IETF Logo Mail Archive

Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE schemes

"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Fri, 29 January 2016 06:26 UTC

Return-Path: <smyshsv@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81FF41A006F for <cfrg@ietfa.amsl.com>; Thu, 28 Jan 2016 22:26:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tepWhLQ3O4kv for <cfrg@ietfa.amsl.com>; Thu, 28 Jan 2016 22:26:43 -0800 (PST)
Received: from mail-vk0-x229.google.com (mail-vk0-x229.google.com [IPv6:2607:f8b0:400c:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1892B1A006D for <cfrg@irtf.org>; Thu, 28 Jan 2016 22:26:43 -0800 (PST)
Received: by mail-vk0-x229.google.com with SMTP id n1so36858905vkb.3 for <cfrg@irtf.org>; Thu, 28 Jan 2016 22:26:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=xYwtF6pWhBwR3cC8MvgtxWnSKMyDf158HSzri4FFHBc=; b=IiQQYT2srlxsMsmOrIJzzzp89JTE8uXoEPvef7LwtYj22ncwsHGyTp76losIf/SIRD TR2PAEiBzHzNT6JSHruzmLx8gAuj1sAlVX4UnIpLsQJRXBAx7V2+JT1ml/6FwGSeO07a MCEDDTDv4/S4VdgOcvb0XkO0C9gErPKLdU4uA2FHTCMO1gv5PPUQSIDJwy41Pt1RhazJ td1SeSNYlUW0SwQ5Sm/yvHUSqPz/RF0em9sTDZ7JOVOeg4BY0HMvCWGVMY3nXLY0Dt8Z 8SuYY46bUK/59g3wxB2w0f+4MlHs9/8iyO1qF5Q+CvRfM3+pLs9qSFgKQYTK2UDAlipE vGgw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=xYwtF6pWhBwR3cC8MvgtxWnSKMyDf158HSzri4FFHBc=; b=Kv4LaNAzCrqJl/pznd81EE++enMCn4nrGwyq9OSjZoqTIXkoyBG5oIScSROSzY8M2U Slo1nsh/T7DeTG4bWwTb6WpYKGRC+OV8CF9IQRCbXtQ2ikAD3/2kSY6fARa1JinGdvoV IomKPxuJlIETmDnEEeL/GxgQFEvcn2gxl+xIgpGj+jOfEFJ7sKb+dWcVqIVDgrm5CFE0 KbE/dd3XShatQ2IL8F62LWCvucvLN58P7XVuCLk8GEWJKmQdrewH36UMEWb29jMsGXM8 6cl5bLO9YXoTF2HrHB/X6bHZszFdDDPIQYKYKzlYNuQqBZvJKWrBJnrZtChSa6D11rba RC5A==
X-Gm-Message-State: AG10YOTYenTzGqwQY6ihnl2jklFj/oui45KMCnutLXbezl/cVOkG5oP04rnbgEYTuH9p+BWrfLo3s5EUrZ6AYg==
MIME-Version: 1.0
X-Received: by 10.31.52.133 with SMTP id b127mr4748835vka.77.1454048802108; Thu, 28 Jan 2016 22:26:42 -0800 (PST)
Received: by 10.31.80.133 with HTTP; Thu, 28 Jan 2016 22:26:42 -0800 (PST)
In-Reply-To: <CACsn0ckKX7pKZ5qU0y6cR3jyGV8JmL1V8EAUwU6b4ShDYVxmYw@mail.gmail.com>
References: <CAMr0u6=76q4n-u1Vpv5vWjSNgi4CtaOJoX0EmvcbXH+9C4w2mg@mail.gmail.com> <78D9D0BF-4ADE-4DDB-88A4-BF03DD6336BA@shiftleft.org> <9c878c6b6b505414f71fa53442e4a33a@mail.tc26.ru> <CAMr0u6nzV_Y87ghnAcmhgkzk4fgdKtC3Kj8NqPyawHrjhGVySg@mail.gmail.com> <CACsn0ckKX7pKZ5qU0y6cR3jyGV8JmL1V8EAUwU6b4ShDYVxmYw@mail.gmail.com>
Date: Fri, 29 Jan 2016 09:26:42 +0300
Message-ID: <CAMr0u6kvc1B8MY7Nqs2NLd1tHPU6wiv7ti9QDQ5gvu6iRgw+2g@mail.gmail.com>
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="001a1144038655fb06052a731e7c"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/2atJVnO41yeHlJsu2RCZX-uy5Mk>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE schemes
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jan 2016 06:26:47 -0000

A major number of cryptography failures follows from incorrect embedding of
lower-level protocols to high-level ones – if you prove the security of
PAKE under specific assumtions on counter handling and then someone
implements it without knowledge of them, you have a practical
vulnerability. We do not create protocols for vacuum, we make them for
practice and must write security considerations (a specific "Security
considerations" section in RFC can be used for discussing these issues, if
someone thinks that they are not important enough to be in the main part).

To be more concrete: if one increments "insuccessful login attemps" counter
only after the full protocol (agreement + key confirmation) in case of key
confirmation failure and forgets to increment it in case of protocol
interruption after agreement, a password guessing technique that is based
on zero point can be easily applied.

You don't have to specify concrete scenarios, but you must at least give
recommendations that are based on the assumptions you have in the security
proof.


Best regards,
Stanislav V. Smyshlyaev, Ph.D.,
Head of Information Security Department,
CryptoPro LLC




2016-01-29 8:34 GMT+03:00 Watson Ladd <watsonbladd@gmail.com>:

> On Thu, Jan 28, 2016 at 9:19 PM, Stanislav V. Smyshlyaev
> <smyshsv@gmail.com> wrote:
> > Hello, Mike and Grigory!
> >
> > Mike, I definitely agree with you that it is impossible to choose a
> single
> > solution for all PAKE applications. For example, now in Russia for the
> > current moment we have two fields where SESPAKE is used:
> > - protection of a channel between a PC and a cryptographic token (mostly
> for
> > the case of Bluetooth-tokens);
> > - draft implementations of IKEv2 with Russian crypto.
> > We have distinct issues with counters of attempts here – as you
> mentioned,
> > DoS prevention is crucial for many protocols, for IKE v2 particularly.
> > However, this does not mean that counters should not be controlled at
> all –
> > the whole PAKE idea would be nearly useless in this case – this only
> means
> > that counters must be managed sensitively and accurately: some of the
> > counters can be optional or can be controlled at other levels.
> >
> > For example, in our SESPAKE RFC draft
> > (https://www.ietf.org/id/draft-smyshlyaev-sespake-01.pdf) we stress
> (Section
> > 4, notes 5 and 6) that different counters must be handled in different
> ways.
> > The most important point here is that any PAKE security proof exploits
> > limitations of password trials – so the connected issues must be
> represented
> > in some way (with one or another level of strictness) in any PAKE
> protocol
> > description.
> >
> > Therefore, I would correct my consideration on PAKE requirements
> slightly.
> > It is of highly importance to add the requirement: a description of a
> PAKE
> > protocol MUST include descriptions and usage recommendations of the
> > following counters:
> > -          counters of unsuccessful connections in a row,
> > -          counters of unsuccessful connections for the particular
> password,
> > -          counters of the total connections (successful and
> unsuccessful)
> > for the current password.
>
> Upper-layer protocols and applications can limit the number of login
> attempts. PAKEs that limit offline guessing and force online are
> sufficient, as most protocols already implement login limits. I don't
> see why site-specific policy needs to be put in an RFC.
>
> >
> >
> > Best regards,
> > Stanislav V. Smyshlyaev, Ph.D.,
> > Head of Information Security Department,
> > CryptoPro LLC
> >
> >
> > 2016-01-28 23:45 GMT+03:00 Grigory Marshalko <marshalko_gb@tc26.ru>:
> >>
> >> Hi, for these heuristics we can use approaches like fuzzy extractors and
> >> the corresponding theory in order to determine corresponding
> limitations.
> >> But this of cause would require training phases.
> >>
> >> Regards,
> >> Grigory Marshalko,
> >> expert,
> >> Technical committee for standardisation "Cryptography and security
> >> mechanisms" (ТC 26)
> >> www.tc26.ru
> >>
> >> 28 января 2016 г., 21:10, "Mike Hamburg" <mike@shiftleft.org> написал:
> >>
> >> Hello Dr Smyshlyaev,
> >>
> >> It's worth noting that in many systems, the risk of DoS weighs against
