IETF Logo Mail Archive

Re: [Cfrg] aPAKE Analysis

Björn Haase <bjoern.m.haase@web.de> Sun, 22 September 2019 19:04 UTC

Return-Path: <bjoern.m.haase@web.de>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A44E412002E for <cfrg@ietfa.amsl.com>; Sun, 22 Sep 2019 12:04:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=web.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id frM_nCKaZAtQ for <cfrg@ietfa.amsl.com>; Sun, 22 Sep 2019 12:04:00 -0700 (PDT)
Received: from mout-xforward.web.de (mout-xforward.web.de [82.165.159.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94A8812004C for <cfrg@irtf.org>; Sun, 22 Sep 2019 12:03:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=web.de; s=dbaedf251592; t=1569179030; bh=gpGwEcxuxAm5/WdUlkRyFZnsH3msXU9sSyKPKPhUHWU=; h=X-UI-Sender-Class:Subject:To:Cc:References:From:Date:In-Reply-To; b=KKjmuCX647w9YkROZd4U6v0AHrePl1Hn0E3dY6wTQNuM6UurZecn0h/LzwPAUYyjf vTBt+V7IwwMV3QAiziL2hhmH1Xg18GwSRO3UCBd5poaM/1H6sCIxZMWwsnKqKl/Qr0 JBpLdd8wc08npdR9rec5pWj4ZMCmnWfNhcLtUYa8=
X-UI-Sender-Class: c548c8c5-30a9-4db5-a2e7-cb6cb037b8f9
Received: from [192.168.2.161] ([94.218.65.48]) by smtp.web.de (mrweb103 [213.165.67.124]) with ESMTPSA (Nemesis) id 0M5g0a-1i0vz32fcG-00xcTz; Sun, 22 Sep 2019 21:03:50 +0200
To: Jonathan Hoyland <jonathan.hoyland@gmail.com>, Hugo Krawczyk <hugo@ee.technion.ac.il>
Cc: steve@tobtu.com, cfrg <cfrg@irtf.org>
References: <1000404210.104219.1568701269003@email.ionos.com> <CACykbs3Bk40DpPb56SRXZJMHstUQqsT-n-Gkntrb0bhNss=zPw@mail.gmail.com> <CADi0yUPMiMdgZa8k7bP5wW_bVqxoMFXaJp0u1r7ZFRVaEfZOSg@mail.gmail.com> <CACykbs0mDkgfY=3=Wd0F=w7YwXYs9bEXJyhdcM74CEvw7w6-=Q@mail.gmail.com>
From: Björn Haase <bjoern.m.haase@web.de>
Message-ID: <568ba75e-26fd-8b12-5974-67517bce23a4@web.de>
Date: Sun, 22 Sep 2019 21:03:44 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <CACykbs0mDkgfY=3=Wd0F=w7YwXYs9bEXJyhdcM74CEvw7w6-=Q@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:h2yvA2vb8pCDwMtJ6nrv+lMpyR3Kfbusx1cl/uZsHC5qpbNeMYW ph5MZCcpFEwi6Ny0xaJKNojgzuWHLo05RcIGRIvZdXDEfhqpufpSKNEzRtcULpnteEMI3of 2N2gXe/N661XhV7TboHn/DyDaeFEc4fjF2iauvxX+5/PKvEixgPO32Opx/+8C9qtCpFiAC5 OoNoYT8Xt+x17fHorNrvw==
X-UI-Out-Filterresults: junk:10;V03:K0:b1RStkypDaU=:ZagnbVCKca0BPc3IFvaI3kVh 6F1tgJOqpR+91PgCZ+EN33DuPwpu8l192YRdMhmf9j2g7AdcDvm++9ukaXkIAYwd0N9LUfPKP ufGQhpEgkXqasPfoOQ8G+H/v9wDPGdQG9Z0sfLAmc/+wM32qSVzistW4aSc47ZIvCK9jyNJKr YkE2/nX4LbB7WORp1n3wuer33pfptFHhN/2w6NbEqXDcx4vGoHGSYQBwayKhh0MD7hzCNmdfY U68xCEUjheTi+juRp+tUyhJywkDkDWyQrp+rz8JGUCos7lRwIlZwojLnOM1GK0ETV/Q0bFRZF OmtH0RH4VWeUoRKabaGwGabbtb5BXVLRx/65YW91aFcXH17qPJLC/VZWPUts0oZZK5T4LLluM yVjlsjVYDoi8eU7wv9M0clD+i0wkLIdmS5U5cNIQyQWA6QBPWfbdU5B2IUqfF1rl0T0SbCZWP yOwZtm2m8Ipsqc/zeHpuC8kwtSjvB01mKQ6pHn4MxcHE21RirxT6ZTt0izronRwVCMcr3Otr8 Iech4yDJtnnoYox4k7sXD/blsWqDH17iQmgzsbeezmDzOsl2BW4HTdp/Jnh4m0l2YntSZ27NM cneixeUncqMzwLfXB6db0LFKb9PWGt3nyKjapZfoMvrZlyU366py+hCs2uKa5SFVuKJKgcsZG kwZ3g7N601HcZ98UwyiYooAwuJMcZooTuPlfvvfbdHmpFWHD1AK5NmA7EbxiHGn42d+JfKgcs 4NNZ/7uKAbOCVohBlEvKpmkPYy8vv7qZwbM7LbaTlDX688o7fGiUzEnxi+iVjUO1+hXIXLnJJ IyBIjwRj9dtNrUxS/wn6+sDCxfJem30fOxeRleRxycdfc0EhGPMXd17RX7cVdtcuO9nqm3Kdh 504K1p0A6/G0C3Kd9Pg/iZwEV0yhY5v2W+Zko67NHMc0JvS7TebjliULH2+oJPgTzcpe9aF3M /CLeAyzN9SbG5ICLXY272/S1sjsEC08ojThq/+ZSYNneWMmjfAEAUxf7sjenBKZ1A3EkQNQZk MqH5HspabZ6PJAmUnVx5reg41nQ1dLpIE2ZzjyPl4IaXva87MXlc3vN1aUse3/l7Zg7CvCksq 674aAD5bcd59X3WeChevRncB7dIVTvkutzNFHIZqSD4urt7qDeAz0SHSy7mMkdIxCkmDdE+ND yWXQMb0yzGKLelc126wl5bnYYkJqiiA61Ew1tg69IEN3GG0l1Zl4E6zILFpxF3WRiXHNICsxS JyDFuIaglkFPpMJQJMbtd+nkXIpPQgnF+GwnuC6LfR2+5m9yomS5nDv5hk=
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/1VGeUI9OFYAL96tRXre8pvCcbjc>
Subject: Re: [Cfrg] aPAKE Analysis
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Sep 2019 19:04:03 -0000

