Re: [Cfrg] Reviews for augmented PAKEs (BSPAKE, AuCPace, OPAQUE, VTBPEKE)
Björn Haase <bjoern.m.haase@web.de> Sun, 15 September 2019 11:08 UTC
Return-Path: <bjoern.m.haase@web.de>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E015120026 for <cfrg@ietfa.amsl.com>; Sun, 15 Sep 2019 04:08:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=web.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3PRbubArHaON for <cfrg@ietfa.amsl.com>; Sun, 15 Sep 2019 04:08:30 -0700 (PDT)
Received: from mout.web.de (mout.web.de [212.227.17.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA93F12000F for <cfrg@irtf.org>; Sun, 15 Sep 2019 04:08:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=web.de; s=dbaedf251592; t=1568545701; bh=mgXl/WR1vNZivHwiC/S4OUi/lEBgXZ+XAy/5e5qNIhg=; h=X-UI-Sender-Class:Subject:To:References:From:Date:In-Reply-To; b=Bo4aGqNIwF1wcyzvMak7yevWhGd6hucU8WosAnQcw2oncVbbAVU4BmRa79jC4EOs7 jqbt9M7g7/rGu3kDj4QnlkS5b3LkMsMirSCkKeQtYqI1nVLCy0BMB/l8amY6n3+UxV 1KCRlSPd7yhJIWFVg7Yu8cLwa2s4/1W54PQCjgzc=
X-UI-Sender-Class: c548c8c5-30a9-4db5-a2e7-cb6cb037b8f9
Received: from [192.168.2.161] ([92.75.65.225]) by smtp.web.de (mrweb102 [213.165.67.124]) with ESMTPSA (Nemesis) id 0McnuP-1hsCWL3YaP-00I0GY for <cfrg@irtf.org>; Sun, 15 Sep 2019 13:08:21 +0200
To: cfrg@irtf.org
References: <CACitvs8oJM8mMEOcTkWAiWhut7gqncgmvuMGhB_zXrTYrFaHzw@mail.gmail.com>
From: Björn Haase <bjoern.m.haase@web.de>
Message-ID: <95491fd6-05d5-e95c-f764-c9dc7ec4f0fc@web.de>
Date: Sun, 15 Sep 2019 13:08:16 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <CACitvs8oJM8mMEOcTkWAiWhut7gqncgmvuMGhB_zXrTYrFaHzw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:g6+n9pYYMs3cKc+q15x+/gWdlFdHj4n2hhG7WDDCcvAlXnFuev7 hNdTRhHigR8YyUulxLaVvBBrhpMsqkKGYok3e9Av7AHrCoA6Ggq94Ur/Tx8YIDlN9Wzt5y0 7u6qPjixZ/GssUHyZ0SuJGXabjUWcJMLkXpJVwWq/3u97OIazQkeLCgWGE+NNhKYtr9JnZS MIjzL4hN/ofvhvzXXKB0Q==
X-UI-Out-Filterresults: notjunk:1;V03:K0:/FmlKxVYBTY=:UkXQSwdlvdZ3bMm4j16qac /DC1Hwi4bOKT2uMlBrf2LQ+vyLOXgvXqC+KshoUZabiyETpz7Ui8ZsXV8ilulkpZPVs5f9cx5 3mk9st+/edDqjc4I1mPvaYWjQbbq5Ml9O+4ym0joHHpfKMrewD3zIL/Mk7oMlzPAsJ6TZFU0J ed7MJ/4Tg+DZ08taJNvcrLYVPaDZ0eNt2ULjz10Cw6t5t/hAYPDpb9A78cXb+lmZxY7MEXfFg MUs0Suw5qL6o7YWGo9xRAsrom+tOLH3aA9lZsFq2UoOqMBrtdXgcHc1Oiq9QIIVgqbIrjqRVa a9uk4jNlN3l+jn0AWGSVreF5m6DLRl6QojktiCrT7+TSDG+MAxBv/tn9Ua7RGOOAeunm/r/FW igl+uT6FTEEwJzmiHd7XzfO92dwYGeP9ZiFFqL1whza+Rlj3Us7UdX/bs7j2y6wvdA1x+TxTr dl/mVtLLTCtcLmHYE0moGqmk4S6i2/RhPha1niKgIdcsPxT3DfSf5WBWqmjT5rmFB6ZgCM8Tc M0ngOnm5w6Vtd9plUCwHNMIBG/03p4K5LQe2CUGYiQBL/NmEc0gxZkSM1zQmbw+UL3yNIdtb8 yaRMKbusDGtKs1gm8iL0bnv3fMHSFRJvdoaJpMO9sK7+Uqy4SuLTjaDa6ZaXEQOPcq7hjlXUF Wx3L/frh+xJrEPeiHcYukb/XLZyDp7Lw9Ueodjaa+EjAnYcwzVQx9KHcI4O/xPlaEDwbopaCm 2wtBXwEnuDOhefz/yb6u0Ysn98KkUu62NPv8rzkjkMsGWhre0oyPNjCRkMabtzljJkcjDvDIf fmzbTQx12lyGfgBgIWXfMSaKdOT9iVT5dvfri0w9MzSyX75yxeEZtWJ/IFgA+UOkDYkPCL6TG 22Yb5LqcIdEPJ+tHuXEVVyCog34iT5SeqQvq6KYj4I9VqfMGr+qJf64GpZD+0ZYMPEcjEQfww IcU1wHymQb/vp4vuUeDz6dN5iLf9Zm7VgbCBWKJawoQZnu7aSoH+DJ7eotd+RWt54VAsHkmWI qga8E1XRliojlDyseANZDZX2GM2ohx0tjmgL5rFVPPVdpXxHlC2XVXWKeR7r1ASKgi05jLDCx 7FxA25hbUo2SVmgJ4xA3jEYNEBPNgq3aCJhPNVDIsE/ghV/EsYNYliO+iHiC/S87xVxhHTU4w C6IkwKxVb9g5XQaErFcnWlwC5mZSfoP/y9UoiWi8jX4hQww7OEG2XfEFImmFHY0evtG3cZm6h VERmSjmlJ34pY0sKzy2G4fIbI2VzV7s/VBTpLqpRv2ZfidN/3lK+r9/eBNUg=
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/AIkY16C-6k3wVc7QmeAVOenkCRk>
Subject: Re: [Cfrg] Reviews for augmented PAKEs (BSPAKE, AuCPace, OPAQUE, VTBPEKE)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Sep 2019 11:08:32 -0000
Dear Kevin, you obviously have missed the fact that there is also a "Strong AuCPace" specified in the paper (Appendix C) which allows for pre-computation attack resistance if desired for the application setting. The difference between OPAQUE and BSPEKE is, that AuCPace may also run in a non-pre-computation attack resistant mode depending on the application's need. Obviously, you'd be choosing the pre-computation attack resistant "Strong AuCPace". There might, on the other hand be other applications that don't want the "strong option". Imagine for instance that you want to use AuCPace with the user credential database on some system that today has a password database using a fixed