Re: [CFRG] On the properties of sid in CPace
Björn Haase <Bjoern.M.Haase@web.de> Sun, 19 September 2021 21:30 UTC
Return-Path: <Bjoern.M.Haase@web.de>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39CCC3A3FC0 for <cfrg@ietfa.amsl.com>; Sun, 19 Sep 2021 14:30:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.995
X-Spam-Level:
X-Spam-Status: No, score=-1.995 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=web.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c3-8VP8-6OL9 for <cfrg@ietfa.amsl.com>; Sun, 19 Sep 2021 14:30:24 -0700 (PDT)
Received: from mout.web.de (mout.web.de [212.227.17.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FC063A3FBC for <cfrg@irtf.org>; Sun, 19 Sep 2021 14:30:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=web.de; s=dbaedf251592; t=1632087015; bh=8dPbebVPk8y4z4JAvaon8D3MPrALVGNolZFJk5Q9qGA=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date:In-Reply-To:References; b=KMOBtpI01dsiDIV1vRU5tX5IlZJi5rWoHv7X1nyBnsWCHg/+8T6m6ipmaIYs9pbKm 3AQMd5NlTRX7tz9D1QzjUoDmoRupkxGGxNQwPJe99VtrHtnhjn4jYI6jkjrhbLJZs+ KUcQVhsvsEWcnwBq3/b8/4MR/nEQWW4hT47PDgfQ=
X-UI-Sender-Class: c548c8c5-30a9-4db5-a2e7-cb6cb037b8f9
Received: from [109.90.104.251] ([109.90.104.251]) by web-mail.web.de (3c-app-webde-bap48.server.lan [172.19.172.48]) (via HTTP); Sun, 19 Sep 2021 23:30:14 +0200
MIME-Version: 1.0
Message-ID: <trinity-b33bfb79-7d54-465c-a87c-9916a61f4978-1632087014713@3c-app-webde-bap48>
From: Björn Haase <Bjoern.M.Haase@web.de>
To: Filippo Valsorda <filippo@ml.filippo.io>
Cc: cfrg@irtf.org
Content-Type: text/html; charset="UTF-8"
Date: Sun, 19 Sep 2021 23:30:14 +0200
Importance: normal
Sensitivity: Normal
In-Reply-To: <467d4f31-a4e4-444a-98c5-d84b7ff2f8ae@www.fastmail.com>
References: <03a81355-32e2-465e-b08a-e33d02112ab8@www.fastmail.com> <28627528-517a-368f-3482-ab8f768bdf75@gmail.com> <a8f60406-4b3e-4d69-823d-b27bd2130011@www.fastmail.com> <3374a131-8e54-411d-8d00-50f5acbaadf5@gmail.com> <e7182544-658c-42ce-9018-9c1948c54abf@www.fastmail.com> <34180d3d-0f7a-b567-d689-5654e4e3fad5@gmail.com> <258984cb-5c7b-48a6-b657-1f5c82862814@www.fastmail.com> <467d4f31-a4e4-444a-98c5-d84b7ff2f8ae@www.fastmail.com>
X-UI-Message-Type: mail
X-Priority: 3
X-Provags-ID: V03:K1:WgnpV8qczBP+DpqHsAB0E+jPorQ/Q/qK3YLH/WaGo8oLTzcFc0DKxWhzMEjZnl/MgJQuU VY2qkJ3gTRg5YpHhYkbR5qID9G+ggxgs6oRUKLdngt+IvCAIb70CeaCT488dN3sTNklvxaJoHlaF qrKahlm4mAkpQtWesc3zsU756Ny6T/8UpyUPwXbp6H7jJITr/7jeyu5DT8y/0cc7RLXBuWJxxymr YqGB+Vni73nuWrSBZMDZziakRDtsgKH0oeJBFL2MitPgtCUGWL0qAfm8Z6++OWUoj7UiaZDOIyvq PU=
X-UI-Out-Filterresults: notjunk:1;V03:K0:Z6q+QvmD4lA=:yTZa36ByUw9ICu03/ruuAV Ue6CCbzLdgK1O1GGJVFCEsIU6tbRYQS+ETi5r6HAPgCKpZw2vdeJYyK4q39KShvyYGFOSN6mS bcFaZAs1mpTo/6WxlOIHXH8B2gnbf1KNsQWkqhtscdu5EFJV0BztIavvfppZ715ffdm9deg6p y7J+p21OXWvZNUnUdCX82Mc/t1EwyLMGSAt7AmqMDH8XmA+EC8ReiDBwlalTnyuBqZBgv4gzh 6Dend+d1mqBZN6jo/6toaAa1XHi8ziuTPMvczFWKWojWja2JlkUwvRx5FTpUskUJwLDuVpbd7 5hiSJefwW0WR5tIQsPOFXrVio9JXCPEUko8kv7NxdXE6J7rz/CZDyHWhQGM56/vAImZVZ7Iqj k5JmIWtg2aUEAwRROPi/2YpnnElPsOI2kTDGVGuuf+mZfZpFLlXByeMz66DGPf8PSrhv0R0hW iPAYZED9EwnMgRrbqypUVIBZ/lz3nOiuPUEqT6vMedK+jpWq6lYUGPcO4OOy3gckTgxQDDa50 Mxsn0/SDi3kSWc6t+E1bZ1sNcykN3aTkxj85CJS4GUGU5HIqL36OkkzRVwGzi5/WTZjtJqDce 8OBglpGO18tWUrspJxDIdMNnWXORLynfQc2XMotHLKKysdKyDloXoexVU4BnPFDQPMrshcvBe OriuFQ1n2YH7lMPUG+vbLG+VaXSFqdPWLFa3t5qd10+YNBLgnMoxzOOm51/HdlHKV8gVUpVMl 0YiBtOF+dvGqkl1iYlZRkNIQEBXEeoy0xnpzikvwrAd0ozRpFWPXMheg/l0cA+RXX/fVFhc3c 7Wxld25
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/756N-LgPqZ82BbCeeFxPPcqK4-E>
Subject: Re: [CFRG] On the properties of sid in CPace
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Sep 2021 21:30:30 -0000
Von: "Filippo Valsorda" <filippo@ml.filippo.io>
An: cfrg@irtf.org
Betreff: Re: [CFRG] On the properties of sid in CPace
