IETF Logo Mail Archive

Re: [Cfrg] Key establishment advice (say, for TLS): How about MQV?

Feng Hao <feng.hao@newcastle.ac.uk> Thu, 06 March 2014 09:44 UTC

Return-Path: <feng.hao@newcastle.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B8B91A0189 for <cfrg@ietfa.amsl.com>; Thu, 6 Mar 2014 01:44:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.601
X-Spam-Level:
X-Spam-Status: No, score=-3.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, J_CHICKENPOX_31=0.6, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UdcPSeKRDRs3 for <cfrg@ietfa.amsl.com>; Thu, 6 Mar 2014 01:44:07 -0800 (PST)
Received: from cheviot12.ncl.ac.uk (cheviot12.ncl.ac.uk [128.240.234.12]) by ietfa.amsl.com (Postfix) with ESMTP id 9A6FF1A0188 for <cfrg@irtf.org>; Thu, 6 Mar 2014 01:44:06 -0800 (PST)
Received: from exhubvm02.ncl.ac.uk ([128.240.234.9] helo=EXHUBVM02.campus.ncl.ac.uk) by cheviot12.ncl.ac.uk with esmtp (Exim 4.63) (envelope-from <feng.hao@newcastle.ac.uk>) id 1WLUqQ-00046W-9s; Thu, 06 Mar 2014 09:44:02 +0000
Received: from EXMBDB02.campus.ncl.ac.uk ([fe80::c039:e17:9d60:9f3]) by EXHUBVM02.campus.ncl.ac.uk ([2002:80f0:ea09::80f0:ea09]) with mapi id 14.03.0158.001; Thu, 6 Mar 2014 09:43:44 +0000
From: Feng Hao <feng.hao@newcastle.ac.uk>
To: Watson Ladd <watsonbladd@gmail.com>
Thread-Topic: [Cfrg] Key establishment advice (say, for TLS): How about MQV?
Thread-Index: Ac83z0llZtT/vCOFQoawCOkdH1P3UQAQfBCAABBwelAAHU/XgAAVu440
Date: Thu, 06 Mar 2014 09:43:43 +0000
Message-ID: <B15015334706B5489C2DCD6698A3D6CC11370E@EXMBDB02.campus.ncl.ac.uk>
References: <CF3B7563.125D8%uri@ll.mit.edu> <CACsn0c=V0bakFm+bn-6V3aQud=MbUDvTsiRnZw7SapEZ1pnVHw@mail.gmail.com> <B15015334706B5489C2DCD6698A3D6CC112461@EXMBDB02.campus.ncl.ac.uk>, <CACsn0cnZVLD8hf58B4qFv0zLXK3y9WRqz+0qiNTMGKKzRjHzow@mail.gmail.com>
In-Reply-To: <CACsn0cnZVLD8hf58B4qFv0zLXK3y9WRqz+0qiNTMGKKzRjHzow@mail.gmail.com>
Accept-Language: en-US, en-GB
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.4.160.6]
Content-Type: multipart/alternative; boundary="_000_B15015334706B5489C2DCD6698A3D6CC11370EEXMBDB02campusncl_"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/3-tw9j5ZT5lwsYVmP24DvEoZ4DA
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Key establishment advice (say, for TLS): How about MQV?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 09:44:12 -0000

Hi Watson,

i cc CFRG as other people may have the similar question.

________________________________
From: Watson Ladd [watsonbladd@gmail.com]
Sent: Wednesday, March 05, 2014 11:11 PM
To: Feng Hao
Subject: RE: [Cfrg] Key establishment advice (say, for TLS): How about MQV?


On Mar 5, 2014 2:49 AM, "Feng Hao" <feng.hao@newcastle.ac.uk<mailto:feng.hao@newcastle.ac.uk>> wrote:
>
> Hi,
>
> >However, one does need (F?)HMQV, because the unkown-key share attack
> >on MQV can be mounted if private key possession is not proved. In some
> >of the environments TLS will run this is an essential property. The
> >anonymous variant has been analyzed: it's the ACE protocol that Tor is
> >considering using.
>
> Sorry to be nitpicking, but the UKS attack on MQV was not because of the reason mentioned above (it still works even if PoP is done properly by the CA). It was because the user identities were not included in the key exchange flows [1]. In the original MQV, the user identities are only included in the explicit key confirmation phase. Hence, the UKS attack only works on the 2-pass MQV (i.e., without explicit key confirmation), but not on the 3-pass MQV (with explicit key confirmation).
>
> In any case, this shows a weakness in the original MQV. In [2], a variant of the MQV is described, which includes the user identities into the key derivation function (see Sec 2.2, K = H(.., A, B)).  Thus, the 2-pass MQV is immune to UKS attack as well, but it brings a subtle issue: two users need to agree whose identity comes first. This would imply at least in theory, the protocol is no longer one-round. (Yes, I know we can fix it by using K = H(... Min(A,B), Max(A,B)), though it won't look pretty.)
>
> HMQV was designed with motivation for "provable security". However, calling it as hash variant of MQV would be a bit misleading, as it is actually more than that. On one hand, it does the right thing by including user identities within the key exchange flows using a hash function, hence preventing the UKS attack. On the other hand, it explicitly drops two important safeguards: 1) during CA registration, it doesn't require CA to validate the submitted public key other than checking the value is not 0; 2) during key exchange, it doesn't require validating the received ephemeral public key, hence accepting any key even when it is apparently invalid (say a small subgroup element). The HMQV author presents formal proofs to argue two safeguards are redundant. However, I have reserved opinions on dropping those two safeguards (despite the proofs) and I wrote a paper on this subject in 2010 [3] (a journal version of the paper with more details can be found in [4]). It is fair to say when implementing HMQV, one needs to at least be aware of these issues.
>

Would using exponents that kill the cofactor solve this?


Not entirely. In the prime field mod p, there is always at least one small subgroup (size 2), hence the need to check it.


In the EC setting, one needs to at least check if the public key is a valid point on the curve (rather than a random string). If the EC group has co-factor > 1, one also needs to check if the public key on the curve has the proper order.


As u can see, the cost of validating public keys varies according to different group settings, from very expensive to almost negligible. But the main point here is the need, rather than the cost, of doing such security checks.


In some very specialized applications (which are not clear to me at the moment), you might want to remove all these checks altogether as said in the HMQV paper. But one will need to be cautious – especially considering that the security environments may change over time (and they often do).


> As I understand it, one practical issue with MQV is that it was patented. However, I am not sure what the current patent status of MQV (and ECMQV) is.
>
> [1] B. Kaliski, "An unknown key-sharing attack on the MQV key agreement protocol," ACM Transactions on Information and System Security, Vol. 4. No. 3, 2001, pp. 275-288.
>
> [2] A. Menezes, B. Ustaoglu, "On the importance of public-key validation in the MQV and HMQV key agreement protocols," INDOCRYPT'06, LNCS 4329, pp. 133-147, 2006.
>
> [3] F. Hao, "On Robust Key Agreement Based on Public Key Authentication", Proceedings of the 14th International Conference on Financial Cryptography and Data Security (FC'10), Tenerife, Spain, LNCS 6052, pp. 383-390, 2010.
>
> [4] F, Hao, "On Robust Key Agreement Based on Public Key Authentication," Security and Communication Networks, Special issue on Design and Engineering of Cryptographic Solutions for Secure Information Systems, Wiley, 2012
>
> Cheers,
> Feng

v2.23.0 | Report a Bug | By Email