Re: [Cfrg] Forward secrecy of SPAKE2

Wasa Bee <wasabee18@gmail.com> Mon, 09 September 2019 16:27 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/5Kih1owg2jyfsrpiHbgXilQaN-c>

Hi

AFAIK, PFS has two components (I recall a presentation by Hugo Krawczyk but
I don't remember which conference):
- long term key compromise does not break the security of past
communications.
That's what the paper shows (long-term key = password)
- short term key compromise (e.g. ephemeral DH private key, session key) does
not break the security of future sessions. I don't think this holds for
PFS-SPAKE2, i.e., an attacker who recovers the DL of the public DH share
can recover the password, and impersonate the participants thereafter:

1) -> Imagine an attacker sends X* = g^x (instead of the intended X* =
g^x.M^p, since he does not know the password p).
2) <- The victim Bob computes (X*/M^p)^y = g^xy / M^yp = K, and sends Y* =
g^y - Note this is different from the original SPAKE2 where Bob sends
g^y.N^p. Bob also sends the confirmation message H1(C, S, X∗, Y, K, p).

If the attacker subsequently manages to recover the ephemeral exponent y
for Y*, then he can offline brute force the password p, by trying all
(low-entropy) passwords p_guess such that:
H1 = H1_guess(C, S, X*, Y, g^xy/M^yp_guess, p_guess)
C, S, X* and Y are publicly available
x is generated by attacker so is known to him
y is known as per assumption
=> only unknown is p

The attacker now knows the password and can impersonate as Alice or Bob.
Note this works because passwords have low entropy.

Note that for the original SPAKE2, if y leaks, then there is a similar
problem. However in the original SPAKE2 protocol, g^y is never transmitted.
What's transmitted instead is g^y.N^p (by Bob, phase 2 above), so I don't
think the attacker can recover y since he does not even see g^y - at least
it seems more difficult. So to me SPAKE2 can withstand a stronger attacker
model in this scenario: an attacker must break into Bob's computer and
recover his volatile memory to get y. At this point it's probably easier
for the adversary to recover p itself so this is an acceptable scenario,
IMHO...

Did I miss something?

Any thoughts?



On Wed, Sep 4, 2019 at 1:48 PM Björn Haase <bjoern.m.haase@web.de> wrote:

> Dear Watson,
>
> > I overlooked https://eprint.iacr.org/2019/351.pdf in my
> > earlier discussions of SPAKE2.
>
> Yes. You might also have overlooked my post from July 19th :-).
>
> https://mailarchive.ietf.org/arch/msg/cfrg/28La-UQyKqpDyaLeIZ_ikD5ccoY
>
> Yours, Björn
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>
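Added worked example (not code from the message author, from the CFRG thread, or from the PFS-SPAKE2 paper): a toy Python model of the exchange exactly as the message above describes it, followed by the offline dictionary attack an adversary can run once Bob's ephemeral exponent y leaks. Assumptions, all mine: a tiny safe-prime group (P = 2Q+1 = 1019, generator g = 4, fixed element M = 9) stands in for a real curve; passwords are mapped to the exponent p with SHA-256 mod Q; the confirmation function H1(C, S, X*, Y, K, p) is SHA-256 over a '|'-joined encoding of its inputs; and the password dictionary is constructed for the demo. None of these choices changes the attack's logic, which costs one exponentiation and one hash per candidate password regardless of group size.

```python
"""Toy PFS-SPAKE2 flow (as described in the message) and the y-leak dictionary attack.

Added example, not the message author's or the PFS-SPAKE2 paper's code.
Assumed: toy safe-prime group, SHA-256 for password->scalar and for H1.
"""
import hashlib
import secrets

P, Q, G = 1019, 509, 4      # toy safe prime P = 2Q+1, subgroup order Q, generator g = 2^2 (order Q)
M = 9                       # public element M = 3^2 (order Q); its discrete log is treated as unknown


def inv(a):
    """Modular inverse mod P via Fermat, used to form 1/M^p."""
    return pow(a, P - 2, P)


def pw_to_scalar(password: str) -> int:
    """Map a password to the exponent p used in M^p (assumption: SHA-256 mod Q)."""
    return int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % Q


def H1(C, S, Xstar, Y, K, p):
    """Confirmation message H1(C, S, X*, Y, K, p), instantiated with SHA-256 (assumption)."""
    return hashlib.sha256("|".join(map(str, (C, S, Xstar, Y, K, p))).encode()).digest()


def alice_start(password):
    """Honest Alice: X* = g^x * M^p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P) * pow(M, pw_to_scalar(password), P) % P


def attacker_start():
    """Attacker without the password (step 1 of the message): X* = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def bob_respond(password, C, S, Xstar):
    """Step 2: K = (X*/M^p)^y, send Y* = g^y and H1(C, S, X*, Y, K, p).

    y is returned only so the demo can model its later leak to the attacker."""
    p = pw_to_scalar(password)
    y = secrets.randbelow(Q - 1) + 1
    K = pow(Xstar * inv(pow(M, p, P)) % P, y, P)
    Y = pow(G, y, P)
    return Y, H1(C, S, Xstar, Y, K, p), y


def alice_finish(password, C, S, x, Xstar, Y, h1):
    """Honest Alice verifies Bob's confirmation: with the right password K = Y^x = g^xy."""
    return H1(C, S, Xstar, Y, pow(Y, x, P), pw_to_scalar(password)) == h1


def offline_dictionary_attack(C, S, x, Xstar, Y, h1, y, dictionary):
    """Given the attacker's own x, the leaked y and the public transcript, test every
    candidate password offline. Returns every word whose scalar explains the transcript
    (in this toy group several words can share a scalar, hence a list)."""
    hits = []
    gxy = pow(G, x * y % Q, P)
    for guess in dictionary:
        pg = pw_to_scalar(guess)
        K_guess = gxy * inv(pow(M, pg * y % Q, P)) % P      # g^xy / M^(y * p_guess)
        if H1(C, S, Xstar, Y, K_guess, pg) == h1:
            hits.append(guess)
    return hits


def demo(password="correct horse", C="client", S="server"):
    """Runs one honest session, then the attack session; returns (honest_ok, candidates)."""
    x, Xstar = alice_start(password)
    Y, h1, _ = bob_respond(password, C, S, Xstar)
    honest_ok = alice_finish(password, C, S, x, Xstar, Y, h1)

    x_att, Xstar_att = attacker_start()                       # attacker sends g^x, no M^p
    Y, h1, y_leaked = bob_respond(password, C, S, Xstar_att)  # Bob answers; y later leaks
    dictionary = ["123456", "password", "letmein", "hunter2", "correct horse", "qwerty"]  # constructed
    return honest_ok, offline_dictionary_attack(C, S, x_att, Xstar_att, Y, h1, y_leaked, dictionary)


if __name__ == "__main__":
    print(demo())
```

The attacker never needs to run the protocol to completion or to be online during the guessing: X*, Y and H1 are on the wire, x is his own, and once y is known each guess is checked locally against the recorded confirmation message, which is the offline brute force the message describes.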