2021-04-15 07:46 GMT+02:00 Julia Hesse <mailto:juliahesse2%40gmail.com" target="_blank" rel="nofollow">juliahesse2@gmail.com>:Hi Filippo,When you say a "one-time protocol", does that mean executing it onlyonce per password?it depends on whether the protocol uses the isolated sid or not. E.g.,in case it always uses sid,P,P' (where P,P' are identifiers of the twoparticipants), the current security analysis seems to hold for oneexecution per pair of identifiers. That means you and I could exchangeat most one key. Of course, we do not want such restrictions for thedraft. All I'm saying in this thread is that the current securityanalysis does not support more executions if sids are initiator-chosen.Hi Julia,Oh, so if I understand correctly one execution means one per identitiespair, which makes sense, thank you.Looking forward to hearing if you can get past that restriction, andthank you for walking me through it.Related note: the UC model, and therefore all security analyses ofCPace, assume that these party identifiers are known on both sides.However, this might be impractical for some applications. Let's say werecommend in the draft to choose identifiers as strings IP:PORT.Consider a setting where my computer runs two processes, one called AUTHhandling authentication requests, and one called MAIN handlingeverything else, for example network communication. While I would assumethat implementors can adapt the AUTH process to work with CPace, theymay not be able to touch the MAIN process. If MAIN internally rewritesIP:PORT pairs to another identifier PID1, then we are suddenly in asituation where both ends of CPace do not have any joint understandingof how they call themselves.To summarize: you are very right in being worried about loadingimplementors with instantiating the various CPace parameters. As I said,we are working on simplifications. For example, we are currently lookinginto completely removing party identifiers from hashes in the securityanalysis, such that we can change some parameters in the draft to beoptional.Indeed, this is why I opened this thread in the first place: I wastrying to get a better sense of how to map protocols (where we rarelyhave access to stable, shared, and unique identities) to CPaceparameters. I am glad to hear you are working on it!Oh, I am not suggesting using Ya and Yb as nonces, like in the originalthread. I am firmly on the engineering side, so if you folks are notcomfortable with it I am not going to mess with it :) I think mysuggestion is the same from a theoretical point of view, and if it isn'tI am failing to understand or explain something.What I'm saying is that currently any implementer or higher levelprotocol designer needs to figure out the difference between sid,identities, and additional data, and match them with parts of theirprotocol. My suggestion doesn't remove or repurpose anything, it justrewords everything in terms of a protocol transcript and what it mustinclude.Instead of hashing sid and CI into G, and maybe the transcript into CI,it says to hash the whole transcript, and that it must include uniquevalues from both sides, which means it includes the sid. Then insteadof hashing sid, Yas, and Ybs into ISK, it says to again hash the wholetranscript, which at this point will include the sid values from beforeCPace was run, and Yas and Ybs. Yas and Ybs are in transcript2 becausethey are already in the draft, not to replace sid.Ah, sorry for my misunderstanding. What you propose would clearlysimplify, but I don't feel able to discuss this without knowing theexact requirements for all the parameters in the draft,e.g., how theymap to the parameters used in the security analysis. Let me get back toyou when we are at that point.Best,Julia(This implies sending Yas and Ybs on the wire, which raises the questionof why the current draft sends Ya and Yb instead. Sending somethingdifferent from what's hashed in the transcript seems like asking fortrouble. Of course none of this would matter for a proper prime ordergroup such as ristretto255...)Besides being IMHO clearer about how to integrate