[Cfrg] Potential vulnerabilities with OPAQUE

Julia Len <jlen@cs.cornell.edu> Thu, 19 March 2020 00:55 UTC

Return-Path: <jl3836@cornell.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 37E903A1F29 for <cfrg@ietfa.amsl.com>; Wed, 18 Mar 2020 17:55:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.362
X-Spam-Status: No, score=-3.362 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-1.463, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id zwD9HFHFFRJE for <cfrg@ietfa.amsl.com>; Wed, 18 Mar 2020 17:55:16 -0700 (PDT)
Received: from mail-il1-f178.google.com (mail-il1-f178.google.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F8993A1F28 for <cfrg@irtf.org>; Wed, 18 Mar 2020 17:55:16 -0700 (PDT)
Received: by mail-il1-f178.google.com with SMTP id w15so669900ilq.6 for <cfrg@irtf.org>; Wed, 18 Mar 2020 17:55:16 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=NQkT9DPFuyt8kIZKPXX+RY/kTpDg7w8QL9n3OZrD6UY=; b=ojUEbngJW7bSTO+X23YPP5FvmBImprGBOmjy9sk6o/khXfbUKUwDijEu7x6aBxQAgd /38udsEWTdUKOKaDCgcOur2Rn1pOPPfTJxUOid3ZEzjzVVJrJ+nicNO6Xh6nLkKv5It4 zNCej7IQaS+aOu/aghEq4TwQUWe+Q+/USi5vXQiY0dCxELtDdsSnX1jbk5IPyRhvZBSW NVbYbBM7CfL6gRWsreeV+XKQeMYpHjVf820+u1nO64cWoIf1kuYsg8LTiceYVj+XPA68 eSi19t69/9uaBNGEUS7vxCiGzUoZNq1Mgyaibx5HSMat7f1dReqDFVq56LBvVGshCjcE HH+g==
X-Gm-Message-State: ANhLgQ0jgqat9PulOEwD1Nut3S+6w+Xyf56uS/lvybi2oALMIMDVLyad Ks+uCP+LqrOeg3sUwGjyaI7NnwtofWvA3MKRJ1svaaJlOhc=
X-Google-Smtp-Source: =?utf-8?q?ADFU+vtfXYZJElYwWbL8SckgAekFETq1Ffb9ZGINyXoT?= =?utf-8?q?kyNHyaRDzpLzTNr2zE4c/MsNGPXK6ZGyivIjSaiXn2H0CKQ=3D?=
X-Received: by 2002:a92:8901:: with SMTP id n1mr903914ild.176.1584579315010; Wed, 18 Mar 2020 17:55:15 -0700 (PDT)
MIME-Version: 1.0
From: Julia Len <jlen@cs.cornell.edu>
Date: Wed, 18 Mar 2020 20:55:04 -0400
Message-ID: <CAK0e1Drh8khq7_v9jsYWHuAQ3XRnK2+2dNFOZQTyqVrbxk21MA@mail.gmail.com>
To: cfrg@irtf.org
Content-Type: multipart/alternative; boundary="00000000000030a84305a12a9f64"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/2W9LoeeiRzAiTWVnDsyxvjYPPmo>
Subject: [Cfrg] Potential vulnerabilities with OPAQUE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Mar 2020 14:16:13 -0000

Dear CFRG,

I am a PhD student at Cornell studying applied cryptography; recently, I
have been analyzing the OPAQUE protocol along with my collaborators, Paul
Grubbs and Tom Ristenpart. We believe there are subtleties with the
protocol that should be given attention. In particular, it uses an
authenticated encryption (AE) scheme that needs to satisfy what the authors
call random-key robustness (RKR): intuitively, it should be hard to
construct an AE ciphertext that decrypts under multiple random keys.
However, the authors do not explain what attacks RKR prevents and are vague
in giving guidance about design choices for RKR AE.

If an RKR AE scheme is not used in OPAQUE, we have developed a theoretical
attack that results in an exponential speedup in online password guessing.
Though our attack is still theoretical (we are working on a
proof-of-concept now), we believe it is relevant to the ongoing aPAKE
standardization effort for two main reasons: first, because in the absence
of widespread library support for RKR secure schemes, practitioners are
likely to misunderstand or ignore the requirement (we have found several
implementations that do exactly this, see below). The second reason the
attack is relevant is that the guidance given in the current RFC, if
followed by practitioners in a natural way, will not necessarily prevent
the attack -- some of the recommended AE schemes have timing side channels
in decryption that enable the attack, even though they are RKR secure on

During client login, an attacker that impersonates the server can learn a
client’s password efficiently via an online guessing attack. More
specifically, the attacker can split the dictionary of passwords into two
sets of equal size and, using the fact that the AE scheme is not robust,
compute a ciphertext that can be decrypted by all the passwords in one set
but not the other. When the user attempts to log in, decryption of the AE
envelope will either succeed or fail depending on in which set the password
is, thereby allowing the attacker to narrow the set of potential passwords
by half. Continuing in this way, only log(n) impersonations are required to
learn a client’s password from a dictionary of size n.

There are already several implementations of OPAQUE, and a few do utilize
RKR AE, such as Encrypt-then-HMAC. However, many others do not. These
implementations use dedicated AEAD schemes implemented in popular libraries
such as libsodium. The schemes in these libraries are typically AES-GCM or
XSalsa20/Poly1305, neither of which is RKR-secure.

Currently, the RFC draft for OPAQUE does suggest a way to make GCM key
robust: append an all-zeros block to the end of the plaintext and check if
this block remains intact after decryption. However, the obvious way for
practitioners to implement this check results in a timing side channel that
allows detecting decryption failure, re-enabling the attack described
above. That is, the attacker could detect whether decryption failed because
decryption of the ciphertext itself failed or because decryption succeeded
but the zeros check failed. We believe this vulnerability is likely to
happen: practitioners will use libraries that already implement AES-GCM and
XSalsa20/Poly1305 and prevention requires modifying these libraries. Aside
from timing, other side channels, like application-level error messages (as
in the classical padding oracle attack) or cache-level access patterns,
could result in distinguishable decryption failures that enable the attack.

The attacks we outlined show that much of OPAQUE’s practical security
against online attacks hinges on RKR and, furthermore, RKR does not always
prevent these attacks. If OPAQUE is selected for standardization, then
there should be clear guidelines for practitioners about which AE schemes
are appropriate to use, as well as which are not, and an emphasis that
using these schemes is a necessity for secure deployment. While we are
still exploring the best ways to mitigate these attacks, we have some
suggestions. In particular, Encrypt-then-HMAC is RKR secure and should be
the only AE scheme recommended for use currently (the “fixed-string MAC”
transform described in the RFC does not guarantee RKR unless the MAC is
collision-resistant and, moreover, also suffers from side-channel attacks).
We are also working on a variant of GCM that we believe will be both RKR
and immune to the timing side channel attack we described above.

Julia Len