IETF Logo Mail Archive

Re: [CFRG] Does OPRF/OPAQUE require full implementation of RFC 9380

Stefan Santesson <stefan@aaa-sec.com> Thu, 04 April 2024 21:18 UTC

Return-Path: <stefan@aaa-sec.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 571DDC14F68A for <cfrg@ietfa.amsl.com>; Thu, 4 Apr 2024 14:18:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aaa-sec.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f2SHSqqOQE6n for <cfrg@ietfa.amsl.com>; Thu, 4 Apr 2024 14:18:00 -0700 (PDT)
Received: from smtp.outgoing.loopia.se (smtp.outgoing.loopia.se [93.188.3.37]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1822C14F6B9 for <cfrg@irtf.org>; Thu, 4 Apr 2024 14:17:58 -0700 (PDT)
Received: from s807.loopia.se (localhost [127.0.0.1]) by s807.loopia.se (Postfix) with ESMTP id 39379300B937 for <cfrg@irtf.org>; Thu, 4 Apr 2024 23:17:56 +0200 (CEST)
Received: from s979.loopia.se (unknown [172.22.191.5]) by s807.loopia.se (Postfix) with ESMTP id 288212E2CB2A; Thu, 4 Apr 2024 23:17:56 +0200 (CEST)
Received: from s898.loopia.se (unknown [172.22.191.5]) by s979.loopia.se (Postfix) with ESMTP id 26AFB10BC490; Thu, 4 Apr 2024 23:17:56 +0200 (CEST)
X-Virus-Scanned: amavisd-new at amavis.loopia.se
Authentication-Results: s898.loopia.se (amavisd-new); dkim=pass (2048-bit key) header.d=aaa-sec.com
Received: from s934.loopia.se ([172.22.191.5]) by s898.loopia.se (s898.loopia.se [172.22.190.17]) (amavisd-new, port 10024) with UTF8LMTP id hewJGNSuYXoK; Thu, 4 Apr 2024 23:17:55 +0200 (CEST)
X-Loopia-Auth: user
X-Loopia-User: mailstore2@aaa-sec.com
X-Loopia-Originating-IP: 90.228.170.155
Received: from [10.10.0.158] (unknown [90.228.170.155]) (Authenticated sender: mailstore2@aaa-sec.com) by s934.loopia.se (Postfix) with ESMTPSA id 6F5017CEA3F; Thu, 4 Apr 2024 23:17:55 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aaa-sec.com; s=loopiadkim1707241022; t=1712265475; bh=FaXYtfql4EUKRqIuFfMPfv2QvmodzUODZE6EMMl7/+k=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=Z8aw+dCpriE79CQ2DJ516wcX225Z1Z5QWl/F9rq3HuBkQWW1D+pNJYUenJU5puU+I POWktfiUqUdNfKAjEkfKrmTffzpFZwO3oIrNBsV1LSoLcTQw0AJfKWxt7cvf3SknDa 2v+GdbhjiojmazMdZ/T5VlO+1CIkTUlGXAvD+vGJjk+7NeESWtDTD/dUyFsjfn7UCs whZsjAS+0zcMR1H757j9g6TUV8VRw3EbnuGeabyVKldKSK9yP0HanAySYk3/dGBtJ3 52XZudCjkZbLgn7fOp38f0WVa7Z8gRRjeykPfzM/e92BYPWmzZtwz3o6AwTRmcVsJB x6Aj2EH6Utz/Q==
Message-ID: <7031d026-0dfc-46b3-be16-7297eb25d2e8@aaa-sec.com>
Date: Thu, 04 Apr 2024 23:17:54 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird Beta
To: Hubert Kario <hkario@redhat.com>
Cc: Mike Hamburg <mike@shiftleft.org>, IRTF CFRG <cfrg@irtf.org>
References: <410a0800-78ff-422f-8ca3-5a0211478cbd@aaa-sec.com> <ZggHSDs5bRweThW5@localhost> <CAPC=aNUSTv=JtpkG71vhu25jgpVqzL5XS81543ntLMUuXcchqw@mail.gmail.com> <a5ec7b9e-62d3-4bd0-8bc9-ad23c9818e2b@aaa-sec.com> <739A462E-D02A-4B36-871E-19C282A09F90@shiftleft.org> <eb7dd447-adab-47cc-870a-51c31d4b42b4@aaa-sec.com> <4976080c-12eb-4bfe-8301-19fafb20661d@aaa-sec.com> <555b51d6-f9df-4e9c-a22e-d98effca48ad@redhat.com> <12d2505e-2700-4333-9dc8-22c7be779399@aaa-sec.com> <fbffd7a8-a4ed-402a-9241-1917bae3f2cb@redhat.com>
Content-Language: sv-SE, en-GB
From: Stefan Santesson <stefan@aaa-sec.com>
Autocrypt: addr=stefan@aaa-sec.com; keydata= xsDNBGB0SQwBDADRZIRQH2PciJEmsZ7noEFV8jdtUoB/3AiNPg5CYWJz3YlB1ZyqizIYRXlY EzhIcHRCdn+NrJvReq3Xi3kvycqvhUrrxMIxMYY7YZEripjrbyleFbbZjX4oCu+CTRj8y1Wo V6h9fLlpdqEriXwQ1brs1F/4KmHXTli4FIAmRTzdGBDWgD9sg2UmuloC4+A3d2Zoo6D6Tbjv Piyy3hwqdxjOF0tXSrtH9OXkyoIlmOdaHKLT3hB7nRlurq7dWZYGsnWIIg6YIMwA/eo6OHry nq9OpQ2Zktz40r6WaOARM4RTJgBI45BgR0IVXGJG3ie05lrORYxfLKJ9//JR+4VqY/6RC85C L5Ch6KH7smzraNZXZWPlDjrs25O0X2PwEwv676vJ9tDY7oLN0RHpVMYFx2GOKAYtH0K1BAwY yFlSNRmLbSjNPnGN4yk6ad5J6HB/Z9A0On/Ud2R8eXR5ZJVBNDdcCjM2L2WleRoTbh52DmhX yisi1loEROOZjaqfBf03jlsAEQEAAc0lU3RlZmFuIFNhbnRlc3NvbiA8c3RlZmFuQGFhYS1z ZWMuY29tPsLBDwQTAQgAORYhBKkgqX8QoC/CtVBH1S8bGjmXZjPRBQJgdEkMBQkFo5qAAhsD BQsJCAcCBhUICQoLAgUWAgMBAAAKCRAvGxo5l2Yz0S+7C/94cy3pZYEK9E1PCSwtSYcVrpuJ FwEioeoswoCVU5JzCdiyv4kSP3+lY35Z71Dw1pzoBrSsLb7xbRLrEdoM05AQqRK3eaioI/8R nbPg5M+H86m7Y7bxYzBpcJ+ipNCvA2BbE+2YLSmHEEA0nTWbXtamqib+5jWRd0i/DTtTCzaP /IVSxy7PVcyB8KEF09Go5LFeZOJquIyfHU1KVjG+8UxKSjcyO3Rku5Rdt1D4tX7M6G5d1PMj BqLZPFYUvi5hB2sftMcmZzy9QLkP+2oLlo0R+vc50JO5jpUC1czAXRdp6Rr2r0mFbz1mV6Je AvN4PcFoepTwq97c0lg+zZL5swfcNSAEFKXWZgKJxo6b2iby2wDqaWORjQSNlqKETFOUeQDH dcqLPioQbW95MPa8DtfHGYbdKjk5esyY/PFQw0xR4XvrZx7CeIb6gwGgQByZqTP/lbzWnPHE zpL0DslrtBdfF+i90xGlz0FB4GVQVmygfB4g/l0bajzCb06cyjMiqTrOwM0EYHRJDAEMALsD BRBzhRH3qTcPvO3sFG3VvWlNlKiAKW5XlVp3yw/mBdaVhg0BMb0LlmEamz4HHMoL5hmfUDLS 4TJfJhZMY3ZufvGwVYsiZpl5YtebkH3M8ik5dfUz15xg0ievm3foJLjOwAutS1BKRJSrEnMt YjPqS8APSYs3pd1s1zPfvwaTYy5MrNE6mS2LDqbKA4nJVdq3LpEaBmSW+njfQAIZTRKmgxsb 6kxn4JWVseVRKKDMbqSHZpm8a4RO194FOqdXEz9fTVz2Zn8nJ1zJZTNWzcsHq3gBtM84kwUo NghYDqExuIHahojUHXHntfjZ5ZDW4/ZbOcCrVRDNWWoIoxBvxz10+TPgM+/ytA8VFr4Sglnj 1pnnRFs7aUXa5zIoFUC7NKWCR158ujnYD6S6Ap4nkDhdovL54azvt+/ChWiuQqoQSPE2ihLo vkM8cR9UNPjBVAuLA+pr6RPeg8LrjMRD86lBCfc5KkiP22oTOVzZal+jGgdgiYvD13KM2jUd VB8H9QARAQABwsD8BBgBCAAmFiEEqSCpfxCgL8K1UEfVLxsaOZdmM9EFAmB0SQ0FCQWjmoAC GwwACgkQLxsaOZdmM9Gc3wv/Wyquulv2Y7kUPXITDs/oLugd2Lx6KhFfPOhaoe2amQqhWk8H Hhauqb2Qx8rMFeDmaqzfxLsRpM0FMjtovH3XswPuZoZ3mLw0XuHGgU5QVS/zL6NrNVdwq8dv OV5m6QCm0RomI1cPRAB8P6/bbJy+FUBWvqqCUbQo5T5KXYgNwA/m1Y/S5cej/Wz3V7/Ixwkl 2t63TTrhnXBBGkAz5ApBT/YJ7L89eHLZJUMJJXaNewfhb3dIcZgza705BU5jHchpmJtTzgnS PaYqhKciMQUxd8/8jJ/XqlNVw7XxY77mNK+9BDf7y2EG6bRrzQExhS08vtuPexOE66IXdRId kENY+UQeopSb6EXU6eRD7BsXHLRfxzvs0+wMU7lRUigiONMUv54p6PqBa8PMFV4Jv8NcB9Qu Phy/7YtaBjmJn0FDTKpbDYILwh0WNoxjFqWI3jMo2ZTVjKY0aJMndJ0MxB3eAHjhQLkeKtIL 4831tbIM6eKC9gY3xUsE4vSV/CPdPKjV
Organization: 3xA Security AB
In-Reply-To: <fbffd7a8-a4ed-402a-9241-1917bae3f2cb@redhat.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/E1JcQRM9fG9wLb5poHaCnSmqVnw>
Subject: Re: [CFRG] Does OPRF/OPAQUE require full implementation of RFC 9380
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2024 21:18:04 -0000

Point taken

Thanks!

On 2024-04-04 18:30, Hubert Kario wrote:
> On Thursday, 4 April 2024 17:25:35 CEST, Stefan Santesson wrote:
>> Hubert,
>>
>> Fully understood! and I fully agree.
>>
>> I just want to make clear that this is just a hypothetical discussion 
>> and not any form of proposal of any kind.
>>
>> I'm exploring what you could do if side channel attacks of this kind 
>> is not an issue.
>>
>> Theoretically. Is there any other reasons why try-and-increment is 
>> bad. It seems not.
>
> My wider point is that a cryptographic algorithm that is very
> hard to implement in side-channel way, or worse still, algorithm
> that inherently leaks information useful to the attacker outside
> the cryptographic library boundary is a very bad cryptographic
> algorithm. That's precisely why RSAES-PKCS#1-v1.5 is a very bad
> algorithm.
>
> But yes, as long as the reason why the ultimately chosen value
> was accepted doesn't leak through timing, then try-and-increment schemes
> aren't inherently vulnerable to side-channel attacks.
> I know at least of one RFC6979 implementation that I'm comfortable
> claiming is side-channel secure.
>
>> Being "almost perfect" does have some advantage in that it requires 
>> more samples to draw any conclusions as the information leakage is 
>> less, but it still leaks.
>
> I don't think that being vulnerable only to persistent attackers
> is much of a consolation to the people that got hacked.
>
> So, unless the number of samples necessary isn't specified using
> exponents of two at least three digits long, then it's not
> really any protection.
>
>> /Stefan
>>
>>
>>
>>
>> On 2024-04-04 14:38, Hubert Kario wrote:
>>> Please note that as Marvin[1] showed, doing "almost" exactly the 
>>> same amount
>>> of work doesn't work for side-channel protection. The code needs
>>> to execute the same instructions, with the same memory accesses, in the
>>> same order, irrespective of any checks performed.
>>>
>>> Differences as small as individual clock cycles are realistically 
>>> detectable
>>> even over network, with multiple routers between the victim and the 
>>> attacker.
>>>
>>> 1 - https://people.redhat.com/~hkario/marvin/
>>>
>>> On Thursday, 4 April 2024 00:01:54 CEST, Stefan Santesson wrote:
>>>> I just have to post a correction. That experimental test I posted 
>>>> is not correct. There is no reason to reveal through the Y value if 
>>>> you succeeded on an odd or even attempt.
>>>>
>>>> The correct version of the algorithm we tested was:
>>>>
>>>> loop a fixed amount (e.g. 0 -> 64) {
>>>>
>>>>  test and increment {
>>>>
>>>>      compressed (y,x) = hkdf(hash(pw), counter) ...
>>>
>>
>>
>>
>

v2.23.0 | Report a Bug | By Email