salt that does not have the required structure for the OPRF. If you want to get an aPAKE functional with such a "legacy" data base, you need a system that openly communicates the salt. On the other hand upon password changes of the users, you might want the user credential server to be switched to a more secure pre-computation attack resistant version. AuCPace allows for such a flexibility. In applications that want pre-computation attack resistance, you are free to use "Strong AuCPace" that comes with pre-computation attack resistance. Actually regarding the aspect (1) that you see for BSPEKE, it seems that I have missed some point. In my opinion all of BSPEKE, Strong AuCPace and OPAQUE should be *very* similar regarding the password registration phase. I agree with you that we should consider this aspect with great care. Actually unlike the other systems, for AuCPace we have tried to capture and consider this aspect in the security proof, while this substep is out of the scope of the security analysis for VTBPEKE and OPAQUE (to my best knowledge). At the same time, ln my opinion considerations for AuCPace could in my opinion directly be re-used for OPAQUE (and possibly BSPEKE, if a security analysis comes out there). Yours, Björn. Am 15.09.2019 um 10:49 schrieb Kevin Lewi: > I'm providing this review from the perspective of using these > augmented PAKE schemes in place of the existing account login protocol > for Facebook, in which a client sends a plaintext password over a > secure channel to a server. More details here: > https://mailarchive.ietf.org/arch/msg/cfrg/1QQ_FfRsOxvoLGqX0t48WLTMSNU > .. The points I cover in this review are more focused on the practical > implications of integrating an aPAKE into account registration/login, > and so I will defer to other experts to analyze the validity of the > security proofs and cryptographic assumptions underlying these > proposals. > > --- > > First, I've outlined some of the high-level concerns which I found to > be common across multiple candidate aPAKEs: > > (1) Unspecified / unsafe registration step > > In a password-based login protocol, there is a registration step > (where the client registers a username and password pair for account > creation) and an account login step. It is problematic when aPAKEs > assume that the server begins the protocol with some information > derived from the password. We would like to have the guarantee that > the password is also not vulnerable to the same kinds of attacks from > eavesdroppers, server compromise, etc. during the registration step as > well as the login step. > > > (2) Lack of protection against pre-computation attacks > > In the normal password-based login protocol, the account salt is kept > secret by the server, and when employed with a password hashing > function like scrypt/argon. If we are to replace this mechanism with > an augmented PAKE, we do not want to reduce security against > eavesdroppers, server compromise, etc. Indeed, it is already noted as > a requirement for augmented PAKEs to have pre-computation security > anyway. > > > (3) Client-only password hashing > > We want to support a large range of clients, from browsers to low-end > mobile phones. For augmented PAKE protocols which require password > hashing to be done on the client, it seems like we must make a > tradeoff between performance/usability on the client device and the > difficulty of brute-forcing password hashes after a server compromise. > This differs from the normal password-based login protocol, where > password hashing occurs on the server, and hence this tradeoff is not > as significant. > > > --- > > And here are the comments I have gathered specifically for each proposal: > > > BSPAKE: See (1); it seems like the server has to start with parameters > dependent on the password, but it isn't clear how to do this in > registration without sending a password-equivalent to the server. > Also, see (3). > AuCPace: See (2) and (3). > OPAQUE: See (3). > VTBPEKE: See (1); server needs to start with V^H(s, pw), and it is not > clear how to transmit this securely on account creation. Also, see (2) > and (3). > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >