[CFRG] Review: "The OPAQUE Asymmetric PAKE Protocol"

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Sun, 05 September 2021 19:08 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/DnSsUVXjYlUt843dMVjCSMy0Emg>

This is my review of version -06 of the OPAQUE draft.

I did not find any smoking guns relating to security; I do have some questions about some of the design decisions (and if it’s too late to modify those design decisions, well, so be it)


  *   One plausible security goal is that an eavesdropper listening to two authentications would not be able to determine whether they were for the same identity or not.  This protocol does appear to take some steps in that direction (by using the masking_key so that someone observing ke2 would be unable to determine that, at least if all the client public keys and envelope data are the same length).  However, I cannot find any such protection for ke1 – adding such protection may be impossible (if the server can determine which client record to retrieve based on ke1 or data included with ke1, it would appear that an eavesdropper should be able to as well, or at least well enough to determine whether two different records were being accessed).  Is such anonymity a security goal of this protocol (and if so, how does it achieve it)?  If that is not a security goal, what is the purpose of masking_key?
  *   I note that to encapsulate an envelope, OPAQUE uses a MAC and the ENCRYPT paradigm; is there a specific reason for this design decision?  Nowadays, it is generally recommended that people use an AEAD, and if they can’t, then we generally find an ENCRYPT-then-MAC paradigm to be less error prone.
  *   In the protocol overview, it notes that registration requires “an authenticated and confidential channel”.  The requirement for authentication is obvious; is there a hard requirement for confidentiality?  Is there a known problem that could happen if confidentiality was not provided (possibly related to the anonymity question I have above)?  Does the proof of the protocol require confidentiality (even without a demonstration of a known exploit)?  Or are the authors being cautious (if you have authentication, adding confidentiality is usually fairly easy)?

From: Crypto-panel <crypto-panel-bounces@irtf.org> On Behalf Of Stanislav V. Smyshlyaev
Sent: Wednesday, August 11, 2021 10:03 AM
To: crypto-panel@irtf.org
Cc: draft-irtf-cfrg-opaque@ietf.org; cfrg-chairs@ietf.org
Subject: [Crypto-panel] Request for review: "The OPAQUE Asymmetric PAKE Protocol"

Dear Crypto Panel Experts,

We've obtained a request for review of version -06 of the "The OPAQUE Asymmetric PAKE Protocol" draft, draft-irtf-cfrg-opaque-06 (https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-opaque-06).

The chairs would like to ask the Crypto Panel to provide a review of this document. The Crypto Panel experts reviewed OPAQUE a number of times during the PAKE Selection Process: during both Round 1, see https://github.com/cfrg/pake-selection#overall-reviews-by-crypto-review-panel, and Round 2, see https://github.com/cfrg/pake-selection#reviews-by-crypto-review-panel-round-2. The draft was later adopted by the CFRG based on the results of the Selection Process.

The authors have provided a document with replies to the questions asked in previous reviews: https://docs.google.com/document/d/18B_nXbyjukTB9rR7qEj8-LiNAZDRssDxyhxT0-JzwPc/edit#heading=h.owtmbbgjiae1
Any volunteers?

Stanislav (on behalf of the CFRG Chairs)