presentation at IETF 101, Owen and I have been
thinking about how to bring PAKE back to TLS 1.3 (since earlier SRP
mechanisms don't really apply).

We've just published an I-D describing a proposed mechanism, and I've
implemented this mechanism in the `mint` TLS 1.3 stack:


We would love to hear any feedback on the approach proposed here, and on
whether other people here would be interested in working on a PAKE
mechanism for TLS in this working group.

To address the obvious "Which PAKE?" question: We did a brief survey of the
PAKE literature, and SPAKE2 seemed like a good candidate here for a few

- It allows a message pattern that aligns well with the TLS 1.3 handshake
- In particular, the key confirmation messages map pretty closely to the
  TLS Finished MAC
- It doesn't require much in the way of exotic operations (just EC point
- It's gotten pretty robust review from CFRG


---------- Forwarded message ----------
From: <internet-dra...@ietf.org>
Date: Wed, Apr 11, 2018 at 10:45 AM
Subject: New Version Notification for draft-barnes-tls-pake-00.txt
To: Richard Barnes <r...@ipv.sx>, Owen Friel <ofr...@cisco.com>

A new version of I-D, draft-barnes-tls-pake-00.txt
has been successfully submitted by Richard Barnes and posted to the
IETF repository.

Name:           draft-barnes-tls-pake
Revision:       00
Title:          Usage of SPAKE with TLS 1.3
Document date:  2018-04-11
Group:          Individual Submission
Pages:          7
URL:            https://www.ietf.org/internet-drafts/draft-barnes-tls-pake-0
Status:         https://datatracker.ietf.org/doc/draft-barnes-tls-pake/
Htmlized:       https://tools.ietf.org/html/draft-barnes-tls-pake-00
Htmlized:       https://datatracker.ietf.org/doc/html/draft-barnes-tls-pake

   The pre-shared key mechanism available in TLS 1.3 is not suitable for
   usage with low-entropy keys, such as passwords entered by users.
   This document describes how the SPAKE password-authenticated key
   exchange can be used with TLS 1.3.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat