Re: [Cfrg] SPM2 -> was Re: SPAKE2+mbDH a PAKE+PKA
Dan Harkins <dharkins@lounge.org> Wed, 05 October 2016 06:09 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5783012940E for <cfrg@ietfa.amsl.com>; Tue, 4 Oct 2016 23:09:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qbiIyxonz0o6 for <cfrg@ietfa.amsl.com>; Tue, 4 Oct 2016 23:09:22 -0700 (PDT)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id E00EC126B6D for <cfrg@irtf.org>; Tue, 4 Oct 2016 23:09:21 -0700 (PDT)
Received: from thinny.local (69-12-173-8.static.dsltransport.net [69.12.173.8]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by colo.trepanning.net (Postfix) with ESMTPSA id 45D2310224218; Tue, 4 Oct 2016 23:09:21 -0700 (PDT)
To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
References: <D41831C3.A2964%paul@marvell.com> <CAMr0u6k4U0fsXV2jHxam6Lk0OmmDS1NkV9Z43QF3sjJinW7fPQ@mail.gmail.com> <CAMr0u6ngTf+_eW_qhVz0G_jUNHUqPEMyQO+4A3xrqCh2tRe6FQ@mail.gmail.com> <D418A094.A29E7%paul@marvell.com> <CAMr0u6mUWxjqZbFBriMv8wDnmsWU6g2SBm3vnvOhX=B2rRF3aQ@mail.gmail.com> <c5853319-cfa5-1180-38ce-3fb438df8151@lounge.org> <CAMr0u6kpt-bMw7NVj=bjE3_9pqJs_oHX0mD7A5NR+qqBc9nACQ@mail.gmail.com>
From: Dan Harkins <dharkins@lounge.org>
Message-ID: <ed455dee-2e1c-b2b3-8624-620acdc04410@lounge.org>
Date: Tue, 04 Oct 2016 23:09:20 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <CAMr0u6kpt-bMw7NVj=bjE3_9pqJs_oHX0mD7A5NR+qqBc9nACQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------D4BC45169F9B0E1B80545F7F"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/1SxJmG1uXHEsw2yIjYBGcQK2hoI>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] SPM2 -> was Re: SPAKE2+mbDH a PAKE+PKA
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Oct 2016 06:09:24 -0000
Hello Stanislav, On 10/4/16 10:55 PM, Stanislav V. Smyshlyaev wrote: > Hello, Dan! > > mbDH (without modifications to SPM2) allows mutual authentication by > private keys s_A and s_B in case the parties obtain trusted (i.e. > obtained by a well-authenticated channel before the mbDH itself, of > course) P_A and P_B – as well as ordinary authenticated DH. So the parties must have some pre-existing authenticated channel through which they exchanged and obtained trust in P_A and P_B? And if not, then mbDH provides no authentication whatsoever. Correct? > > The thing I am talking about is that SPM2 seems not to provide it – > Alice, who has a valid Bob's P_B, can be tricked by an adversary who > doesn't have a correct s_B and has only the password. That does seem to void one of the goals of SPM2. regards, Dan. > > > Regards, > Stanislav > > > > 2016-10-05 8:45 GMT+03:00 Dan Harkins <dharkins@lounge.org > <mailto:dharkins@lounge.org>>: > > > Privyet Stanislav, > > On 10/4/16 9:56 PM, Stanislav V. Smyshlyaev wrote: >> >> Dear Paul! >> >> >> Thank you very much for the corrections. >> >> >> I. In the sense of PAKE everything seems to be OK now: now the >> proposed protocol is at least as strong as SPAKE2 itself – since >> SPAKE2 + mbDH for certain values of parameters is reduced >> toSPAKE2. Since the first part of SPAKE2 (key agreement itself) >> is proven to be secure, we may say that SPM2 should be a secure >> PAKE. Nevertheless a separate accurate proof would be interesting >> anyway – but I think this is not the thing we should care now >> about SPM2, there seems to be a lot more important problem. >> >> II. The problem is SPM2 in the case of known password seems to be >> less secure than mbDH (it seems to be unsecure at all in this case). >> > > What security properties do you believe mbDH has beyond simple > DH-- i.e. > unauthenticated key agreement? > > Dan. > >> >> Consider the following attack (thanks to my colleague Liliya >> Ahmetzyanova for the description) >> >> Let the adversary who tries to impersonate himself as B, knows >> password w, but doesn't possess private key s_B and wants to make >> honest party A believe that he does it for some fixed value of P_B. >> >> >> >> 1.A sends the valuesR_A, Y_A, where >> >> R_A = x_A * G + w * M_A; (according to the protocol description) >> >> Y_A = y_A * P_A = y_A * s_A * G; (according to the protocol >> description) >> >> 2.The adversary calculates for random x_B andy_Bthe values >> >> Y_B = y_B * P_B; >> >> R_B = x_B * G + w * M_B *– Y_B*; >> >> K = x_B * (R_A – w * M_A) + x_B * Y_A ( = x_B * >> (x_A * G) + x_B * (y_A * s_A * G)); >> >> Then all actions are made according to the protocol. >> >> 3.A calculates K according to the protocol: >> >> K = (x_A + y_A * s_A)(R_B – w * M_B + Y_B) ( = (x_A + >> y_A * s_A)(x_B * G) ); >> >> The key Kis equal to the key of adversary = > decryption will be >> correct => the check >> >> assertY_B == y_B * P_Bwill be successful; >> >> >> Thus SPM2 is not secure in the same case as mbDH is – it loses >> all private-key-related security when the password is known. >> >> Again, Paul, please correct me if I missed something. >> >> >> >> Best regards, >> Stanislav Smyshlyaev >> >> >> 2016-10-04 10:44 GMT+03:00 Paul Lambert <paul@marvell.com >> <mailto:paul@marvell.com>>: >> >> >> >> >> Dear Stanislav, >> >> >> Just a small remark: I'm sure that in the second message >> you wanted to send "encrypt( key=sk_BA, ((y_B, P_B), ...) >> )", not "encrypt( key=sk_BA, ((x_B, P_B), ...) )" (and >> "y_A, P_A" correspondigly). Otherwise you would obtain >> exactly the same problem as before. >> >> >> Thanks! I missed making this variable change … appreciate >> your catching this error. >> >> This update also made the shared key calculation more exactly >> match the SPAKE2 RFC and I missed changing the terms in this >> hash in a couple places. >> >> These are now fixed in: >> https://mentor.ieee.org/802.11/dcn/16/11-16-1329-01-00ai-pkex-alternatives.ppt >> <https://mentor.ieee.org/802.11/dcn/16/11-16-1329-01-00ai-pkex-alternatives.ppt> >> >> >> Best Regards, >> >> Paul >> >> >> >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org <mailto:Cfrg@irtf.org> >> https://www.irtf.org/mailman/listinfo/cfrg >> <https://www.irtf.org/mailman/listinfo/cfrg> >
- [Cfrg] SPM2 -> was Re: SPAKE2+mbDH a PAKE+PKA Paul Lambert
- Re: [Cfrg] SPM2 -> was Re: SPAKE2+mbDH a PAKE+PKA Stanislav V. Smyshlyaev
- Re: [Cfrg] SPM2 -> was Re: SPAKE2+mbDH a PAKE+PKA Stanislav V. Smyshlyaev
- Re: [Cfrg] SPM2 -> was Re: SPAKE2+mbDH a PAKE+PKA Paul Lambert
- Re: [Cfrg] SPM2 -> was Re: SPAKE2+mbDH a PAKE+PKA Stanislav V. Smyshlyaev
- Re: [Cfrg] SPM2 -> was Re: SPAKE2+mbDH a PAKE+PKA Dan Harkins
- Re: [Cfrg] SPM2 -> was Re: SPAKE2+mbDH a PAKE+PKA Stanislav V. Smyshlyaev
- Re: [Cfrg] SPM2 -> was Re: SPAKE2+mbDH a PAKE+PKA Dan Harkins
- Re: [Cfrg] SPM2 -> was Re: SPAKE2+mbDH a PAKE+PKA Stanislav V. Smyshlyaev
- [Cfrg] FW: SPM2 -> was Re: SPAKE2+mbDH a PAKE+PKA Paul Lambert
- Re: [Cfrg] FW: SPM2 -> was Re: SPAKE2+mbDH a PAKE… Andy Lutomirski
- Re: [Cfrg] FW: SPM2 -> was Re: SPAKE2+mbDH a PAKE… Paul Lambert
- Re: [Cfrg] FW: SPM2 -> was Re: SPAKE2+mbDH a PAKE… Dan Harkins