> the
> >> risk of password guessing. The designers of these systems may not find
> it
> >> acceptable to hard lock an account based on a global count of attempts,
> >> especially if most of their adversaries are not powerful. For example,
> eBay
> >> doesn't want people to lock out the accounts of their competitors just
> by
> >> trying 10 times to log in.  In these systems, heuristics are used
> (based eg
> >> on IP, CAPTCHAs or browser metrics) to deter guessing.  The same sort of
> >> work is applicable to PAKE systems. So I don't think brute force
> prevention
> >> will be so one-size-fits-all.
> >> Cheers,
> >> -- Mike
> >>
> >> Sent from my phone.  Please excuse brevity and typos.
> >>
> >> On Jan 28, 2016, at 02:59, Stanislav V. Smyshlyaev <smyshsv@gmail.com>
> >> wrote:
> >>
> >>
> >>
> >> Good afternoon!
> >> The order of most security bounds of PAKE protocols is determined by the
> >> value  $q{send}/|D|$, where $D$ is a size of a password set and
> $q_{send}$
> >> is a number of the adversary’s active impacts on the channel. The active
> >> impact assumes that the adversary can intercept a data in the channel
> and
> >> change it. A PAKE protocol is secure if a little number of such impacts
> >> cannot lead to the adversary’s success for some threat. It means that
> for
> >> the secure protocol any active impact leads to the fail abortion of the
> >> protocol. The bounds of the security can be reflected in the particular
> >> values if there are limitations for the value $q_{send}$.  In practice
> it
> >> can be achieved with counters that limit the number of unsuccessful
> >> authentication attempts. These limitations are the essential part of the
> >> protocol as they define the final security. For example, their absence
> leads
> >> to the vulnerability of the protocol to the online password brute force
> >> attack.
> >> So we think that it is of highly importance to add the following
> >> requirement: the description of the protocol of the PAKE type MUST
> include
> >> the limitations and detailed description of the following counters:
> >> -          counters of the fail connections in a row,
> >> -          counters of the fail connections for the particular password,
> >> -          counters of the total connections (successful and
> unsuccessful)
> >> for the current password.
> >> Best regards,
> >> Stanislav V. Smyshlyaev, Ph.D.,
> >> Head of Information Security Department,
> >> CryptoPro LLC
> >> <seonghan.shin@aist.go.jp> wrote:
> >>
> >> Dear Jörn,
> >> Thank you for the document.
> >> Here are some comments:
> >> 1. It is somewhat misleading to differ balanced and augmented by a type
> of
> >> password storage in Section 3.1 because in balanced PAKE protocols
> passwords
> >> can be stored as elements generated with a one-way function. As you
> already
> >> wrote in the second paragraph, the difference is whether it is
> providing KCI
> >> or not.
> >> 2. In Section 3.3, “~ while the second one proposes a generic
> construction
> >> that allows transferring any two-party PAKE into a GPAKE protocol.”.
> >> However, there are other papers to convert 2-party PAKE to group PAKE
> (e.g.,
> >> [ACGP11]).
> >> M. Abdalla et al., “Contributory Password-Authenticated Group Key
> Exchange
> >> with Join Capability,”' CT-RSA 2011
> >> Best regards,
> >> Shin
> >>
> >>
> ------------------------------------------------------------------------------
> >> SeongHan Shin
> >> Information Technology Research Institute (ITRI),
> >> National Institute of Advanced Industrial Science and Technology (AIST),
> >> 8F, AIST Tokyo Waterfront Bio-IT Research Building,
> >> 2-4-7 Aomi, Koto-ku, Tokyo, 135-0064, Japan
> >> Tel : +81-3-3599-8001
> >> E-mail : seonghan.shin@aist.go.jp
> >>
> >>
> ------------------------------------------------------------------------------
> >>
> >>
> >>
> >> _______________________________________________
> >> Cfrg mailing list
> >> Cfrg@irtf.org
> >> https://www.irtf.org/mailman/listinfo/cfrg
> >
> >
> >
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
> >
>
>
>
> --
> "Man is born free, but everywhere he is in chains".
> --Rousseau.
>

v2.23.0 | Report a Bug | By Email