Re: [CFRG] Attack on a Real World SPAKE2 Implementation
Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 07 May 2021 08:19 UTC
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Ruben Gonzalez <in+lists@ruben-gonzalez.de>, "cfrg@irtf.org" <cfrg@irtf.org>
CC: "rixxc@redrocket.club" <rixxc@redrocket.club>
Date: Fri, 07 May 2021 08:17:15 +0000
Message-ID: <SY4PR01MB625110F1F7633D989FCF183EEE579@SY4PR01MB6251.ausprd01.prod.outlook.com>
In-Reply-To: <2bfbd767-b93a-42bd-be7d-1dae9e32e555@ruben-gonzalez.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/57Wfgwap4nDxZaqOlbpd3Lkw9Jk>
Ruben Gonzalez <in+lists@ruben-gonzalez.de> writes:

>We did not attack SPAKE2 directly, but a faulty implementation.

Nice work!  This is an example of what I once referred to as second-order
snake oil crypto, good crypto applied badly (first-order is bad crypto).
It's also at least as deadly as first-order snake oil because now the
attacker has a beacon to guide them to where the insecurities are: Ignoring
the great mass of other code, look for where the crypto is done and then find
the flaw in how it's applied.

(This makes the job of doing crypto audits much, much easier, at least in the
sense that it makes it easy to demonstrate the value of performing the audit
to whoever commissioned it.  Seeing AES-GCM or some other RC4-equivalent and
ECDH practically guarantees a useful result).

Peter.