Re: [CFRG] Attack on a Real World SPAKE2 Implementation

Watson Ladd <> Sat, 08 May 2021 19:25 UTC

From: Watson Ladd <>
Date: Sat, 08 May 2021 15:25:15 -0400
To: Filippo Valsorda <>
Cc: Peter Gutmann <>, Ruben Gonzalez <>, CFRG <>,

On Fri, May 7, 2021, 7:52 PM Filippo Valsorda <> wrote:

> 2021-05-07 04:17 GMT-04:00 Peter Gutmann <>:
> Ruben Gonzalez <> writes:
> >We did not attack SPAKE2 directly, but a faulty implementation.
> Nice work!  This is an example of what I once referred to as second-order
> snake oil crypto, good crypto applied badly (first-order is bad crypto).
> Snake oil is fraudulent. This is a broken implementation, for which
> specification authors should at least consider sharing the blame. How did
> the spec fail the implementers, who presumably were not trying to implement
> something in a broken way?

The SPAKE2 draft postdates many of the deployed implementations. There is
no evidence the authors consulted the draft, which specified M and N to
avoid exactly this failure.

> (I know, I know, SPAKE2 is a draft, not an RFC! But it's been a draft for
> almost 7 years, and at some point people need to implement stuff.)

I think the failure to publish a secure protocol that is actually deployed
and used in a timely manner is a problem. Thankfully it has at last gotten
out of the CFRG.

Part of the issue is that I had a dissertation to write and was not the
most motivated all of the time. But the bigger issue imho is that very few
implementors gave feedback or provided the prodding to advance it. Until
Ben came along no one cared, and Kitten ended up doing its own thing because
we were too slow.

What happened to rough consensus and running code?
