[CFRG] Re: RGLC on draft-irtf-cfrg-opaque-13

"Hao, Feng" <Feng.Hao@warwick.ac.uk> Tue, 28 May 2024 21:19 UTC

Return-Path: <Feng.Hao@warwick.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4A74C151070 for <cfrg@ietfa.amsl.com>; Tue, 28 May 2024 14:19:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=warwick.ac.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4gZfe0_6Gg5U for <cfrg@ietfa.amsl.com>; Tue, 28 May 2024 14:19:12 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-db3eur04on0710.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0c::710]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C4E0C14CF17 for <cfrg@irtf.org>; Tue, 28 May 2024 14:19:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ATKzlS4BxjjkLK8HS2T5mJ5ZvraPeh3P0hsnQ7BkUQmzEzZhUL0T8COaF6N86ChRFteBpFRcW7z+7HKGRJmv6BjwKoJvzvtCS+d0xDX16OFUI9gLOUIkoi6mm9dtFy9Wi7fhT9tyQyswe4fhYQ6OaX2LKzyFwqM/AdwrS7pq6IMtwQ46e4f4Iu6tGun6hJdUrEgh8OEZ/sw/t75bnKUjr2xh1prxDzvi//GB+dQrTf5DyDyhmH8S6hgtXszBFb+g///yFjxyDsQWgNfTfntlgWJkUwP/I7wAxA8j9nfibsYLOxkijUiunfCE48wgBW4j0HAYrKceqAW+sqpm1l56WQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=DCVK3rT/fuCyLYIwCpCBuK7OabWBThTFJ1nebfsea6Q=; b=hx+ChFqQihDgiBS92KQsi76oL0JbHyKJvvVNBM7Bu4svx5XPPBDvA/VurkJ48KYRId9PGDEgt53A0GpXCNm+cGaJ5RB6Z8PcoIUKcBUWTmkI7AoPAz5C3Qd/xWnsRXZNY0VhBy4tgKOTVEKF/M325C+3NaVIldZyKl05xSPE/RrIHFAYrzFEhY/c0/2bh6p0jdEttvEERoqWP4Mm1uUprasz5AZTSRfovZebzffNrj/0rJLsmluY+/KOc2Fest8v4syaBfwvCrtvrqvt5/Mxlg85kH8wmsAz9JD46K54ch1NiQhjPbRLELDf1bTn5kQLU+JY5zi2yVoYrbhdTNvAzw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=warwick.ac.uk; dmarc=pass action=none header.from=warwick.ac.uk; dkim=pass header.d=warwick.ac.uk; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=warwick.ac.uk; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=DCVK3rT/fuCyLYIwCpCBuK7OabWBThTFJ1nebfsea6Q=; b=OVudV5duPTarcFl+QK+4DQv3rcU5r9aHfWoq1tUJSfwHWBpsmZP+oFblRUvm3Ov+Dfdp0FFKqXwafG7Y6+4jtf4LMiRtnzWpG09s4dZaPQExgyrv0BwkiU3BDmGvjfRrii8l/+zUU4uSYUlTUFRU7/U+wL905iPZZL9naRuKKro=
Received: from GV1PR01MB8436.eurprd01.prod.exchangelabs.com (2603:10a6:150:1f::14) by AS4PR01MB9959.eurprd01.prod.exchangelabs.com (2603:10a6:20b:4f6::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7611.30; Tue, 28 May 2024 21:19:07 +0000
Received: from GV1PR01MB8436.eurprd01.prod.exchangelabs.com ([fe80::ad9e:98b7:f953:1388]) by GV1PR01MB8436.eurprd01.prod.exchangelabs.com ([fe80::ad9e:98b7:f953:1388%5]) with mapi id 15.20.7611.030; Tue, 28 May 2024 21:19:07 +0000
From: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
To: Kevin Lewi <lewi.kevin.k@gmail.com>
Thread-Topic: [CFRG] Re: RGLC on draft-irtf-cfrg-opaque-13
Thread-Index: AQHarVvG6MH7WAQd1EGEhrA7lhZ1xrGmOOUggABAPICABEp8ToAA0FmAgAADJcqAABChgIAAAmU5gAAKRACAAAJwgIABQXMAgAAuDqA=
Date: Tue, 28 May 2024 21:19:07 +0000
Message-ID: <GV1PR01MB84365706AFEA8749176AEF37D6F12@GV1PR01MB8436.eurprd01.prod.exchangelabs.com>
