[Cfrg] Potential vulnerabilities with OPAQUE
Julia Len <jlen@cs.cornell.edu> Thu, 19 March 2020 00:55 UTC
Return-Path: <jl3836@cornell.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37E903A1F29 for <cfrg@ietfa.amsl.com>; Wed, 18 Mar 2020 17:55:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.362
X-Spam-Level:
X-Spam-Status: No, score=-3.362 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-1.463, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zwD9HFHFFRJE for <cfrg@ietfa.amsl.com>; Wed, 18 Mar 2020 17:55:16 -0700 (PDT)
Received: from mail-il1-f178.google.com (mail-il1-f178.google.com [209.85.166.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F8993A1F28 for <cfrg@irtf.org>; Wed, 18 Mar 2020 17:55:16 -0700 (PDT)
Received: by mail-il1-f178.google.com with SMTP id w15so669900ilq.6 for <cfrg@irtf.org>; Wed, 18 Mar 2020 17:55:16 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=NQkT9DPFuyt8kIZKPXX+RY/kTpDg7w8QL9n3OZrD6UY=; b=ojUEbngJW7bSTO+X23YPP5FvmBImprGBOmjy9sk6o/khXfbUKUwDijEu7x6aBxQAgd /38udsEWTdUKOKaDCgcOur2Rn1pOPPfTJxUOid3ZEzjzVVJrJ+nicNO6Xh6nLkKv5It4 zNCej7IQaS+aOu/aghEq4TwQUWe+Q+/USi5vXQiY0dCxELtDdsSnX1jbk5IPyRhvZBSW NVbYbBM7CfL6gRWsreeV+XKQeMYpHjVf820+u1nO64cWoIf1kuYsg8LTiceYVj+XPA68 eSi19t69/9uaBNGEUS7vxCiGzUoZNq1Mgyaibx5HSMat7f1dReqDFVq56LBvVGshCjcE HH+g==
X-Gm-Message-State: ANhLgQ0jgqat9PulOEwD1Nut3S+6w+Xyf56uS/lvybi2oALMIMDVLyad Ks+uCP+LqrOeg3sUwGjyaI7NnwtofWvA3MKRJ1svaaJlOhc=
X-Google-Smtp-Source: ADFU+vtfXYZJElYwWbL8SckgAekFETq1Ffb9ZGINyXoTkyNHyaRDzpLzTNr2zE4c/MsNGPXK6ZGyivIjSaiXn2H0CKQ=
X-Received: by 2002:a92:8901:: with SMTP id n1mr903914ild.176.1584579315010; Wed, 18 Mar 2020 17:55:15 -0700 (PDT)
MIME-Version: 1.0
From: Julia Len <jlen@cs.cornell.edu>
Date: Wed, 18 Mar 2020 20:55:04 -0400
Message-ID: <CAK0e1Drh8khq7_v9jsYWHuAQ3XRnK2+2dNFOZQTyqVrbxk21MA@mail.gmail.com>
To: cfrg@irtf.org
Content-Type: multipart/alternative; boundary="00000000000030a84305a12a9f64"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/2W9LoeeiRzAiTWVnDsyxvjYPPmo>
Subject: [Cfrg] Potential vulnerabilities with OPAQUE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Mar 2020 14:16:13 -0000
Dear CFRG, I am a PhD student at Cornell studying applied cryptography; recently, I have been analyzing the OPAQUE protocol along with my collaborators, Paul Grubbs and Tom Ristenpart. We believe there are subtleties with the protocol that should be given attention. In particular, it uses an authenticated encryption (AE) scheme that needs to satisfy what the authors call random-key robustness (RKR): intuitively, it should be hard to construct an AE ciphertext that decrypts under multiple random keys. However, the authors do not explain what attacks RKR prevents and are vague in giving guidance about design choices for RKR AE. If an RKR AE scheme is not used in OPAQUE, we have developed a theoretical attack that results in an exponential speedup in online password guessing. Though our attack is still theoretical (we are working on a proof-of-concept now), we believe it is relevant to the ongoing aPAKE standardization effort for two main reasons: first, because in the absence of widespread library support for RKR secure schemes, practitioners are likely to misunderstand or ignore the requirement (we have found several implementations that do exactly this, see below). The second reason the attack is relevant is that the guidance given in the current RFC, if followed by practitioners in a natural way, will not necessarily prevent the attack -- some of the recommended AE schemes have timing side channels in decryption that enable the attack, even though they are RKR secure on paper. During client login, an attacker that impersonates the server can learn a client’s password efficiently via an online guessing attack. More specifically, the attacker can split the dictionary of passwords into two sets of equal size and, using the fact that the AE scheme is not robust, compute a ciphertext that can be decrypted by all the passwords in one set but not the other. When the user attempts to log in, decryption of the AE envelope will either succeed or fail depending on in which set the password is, thereby allowing the attacker to narrow the set of potential passwords by half. Continuing in this way, only log(n) impersonations are required to learn a client’s password from a dictionary of size n. There are already several implementations of OPAQUE, and a few do utilize RKR AE, such as Encrypt-then-HMAC. However, many others do not. These implementations use dedicated AEAD schemes implemented in popular libraries such as libsodium. The schemes in these libraries are typically AES-GCM or XSalsa20/Poly1305, neither of which is RKR-secure. Currently, the RFC draft for OPAQUE does suggest a way to make GCM key robust: append an all-zeros block to the end of the plaintext and check if this block remains intact after decryption. However, the obvious way for practitioners to implement this check results in a timing side channel that allows detecting decryption failure, re-enabling the attack described above. That is, the attacker could detect whether decryption failed because decryption of the ciphertext itself failed or because decryption succeeded but the zeros check failed. We believe this vulnerability is likely to happen: practitioners will use libraries that already implement AES-GCM and XSalsa20/Poly1305 and prevention requires modifying these libraries. Aside from timing, other side channels, like application-level error messages (as in the classical padding oracle attack) or cache-level access patterns, could result in distinguishable decryption failures that enable the attack. The attacks we outlined show that much of OPAQUE’s practical security against online attacks hinges on RKR and, furthermore, RKR does not always prevent these attacks. If OPAQUE is selected for standardization, then there should be clear guidelines for practitioners about which AE schemes are appropriate to use, as well as which are not, and an emphasis that using these schemes is a necessity for secure deployment. While we are still exploring the best ways to mitigate these attacks, we have some suggestions. In particular, Encrypt-then-HMAC is RKR secure and should be the only AE scheme recommended for use currently (the “fixed-string MAC” transform described in the RFC does not guarantee RKR unless the MAC is collision-resistant and, moreover, also suffers from side-channel attacks). We are also working on a variant of GCM that we believe will be both RKR and immune to the timing side channel attack we described above. Sincerely, Julia Len
- [Cfrg] Potential vulnerabilities with OPAQUE Julia Len
- Re: [Cfrg] Potential vulnerabilities with OPAQUE Hugo Krawczyk
- Re: [Cfrg] Potential vulnerabilities with OPAQUE Julia Len