Dear Jonathan,

Am 18.09.2019 um 12:09 schrieb Jonathan Hoyland:
> Björn: The specific issue I have with AuCPace is that the AuCPace
> substep has to happen before the CPace substep, which means that you
> need to have a roundtrip before you start TLS.

I understand your concerns but still I am convinced that this is a
problem that we will be having anyway. In my perception we will have to
face the situation that the method for authentication to use is up to
the choice of the server within the most important application settings.

In my perception we will be having at least the settings
1.) "Password over certificate-authenticated TLS"
2.) "aPAKE authenticated TLS"
3.) "aPAKE + 2FA TLS".

Depending on the actual setting of the server, which the HMI client will
not be knowing beforehand (at least for the case of the https://
web-server) the client side will not be able to provide all of the
required information in the first client hello.

As pointed out in my slides

https://github.com/BjoernMHaase/fe25519/blob/master/Concept_For_Modularized_PAKE_integration_into_TLS_20190726.pdf

on page 22, I also don't see any performance issue for the HMI interface.

My suggestion on what could best be implemented is the following approach.

The Client tries a conventional Web-PKI-based TLS connection attempt as
usual with its ClientHello. In this ClientHellow it informs the server
that it also supports "aPAKE" and "aPAKE with 2FA".

In case of today's webservers, the server replies with a ServerHello as
normal. In case of a "aPAKE" or "aPAKE with 2FA" requirement by the
server, the server responds with a "HelloRetry" message in which he
answers which variant of aPAKE it needs. This first round could also be
used for establishing an ephemeral session ID on both sides by using the
random fields.

Then the "aPAKE" or "aPAKE with 2FA"  authentication protocol is started
and exchanges one ore more message rounds. (For identifying the
sessions, one could use the session ID as established beforehand.) For
this purpose, we need an extension to TLS for tunneling these protocol
messages, which are completely ignored by the TLS layer but transferred
as opaque payload. In case of "aPAKE with 2FA", the data required for
the second factor is also transmitted in addition to the messages needed
by the aPAKE sub-component.

At some spot the external layers will come up with a "PRS" string. In
the case of the "aPAKE with 2FA", this PRS string will also include data
from the second factor. Once this value is there, one could resume the
TLS operation by sending a "ClientHello" with the appropriate SID and
PRS information.

- We keep the TLS state machine as simple as it is today.
- We handle the case of balanced and augmented PAKE with the same
feature set
- We allow for extensability and flexibility (e.g. 2FA) without blowing
up the TLS complexity
- We keep the notoriously complex user-interface components out of TLS

Note that once we have this "tunnel mechanism" that could exchange data
between both sides for implementing use-cases such as password-changes,
etc. .

> I think that the pre-TLS phase is going to be difficult to actually
> implement and deploy, will probably have unacceptable performance,

I don't quite see where you identify a performance problem. Do you
consider the same application context as I did on slide 22 (as mentioned
above?)

> and leaks the username, which is a far more serious vulnerability than
> lack of quantum annoyingness.

Note that the username is leaked in clear text in *all* nominations to
an adversary impersonating the server! There is nothing I see that we
can do against it. At least for the case of an industrial plant, in my
assessment this is the far more critical case and easier to mount than a
passive adversary which is eavesdropping on the network. In this light,
I personally don't see a very significant advantage of using PAKE over
an un-authenticated but encrypted link.

> I think if there was a construction that let you use a balanced PAKE
> first and then do an augmentation step second, then simply integrating
> a balanced PAKE into TLS might be an acceptable solution.
Unfortunately, doing so will make it impossible (IMO) to use memory-hard
password hashing without rainbow tables :-(.
> The other option is to run the AuCPace and CPace substeps over a TLS
> connection, once it has been established, and do some sort of channel
> binding on top, which adds two roundtrips.
> I'll specifically address the subsystem question in the other thread.
>

v2.23.0 | Report a Bug | By Email