Re: [Cfrg] The SESPAKE protocol and PAKE requirements
"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Sat, 20 February 2016 08:36 UTC
Return-Path: <smyshsv@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A81C1A000B for <cfrg@ietfa.amsl.com>; Sat, 20 Feb 2016 00:36:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.001
X-Spam-Level: *
X-Spam-Status: No, score=1.001 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e13LxrhtPuF0 for <cfrg@ietfa.amsl.com>; Sat, 20 Feb 2016 00:36:09 -0800 (PST)
Received: from mail-vk0-x22d.google.com (mail-vk0-x22d.google.com [IPv6:2607:f8b0:400c:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52D6E1A000F for <cfrg@irtf.org>; Sat, 20 Feb 2016 00:36:09 -0800 (PST)
Received: by mail-vk0-x22d.google.com with SMTP id e6so93815997vkh.2 for <cfrg@irtf.org>; Sat, 20 Feb 2016 00:36:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=SR47pQV809/o+lAJWwxnM4VlIXM/u8s/g8kyl9zYwyM=; b=q5wrq4tC7ISwphBzJldHf2xKsydwjRvlEZ8oPYIaBE1BXkPZbZxcdC2kafOUf2Mhwt /roOs58Nud/SqysKA1otmwKntySv4LT+XTRIlF5KQ8eU/fmw5IIvQdraI33GObdEoAJQ PKEd8jYKiSsU7Xm4bFpfXfyjQhXHlbl6OqABaHnVDR/YLPODXdpsAAKN5ldlSpy8LpSU YQTghtjTtlvHX3flt72UqchdFS3CeElonSAFzEajauyitPDGXxpX/YbytoJikRyldtCw dLf8PyECjN5hlQ/DyGELkMVyvF0n8wvDMpWVS3WpE1XLeGLDbIve8Vs6fU4SROJpye0F vrrg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=SR47pQV809/o+lAJWwxnM4VlIXM/u8s/g8kyl9zYwyM=; b=JoxnAr2Wu/xGelVqYi8Cx/ADuz60FuKFoIdlGcrbmY3HcmB0UvhRxpSprqsbYSPXwU 3gNXV2IvMNFvSudnnSkCeVPMxIcwPKQquG83RHTK8YSMc9ORWz0ggkPJZIqu6JaU5GcR LhOLDBxgssWUMtOlE4rsmfg+FvUAhFN1ZxWlc5Z9AxDXYJts3dTZVwVaKMWf8cS0L0+n vBWbBAaFSD5kYZXNWdxXLzBdqfmzCLi5v6H4hmWWAwVhHMrOwCbuxWz6nqEVGq4pTfvT PMREkrOXm5eCEOSLlyPZXId8Q0xO/VM8A7tUGC6f0R+E63pXtkNdsWvnsKV265hMuOeC +vsA==
X-Gm-Message-State: AG10YOS3tixzSZf9ajrezzWNBIFaj3v7MZ8EhOm85IL+MpBj7sEcD7QDt9NL1Otb55QAd9ONQKYKLPlxwwZurA==
MIME-Version: 1.0
X-Received: by 10.31.5.71 with SMTP id 68mr14806104vkf.25.1455957368405; Sat, 20 Feb 2016 00:36:08 -0800 (PST)
Received: by 10.31.133.202 with HTTP; Sat, 20 Feb 2016 00:36:08 -0800 (PST)
In-Reply-To: <38634A9C401D714A92BB13BBA9CCD34F167B5300@mail-essen-01.secunet.de>
References: <CAMr0u6nu=0H8pi=rEC1i69y1nhGLStvbJUXukUX0uHaVperkSg@mail.gmail.com> <38634A9C401D714A92BB13BBA9CCD34F167B5300@mail-essen-01.secunet.de>
Date: Sat, 20 Feb 2016 11:36:08 +0300
Message-ID: <CAMr0u6=eKJyCVQwHpuBLzB2TrrUQrfP8ti9N+Ai108=iS9tkZA@mail.gmail.com>
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
To: "Schmidt, Jörn-Marc" <Joern-Marc.Schmidt@secunet.com>
Content-Type: multipart/alternative; boundary="001a1143d2e0c0856b052c2f7d39"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/FD8SnAiA6lpD2Z6TwN9_3cX2cDE>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] The SESPAKE protocol and PAKE requirements
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Feb 2016 08:36:13 -0000
Dear Jörn! Thank you very much for your comment on R5! What do you think about defining a policy of algorithm usage in PAKE protocols? For example, in the current version of SESPAKE RFC draft we are based on Russian standards – GOST R 34.11-2012 hash and HMAC, but of course the document that refers only to GOSTs cannot become a CFRG document. Shouldn't we require multi-algorithm support – as in the PAKE requirements, as in our SESPAKE? Best regards, Stanislav С уважением, Станислав Смышляев, к.ф.-м.н., Начальник отдела защиты информации ООО «КРИПТО-ПРО» 2016-02-17 19:17 GMT+03:00 Schmidt, Jörn-Marc < Joern-Marc.Schmidt@secunet.com>: > Dear Stanislav, > > thank you for you evaluation. That covers exactly what I had in mind when > defining the requirements. > Only a minor comment on R5: my main concern was the mapping of a random > value or the password to a curve point, which is not required in SESPAKE . > > Best regards, > > Jörn > > -----Ursprüngliche Nachricht----- > Von: Stanislav V. Smyshlyaev [mailto:smyshsv@gmail.com] > Gesendet: Donnerstag, 11. Februar 2016 12:03 > An: cfrg@irtf.org; Schmidt, Jörn-Marc; alexey.melnikov@isode.com; > Paterson, Kenny; Mike Hamburg; Paul Lambert > Betreff: The SESPAKE protocol and PAKE requirements > > Dear colleagues, > > We'd like to specify the evaluation of the Standardized Password > Authenticated Key Exchange (SESPAKE) protocol by PAKE requirements in > accordance with [1]. > > > R1: A PAKE scheme MUST clearly state its features regarding > balanced/augmented versions. > Though one side (client) in SESPAKE protocol maintains the raw password as > a secret parameter and the other (server) maintains a password-based > computed point of the elliptic curve, actually the SESPAKE is not resistant > to Key Compromise Impersonation (KCI), which means that an adversary who > has successfully attacked server can automatically impersonate client > without offline dictionary attack. Given this, we can say that SESPAKE > protocol is balanced. > > R2: A PAKE scheme SHOULD come with a security proof and clearly state its > assumptions and models. > There is an article [2], in which the models and assumptions used in the > SESPAKE protocol are set out with the proof of the protocol security and > the cryptographic properties analysis. > > R3: It SHOULD be possible to implement the PAKE scheme in constant time. > The implementation of the SESPAKE protocol in constant time is achieved > with the common measures. These measures provide the computation in > constant time of some primary operations such as computation of a multiple > point or computation of the hash-function. > > R4: The authors MAY show how to protect an implementation of their PAKE > scheme in hostile environments. > --- > > R5: In case the PAKE scheme is intended to be used with ECC, the authors > SHOULD discuss their requirements for a potential mapping or define a > mapping to be used with the scheme. > When a point on an elliptic curve is given to an input of a hash function, > affine coordinates for short Weierstrass form are used: an x coordinate > value is fed first, an y coordinate value is fed second, both in > little-endian format. > > R6: A PAKE scheme MAY discuss its design choice with regard to > performance, i.e., its optimization goals. > > If the server has limited computing resources it can store a point Q_PW > instead of the password PW in order to skip a step of the time-consuming > computation of the point Q_PW. > > There is the optimized version of the SESPAKE protocol below (see Table > 1). We consider the case when the server and the client are the same on the > point of the computational resources: both store the same low-entropy value > Q_PW. If the actions are in the same row it means that these actions can > be implemented in the parallel manner. > H is a hash-function. According to the definition > HMAC_{K}(M)=H(K+opad||H(K+ipad||M)). Let E is a subgroup of prime order q > in a group of the used elliptic curve points. P is a generator of the > subgroup E, m is the order of the group of used elliptic curve points, 0_E > is an identity element of the subgroup E. > The step of the Pre-Computations assumes its implementation before the > interactive protocol execution. > > > Table 1: the SESPAKE protocol (optimized version) > > ----------------------------------------------------------------------------------- > Public information: E,P,m,q,TA,TB > > ----------------------------------------------------------------------------------- > A stores: | | B stores: > * Q_PW | | * Q_PW > * A_ID | | * B_ID > =============================================================== > A | | B > =============================================================== > Pre-Computations > | | > * a = random from {1,...,q-1} | | * b = random from > {1,...,q-1} > * u'_1 = a * P | | * u_2 = b * P + Q_PW > > ----------------------------------------------------------------------------------- > | A_ID | > |------->| > | B_ID | > |<-------| > * z_A = 0 | | * z_B = 0 > * u_1 = u'_1 - Q_PW | | > | u_1 | > |------->| > | | * if u_1 not on E => FINISH > | u_2 | > |<-------| > * if u_2 not on E => FINISH | | > * Q_A = u_2 - Q_PW | | * Q_B = u_1 + Q_PW > * if (m/q) * Q_A = 0_E => Q_A = P | | * if (m/q) * Q_B = 0_E => > Q_B = P > => z_A = 1 | | => z_B = 1 > * src = ( (m/q) * a mod q ) * Q_A | | * src = ( (m/q) * b mod q ) > * Q_B > * K_A = H(src) | | * K_B = H(src) > > ----------------------------------------------------------------------------------- > * srcA_MAC = TA||A_ID||ind||salt||u_1||u_2 > * srcB_MAC = TB||B_ID||ind||salt||u_1||u_2 > > ----------------------------------------------------------------------------------- > * M_A = HMAC_{K_A}( srcA_MAC ) | | * M'_A = HMAC_{K_B}( > srcA_MAC ) > | M_A | > |------->| > | | > | | > | | * if ( M'_A != M_A ) or ( > z_B != 0 ) > | | => FINISH > | | * M_B = HMAC_{K_B}( > srcB_MAC ) > | M_B | > |<-------| > * M'_B = HMAC_{K_A}( srcB_MAC ) | | > * if ( M'_B != M_B ) or ( z_A != 0 )| | > => FINISH | | > | | > > ----------------------------------------------------------------------------------- > > > Also the SESPAKE protocol can be optimized on the authentication step. > Indeed, on the step of the computation HMAC with tag srcA_MAC we can store > the result of the computations of the inside and outside compress functions > for the first block that depend on a key only. We will use these stored > values to compute the HMAC with the second tag srcB_MAC. > > R7: The authors of a scheme MAY discuss variations of their scheme that > allow the use in special application scenarios. In particular, techniques > that allow agreeing on a long-term (public) key are encouraged. > --- > > R8: A scheme MAY discuss special ideas and solutions on privacy protection > of its users. > The SESPAKE protocol doesn’t assume the privacy protection of its users. > However, this property can be achieved with some additional measures. The > first is the usage of the PKC (Public Key Cryptography) (the client just > encrypts on server’s public key its identifier and sends this encrypted > value to the server). The second is the storage of the additional long-term > values. For example, the server chooses the random value s, computes the > hash-value L1 = H ( s || A_ID ) and sends it to the client A on the stage > of initialization, so client every time just chooses the random value salt, > computes the hash-value L2 = H ( L1 || salt ) and sends a pair ( L2, salt > ) to the server instead of his identifier. The server searches A_ID among > stored identifiers by verifying the condition L2 = H ( H (s || A_ID) || > salt ). Both mechanisms can be implemented with the protocols that are > independent of the SESPAKE scheme. > > R9: The authors MUST declare the status of their scheme with respect to > patents. > This protocol is approved in the standardization system of the Russian > Federation, has no patent and is available for free use. > > XX: A PAKE scheme MUST include descriptions and usage recommendations of > the counters. > For the "online"-guessing every unsuccessful attempt leads to > disconnection caused by the validation failure according to the SESPAKE > protocol. The absence of the fail attempts limitation increases a > probability of "online"-guessing the password. That is the reason, why > there is a limitation of fail connections in a row, fail connections for > the particular password and a limitation of total successful and > unsuccessful connections in the SESPAKE protocol (for more detail see > Section 3.9.1 of the paper [2]). > > [1] Schmidt, J., "Requirements for PAKE schemes", Internet-Draft > draft-irtf-cfrg-pake-reqs-01, October 2015 > http://tools.ietf.org/html/draft-irtf-cfrg-pake-reqs-01 > [2] Stanislav V. Smyshlyaev, Igor B. Oshkin, Evgeniy K. Alekseev, Liliya > R. Ahmetzyanova, “On the Security of One Password Authenticated Key > Exchange Protocol” > http://eprint.iacr.org/2015/1237.pdf > > > > Best regards, > > Stanislav V. Smyshlyaev, Ph.D., > > Head of Information Security Department, > > CryptoPro LLC > >
- [Cfrg] The SESPAKE protocol and PAKE requirements Stanislav V. Smyshlyaev
- Re: [Cfrg] The SESPAKE protocol and PAKE requirem… Schmidt
- Re: [Cfrg] The SESPAKE protocol and PAKE requirem… Stanislav V. Smyshlyaev
- Re: [Cfrg] The SESPAKE protocol and PAKE requirem… Schmidt
- Re: [Cfrg] The SESPAKE protocol and PAKE requirem… Stanislav V. Smyshlyaev
- Re: [Cfrg] The SESPAKE protocol and PAKE requirem… Stanislav V. Smyshlyaev
- Re: [Cfrg] The SESPAKE protocol and PAKE requirem… Stanislav V. Smyshlyaev
- Re: [Cfrg] The SESPAKE protocol and PAKE requirem… Schmidt
- Re: [Cfrg] The SESPAKE protocol and PAKE requirem… Станислав Смышляев
- Re: [Cfrg] The SESPAKE protocol and PAKE requirem… Schmidt
- Re: [Cfrg] The SESPAKE protocol and PAKE requirem… Stanislav V. Smyshlyaev
- Re: [Cfrg] The SESPAKE protocol and PAKE requirem… Schmidt
- Re: [Cfrg] The SESPAKE protocol and PAKE requirem… Stanislav V. Smyshlyaev
- Re: [Cfrg] The SESPAKE protocol and PAKE requirem… Stanislav V. Smyshlyaev