in a protocol, thisvariant has two other advantages: it encourages the use of transcriptseven further, and it eliminates the difference between CI and sid, whichis still not clear to me.Quick question: what is the difference between Ya and Yas here?Yas = strip_sign_information(Ya)It's the x or u coordinate without the sign bit for the other coordinate.Thanks for the proposal! We are currently in the process of reviewing the contents of the draft, including revisiting the roles of DSI,CI,sid,party identifiers etc., and we will take your proposal into account.Best,JuliaWhat do you think?Cheers,Filippo2021-04-12 21:51 GMT+02:00 Julia Hesse <mailto:juliahesse2%40gmail.com" target="_blank" rel="nofollow">juliahesse2@gmail.com>:Dear Filippo,thank you for opening this topic, which certainly needs discussion. Iplanned to write about sid establishment in general for a while, so I'mhappy you are finally forcing me :) First, let me try tocomplement/structure some prior information given on this list aboutsession identifiers in UC.From the side of UC, there are 2 requirements on the sid of a protocol(for the purpose of this email, it's okay to think of a 2-party keyexchange protocol):(1) uniqueness(2) known in advanceBoth properties are assumptions made by the UC framework, which is whyprotocols formulated in UC terminology never check uniqueness of the sidgiven to them. It is simply an assumption, meaning that it is notpossible to model protocol executions with session identifiers are notunique or not known in advance. As Ran explained here[https://mailarchive.ietf.org/arch/msg/cfrg/fgwMYLfaa1ZbF_UgKcurse211KE/" target="_blank" rel="nofollow">https://mailarchive.ietf.org/arch/msg/cfrg/fgwMYLfaa1ZbF_UgKcurse211KE/],he chose these mechanisms for the proper modeling of interactiveprocesses in dynamic systems.Okay. But who choses sid's, and how?Combining both properties, for a two-party protocol our options areessentially as follows:(1) sid is given as input to initiator, the responder obtains the sidwith the initiator's first message and outputs it to the application.(2) sid is given as input to both parties.In both cases, the application needs to ensure uniqueness of the sid forproven UC guarantees to hold even if the protocol is executed multipletimes. For (2), one could let both parties contribute their ownrandomness in an interactive protocol that is run *as part of theapplication*. A non-interactive way is to let both parties' applicationprocesses derive a unique sid from the application's session's values,e.g. sid=(IP-A,IP-B,application-transcript). There might be ways tonicely integrate such sid establishment into application protocols(e.g., TLS or HTTPS) by piggybacking messages etc., but they all exploitproperties of the specific application protocol. What I want to say isthat, imo, there is no way of telling what the best sid establishmentmethods for CPace or OPAQUE are without considering the concreteapplication protocols.If we want to provide and analyze an application-independent method forsession identifier establishment, we need to switch to a multi-sessionversion of, e.g., key exchange (as hinted by Ran in his post already). Apractical example of such a multi-session protocol is the DH keyexchanges within TLS1.3 (essentially, all of them, seen as one singleprotocol execution that runs since the deployment of TLS1.3). Since thisprotocol is started only once and runs during the lifetime of TLS1.3, wecan simply set sid=DHKE_TLS1.3. In this protocol, it is up to theparties to keep track of and distinguish their different attempts toexchange keys. Thus, any multi-session key exchange protocol will haveto incorporate a mechanism to establish unique joint identifiers(``sub-session identifiers'') whenever two parties want to exchange a key.What does this mean for CPace, which is analyzed and drafted as asingle-session key exchange? Let me try to answer some of your questions:>> First, how does the security of CPace degrade upon sid reuse? If it> were to> happen due to birthday bounds, how catastrophic would it be?>> What happens if the sid can be attacker-controlled between two> otherwise honest> peers which both know the password?>No need to invoke the birthday bound, as it happens already when theresponder accepts any sid proposed by a malicious initiator (who can ofcourse also play man-in-the-middle with same sid on both sides). Notethat we are now kind of outside the UC model for single-session CPace,since in UC sid re-use "merges" CPace instances, while in reality we canhave different CPace executions with same sids.To answer your question formally, one would need to consider CPace asmulti-session protocol. If this protocol has a built-in mechanism tokeep parties from running different key exchanges with matching sids, Iwould bet that we can just use the same simulation strategy as insingle-session CPace, to simulate each subsession. If such mechanism ismissing, it seems the current proof strategy cannot be lifted tomultiple sessions: it breaks down upon re-use of sid for a pair ofparties P,P' exchanging two keys from same passwords. The individualsimulation strategies for those exchanges would attempt to program thepassword hash function at the same point (sid,P,P',pw) to differentvalues, and thus fail.This of course does not imply that there is a meaningful attack on themulti-session protocol level (a protocol that has not even beenspecified yet), nor that the conducted single-session proof is flawed.It does however suggest that method (1), which is also used in thecurrent version of the draft, is not the best choice for single-sessionCPace.> Is uniqueness its only requirement, or does it also have to be> unpredictable?>The proof of CPace does not rely on unpredictability. Of course,unpredictability could help ensuring uniqueness in a setting wheremultiple single-session CPace executions are spread in a distributedsystem that does not have any other mean for ensuring uniqueness.BestJulia_______________________________________________CFRG mailing listmailto:CFRG%40irtf.org" target="_blank" rel="nofollow">CFRG@irtf.orghttps://www.irtf.org/mailman/listinfo/cfrg" target="_blank" rel="nofollow">https://www.irtf.org/mailman/listinfo/cfrg_______________________________________________ CFRG mailing list CFRG@irtf.org https://www.irtf.org/mailman/listinfo/cfrg" target="_blank" rel="nofollow">https://www.irtf.org/mailman/listinfo/cfrg_______________________________________________CFRG mailing listmailto:CFRG%40irtf.org" target="_blank" rel="nofollow">CFRG@irtf.orghttps://www.irtf.org/mailman/listinfo/cfrg" target="_blank" rel="nofollow">https://www.irtf.org/mailman/listinfo/cfrg_______________________________________________ CFRG mailing list CFRG@irtf.org https://www.irtf.org/mailman/listinfo/cfrg" target="_blank" rel="nofollow">https://www.irtf.org/mailman/listinfo/cfrg_______________________________________________CFRG mailing listmailto:CFRG%40irtf.org" target="_blank" rel="nofollow">CFRG@irtf.orghttps://www.irtf.org/mailman/listinfo/cfrg" target="_blank" rel="nofollow">https://www.irtf.org/mailman/listinfo/cfrg_______________________________________________CFRG mailing listhttps://www.irtf.org/mailman/listinfo/cfrg" target="_blank" rel="nofollow">https://www.irtf.org/mailman/listinfo/cfrg
- [CFRG] On the properties of sid in CPace Filippo Valsorda
- Re: [CFRG] On the properties of sid in CPace Julia Hesse
- Re: [CFRG] On the properties of sid in CPace Filippo Valsorda
- Re: [CFRG] On the properties of sid in CPace Julia Hesse
- Re: [CFRG] On the properties of sid in CPace Filippo Valsorda
- Re: [CFRG] On the properties of sid in CPace Julia Hesse
- Re: [CFRG] On the properties of sid in CPace Filippo Valsorda
- Re: [CFRG] On the properties of sid in CPace Filippo Valsorda
- Re: [CFRG] On the properties of sid in CPace Björn Haase