CFRG Minutes
IETF 96, Berlin, Germany
July 20, 2016, 14:00-15:30

Minutes based on etherpad notes taken by Jeff Hodges.
Chairs: Kenny Paterson and Alexey Melnikov

http://datatracker.ietf.org/rg/cfrg/documents/
https://datatracker.ietf.org/meeting/96/session/cfrg/

14:00 CFRG status update from CFRG chairs (5 mins; Kenny Paterson)
https://www.ietf.org/proceedings/96/slides/slides-96-cfrg-6.pdf

Question from ????: Can we expect further changes to draft-irtf-cfrg-eddsa-05?
Kenny Paterson (kp): The chairs do not expect significant further changes to the spec; some nits are being discovered by Jim Schaad as he implements the schemes.
Wendy Seltzer: Will prod the draft-irtf-cfrg-webcrypto-algorithms-00 editors to crank out an update.
dkg: What are the needed qualifications of reviewers for the proposed CFRG review panel?
kp: Different folks and skills; it's OK for folks to have a subset of the overall skills. Please send nominations, including self-nominations, to the CFRG chairs by September 9th; the chairs will follow up on the mailing list (see https://www.ietf.org/mail-archive/web/cfrg/current/msg08350.html).

14:05 Update on Argon2 -- for password hashing and cryptocurrencies (15+10 mins; Dmitry Khovratovich) (dk)
https://datatracker.ietf.org/doc/slides-96-cfrg-1/

Yaron Sheffer (ys): Feedback: if this is moving from academic work to a spec, it should firm up the things that are pluggable, i.e. nail them down; with something as recent as this, it's a bit too new for actual deployment.
Hanno Böck (hb): The salt should have a minimum size to avoid collisions -- 8 bytes is not enough. In OpenPGP we are considering Argon2; will the number of passes be frozen?
dk: The number of passes is frozen; the salt length can be increased.
Stephen Farrell (sf): Nailing down choices will help adoption.
?: Any analyses of cache timing attacks on this?
dk: In Argon2d, if there is side-channel leakage it can be serious. (?)
dkg: This is being adopted in OpenPGP. Fewer parameters is better.
dkg: Wanting to use this in a specific context, so happy to chat with you about nailing down the choices for the OpenPGP use case(s).

14:30 SESPAKE (10+10 mins; Stanislav V. Smyshlyaev) (ss)
https://datatracker.ietf.org/doc/slides-96-cfrg-3/
Security Evaluated Standardized Password-Authenticated Key Exchange (SESPAKE) Protocol

kp: Do you have any security review from the academic community?
ss: Yes, but it was inside the Russian community.
Rich Salz: Russia has strong math expertise, so it is good to see this expertise being brought to the broader Internet community.
Hannes Tschofenig: Where might this be used?
ss: This protocol can be used where there is remote storage of the keys, e.g. there is a key server and the private key is there; one could use this as the authentication scheme for key access.

14:50 HIMMO (10+10 mins; Oscar Garcia-Morchon) (ogm)
https://datatracker.ietf.org/doc/slides-96-cfrg-2/

dk: The problems on which security is based, are they just conjectures?
ogm: All are lattice-based problems -- there are other "problems" too that an attacker would need to solve.
dk: Any reviews or analyses of this work?
ogm: Someone from LUX, ?, found a clever attack; we will update to address it.
???: Is this a replacement for Kerberos?
ogm: [mentions IoT use cases] -- that is the motivation for this work.
Bob Moskowitz (bm): Have you presented this to the IoT communications folks with highly constrained devices? They are struggling with key distribution issues. Also, has there been a larger security review -- other papers?
ogm: The work has been presented in various fora and we have had direct discussions with folks; we think it will be useful overall.
sf: What's the IPR situation?
ogm: My employer has IPR -- someone will have to make the disclosure.

15:10 CrypTech update (5 mins; Rob Austein) (ra)
https://datatracker.ietf.org/doc/slides-96-cfrg-4/

Eric Rescorla: What's the method for uploading new firmware?
ra: It can be done over the console.
15:15 Proxy re-encryption (5+5 mins; Phillip Hallam-Baker) (phb)
https://datatracker.ietf.org/doc/slides-96-cfrg-5/

Matt Blaze talked about this 20 years ago; most IPR has expired, and a couple of things will expire in about 18 months. phb thinks this can be useful (see slides).
dkg: A downside is that for current schemes, anyone who controls a key being re-encrypted and who can also get access to the proxy encryption key on the central service can decrypt everything.
phb: Yes, that is a limitation -- we need to ask researchers about this and whether there are any solutions.

OPEN MIC

Kyle Rose (co-chair tcpinc): Wants to revise RFC 4086 "Randomness Requirements for Security" -- supposedly a BCP, but it isn't written like one, it is from 2005, and the useful stuff is in Section 7. Does anyone want to update this spec?
sf: Don Eastlake has offered to update this; talk with him?
dkg: Thinks there is also room for guidance for system implementers; please don't throw that out.
Ripple guy: Please come to the ledger BoF tomorrow -- also had to create/implement a multi-signature primitive that CFRG folks may be interested in; please come.
kp: We're out of time.