Hi Hugo,

I raised this issue because the IoT device bootstrapping/commissioning use case 
was the justification for developing OPAQUE and J-PAKE. J-PAKE seems to have 
met the requirements of companies working in the Thread Group working on their 
IEEE 802.15.4 mesh network*.

As someone on the microphone mentioned, the question is really about what the 
requirements are for IoT device bootstrapping.

Ciao
Hannes

*: In the meantime the Thread Group has moved to a certificate-based model 
since the use of passwords was not very useful for commercial indoor lighting 
deployments and they didn’t want to have the user interaction needed by 
passwords.


From: Hugo Krawczyk <[email protected]>
Sent: Wednesday, 27 March 2019 03:48
To: Hannes Tschofenig <[email protected]>
Cc: [email protected]
Subject: Re: [TLS] Elliptic Curve J-PAKE

Hi Hannes,

J-PAKE is a symmetric PAKE. Both parties store the same password. It is not 
suitable for most client-server scenarios where using J-PAKE would mean that an 
attacker that breaks into the server simply steals all plaintext passwords. 
OPAQUE is an asymmetric (or augmented) PAKE where the user remembers a password 
(and nothing else, including no public key of the server) while the server 
stores a one-way image of the password. Security requires that if the server is 
compromised, the attacker needs to run an offline dictionary attack for each 
user in the database to find the password.

If what you need is a symmetric PAKE then there are better candidates than 
J-PAKE such as SPAKE2 described in draft-irtf-cfrg-spake2-08. SPAKE2 is *much* 
more efficient than J-PAKE and while both J-PAKE and SPAKE2 have proofs of 
security, SPAKE2 is proven in a stronger security model relative to J-PAKE.

I am not aware of any advantage of J-PAKE over SPAKE2 - but I may be missing 
something. Maybe the PAKE presentation in cfrg will clarify these issues 
further.

Hugo



On Tue, Mar 26, 2019 at 1:03 PM Hannes Tschofenig 
<[email protected]> wrote:
Hi all,

In the context of the OPAQUE talk by Nick today at the TLS WG meeting I mentioned 
that the Thread Group has used the Elliptic Curve J-PAKE for IoT device 
onboarding.
Here is the draft written for TLS 1.2:
https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01

The mechanism is described in https://tools.ietf.org/html/rfc8236

@Nick & Richard: Have a look at it and see whether it fits your needs.

Ciao
Hannes

IMPORTANT NOTICE: The contents of this email and any attachments are 
confidential and may also be privileged. If you are not the intended recipient, 
please notify the sender immediately and do not disclose the contents to any 
other person, use it for any purpose, or store or copy the information in any 
medium. Thank you.

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls