IETF Logo Mail Archive

Re: [Cfrg] My review of the four balanced PAKE (SPAKE2, SPEKE, CPACE, J-PAKE)

Watson Ladd <watsonbladd@gmail.com> Fri, 06 September 2019 15:47 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42769120D2A for <cfrg@ietfa.amsl.com>; Fri, 6 Sep 2019 08:47:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4lMvGN-ult7K for <cfrg@ietfa.amsl.com>; Fri, 6 Sep 2019 08:47:20 -0700 (PDT)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B38A21208BE for <cfrg@ietf.org>; Fri, 6 Sep 2019 08:47:19 -0700 (PDT)
Received: by mail-lj1-x229.google.com with SMTP id q22so1865387ljj.2 for <cfrg@ietf.org>; Fri, 06 Sep 2019 08:47:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xXspi9eKYyhxmt47lnt2QWXUGi0rtvbWwF0Jqb4oojg=; b=fdHdpZuqv70qDks1shehUB1WlTT5qRCJ5/o/vYyhsw2UQZgN4ZSvJT1ygA0tr0FWDw Dmz6P8Uqu87p4x9MQAzsbL00NU/iwjT+WA3U7hHz28EoTLr8tL6pHvXmQpQcGoYJcA+C QUuUR8+7hbhjbL6m6SMDQo23majwaKiiJ2leDQc2+VXbw0yczInhMtJ05pxiBEPBuOpm arAdPzD9jEbjeS1XZY8QFsFHqwkUbm4ogByms7HWhX859mAL0oXv8r+5e8klhNct/Nje gQaqBmsA6C10A0fmjtJCLjyRIvx6lEaBMNeQbbXMsqKa6YDY17Z7kduUltu23WeQtoOI bVAw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xXspi9eKYyhxmt47lnt2QWXUGi0rtvbWwF0Jqb4oojg=; b=USZpDMQJinEE8Fy4Gd53HHsN3QqjPuUuUC/7aDuAo4tmXhbqJWHVlWsd6/I9Xx2xjc TySVVZXvvJZ+sf594HglEG7MvjpInd+FttZRsZeg40aL6mAOplKEOt1ILWTqO5gz+oAD EMeMJsjjYGWOaGEiynUPSriJmYykpFACY5UKnD4fY2NmRhfQpSpCLeXfj/z6jBjNaCF9 pn3hho6lE9H4hmauPk2j49/5zqCUva+z2uJ8VHHAPy0eB/1/xWI1HvehPrYuz7HBZ07/ xfDZVN2L7ciNMlPm6gHmvgobZlMxsCv/TotEsV+QHIHiaylUkEhyP0AEnTwRQK8pk+3y KmMQ==
X-Gm-Message-State: APjAAAWSQdbQA6+VjqEEF3QfbaQeUVtxk+3L0+3gf5QYobsgbZs+0Nic XCN1FpVoH9BsllqUUc3lmNBbTPVZIAt20XGizJk=
X-Google-Smtp-Source: APXvYqzHRzgUcakF3t6GNdjODLJk+PFcYkkN7eCptXhXv4cV3keGs2B5GNtX1YhlUERQ41V9gU0NfgGHIHVjyKN0AxI=
X-Received: by 2002:a2e:7410:: with SMTP id p16mr6257093ljc.186.1567784837776; Fri, 06 Sep 2019 08:47:17 -0700 (PDT)
MIME-Version: 1.0
References: <BL0PR11MB31728AF40F9C9B7B65472AC1C1BB0@BL0PR11MB3172.namprd11.prod.outlook.com>
In-Reply-To: <BL0PR11MB31728AF40F9C9B7B65472AC1C1BB0@BL0PR11MB3172.namprd11.prod.outlook.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Fri, 06 Sep 2019 08:47:05 -0700
Message-ID: <CACsn0cmmxgSGumm-tPG52F4zs6jxFNcKTp1ERyAmwxdahxFCvg@mail.gmail.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Cc: cfrg@ietf.org
Content-Type: multipart/alternative; boundary="000000000000570a690591e45a03"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Ckya68RYIQdpiJ47zH_htExMhds>
Subject: Re: [Cfrg] My review of the four balanced PAKE (SPAKE2, SPEKE, CPACE, J-PAKE)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Sep 2019 15:47:32 -0000

On Fri, Sep 6, 2019, 8:03 AM Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
wrote:

> Review of Balanced PAKEs:
>
> Summary: I have reviewed the security of the four balanced PAKEs, and
> other than potential vulnerabilities due to lack of input validation (which
> I have highlighted in the detailed reviews), I could not find any issues
> with the protocols as presented.
>
> In addition, I have reviewed the security proofs; the J-PAKE proof appears
> to be valid, while the proofs provided with the other protocols (SPAKE2,
> SPEKE, CPACE) appear to be flawed.  These flaws all stem from the same
> basic source; these proofs are based on simulations, where the proof starts
> with the actual protocol, and constructs a series of increasingly idealized
> versions of the protocol, running each version on a simulator, and attempt
> to prove that each version of the protocol is indistinguishable (or has a
> small quantifiable delta in security) to the next version, and the last
> version is trivially secure.  The problem is that these simulations have a
> model of what the adversary is allowed to do, and I managed to find
> potential actions that an adversary might try to accomplish that is not
> accounted for by the simulator’s adversary model (and hence the security
> proof would not be valid when facing such an adversary).
>
> As such, J-PAKE is the only one that appears to have a valid security
> proof – however, it is considerably more costly in practical terms.  The
> CFRG will need to decide whether the existence of a security proof (and
> generally more conservative design) outweighs the practical considerations.
>
> Now, the detailed reviews:
>
>
>
> SPAKE2
>
> Documents reviewed:
>
> Original SPAKE2 paper: *www.di.ens.fr/~pointche/Documents/Papers/2005_rsa.pdf
> <http://www.di.ens.fr/~pointche/Documents/Papers/2005_rsa.pdf>*
>
> SPAKE2 draft: *https://tools.ietf.org/html/draft-irtf-cfrg-spake2-08
> <https://tools.ietf.org/html/draft-irtf-cfrg-spake2-08>*
>
> The first issue with SPAKE2 is that it is backdoorable (in the same sense
> that the DUAL-EC DRBG is backdoorable).  That is, SPAKE2 incorporates
> internal constants (N and M) that, if they are generated in a secret
> manner, would allow the creators of N, M special access (in this case,
> allow a server to check the entire contents of their dictionary as the
> result of a single exchange).
>
> Now, it appears that the SPAKE2 draft avoids such suspicion; that draft
> includes values of N and M for all supported curves, and a procedure that
> was used to generate them.  This procedure would create values without
> anyone knowing the secret relationship between P and N or M (and thus
> preventing anyone from knowing the backdoor).  I have able to only
> partially verify that these N, M values were generated by this procedure.
> It would appear necessary that someone fully validate them.
>
> On the other hand, if the CFRG does endorse SPAKE2, it needs to recognize
> that it is endorsing a standard with a potential backdoor (even if the
> designers prove that they did not attempt to insert anything).  In
> addition, this potential backdoor may become a high value target for an
> early Quantum Computer (as solving one discrete log problem would give them
> the back door to everyone using SPAKE2 with that specific parameter set;
> such a back door exists, all the public generation procedure shows is that
> the initial authors do not know it).  None of the proposed candidates are
> fully resistant to a Quantum Computer, however none of the others have this
> ‘solve one discrete log, weaken everyone’ property.
>

How much harder are many logs then one on a quantum computer? Not very.

> The second big issue: the security proof.  The proof given in the paper
> (Theorem 12) would appear to be invalid; one error appears to be in Exp3
> (which appears in Theorem 8 but is used essentially unchanged in Theorem
> 12); here, they replace the public oracle H (which converts the transcript
> and the computed point into the shared secret) with a secret one (that is,
> one the adversary does not have access to).  However, they have not ruled
> out active attacks at this point, and hence they do not consider the
> possibility that an active attacker (addressed in Exp4) may access the H
> function multiple times after a single exchange (without necessarily
> solving the CDH problem, as that applies only to passive attackers that
> can’t influence either input; in this case, the attacker can provide a
> value that influences one of the inputs to the DH).
>
> The draft lists the protocol in a fair amount of detail (which is good;
> the CFRG will need to publish a detailed specification of the approved
> protocol, and this draft is a decent start).  However, there are an issue
> with the protocol they give.
>
> The issue is that they do not specify the input checking properly.  They
> specify only that the received S, T values are not the neutral element when
> multiplied by h (the cofactor).  This is insufficient; it is important that
> the protocol verifies that S and T are members of the group (that is, are
> solutions to the elliptic curve equation).  If the point is received as an
> (x, y) pair, then they must be verified as solutions to the equation; if
> they are in compressed form, then the application must fail if given an x
> value which x^3+ax+b does not have the appropriate square root; if given a
> single x value (e.g. Curve25519), you must verify that the x value is on
> the curve and not on the twist.  This received S or T value is added to a
> point which is on the curve, and I don’t know of any guarantees you can
> give if you add a point on the curve to a point which is not (and then
> multiply the sum by something).  The security considerations in the draft
> does mention this; however, it is missing from the actual specified
> protocol.
>
> This protocol relies on standard operations (ECC point addition and
> multiplication), without using any password to point mapping, and thus is
> easy to make constant time with standard methods.
>
> While the SPAKE2 paper makes no reference to a key confirmation pass, the
> draft insists on it.  It is not clear if the draft requires the key
> confirmation to be an extra round before you use the actual shared secret
> (Ke), or if you can use Ke to encrypt the message which also includes the
> key confirmation.
>
> Further notes:
>
> One difference between the draft and the original SPAKE2 paper is that the
> original paper specifically assumed that each user would have their own M
> value; the draft has a global M value for all users.  It is not clear that
> security is reduced by using a single M value for everyone; however, that
> is a difference.
>
> Typographical error: the draft often says P-512 when it means P-521.
>

Thanks for the review. We will of course specify point validation
explicitly in the next version.

There is also an issue with composite order groups we will fix in the next
draft. (Perhaps with Ristretto?)

I will look at the paper in more detail to understand the comment. Thank
you for doing this very thorough review.

Sincerely,
Watson

v2.23.0 | Report a Bug | By Email