IETF Logo Mail Archive

Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE schemes

"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Fri, 29 January 2016 05:19 UTC

Return-Path: <smyshsv@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 419791B3DD9 for <cfrg@ietfa.amsl.com>; Thu, 28 Jan 2016 21:19:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uttbkKXPPbMn for <cfrg@ietfa.amsl.com>; Thu, 28 Jan 2016 21:19:14 -0800 (PST)
Received: from mail-vk0-x233.google.com (mail-vk0-x233.google.com [IPv6:2607:f8b0:400c:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F54E1B325F for <cfrg@irtf.org>; Thu, 28 Jan 2016 21:19:14 -0800 (PST)
Received: by mail-vk0-x233.google.com with SMTP id e6so36185779vkh.2 for <cfrg@irtf.org>; Thu, 28 Jan 2016 21:19:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=vje/D9ZBH0WmPu2y0fuEasEdhJJwachFrNSnjt9KyZ8=; b=TtPdXvFlu+VIGYV5hXCvMjnsLcQrcwVFlnuwHXpWDYzRWg3KOPujNLVXQovBgR6GY/ AttE5Gk1VSk7+RNrsj3XGdkO95hO31TvV/p2ngLzvSWvY11wFVimAEMur9bq7xAwgvTM WJMm4772i7xeug7TbydZTSlC7eO2PoHfSy0PEuqe8ZCW8PSEBQHvN1NQ8hMbMaTKOU2d vHUIKSZsPlF6nL96lFXK5DRMyi4TqAfJhZmExecmk765Fh0NkRxCawgf5u5kTDUneqPs v5ZehjSPRz3rxK8M/6YJBIj4R/Qk40Nt2OD7NRPPC+AjITv/dQuweI8IeJmZVA2b5QH+ lmPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=vje/D9ZBH0WmPu2y0fuEasEdhJJwachFrNSnjt9KyZ8=; b=kBYAcfZWQqIpTAKI3ESnJHMMFw+qHe8CPNrqOGyop/9fzzy2L4+C3wsqIv04h6kgSa Rad6cV+5MND69OkWC1MNiLYolgs241rK3fFfWbXuIKiA8RTE70RAQ/2RtbTD2Squ1lAo UzZuGI0Wly3Z4kpkv93qibJkg8tFZhELnl9ERTUNnILfgMNbhtJheiQBt6AEjf5K3o05 54M5p5GCPJ1qPfNODvnw62xq41UV/CT+QXhhYUpr8bViAe4tRsds39AwYhpX7+JeJ8vH A3bDuZEQ7a1uKtB8XcROnb02FR6oZqIC6V8efpzLx+0ONphiNPA9qTXSS70XqW4/PA6+ rOew==
X-Gm-Message-State: AG10YOSKu4LcNl6Djrqu6bdN4inWke6A7ZsQChQkB8GFGGLWmbKp77BKKaC68G9U9F6TGshMvD1DYYnbavEgRg==
MIME-Version: 1.0
X-Received: by 10.31.5.134 with SMTP id 128mr4573674vkf.29.1454044753300; Thu, 28 Jan 2016 21:19:13 -0800 (PST)
Received: by 10.31.80.133 with HTTP; Thu, 28 Jan 2016 21:19:13 -0800 (PST)
In-Reply-To: <9c878c6b6b505414f71fa53442e4a33a@mail.tc26.ru>
References: <CAMr0u6=76q4n-u1Vpv5vWjSNgi4CtaOJoX0EmvcbXH+9C4w2mg@mail.gmail.com> <78D9D0BF-4ADE-4DDB-88A4-BF03DD6336BA@shiftleft.org> <9c878c6b6b505414f71fa53442e4a33a@mail.tc26.ru>
Date: Fri, 29 Jan 2016 08:19:13 +0300
Message-ID: <CAMr0u6nzV_Y87ghnAcmhgkzk4fgdKtC3Kj8NqPyawHrjhGVySg@mail.gmail.com>
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
To: Mike Hamburg <mike@shiftleft.org>, Grigory Marshalko <marshalko_gb@tc26.ru>, "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="001a114415f40211cf052a722d54"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/52-Ga3Lmd-Jlru2yyQTojVH302o>
Subject: Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE schemes
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jan 2016 05:19:19 -0000

Hello, Mike and Grigory!

Mike, I definitely agree with you that it is impossible to choose a single
solution for all PAKE applications. For example, now in Russia for the
current moment we have two fields where SESPAKE is used:
- protection of a channel between a PC and a cryptographic token (mostly
for the case of Bluetooth-tokens);
- draft implementations of IKEv2 with Russian crypto.
We have distinct issues with counters of attempts here – as you mentioned,
DoS prevention is crucial for many protocols, for IKE v2 particularly.
However, this does not mean that counters should not be controlled at all –
the whole PAKE idea would be nearly useless in this case – this only means
that counters must be managed sensitively and accurately: some of the
counters can be optional or can be controlled at other levels.

For example, in our SESPAKE RFC draft (
https://www.ietf.org/id/draft-smyshlyaev-sespake-01.pdf) we stress (Section
4, notes 5 and 6) that different counters must be handled in different
ways.
The most important point here is that any PAKE security proof exploits
limitations of password trials – so the connected issues must be
represented in some way (with one or another level of strictness) in any
PAKE protocol description.

Therefore, I would correct my consideration on PAKE requirements slightly.
It is of highly importance to add the requirement: a description of a PAKE
protocol MUST include descriptions and usage recommendations of the
following counters:
-          counters of unsuccessful connections in a row,
-          counters of unsuccessful connections for the particular password,
-          counters of the total connections (successful and unsuccessful)
for the current password.


Best regards,
Stanislav V. Smyshlyaev, Ph.D.,
Head of Information Security Department,
CryptoPro LLC


2016-01-28 23:45 GMT+03:00 Grigory Marshalko <marshalko_gb@tc26.ru>:

> Hi, for these heuristics we can use approaches like fuzzy extractors and
> the corresponding theory in order to determine corresponding limitations.
> But this of cause would require training phases.
>
> Regards,
> Grigory Marshalko,
> expert,
> Technical committee for standardisation "Cryptography and security
> mechanisms" (ТC 26)
> www.tc26.ru
>
> 28 января 2016 г., 21:10, "Mike Hamburg" <mike@shiftleft.org
> <%22Mike%20Hamburg%22%20%3Cmike@shiftleft.org%3E>> написал:
>
> Hello Dr Smyshlyaev,
>
> It's worth noting that in many systems, the risk of DoS weighs against the
> risk of password guessing. The designers of these systems may not find it
> acceptable to hard lock an account based on a global count of attempts,
> especially if most of their adversaries are not powerful. For example,
> eBay doesn't want people to lock out the accounts of their competitors just
> by trying 10 times to log in.  In these systems, heuristics are used
> (based eg on IP, CAPTCHAs or browser metrics) to deter guessing.  The same
> sort of work is applicable to PAKE systems. So I don't think brute force
> prevention will be so one-size-fits-all.
> Cheers,
> -- Mike
>
> Sent from my phone.  Please excuse brevity and typos.
>
> On Jan 28, 2016, at 02:59, Stanislav V. Smyshlyaev <smyshsv@gmail.com>
> wrote:
>
>
>
> Good afternoon!
> The order of most security bounds of PAKE protocols is determined by the
> value  $q{send}/|D|$, where $D$ is a size of a password set and $q_{send}$
> is a number of the adversary’s active impacts on the channel. The active
> impact assumes that the adversary can intercept a data in the channel and
> change it. A PAKE protocol is secure if a little number of such impacts
> cannot lead to the adversary’s success for some threat. It means that for
> the secure protocol any active impact leads to the fail abortion of the
> protocol. The bounds of the security can be reflected in the particular
> values if there are limitations for the value $q_{send}$.  In practice it
> can be achieved with counters that limit the number of unsuccessful
> authentication attempts. These limitations are the essential part of the
> protocol as they define the final security. For example, their absence
> leads to the vulnerability of the protocol to the online password brute
> force attack.
> So we think that it is of highly importance to add the following
> requirement: the description of the protocol of the PAKE type MUST include
> the limitations and detailed description of the following counters:
> -          counters of the fail connections in a row,
> -          counters of the fail connections for the particular password,
> -          counters of the total connections (successful and unsuccessful)
> for the current password.
> Best regards,
> Stanislav V. Smyshlyaev, Ph.D.,
> Head of Information Security Department,
> CryptoPro LLC
> <seonghan.shin@aist.go.jp> wrote:
>
> Dear Jörn,
> Thank you for the document.
> Here are some comments:
> 1. It is somewhat misleading to differ balanced and augmented by a type of password storage in Section 3.1 because in balanced PAKE protocols passwords can be stored as elements generated with a one-way function. As you already wrote in the second paragraph, the difference is whether it is providing KCI or not.
> 2. In Section 3.3, “~ while the second one proposes a generic construction that allows transferring any two-party PAKE into a GPAKE protocol.”. However, there are other papers to convert 2-party PAKE to group PAKE (e.g., [ACGP11]).
> M. Abdalla et al., “Contributory Password-Authenticated Group Key Exchange with Join Capability,”' CT-RSA 2011
> Best regards,
> Shin
> ------------------------------------------------------------------------------
> SeongHan Shin
> Information Technology Research Institute (ITRI),
> National Institute of Advanced Industrial Science and Technology (AIST),
> 8F, AIST Tokyo Waterfront Bio-IT Research Building,
> 2-4-7 Aomi, Koto-ku, Tokyo, 135-0064, Japan
> Tel : +81-3-3599-8001
> E-mail : seonghan.shin@aist.go.jp
> ------------------------------------------------------------------------------
>
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>
>

v2.23.0 | Report a Bug | By Email