Re: [Cfrg] [CFRG] PAKE / Hash2Curve First Internet draft for balanced CPace subcomponent available

Björn Haase <bjoern.haase@endress.com> Wed, 08 January 2020 11:26 UTC

From: Björn Haase <bjoern.haase@endress.com>
To: "cfrgirtf.org" <cfrg@irtf.org>
Date: Wed, 08 Jan 2020 11:26:34 +0000
Message-ID: <VI1PR05MB6509E436FBA1792FEE223EA7833E0@VI1PR05MB6509.eurprd05.prod.outlook.com>
References: <trinity-caa25477-d476-4e61-ba8b-384eafcf5a82-1578354680136@3c-app-webde-bap14>
In-Reply-To: <trinity-caa25477-d476-4e61-ba8b-384eafcf5a82-1578354680136@3c-app-webde-bap14>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/0N2rfXVavISgubu9v14852xwNh8>
Subject: Re: [Cfrg] [CFRG] PAKE / Hash2Curve First Internet draft for balanced CPace subcomponent available
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>

Dear CFRG community,

After posting the draft, I also sent the questions from the draft to several people. I'd like to share with you a first preliminary response regarding the hash operation used for generating the input of the map algorithm, which I received from a secure-element expert in an off-list discussion.

----------
"Regarding your question in the draft: Your assessment is completely right. Hash functions on secure elements have to be used with 'care'. Typically these functions are *not* hardened, i.e., they leak inputs and/or outputs. If at all, there is one implementation of one hash function, mostly SHA256, which has less leakage. However, this function shall only be used under specific constraints. The constraints limit the number of permissible invocations of the function to X iterations with an equal secret part of the input, often with small X.

A construction like SHA256(DSI1 || PRS || ZPAD || sid || CI) is likely to be particularly bad in this context because it is possible to trigger it with the known components 'CPace-P256-1' or ZPAD on the secret to be extracted, PRS. My suggestion would be to use a CMAC-PRF instead of the hash function, for instance RFC 4615."
----------

From this I draw the conclusion that for the use case of password blinding, a construction such as HMAC and/or the HKDF construction, where the key enters the hash function several times, might actually not be a good candidate if used for protecting low-entropy secrets in a hostile environment where side channels become relevant (as described e.g. in RFC 8125). The keying information enters the operations very often in the nested hash function invocations ☹.

(RFC 8125:
  "If a device operates in a potentially hostile environment, such as a smart card,
   other side channels like power consumption and electromagnetic
   emanations or even active implementation attacks have to be taken
   into account as well.")

One consequence for the hash_to_curve draft architecture might be that we should possibly better not standardize the encode_to_curve(s) operation with a specific mandatory hash operation. It seems that, at least as soon as side-channel resilience is to be considered, this complexity might better be left to the consideration of the higher-level protocol that makes use of the encoded point.

I expect to receive more detailed input next week from experts with a stronger background than I could provide, based on discussions at the Brainpool meeting. I will keep you synchronized.

Yours,

Björn.




Best Regards

Dr. Björn Haase 

Senior Expert Electronics | TGREH Electronics Hardware
Endress+Hauser Conducta GmbH+Co.KG | Dieselstrasse 24 | 70839 Gerlingen | Germany
Phone: +49 7156 209 377 | Fax: +49 7156 209 221
bjoern.haase@endress.com |  www.conducta.endress.com 


From: Cfrg <cfrg-bounces@irtf.org> On behalf of "Björn Haase"
Sent: Tuesday, 7 January 2020 00:51
To: cfrgirtf.org <cfrg@irtf.org>
Subject: [Cfrg] [CFRG] PAKE / Hash2Curve First Internet draft for balanced CPace subcomponent available

Dear CFRG community,
 
I have just posted a first version of an RFC-style draft regarding the balanced subcomponent CPace.
 
https://datatracker.ietf.org/doc/draft-haase-cpace/
 
Any feedback would be appreciated!
 
A corresponding draft for the augmented protocol is in preparation.
 
Yours,
 
Björn.
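The mail above argues that HMAC and HKDF feed the keying material into the hash function several times, whereas the draft's H(DSI1 || PRS || ZPAD || sid || CI) construction does so once. The following is an added example (not code from the mail, the CPace draft, or the CFRG) that makes that claim countable: a small taint-tracking model of SHA-256 that walks the padded input in 64-byte blocks and records how many compression-function calls receive bytes of the low-entropy secret PRS in their input block, and how many run on a chaining value that already depends on PRS. The digests are cross-checked against hashlib/hmac so that the block layout the model assumes matches the real primitive. The DSI1 label "CPace-P256-1" is the one quoted in the mail; the values of PRS, sid and CI, and the rule that ZPAD fills the first 64-byte block, are constructed assumptions for illustration. The CMAC-PRF alternative the expert suggests (RFC 4615) is not modelled here.

```python
"""Taint-tracking model of SHA-256-based constructions (added example, not the draft's code)."""
import hashlib
import hmac

BLOCK = 64  # SHA-256 compression-function input block, in bytes


class Tainted:
    """Byte string with a per-byte flag: True = the byte depends on the secret PRS."""

    def __init__(self, data, taint):
        self.data, self.taint = bytes(data), list(taint)
        assert len(self.data) == len(self.taint)

    @classmethod
    def public(cls, b):
        return cls(b, [False] * len(b))

    @classmethod
    def secret(cls, b):
        return cls(b, [True] * len(b))

    def __add__(self, other):
        return Tainted(self.data + other.data, self.taint + other.taint)

    def __len__(self):
        return len(self.data)


def new_stats():
    return {"calls": 0, "secret_input_blocks": 0, "secret_state_blocks": 0}


def sha256_model(msg, stats):
    """Walk the padded message block by block, as the compression function does."""
    nblocks = (len(msg) + 9 + BLOCK - 1) // BLOCK  # message + 0x80 + 8-byte length
    taint = msg.taint + [False] * (nblocks * BLOCK - len(msg))  # padding bytes are public
    state_secret = False  # does the chaining value already depend on PRS?
    for i in range(nblocks):
        block_secret = any(taint[i * BLOCK:(i + 1) * BLOCK])
        stats["calls"] += 1
        stats["secret_input_blocks"] += block_secret
        stats["secret_state_blocks"] += state_secret
        state_secret = state_secret or block_secret
    digest = hashlib.sha256(msg.data).digest()
    return Tainted(digest, [state_secret] * len(digest))


def hmac_model(key, msg, stats):
    """RFC 2104 HMAC over the model: the key enters both the inner and the outer hash."""
    if len(key) > BLOCK:
        key = sha256_model(key, stats)
    key = key + Tainted.public(b"\x00" * (BLOCK - len(key)))
    ipad = Tainted(bytes(b ^ 0x36 for b in key.data), key.taint)
    opad = Tainted(bytes(b ^ 0x5C for b in key.data), key.taint)
    inner = sha256_model(ipad + msg, stats)
    return sha256_model(opad + inner, stats)


def hkdf_model(salt, ikm, info, stats):
    """RFC 5869 HKDF-Extract followed by one HKDF-Expand block (L = 32)."""
    prk = hmac_model(salt, ikm, stats)
    return hmac_model(prk, info + Tainted.public(b"\x01"), stats)


# Constructed sample inputs (only the DSI1 label is taken from the mail).
DSI1 = Tainted.public(b"CPace-P256-1")
PRS = Tainted.secret(b"correct horse battery")  # low-entropy secret, constructed
SID = Tainted.public(bytes(range(16)))           # session id, constructed
CI = Tainted.public(b"Alice|Bob")                 # channel identifier, constructed


def cpace_zpad_hash():
    """H(DSI1 || PRS || ZPAD || sid || CI), ZPAD assumed to fill the first block."""
    stats = new_stats()
    zpad = Tainted.public(b"\x00" * (BLOCK - len(DSI1) - len(PRS)))
    out = sha256_model(DSI1 + PRS + zpad + SID + CI, stats)
    assert out.data == hashlib.sha256(DSI1.data + PRS.data + zpad.data + SID.data + CI.data).digest()
    return stats


def hmac_with_prs_key():
    """HMAC-SHA256(PRS, DSI1 || sid || CI)."""
    stats = new_stats()
    msg = DSI1 + SID + CI
    out = hmac_model(PRS, msg, stats)
    assert out.data == hmac.new(PRS.data, msg.data, hashlib.sha256).digest()
    return stats


def hkdf_with_prs_ikm():
    """HKDF-SHA256(salt = sid, IKM = PRS, info = DSI1 || CI, L = 32)."""
    stats = new_stats()
    out = hkdf_model(SID, PRS, DSI1 + CI, stats)
    prk = hmac.new(SID.data, PRS.data, hashlib.sha256).digest()
    assert out.data == hmac.new(prk, DSI1.data + CI.data + b"\x01", hashlib.sha256).digest()
    return stats


if __name__ == "__main__":
    for name, fn in [("hash+ZPAD", cpace_zpad_hash), ("HMAC", hmac_with_prs_key), ("HKDF", hkdf_with_prs_ikm)]:
        print(name, fn())
```

With the sample lengths above, the plain hash with ZPAD puts PRS into exactly one compression call (the second call only inherits a secret chaining value), HMAC puts key-derived bytes into three of its four calls, and HKDF-Extract plus one Expand block into five of eight. The model counts invocations only; it says nothing about how much each invocation leaks on a given secure element, which is the property the expert's "X iterations" constraint is about.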