Re: [CFRG] Attack on a Real World SPAKE2 Implementation

Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 07 May 2021 08:19 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Ruben Gonzalez <in+lists@ruben-gonzalez.de>, "cfrg@irtf.org" <cfrg@irtf.org>
CC: "rixxc@redrocket.club" <rixxc@redrocket.club>
Date: Fri, 07 May 2021 08:17:15 +0000
Message-ID: <SY4PR01MB625110F1F7633D989FCF183EEE579@SY4PR01MB6251.ausprd01.prod.outlook.com>
References: <2bfbd767-b93a-42bd-be7d-1dae9e32e555@ruben-gonzalez.de>
In-Reply-To: <2bfbd767-b93a-42bd-be7d-1dae9e32e555@ruben-gonzalez.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/57Wfgwap4nDxZaqOlbpd3Lkw9Jk>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

Ruben Gonzalez <in+lists@ruben-gonzalez.de> writes:

>We did not attack SPAKE2 directly, but a faulty implementation.

Nice work!  This is an example of what I once referred to as second-order
snake oil crypto, good crypto applied badly (first-order is bad crypto).  It's
also at least as deadly as first-order snake oil because now the attacker has
a beacon to guide them to where the insecurities are: Ignoring the great mass
of other code, look for where the crypto is done and then find the flaw in how
it's applied.

(This makes the job of doing crypto audits much, much easier, at least in the
sense that it makes it easy to demonstrate the value of performing the audit
to whoever commissioned it.  Seeing AES-GCM or some other RC4-equivalent and
ECDH practically guarantees a useful result).

Peter.