IETF Logo Mail Archive

Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-03.txt

"Dan Harkins" <dharkins@lounge.org> Tue, 04 February 2014 18:47 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 448651A01B7 for <cfrg@ietfa.amsl.com>; Tue, 4 Feb 2014 10:47:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.267
X-Spam-Level:
X-Spam-Status: No, score=-3.267 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_18=0.6, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id beTWPdxuB94o for <cfrg@ietfa.amsl.com>; Tue, 4 Feb 2014 10:47:00 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id D21711A019F for <cfrg@ietf.org>; Tue, 4 Feb 2014 10:47:00 -0800 (PST)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id E56F51022404A; Tue, 4 Feb 2014 10:47:00 -0800 (PST)
Received: from 199.127.104.10 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Tue, 4 Feb 2014 10:47:01 -0800 (PST)
Message-ID: <75e1e853dc391b418062ee5e51adeb2f.squirrel@www.trepanning.net>
In-Reply-To: <CACsn0cmDT-FAN8uMZ0w8TX6GKPAZjnrexLeFQd7QhRfoY6AGFQ@mail.gmail.com>
References: <20140203192451.6268.76511.idtracker@ietfa.amsl.com> <7af2f9df96e5867d493c614806235363.squirrel@www.trepanning.net> <CACsn0cm1f-P95je5AbEbZ02Ut3+HM7Hx28P6j46TqE-=06eZDg@mail.gmail.com> <52F00EF3.3040505@cisco.com> <CACsn0c=zS5GKex3eF_hKgTsL1kH=TiBi3iAP9oMrJ9hDQcT4Gw@mail.gmail.com> <7BAC95F5A7E67643AAFB2C31BEE662D018B81B7DE5@SC-VEXCH2.marvell.com> <CACsn0cn0TaHsDkyN2ewOorxxBzXivCg=QGR-ZnBiC3nJhvhpRg@mail.gmail.com> <14AB44E0-4C90-4E4C-A656-885A31CF4C02@checkpoint.com> <CACsn0cmDT-FAN8uMZ0w8TX6GKPAZjnrexLeFQd7QhRfoY6AGFQ@mail.gmail.com>
Date: Tue, 04 Feb 2014 10:47:01 -0800
From: Dan Harkins <dharkins@lounge.org>
To: Watson Ladd <watsonbladd@gmail.com>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: cfrg@ietf.org, David McGrew <mcgrew@cisco.com>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-03.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Feb 2014 18:47:02 -0000

On Tue, February 4, 2014 8:01 am, Watson Ladd wrote:
> On Tue, Feb 4, 2014 at 12:20 AM, Yoav Nir <ynir@checkpoint.com> wrote:
>>
>> On Feb 4, 2014, at 3:08 AM, Watson Ladd <watsonbladd@gmail.com> wrote:
>>
>>> I would like to reverse the question.
>>> Watson, in your technical analysis of the
>>> protocol in its current form (draft-irtf-cfrg-dragonfly-03.txt),
>>> can you identify any exploitable security flaw specific to
>>> the protocol?
>>
>> Yes: an algorithm exists that guesses passwords in time 2^40. I can't
>> exhibit it, but it exists. JPAKE doesn't have this issue.
>>
>>
>> 2^40 times doing what?  Is it 2^40 calculations based on a single
>> observed
>> authentication?  Observing 2^40 successful authentications?  Actively
>> interacting 2^40 times with the authentication server?
>
> p calculations, where p is the number of passwords, after conducting
> one round with the authentication
> server.
>
> The algorithm takes the p discrete logarithms of the password elements
> with respect to some base, and uses them
> to identify the password that leads to the confirmation being sent.
> Concretely, the attacker sends g^x, receives g^y
> and guesses p that makes g^(xyp^{-1}) the key going into the confirmation.

  This is mentioned in section 6.3 of RFC 5931 (dragonfly as an EAP
method), knowledge of r where PE = r * G can enable a dictionary
attack. But knowledge of r requires doing a discrete logarithm. A discrete
logarithm is assumed to be "computationally infeasible" and you're talking
about doing 2^40 of them!?!

> For MODP groups maybe this can actually be turned into an exhibitable
> attack. I don't know: I've not thought about
> it enough. But it is still enough to cause issues as I will explain below.
>
> There is also the fact that in the CK model, where ephermental keys
> are leaked, dragonfly reveals the pssword
> element, and hence the password, in time p. This algorithm can be
> exhibited. It's slightly less interesting, because
> CK is very strong, but apparently people care.

  Well, just define Reveal() to only give the session key, that's what
AugPAKE does-- doing Reveal() does not give W = g^password. Not
that I have proved dragonfly is secure in the CK model, just that the CK
model let's the particular protocol define what is its "session state"
that gets revealed.

  Dan.

v2.23.0 | Report a Bug | By Email