Re: [CFRG] Attack on a Real World SPAKE2 Implementation

Filippo Valsorda <filippo@ml.filippo.io> Fri, 07 May 2021 23:52 UTC

Date: Fri, 07 May 2021 19:51:47 -0400
From: Filippo Valsorda <filippo@ml.filippo.io>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Ruben Gonzalez <in+lists@ruben-gonzalez.de>, "cfrg@irtf.org" <cfrg@irtf.org>
Cc: "rixxc@redrocket.club" <rixxc@redrocket.club>
Content-Type: multipart/alternative; boundary="4faaa7fb713c4b14a1b592c5e97eac9c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/FXrnsU5kUT0kFDCqEOcKRg0ieuo>

2021-05-07 04:17 GMT-04:00 Peter Gutmann <pgut001@cs.auckland.ac.nz>:
> Ruben Gonzalez <in+lists@ruben-gonzalez.de> writes:
> 
> >We did not attack SPAKE2 directly, but a faulty implementation.
> 
> Nice work!  This is an example of what I once referred to as second-order
> snake oil crypto, good crypto applied badly (first-order is bad crypto).

Snake oil is fraudulent. This is a broken implementation, for which specification authors should at least consider sharing the blame. How did the spec fail the implementers, who presumably were not trying to implement something in a broken way?

(I know, I know, SPAKE2 is a draft, not an RFC! But it's been a draft for almost 7 years, and at some point people need to implement stuff.)