Re: [Cfrg] aPAKE Analysis / Why System-Level-View
Jonathan Hoyland <jonathan.hoyland@gmail.com> Wed, 18 September 2019 11:50 UTC
Return-Path: <jonathan.hoyland@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB758120220 for <cfrg@ietfa.amsl.com>; Wed, 18 Sep 2019 04:50:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MepMB-bXAlXA for <cfrg@ietfa.amsl.com>; Wed, 18 Sep 2019 04:50:35 -0700 (PDT)
Received: from mail-vs1-xe35.google.com (mail-vs1-xe35.google.com [IPv6:2607:f8b0:4864:20::e35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BADCE12004D for <cfrg@irtf.org>; Wed, 18 Sep 2019 04:50:34 -0700 (PDT)
Received: by mail-vs1-xe35.google.com with SMTP id b123so4249714vsb.5 for <cfrg@irtf.org>; Wed, 18 Sep 2019 04:50:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6zDqcLBVKYWz/ZOqqkV54L2O6Y3fcABrBAmDInlAyg8=; b=XM7RkIC1fRijCQirtKOw9oL0YjsEQpOPKqFgR7A3+d449aZ3qH9w6aG7VxmCJQEzRR 5G4Hyy+6y92NVCxHRrZ0l6s5oCrzVnS6686vTTxhO6OBtNYvWcosZJ4QIfYQyqK7j0ZR UoqbkxPJoiPMPHgwgBJRgDB/zVgDnSDutt1AAipgSLzl/YOy0uBK9wW92YOOvf3QmrhQ Xq48QeAifHKUFIqbdbRTUPhILT5sIp75td2hPRh6WrhgYvn0ivfAUbYtvBjyRAjDkEJ6 06y7f+dhUpK084SxZe5py212k0ftDg+B4J6b9/6K1o/bEpxkmPoM/REuWJ7nqqg1+XQC 8NCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6zDqcLBVKYWz/ZOqqkV54L2O6Y3fcABrBAmDInlAyg8=; b=Ovy8kdC8s1e4yD+bpFnPqxKAT90kEIbM/syNQXgAO2/Xfk3N4D221dyl8YaQi7IY1I r30Fq+mNAqmjjOEzThWdV+ooK5TaGc9WIlEB7i+imhgBMa7FxjAQCQQGZaVU3hcQ6z/9 +U6XWgkGfL+PHXhmEme2OYfvPJtJQnUQBiBUA01cOLAU3Xw+3qHlhqhXJPe6oYCNBmQ7 5/JyE40hoQtltQOecKPT96qOb0wyzZdFKa6bjV+gSjmAbhJlISRxfKnqYZbEOgL0QtQD 7lSpgEnx4fG4J2+cpoxy2CZdXAKrvjgY1RkvvTk5o00tsPwPhLsI6/vKQdxFrHpILKgt JVTw==
X-Gm-Message-State: APjAAAVc8iGIoZZ/t8beg3zJ1rgAxV28z1RvFNrrQep5FX3jIYkq59iH Faj/bvPKqgqs61Kb0n0Xj//4qT7a+/iEID4BSf4=
X-Google-Smtp-Source: APXvYqxlEFyn2nXMOsEORQ634sJIwUfnwP4L816tlmoDoj25hdf5Rj8kExfEQ65A4dXJqSap2eLN6JnklQf6IYB0NDY=
X-Received: by 2002:a67:ef5d:: with SMTP id k29mr1739207vsr.11.1568807433660; Wed, 18 Sep 2019 04:50:33 -0700 (PDT)
MIME-Version: 1.0
References: <VI1PR0501MB22558468E3C0549F452736CC838E0@VI1PR0501MB2255.eurprd05.prod.outlook.com>
In-Reply-To: <VI1PR0501MB22558468E3C0549F452736CC838E0@VI1PR0501MB2255.eurprd05.prod.outlook.com>
From: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Date: Wed, 18 Sep 2019 12:50:22 +0100
Message-ID: <CACykbs2-4XVJKZU_f90QN42XH-ec1HoUx02ts19gd3=AjjYTCA@mail.gmail.com>
To: Björn Haase <bjoern.haase@endress.com>
Cc: Hugo Krawczyk <hugo@ee.technion.ac.il>, cfrg <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000cdedb00592d271c5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/73xx-WotZ2VYzvMJjsc_byEmwqI>
Subject: Re: [Cfrg] aPAKE Analysis / Why System-Level-View
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Sep 2019 11:50:37 -0000
Hi Björn, I think the aPAKE candidates analysed in the UC model are taking the right approach. I think it would be valuable for as to give them composable features such that it is well defined how to bind them to other protocols, and how to bind other protocols to them. If we can define a channel binding for the aPAKE and further allow the aPAKE to commit to ancillary data then are well on our way to making it a useful primitive. In terms of integration with other systems like PAM, ActiveDirectory or even HTTP, I think it is better to go with a flexible design, rather than directly cater for specific use cases. Integrating TLS-PAKE with PAM doesn't strike me as likely to be challenging. Admittedly I have never written a PAM module before, but it would seem to be simple enough, at least with OPAQUE with Exported Authenticators (EAs). The PAM