[Cfrg] Reviews for augmented PAKEs (BSPAKE, AuCPace, OPAQUE, VTBPEKE)
Kevin Lewi <klewi@cs.stanford.edu> Sun, 15 September 2019 08:49 UTC
Return-Path: <klewi@cs.stanford.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38A11120088 for <cfrg@ietfa.amsl.com>; Sun, 15 Sep 2019 01:49:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bah-0Q1rYCJH for <cfrg@ietfa.amsl.com>; Sun, 15 Sep 2019 01:49:25 -0700 (PDT)
Received: from smtp2.cs.Stanford.EDU (smtp2.cs.stanford.edu [171.64.64.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 650E812000F for <cfrg@irtf.org>; Sun, 15 Sep 2019 01:49:25 -0700 (PDT)
Received: from mail-oi1-f174.google.com ([209.85.167.174]:45704) by smtp2.cs.Stanford.EDU with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92) (envelope-from <klewi@cs.stanford.edu>) id 1i9QDj-0004TU-Ia for cfrg@irtf.org; Sun, 15 Sep 2019 01:49:25 -0700
Received: by mail-oi1-f174.google.com with SMTP id o205so5947240oib.12 for <cfrg@irtf.org>; Sun, 15 Sep 2019 01:49:23 -0700 (PDT)
X-Gm-Message-State: APjAAAXApbrcycUDiU27Oxg+pt9W2wH1XTknVW6RA47N3SRgyxCRit+q maOB1RrekCI6OFZO2Hjd764kqAb+sCLe0/OcRC4=
X-Google-Smtp-Source: APXvYqz8cXgPj7uTgo7Kcj3jxtaCcfqF2kWZ3FEvhJmXsEK1SR8s3XYoTwuzEfEOWBevAw1hZhjOwrk15ExhSFSxrbY=
X-Received: by 2002:aca:2105:: with SMTP id 5mr9533291oiz.84.1568537363114; Sun, 15 Sep 2019 01:49:23 -0700 (PDT)
MIME-Version: 1.0
From: Kevin Lewi <klewi@cs.stanford.edu>
Date: Sun, 15 Sep 2019 01:49:12 -0700
X-Gmail-Original-Message-ID: <CACitvs8oJM8mMEOcTkWAiWhut7gqncgmvuMGhB_zXrTYrFaHzw@mail.gmail.com>
Message-ID: <CACitvs8oJM8mMEOcTkWAiWhut7gqncgmvuMGhB_zXrTYrFaHzw@mail.gmail.com>
To: IRTF CFRG <cfrg@irtf.org>
Content-Type: text/plain; charset="UTF-8"
X-Scan-Signature: 5c460fe7d3aaafaf78d72307c0bc7e10
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/9E1owZANyjCEZW44IWj0u1Lze2I>
Subject: [Cfrg] Reviews for augmented PAKEs (BSPAKE, AuCPace, OPAQUE, VTBPEKE)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Sep 2019 08:49:27 -0000
I'm providing this review from the perspective of using these augmented PAKE schemes in place of the existing account login protocol for Facebook, in which a client sends a plaintext password over a secure channel to a server. More details here: https://mailarchive.ietf.org/arch/msg/cfrg/1QQ_FfRsOxvoLGqX0t48WLTMSNU . The points I cover in this review are more focused on the practical implications of integrating an aPAKE into account registration/login, and so I will defer to other experts to analyze the validity of the security proofs and cryptographic assumptions underlying these proposals. --- First, I've outlined some of the high-level concerns which I found to be common across multiple candidate aPAKEs: (1) Unspecified / unsafe registration step In a password-based login protocol, there is a registration step (where the client registers a username and password pair for account creation) and an account login step. It is problematic when aPAKEs assume that the server begins the protocol with some information derived from the password. We would like to have the guarantee that the password is also not vulnerable to the same kinds of attacks from eavesdroppers, server compromise, etc. during the registration step as well as the login step. (2) Lack of protection against pre-computation attacks In the normal password-based login protocol, the account salt is kept secret by the server, and when employed with a password hashing function like scrypt/argon. If we are to replace this mechanism with an augmented PAKE, we do not want to reduce security against eavesdroppers, server compromise, etc. Indeed, it is already noted as a requirement for augmented PAKEs to have pre-computation security anyway. (3) Client-only password hashing We want to support a large range of clients, from browsers to low-end mobile phones. For augmented PAKE protocols which require password hashing to be done on the client, it seems like we must make a tradeoff between performance/usability on the client device and the difficulty of brute-forcing password hashes after a server compromise. This differs from the normal password-based login protocol, where password hashing occurs on the server, and hence this tradeoff is not as significant. --- And here are the comments I have gathered specifically for each proposal: BSPAKE: See (1); it seems like the server has to start with parameters dependent on the password, but it isn't clear how to do this in registration without sending a password-equivalent to the server. Also, see (3). AuCPace: See (2) and (3). OPAQUE: See (3). VTBPEKE: See (1); server needs to start with V^H(s, pw), and it is not clear how to transmit this securely on account creation. Also, see (2) and (3).