References: <CADi0yUNbiVTe9BaoCFgDaTC06Z1LMAx6q2hJDiWydpy6xFqtRQ@mail.gmail.com> <GV1PR01MB8436B6B6B75DEBC9F1FB30A9D6EA2@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <CADi0yUNCkk8Y5dQJH6DjR33cP7KXXrQsmHfA0UDRxjGuoXCaLA@mail.gmail.com> <GV1PR01MB8436DBCC8F5B167B0B44490AD6EA2@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <CADi0yUPcyc9oSM4NqWynkWuTPStnD9yqt4XwmAg7c=XjCtik4A@mail.gmail.com> <GV1PR01MB84364908B61E293E46012214D6EB2@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <CADi0yUOtSBmCnQMP-MoyzzxF6LZQcrKfo03sN2cNuO6MS74NAg@mail.gmail.com> <GV1PR01MB84361129416DC8B621CAAEDFD6F42@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <y5y4iquyvrao7jtpyc2ycjtz4sg5dbzhrhddz5j6rv3eydyd2o@zy65yreteuoh> <GV1PR01MB8436B919FE24E2E022639155D6F52@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <2dhbnlfzwgllzqc7farahxqkct3zqcoi7wdj7vybivlzzwxrei@e7phsvy5i6ae> <GV1PR01MB843618C88187FE124B1F142ED6F02@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <CACsn0c=M5OofNyG8YhO4vYOWwFvZW9yLpwMGMXkkDrXZ=Ty1jw@mail.gmail.com> <GV1PR01MB8436ACA18A87EA7AA8A4EA57D6F02@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <CABcZeBP64AC_mSgyU-YyQwCz3bHrbvcqB0xk0TdXampdCtvu6A@mail.gmail.com> <GV1PR01MB8436DDBCAF9F00DDCF34D19BD6F02@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <CABcZeBPsVUaSsX-WOV9ow2tTSaZqspzeAoBhxLBBjJAav71C0g@mail.gmail.com> <CADi0yUO5QjyXhkA7S5z7js79OTQWFdwBnhAiSkR7BFC3H+B1oA@mail.gmail.com> <CACitvs_ngWdAmfSDD-EJG=0XVhkOmhhr=tvYQ+KB7bYXwqwEEw@mail.gmail.com>
In-Reply-To: <CACitvs_ngWdAmfSDD-EJG=0XVhkOmhhr=tvYQ+KB7bYXwqwEEw@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=warwick.ac.uk;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: GV1PR01MB8436:EE_|AS4PR01MB9959:EE_
x-ms-office365-filtering-correlation-id: 863841c4-f14f-48bc-8591-08dc7f5bcf16
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230031|376005|1800799015|366007|38070700009;
x-microsoft-antispam-message-info: 5ePTqes6tzWNomMcXx3ZwJwhh114NH/50GPjYdb1X4ytCdX+wai7Menm0NWbAbAAXBaj1rXNzK0v4DEZZ3Twj2G4isqWQFz8dlI9q1nc8faMnU2WOZwRIkQ70qPkm+MgLSHT/9Wgh51vQBb6rPb5qVzY4jC1U7h5+uqVln73TCBkrN4Zl1EMXYMxjVF+JC+3y4Qg+wuErRw2BTothtHUbJfsZJnWJy6LGEbQwf3Ma5w3d2qU3+WqH8tM8K/susaCNpJqFEtcIBUmx4wvgOF/DelNxLDxRwXXVqwFzntydqZyeOvKqfi0kRIhKnw8Z5zjE1Fo08lSizSUhXbRR0BXMYtMB1sOvH6bl+7OX5STPDuvOwj8+tKLcL1CTRBQ8U4x7Fs40WdRoIV+I7eeTrzUXozMSsAj1reno/h384RzjscRc6ORn5iU2OnsDpOedlrxpYY+USaAIoNsUxLJ3jGZv9P/LrZYtA3fMFwSC9tk+QZcH7107XR0LXyCq65O/AH8Wx8u7il7pOnyWGso2o2vWsLuAb+mYBT+PFvKwCYb728tadLb+AG1chg5Ir/dPz28DdN3UuxjTzvgsJwixqwNVuxrlaaxA+H4eUi12ir+2qVGV/o1X4KOgaKahW0nypuU5W7TQbN3EvsNNicqUM4zwn1Rnqlf8owyPqFXQG4KI5gUe1QpWIV7St/br1WY/LeHvyG99LVeK/6uIEzMjPYz1xVt3sPOC62zeQb757S5ucANOoyF744DGpdcZyhCl858mulXiS1fFA1NfpjIaYiehQZ0DnRra3Fv2P467lPV9boVR2SBf/+4MWIOBPHSkGC2JzP0yirqg5hLkQHHeTYJ0q3MyWdwJTRUAEit03s+YjdywPmaPsykIKF/qRPzznjlm+sT4f2AojMkQgNlBN8v2odMle+gbPhTM8Adr++2shazm6wlpx6QXlePzOiaaTgvh3gW/lbZXULqX9T7mVfOD3f28K20QYMxUdEsQ66twTX2b6cmND0id21TUzAqCEY+sBcZyVGH6+9ykFsDHH3E3ntUjBVcuWtUatGIzyH8m3T+ZUn2O6bkNJImbCglZ8zJO0u/oiMNb/1MgmskQ3W+YuqxnC3qjPMVAhzBkRxZjUnXzYZzu/dxVvCq0Rz1rMsCV8JfGlIOzmrVcWq+cEbGNvAgS4Gl06V98NPXoGPhydwzPC+BWvaWXyIoUwzcLwGP5L6vOOAfi3OxE9O7SncHwvEkAEtx8qstKmX7XC6SzMkR1ZnMRIqLMsPEyZVlRXBLqMvHOMkxArPijNJBK+gjVg==
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:GV1PR01MB8436.eurprd01.prod.exchangelabs.com;PTR:;CAT:NONE;SFS:(13230031)(376005)(1800799015)(366007)(38070700009);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: uakajFiOBNnJ9w43cPWG2ev0+TjQHPAItBECP9k3ylH8StzDcu5qlQRdRpYLPACHWytA82dRfD7SLkRqOsMawLjVr9ITbWHXRj5MDfdLQMeKDK386xqolWouqRaDdlZi8/ww1aWcII51X0Y+GeUKVRCE2+ypZyZ91d8VTR+WW1y5+6Fnjnk9rx6IK6/4dQKYy7ETDICJO3S2DCyN007uZbGW1jkG/RaYSY6a2P/aZCpnx95CPyToyDAM5E2p84bKu9pZqM0YI3jZD7biG1l9FWsCmQDJxnZyYstOAJHB8T3ZwpqaIh5i/yg8eXLWiB59MYM5nyPhT1PUWFEtuLUSHIMnDyfbij0JKffk38EkH/np7y2DYhV52Efc0tNPQbHwVr6wQn3DJgyoBGsJs1YDLe8rEOtyE0RHObuGffq5rSIWM3m1t7/rmuI5ZmhQrl3i+i1k2xfRTJ24sTB7ZoKOArNj6Su6vPw9I95pGfVIzYym3/R8njsjZqjuNAbCmTvQkAyuzRIluFr/wMN42z8bmi6cU4h69fel+WhFp+AFIWt3dBNxYyDvcuwkJLfG2e+Q8z6H9j/BCS/Uv7f2S4EZyi00NQDoIeXJzIBYq1HrMjEuucKzcoGQ0DX1qVUVz3v+Y2+7jV64++EBmQPq4TLOp8PfNamHhLHosHwW/7ZU0rvBSwzr3xMkKScdEfOnNJayAfA190jtXSnfP+7wkteBfA1u8cVQmHwTjhEU4WqYrQTFGW76moQCuxY6zDeUstRWNZrJETuKOdU4WCHP4CNUXG4WoJTIPMlK3ZawetRXuV1E8oEucRihBVuGCbcDVHPa07rggH3IQ7657FC0vpUla19zvoYry0jJTOXJxYEpRQTjJ+CY4fvwSN2/egyrT5wY40lMlTA6YR0PNItfmaYxUFzgAZ4POOhV7g5CmpXgHMQwyN3CM8uA5yG/LykNVucHqi/npbAU09mpDtHy33r9HbWlHZOsHH1mtMxhUGIAe3pe889EqaoYS0Cq8R4NkQE1lsW0hC1gP3MCg1eHMsDcHh0umQxpujc+dz4jdhrWV0RQ6T2s2x/IEqCfD/cKC+UK9tJULAwLU/8hwII/EuX4gLeRODO0cPiBSSt6Zlg3WNbJfukVaxTjl86mMIQsbENzF3niQwmjaVLPe9q9n09tG4o8Tg4K1twkiK2/ljhNoxJi14Fxg5KGy2qVMyQZGesH+JgOkgciUv15fp8ZuHEf2TA0v6tzPF9UQUoIBVMlKFvkK1v+qXMlp7GboGEucELdTRVIwznBOBwDtpCpxCKPiv7QgONsAuiEd7B6Zt4UNG/JWKIJtokCWuMqGLiGsL20LrkpBxN7iojPH+LPUEaqeX5QuqdN2R8HyVPXdePkXUoshwNWTFC7xC7zwcFOzbo6k8QZr8u+WBK6t5rWYsQVU8iXIV4QXnqeDueEFzgMd+ByGlULR/pNHa5oDZypuE0D7kKCw9WpxKbPOJvWO36vf5/EP8bmQzjaFHH3CWQsl1QZB/QvdBV5ZrkQjcwXWJsB9W1gTmHobrxQjofgK7JBJxKYUnL9IMh+tZNLx/E5ANbsPPHqqrVz2iqXZPuyRs3eGFk/TqRQx2RccSI7plckvYPTfvyWKxpyvN5MJ2DoBuE=
Content-Type: multipart/alternative; boundary="_000_GV1PR01MB84365706AFEA8749176AEF37D6F12GV1PR01MB8436eurp_"
MIME-Version: 1.0
X-OriginatorOrg: warwick.ac.uk
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: GV1PR01MB8436.eurprd01.prod.exchangelabs.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 863841c4-f14f-48bc-8591-08dc7f5bcf16
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 May 2024 21:19:07.2262 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 09bacfbd-47ef-4465-9265-3546f2eaf6bc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: px9UKpnn38iivWAxQgiKdYIFGfR9NkP0v7uR3UmWcAHD7nK32XDeoNfpI0aCXXW1Zus1RxBWMJp4NRcClVNcmYDNOV6hNZoA5nfTA3VDHvA=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS4PR01MB9959
Message-ID-Hash: LL5QVPVY27RC2I227GHO4I64S3QXPFTX
X-Message-ID-Hash: LL5QVPVY27RC2I227GHO4I64S3QXPFTX
X-MailFrom: Feng.Hao@warwick.ac.uk
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: IRTF CFRG <cfrg@irtf.org>, Hugo Krawczyk <hugo@ee.technion.ac.il>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [CFRG] Re: RGLC on draft-irtf-cfrg-opaque-13
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/7UwX-MFIr3ESzIHx3jLH83-w8b4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

