Minutes for CFRG at IETF-96
minutes-96-cfrg-1

Meeting Minutes Crypto Forum (cfrg) RG
Date and time 2016-07-20 12:00
Title Minutes for CFRG at IETF-96
State Active
Last updated 2016-07-23

CFRG Minutes
IETF 96 Berlin, Germany
July 20, 2016  14:00-15:30

Minutes based on etherpad notes taken by Jeff Hodges.

Chairs:  Kenny Paterson and Alexey Melnikov

  http://datatracker.ietf.org/rg/cfrg/documents/
  https://datatracker.ietf.org/meeting/96/session/cfrg/

14:00 CFRG status update from CFRG chairs
       (5 mins; Kenny Paterson)
https://www.ietf.org/proceedings/96/slides/slides-96-cfrg-6.pdf

Question from ????: can we expect further changes to draft-irtf-cfrg-eddsa-05?
Kenny Paterson (kp): Chairs do not expect significant further changes to the
spec; some nits are being discovered via Jim Schaad as he implements the
schemes.

Wendy Seltzer: will prod draft-irtf-cfrg-webcrypto-algorithms-00 editors to
crank out update.

dkg: what are the needed qualifications of reviewers for the proposed CFRG
review panel? kp:  different folks & skills; it's ok for folks to have subset
of overall skills. Please send nominations, including self-nominations to cfrg
chairs by September 9th; chairs will follow up on mailing list (see
https://www.ietf.org/mail-archive/web/cfrg/current/msg08350.html).

14:05 Update on Argon 2 -- for password hashing and cryptocurrencies
       (15+10 mins; Dmitry Khovratovich) (dk)
https://datatracker.ietf.org/doc/slides-96-cfrg-1/

Yaron Sheffer (ys): feedback: if this is moving from academic work to a spec,
should firm up the things that are pluggable, i.e. nail them down; having
something as recent as this is a bit too new for actual deployment.

Hanno Böck (hb): the salt should have a minimum size to avoid collisions -- 8
bytes is not enough; in OpenPGP we are considering Argon2, will the #passes be
frozen?
dk:  #passes frozen; can increase the salt length.
Stephen Farrell (sf): nailing down choices will help adoption.

?: any analyses of cache timing attacks on this?
dk: in Argon2d, if there is side-channel leakage it can be serious. (?)

dkg: this is being adopted in openpgp. Fewer parameters better.

dkg: wanting to use this in a specific context, so happy to chat with you about
nailing down the choices for the OpenPGP use case(s).

14:30 SESPAKE
       (10+10 mins; Stanislav V. Smyshlyaev)  (ss)
https://datatracker.ietf.org/doc/slides-96-cfrg-3/
Security Evaluated Standardized Password-Authenticated Key Exchange
(SESPAKE) Protocol

kp:  do you have any security review from academic community?
ss:  yes, but it was inside Russian community.

Rich Salz: Russia has strong math expertise so it is good to see this expertise
being brought to the broader Internet community.

Hannes Tschofenig: where might this be used?
ss:  this protocol can be used where there's remote storage of the keys, e.g.
you have a key server and the private key is there; one could use this as the
authentication scheme for key access.

14:50 HIMMO
       (10+10 mins; Oscar Garcia-Morchon)  (ogm)
https://datatracker.ietf.org/doc/slides-96-cfrg-2/

dk:  the problems on which security is based, are they just conjectures?
ogm: all are lattice-based problems -- there are other "problems" too that an
attacker would need to solve.
dk:  any reviews or analyses of this work?
ogm: someone from LUX, ?, found a clever attack; we will update to address it.

???: is this a replacement for Kerberos?
ogm: [mentions IoT use cases] -- that is the motivation for this work.

Bob Moskowitz (bm): have you presented this to IoT communications folks with
highly constrained devices? They are struggling with key distribution issues.
Also, has there been a larger security review -- other papers?
ogm: Work has been presented in various fora, have had direct discussions with
folks; we think it will be overall useful.

sf: what's the IPR situation?
ogm: my employer has IPR -- someone will have to make the disclosure.

15:10 CrypTech update
       (5 mins; Rob Austein)   (ra)
https://datatracker.ietf.org/doc/slides-96-cfrg-4/

Eric Rescorla: what's the method for uploading new firmware?
ra:  can do over console.

15:15 Proxy re-encryption
       (5+5 mins; Phillip Hallam-Baker)  (phb)
https://datatracker.ietf.org/doc/slides-96-cfrg-5/

Matt Blaze talked about this 20 years ago; most IPR has expired, a couple of
things will expire in about 18 months; phb thinks this can be useful (see
slides).

dkg: a downside is that for current schemes anyone who controls a key being
re-encrypted and who can also get access to the proxy encryption key on the
central service can decrypt everything.
phb: yes, that is a limitation -- we need to ask researchers about this and
whether there are any solutions.

OPEN MIC

Kyle Rose (co-chair, tcpinc): wants to revise RFC 4086 "Randomness Requirements
for Security" -- supposedly a BCP, but isn't written like one, and is from 2005,
and the useful stuff is in Section 7 -- does anyone want to update this spec?

sf:  Don Eastlake has offered to update this; talk with him?

dkg: thinks there's also room for guidance for system implementers; please
don't throw that out.

ripple guy: please come to the ledger BoF tomorrow -- they also had to
create/implement a multi-signature primitive -- CFRG folks may be interested in
it, please come.

kp:  we're out of time.