Re: [CFRG] Attack on a Real World SPAKE2 Implementation
Watson Ladd <watsonbladd@gmail.com> Sat, 08 May 2021 19:25 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DF353A0CC5 for <cfrg@ietfa.amsl.com>; Sat, 8 May 2021 12:25:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gbkwAdbLr4kI for <cfrg@ietfa.amsl.com>; Sat, 8 May 2021 12:25:33 -0700 (PDT)
Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87E6D3A0CBD for <cfrg@irtf.org>; Sat, 8 May 2021 12:25:33 -0700 (PDT)
Received: by mail-ed1-x532.google.com with SMTP id g14so14169925edy.6 for <cfrg@irtf.org>; Sat, 08 May 2021 12:25:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fumCG0V/ckaMjb7PeTL5FSXkfknA/mOnh0BDuoAxz2c=; b=ct3hAwc07+DVK/o8auP5QpFZselXy4IkO0TElr+Y1OEO/lNuh81El3O5hWs9TkrNus vhLVzYplVx6wTy/RtXWaEM+6HcYfR4vqLa+OHN28Of3thWAI9FZJVtWUbsaHHQsYi+x5 5KkpG0iz5Uz3k5TGKVQZZnTPHFmEPI7jQUL3FrP8UAW60CGidphcllDg1UReAHW4M3dp 7GhTG6S8G3kTau/C00FeZqrPj7yVVE/FX8kLVr0As7Z2K2qyxsNTUbKgt5fOWU4XpUOf Sckkm4laiHT5m/l7G7Ut4k4XIU9wTo0JzfT7gbREkXRSardyBEV6ub1Ro8Mp9iDfk8GA agPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fumCG0V/ckaMjb7PeTL5FSXkfknA/mOnh0BDuoAxz2c=; b=esg8foY4ByoXwgvIt3gJndAsGmfxm62Smy+Au8JN2eDn9C9r1BfcG5gfEFJpAkxsW2 q12vhnHAZQjSSF3Y1WtNPi9c/waqbuM+X8OyDmK2L12bG9OT8B8CxCTpqdcEfeMUPxoa f+AfljQeaXrYaaA1lGv9U9u2sTwUiwzsqEotEF3yvR/3lwep0VkE6CoF0Zj3wCgOJsuF qeo/3zCZsy+93mm1fH30XeQ+t46OBGgC8jqDQBNxL8iE8IO60z7YQmB+YniHUXbCMfR4 R5Js3xt5FbeAxP9wQcITq9PeO/sMX4zORjN8h7daW4IgCRWQ+PaguRvtFOhD+q2UqPWK pjsw==
X-Gm-Message-State: AOAM532wgGjl1qdbp5/QsakAkbD5iTIQIlFMxlXzESFbsg9z1rX1gWGX jc0AJvCo+RxTvX/ua+zHZMi+a18qa/FsrY5l39k=
X-Google-Smtp-Source: ABdhPJw9y+D1RILZ4xBqnWxqkOhbqmlspqVAO0NXtcNHSwTHtU4kV6s87D0n+A6vHV+Q8DTY4nPyuiP8w6oMz9aRUQk=
X-Received: by 2002:a05:6402:cac:: with SMTP id cn12mr20144763edb.238.1620501926783; Sat, 08 May 2021 12:25:26 -0700 (PDT)
MIME-Version: 1.0
References: <2bfbd767-b93a-42bd-be7d-1dae9e32e555@ruben-gonzalez.de> <SY4PR01MB625110F1F7633D989FCF183EEE579@SY4PR01MB6251.ausprd01.prod.outlook.com> <e88bae26-ff1f-42e3-babf-c5de3ee1d781@www.fastmail.com>
In-Reply-To: <e88bae26-ff1f-42e3-babf-c5de3ee1d781@www.fastmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Sat, 08 May 2021 15:25:15 -0400
Message-ID: <CACsn0ckL25j+WDTgd0aQTp3eo5qRwMb-AjfXmq2zFNU-JqYr1g@mail.gmail.com>
To: Filippo Valsorda <filippo@ml.filippo.io>
Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Ruben Gonzalez <in+lists@ruben-gonzalez.de>, CFRG <cfrg@irtf.org>, rixxc@redrocket.club
Content-Type: multipart/alternative; boundary="000000000000b42d0a05c1d68153"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/AJFK1x4QJsPr6UTqPeUcgDYWNGc>
Subject: Re: [CFRG] Attack on a Real World SPAKE2 Implementation
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 May 2021 19:25:38 -0000
On Fri, May 7, 2021, 7:52 PM Filippo Valsorda <filippo@ml.filippo.io> wrote: > 2021-05-07 04:17 GMT-04:00 Peter Gutmann <pgut001@cs.auckland.ac.nz>: > > Ruben Gonzalez <in+lists@ruben-gonzalez.de> writes: > > >We did not attack SPAKE2 directly, but a faulty implementation. > > Nice work! This is an example of what I once referred to as second-order > snake oil crypto, good crypto applied badly (first-order is bad crypto). > > > Snake oil is fraudulent. This is a broken implementation, for which > specification authors should at least consider sharing the blame. How did > the spec fail the implementers, who presumably were not trying to implement > something in a broken way? > The SPAKE2 draft postdates many if the deployed implementations. There is no evidence the authors consulted the draft which counting specified M and N to avoid exactly this failure. > > (I know, I know, SPAKE2 is a draft, not an RFC! But it's been a draft for > almost 7 years, and at some point people need to implement stuff.) > I think the failure to publish a secure protocol that is actually deployed and used in a timely manner is a problem. Thankfully it has at last gotten out of the CFRG. Part of the issue is that I had a dissertation to write and was not the most motivated all of the time. But the bigger issue imho is that very few implementors gave feedback or provided the prodding to advance it. Until Ben came along no one cared and kitten ended up doing its own thing because we were too slow. What happened to rough consensus and running code? > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [CFRG] Attack on a Real World SPAKE2 Implementati… Ruben Gonzalez
- Re: [CFRG] Attack on a Real World SPAKE2 Implemen… Peter Gutmann
- Re: [CFRG] Attack on a Real World SPAKE2 Implemen… steve
- Re: [CFRG] Attack on a Real World SPAKE2 Implemen… Dan Harkins
- Re: [CFRG] Attack on a Real World SPAKE2 Implemen… Filippo Valsorda
- Re: [CFRG] Attack on a Real World SPAKE2 Implemen… steve
- Re: [CFRG] Attack on a Real World SPAKE2 Implemen… Watson Ladd
- Re: [CFRG] Attack on a Real World SPAKE2 Implemen… Björn Haase
- Re: [CFRG] Attack on a Real World SPAKE2 Implemen… steve
- Re: [CFRG] Attack on a Real World SPAKE2 Implemen… Loup Vaillant-David
- Re: [CFRG] Attack on a Real World SPAKE2 Implemen… Filippo Valsorda
- [CFRG] Modifying SPAKE2 draft for more curves (wa… Watson Ladd
- Re: [CFRG] Modifying SPAKE2 draft for more curves… Hao, Feng
- Re: [CFRG] Modifying SPAKE2 draft for more curves… Hao, Feng