Hi Kevin,

Your description of the issue is accurate. Thanks for doing that.

As you may be aware, any system that follows this default countermeasure will risk causing the Denial of Service attack to its own legitimate users. For most businesses, I’m fairly certain that’s unacceptable.

I think you have done your best. There is probably nothing more you can do in the text.

Cheers,
Feng

From: Kevin Lewi <lewi.kevin.k@gmail.com>
Date: Tuesday, 28 May 2024 at 19:04
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
Cc: Eric Rescorla <ekr@rtfm.com>, Hao, Feng <Feng.Hao@warwick.ac.uk>, IRTF CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] Re: RGLC on draft-irtf-cfrg-opaque-13
Hi all, some additional text has been added to the draft to address the above discussion, under the Implementation Considerations section on handling online guessing attacks:

"Additionally, note that a client participating in the online login stage
will learn whether or not authentication is successful after receiving the
`KE2` message. This means that the server should treat any client which fails to
send a subsequent `KE3` message as an authentication failure. This can be handled
in applications that wish to track authentication failures by, for example,
assuming by default that any client authentication attempt is a failure unless a `KE3`
message is received by the server and passes `ServerFinish` without error."

(see https://github.com/cfrg/draft-irtf-cfrg-opaque/pull/456)

We believe the right way forward is to address this by offering ways to mitigate the attacks through the server's actions rather than directly modify the OPAQUE protocol itself.

Hope this makes sense, and let us know if you think any of the wording should be adjusted.

Thanks,
Kevin

On Mon, May 27, 2024 at 3:54 PM Hugo Krawczyk <hugo@ee.technion.ac.il<mailto:hugo@ee.technion.ac.il>> wrote:
There is an even better reason not to go with what Feng proposes. His modified protocol is insecure. To achieve the property that the server learns first whether the password was wrong, you would need to move auth_tag to the fourth message and that modified protocol is insecure (in the real sense of insecure, not as Feng's "undetectable attack").

Let's move on.

Hugo

On Mon, May 27, 2024 at 6:47 PM Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>> wrote:


On Mon, May 27, 2024 at 3:15 PM Hao, Feng <Feng.Hao@warwick.ac.uk<mailto:Feng.Hao@warwick.ac.uk>> wrote:
Hi Eric,

What I propose is to remove the key confirmation string sent by the server in the 2nd pass. The client sends its key confirmation in the 3rd pass, and the server only sends its key confirmation string in the 4th pass. This will be a revision in the protocol spec. I couldn’t see how adding a piece of text could properly address this issue.

Thanks for the explanation.

I don't see this as a realistic proposal, as it would mean that OPAQUE would not be able to fit into TLS 1.3 without significant surgery to the TLS 1.3 core, which is obviously undesirable for deployment reasons. It seems to me that we do want it to be possible to use PAKEs with TLS 1.3, and if the choices are to accept this property or to make big changes to TLS 1.3, then I think the right answer is probably to accept this property and document it in the specification.

-Ekr


Cheers,
Feng

From: Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>>
Date: Monday, 27 May 2024 at 23:00
To: Hao, Feng <Feng.Hao@warwick.ac.uk<mailto:Feng.Hao@warwick.ac.uk>>
Cc: Watson Ladd <watsonbladd@gmail.com<mailto:watsonbladd@gmail.com>>, IRTF CFRG <cfrg@irtf.org<mailto:cfrg@irtf.org>>
Subject: Re: [CFRG] Re: RGLC on draft-irtf-cfrg-opaque-13
Feng,

This has been a very long thread, with a lot of back and forth, but it's not clear to me what outcome you are looking for here.

Do you have a proposed piece of text that you think should be in the OPAQUE draft prior to it going to RFC? If so, what is that text?

-Ekr


On Mon, May 27, 2024 at 2:32 PM Hao, Feng <Feng.Hao=40warwick.ac.uk@dmarc.ietf.org<mailto:40warwick.ac.uk@dmarc.ietf.org>> wrote:
Hi Watson,

That will be a standard online dictionary attack which applies to any PAKE, and can be detected and “accurately” recorded by the server. Please have a look at Ding and Horster’s 1995 paper which I posted earlier. https://dl.acm.org/doi/pdf/10.1145/219282.219298 That paper explains the difference between a standard (detectable) online dictionary attack and an undetectable online dictionary attack. Similar attacks in various different protocol settings have been well studied in the past 30 years.

Cheers,
Feng

From: Watson Ladd <watsonbladd@gmail.com<mailto:watsonbladd@gmail.com>>
Date: Monday, 27 May 2024 at 21:49
To: Hao, Feng <Feng.Hao@warwick.ac.uk<mailto:Feng.Hao@warwick.ac.uk>>
Cc: Riad S. Wahby <riad@cmu.edu<mailto:riad@cmu.edu>>, IRTF CFRG <cfrg@irtf.org<mailto:cfrg@irtf.org>>
Subject: Re: [CFRG] Re: RGLC on draft-irtf-cfrg-opaque-13
On Mon, May 27, 2024 at 6:13 AM Hao, Feng
<Feng.Hao=40warwick.ac.uk@dmarc.ietf.org<mailto:40warwick.ac.uk@dmarc.ietf.org>> wrote:
>
> Hi Riad,
>
>
>
> The factual difference between OPAQUE and SRP-6a is that in OPAQUE, the server is authenticated first, whilst in SRP-6a, the client is authenticated first. The order of authentication has a profound implication in security here. For the case of OPAQUE, the server leaks password verification information via the key confirmation string in the 2nd pass before the client is authenticated. If the client drops out, the server can’t distinguish legitimate drop-outs from online guessing attacks. This means that the server has to deal with false positives (denying legitimate users hence causing the DoS attack to its own users) and false negatives (letting an attacker guess the password without being detected or logged). Managing the false positive and false negative can be complicated in practice.

Huh? An attacker can always carry out the full protocol to guess to
lock someone out. That a query amounts to a guess doesn't really
change this.

--
Astra mortemque praestare gradatim
_______________________________________________
CFRG mailing list -- cfrg@irtf.org<mailto:cfrg@irtf.org>
To unsubscribe send an email to cfrg-leave@irtf.org<mailto:cfrg-leave@irtf.org>
_______________________________________________
CFRG mailing list -- cfrg@irtf.org<mailto:cfrg@irtf.org>
To unsubscribe send an email to cfrg-leave@irtf.org<mailto:cfrg-leave@irtf.org>
_______________________________________________
CFRG mailing list -- cfrg@irtf.org<mailto:cfrg@irtf.org>
To unsubscribe send an email to cfrg-leave@irtf.org<mailto:cfrg-leave@irtf.org>