database would store `EnvU, PubS, PubU, kU, kV`, make the appropriate challenge, which would be wrapped in the appropriate TLS EA frames by the TLS stack, the responding certificate would have the channel binding checked by the TLS stack, before passing the certificate to the PAM module to verify the signature proves knowledge of `PrivU`. Presumably if the PAM database is being upgraded / goes away then people won't be able to successfully authenticate, which is at least fail closed. If there were a reference PAM module then 'normal' application developers wouldn't need to implement any code, especially if support were built in to servers implementing TLS PAKE. Things like password updates are also simple, in as much as, you just repeat the registration step, with the application logic handling who is allowed to do what and when. Given that EAs are handled at the HTTP layer in the form of certificate frames, I imagine that TLS-OPAQUE would also be handled at the HTTP layer, so more complex logic would be done at the higher layers. The key thing I would say about separating off the aPAKE into a security subsystem is that we need to make sure that the binding to the TLS connection is strong, and in particular that there is no way to pass the aPAKE protocol between two different TLS connections. Consider the current system: A user, `A`, connects to a server `B` and reuses the same password that she established with server `C`. `B` can now take this password and use it to impersonate `A` to `C`. Now consider a system where an aPAKE is simply run inside a TLS connection with no attempt to bind it to the underlying TLS session: A user, `A`, connects to a server `B` and reuses the same password that she established with server `C`. `B`, instead of running the aPAKE honestly opens a new connection to `C` and simply forwards the messages back and forth. The protocol succeeds, because in this scenario we assume that `A` is not checking consistency between the TLS connection and the aPAKE protocol. `C` might now, incorrectly, assume that the owner of the TLS connection, `B`, has successfully authenticated himself as `A`. The key established between `A` and `C` is not used to authenticate any future data on the connection, and `B` can now perform any action for which `A` is authorized. All this to say, a strictly compartmentalized approach to constructing TLS-PAKE is unlikely to be secure. Specifically, the inner and outer protocols not only need to be aware of each other, they need to interact. If by security subsystem you only meant a way to separate application data and aPAKE data then defining a new TLS record type for authentication messages sent over TLS would be fairly trivial. If we select a PAKE that is easy to compose with other protocols then it should be versatile enough to handle anything we need it to. Second-factor authentication would be a good example of a protocol that would be bound to a PAKE, and we should design bindings accordingly, such that we don't need to consider second-factor directly. I think OPAQUE-EA has good composition properties, but all of the candidates have scope. Regards, Jonathan >
- Re: [Cfrg] aPAKE Analysis / Why System-Level-View Björn Haase
- Re: [Cfrg] aPAKE Analysis / Why System-Level-View Jonathan Hoyland
- Re: [Cfrg] aPAKE Analysis / Why System-Level-View Natanael
- Re: [Cfrg] aPAKE Analysis / Why System-Level-View Björn Haase
- Re: [Cfrg] aPAKE Analysis / Why System-Level-View Björn Haase
- [Cfrg] patent situation regarding hash2curve as u… Björn Haase
- Re: [Cfrg] aPAKE Analysis / Why System-Level-View Natanael