Hey TLS folks,

As I mentioned in my brief presentation at IETF 101, Owen and I have been thinking about how to bring PAKE back to TLS 1.3 (since earlier SRP mechanisms don't really apply). We've just published an I-D describing a proposed mechanism, and I've implemented this mechanism in the `mint` TLS 1.3 stack:

https://github.com/bifurcation/mint/pull/193

We would love to hear any feedback on the approach proposed here, and on whether other people here would be interested in working on a PAKE mechanism for TLS in this working group.

To address the obvious "Which PAKE?" question: We did a brief survey of the PAKE literature, and SPAKE2 seemed like a good candidate here for a few reasons:

- It allows a message pattern that aligns well with the TLS 1.3 handshake
- In particular, the key confirmation messages map pretty closely to the TLS Finished MAC
- It doesn't require much in the way of exotic operations (just EC point addition)
- It's gotten pretty robust review from CFRG

Thanks,
--Richard

---------- Forwarded message ----------
From: <internet-dra...@ietf.org>
Date: Wed, Apr 11, 2018 at 10:45 AM
Subject: New Version Notification for draft-barnes-tls-pake-00.txt
To: Richard Barnes <r...@ipv.sx>, Owen Friel <ofr...@cisco.com>

A new version of I-D, draft-barnes-tls-pake-00.txt has been successfully submitted by Richard Barnes and posted to the IETF repository.

Name: draft-barnes-tls-pake
Revision: 00
Title: Usage of SPAKE with TLS 1.3
Document date: 2018-04-11
Group: Individual Submission
Pages: 7
URL: https://www.ietf.org/internet-drafts/draft-barnes-tls-pake-00.txt
Status: https://datatracker.ietf.org/doc/draft-barnes-tls-pake/
Htmlized: https://tools.ietf.org/html/draft-barnes-tls-pake-00
Htmlized: https://datatracker.ietf.org/doc/html/draft-barnes-tls-pake

Abstract:
The pre-shared key mechanism available in TLS 1.3 is not suitable for usage with low-entropy keys, such as passwords entered by users. This document describes how the SPAKE password-authenticated key exchange can be used with TLS 1.3.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
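Added example, not part of the original message and not code from the I-D or from `mint`: a textbook SPAKE2 exchange over P-256 illustrating the two properties cited in the message, a one-share-each-way message pattern and key confirmation through a Finished-style MAC. The blinding points, the password hashing, the transcript encoding and the HMAC-SHA256 confirmation are assumptions made for this demo, not the draft's constants or wire format.

```python
import hashlib, hmac, secrets
# NIST P-256 domain parameters: field prime, a, b, group order, base point
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A, B = P - 3, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
ORDER = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add; adequate for a demo, not constant time
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def constructed_point(label):  # assumption: stand-in for SPAKE2's fixed points M and N
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % P
        rhs = (x * x * x + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)      # square root, valid because P % 4 == 3
        if y * y % P == rhs:
            return x, y
M_PT, N_PT = constructed_point(b"demo M"), constructed_point(b"demo N")

def pw_scalar(pw):  # assumption: plain SHA-256; a real deployment uses a slow password hash
    return int.from_bytes(hashlib.sha256(pw).digest(), "big") % ORDER

def share(pw, blind):  # returns (ephemeral secret k, public share k*G + w*blind)
    k = secrets.randbelow(ORDER - 1) + 1
    return k, add(mul(k, G), mul(pw_scalar(pw), blind))

def secret(pw, k, peer_share, peer_blind):  # unblind the peer's share, then finish the DH
    wb = mul(pw_scalar(pw), peer_blind)
    return mul(k, add(peer_share, (wb[0], -wb[1] % P)))[0].to_bytes(32, "big")

def confirms(client_pw, server_pw):  # True when both Finished-style MACs agree
    x, T = share(client_pw, M_PT)          # client's share
    y, S = share(server_pw, N_PT)          # server's share
    transcript = repr((T, S)).encode()     # constructed transcript encoding
    c_mac = hmac.new(secret(client_pw, x, S, N_PT), transcript, hashlib.sha256).digest()
    s_mac = hmac.new(secret(server_pw, y, T, M_PT), transcript, hashlib.sha256).digest()
    return hmac.compare_digest(c_mac, s_mac)
```

A password mismatch shows up only as a failed confirmation MAC, which is the signal a defender would log and rate-limit, since each failed handshake corresponds to one online guess.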