[Cfrg] Augmented PAKE review for use with TLS
Jonathan Hoyland <jonathan.hoyland@gmail.com> Sun, 15 September 2019 10:51 UTC
Return-Path: <jonathan.hoyland@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12A37120088 for <cfrg@ietfa.amsl.com>; Sun, 15 Sep 2019 03:51:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.754
X-Spam-Level:
X-Spam-Status: No, score=-0.754 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NUMERIC_HTTP_ADDR=1.242, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, WEIRD_PORT=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nitl2Jc6Qy7S for <cfrg@ietfa.amsl.com>; Sun, 15 Sep 2019 03:51:45 -0700 (PDT)
Received: from mail-ua1-x943.google.com (mail-ua1-x943.google.com [IPv6:2607:f8b0:4864:20::943]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AAFFF12000F for <cfrg@irtf.org>; Sun, 15 Sep 2019 03:51:45 -0700 (PDT)
Received: by mail-ua1-x943.google.com with SMTP id b14so290081uap.6 for <cfrg@irtf.org>; Sun, 15 Sep 2019 03:51:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=KX/DXAokHUUFrhpk0fKg1FxSUtK7cxj1ymT0viZTCvY=; b=J+bNQ3NZmj1viUJNkQO6kvBnCYYzel5p3XtnQfSG7LtQfl40AbQf7w594o6Ttv/xkx fazDKy2CQfc7xm7G5LueYT5MpillPI1cvtNoOuf599mij4jXUNh50w5qweoZrxb4hXZo tN6ql1aksxaJ/aSQzodLr1QaoIi5pHhtT6ToK4ktfDEnSLLJlee7i+YtQtYYn68gDByl E3ewY+wwGFEMsq7xBezoxBA2w0xnkXtD96HxudEluCvULHNWVH2YfsLHYhrq0QOCJNRo OpHt9ToYZ+yzKHhU4OmftgJhBcARCeSiOjO9hIo22XY9TCD8hxCMry+0KvahIWArvVKn 3Hmg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=KX/DXAokHUUFrhpk0fKg1FxSUtK7cxj1ymT0viZTCvY=; b=cUos9SDvLwE4r3E5SqOglJy6t8xMMkX+7VDS7gA2flYOcjEjA1+coHUTaLRLefEtyv Zokoc4uGPFWJLnhh3azY6BqW+IhGwP3wqCes8bicMk5exqkGeAtwWHxfVcQegMA/j8SC 3ftGrtDJ2LaiXX8XtTPAdR+UvVspVxTK3EU9XeVa4mrMTueWD65UPNE9BDSoenr7q3bf dUadMng1Vg0yivY87et7jG4GdcHJJc0JaOZok8E+gHSxsAzna4SkjjZVBd+nm8CurF+E qc7SWkxotumgntv1WEOTLa+DcNYISImaCeFFAtTV0w5sPbjzVATnFpWrn0kJu1N94kXB iiUA==
X-Gm-Message-State: APjAAAUUBox47Nx4qy7kWZFKfeCEFJKhJVFaIHxYNgD8dhHFUz87CBm7 pBeoObIVWUNJieWMpu0UNfnzSvJcdLQVmv7cNmI=
X-Google-Smtp-Source: APXvYqzskSY9OM5gXacLvhrZIUprJWcdWLhG1vOuBTiIrurcFtwIoTpYuCpF0HuYvidXUFtQ6RsMmOMgQ7lIl984xkw=
X-Received: by 2002:ab0:6550:: with SMTP id x16mr27676521uap.27.1568544704600; Sun, 15 Sep 2019 03:51:44 -0700 (PDT)
MIME-Version: 1.0
From: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Date: Sun, 15 Sep 2019 11:51:33 +0100
Message-ID: <CACykbs1msV5ULiDFE7eSUTjyJ8uLmRgPhma+xvB=zeRLcbCvqw@mail.gmail.com>
To: smyshsv@gmail.com, cfrg <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000eea0d80592954544"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/FaY_3w5lWtygha0DTY5hJ9Yy7WU>
Subject: [Cfrg] Augmented PAKE review for use with TLS
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Sep 2019 10:51:48 -0000
Hi All, At Stanislav's request I have reviewed the four augmented PAKEs suitability for use with TLS, see below. I hope you find it useful. Apologies in advance for any mistakes. Regards, Jonathan ------------------------------------- *Review of the four candidate augemented PAKEs for their suitability for use with TLS.* 1. BSPAKE 2. OPAQUE 3. VTBPEKE 4. AuCPace ------------------------------ <http://127.0.0.1:9016/page/1#1.-bspake> 1. BSPAKE BSPAKE is a very short, rather underspecified, entry, making fair review somewhat challenging. As pointed out on the mailing list, BSPAKE can be viewed as a member of the OPAQUE family, so I will wrap it into my review of OPAQUE, and instantiations thereof. <http://127.0.0.1:9016/page/1#2.-opaque> 2. OPAQUE OPAQUE is a very comprehensive entry, with an attendant suggestion for how it is to be combined with TLS. OPAQUE is defined as a compiler that transforms an OPRF and an AKE into a SaPAKE. Thus it has numerous instantiations. Because OPAQUE is a 3 flow protocol initiated by the client, there is an obvious / naïve way of implementing OPAQUE with TLS, simply aligning the messages with the TLS messages in appropriate extensions. This has been specified in two ways in draft-sullivan-tls-opaque <https://tools.ietf.org/html/draft-sullivan-tls-opaque-00>. Either of the specified methods seems likely to have good security properties, however because one injects key material into the TLS key schedule, and the other removes the PKI-based certificates, the security properties are not trivially derivable. draft-sullivan-tls-opaque also specifies a third mechanism that has clearer security properties, using Exported Authenticators (EAs) to perform the authentication / OPRF protocol. At the cost of an extra round trip, the EA-based OPAQUE uses a standard TLS handshake, and then binds the OPRF on top. Because of the design of EAs the security properties of the TLS handshake and the OPRF protocol can be composed. The EA-based setup is probably the most practical solution, having clear security properties, and matching the current authentication flow used by many web applications. Further, it does not leak the user id, which all other candidates and the two naïve OPAQUE candidates do, which would constitute a *new* security risk, and is arguably a breach of TLS’ “Protection of endpoint identities” guarantee. <http://127.0.0.1:9016/page/1#3.-vtbpeke> 3. VTBPEKE VTBPEKE, in its vanilla form, does not appear to be resistant to pre-computation attacks, as the salt is sent to the client in the clear. However if paired with TLS the salt would be placed in an encrypted extension. This makes it resistant to passive, though not active, attackers. VTBPEKE does have a clear path to binding it to the TLS connection. In the second flow the server sends ε, a value chosen at random from {0,1}^k. This value could be replaced with a TLS exporter key labelled with a fixed string. Doing so would bind the authentication flow to a specific handshake, and allow for clear reasoning about the properties of TLS + VTBPEKE. VTBPEKE doesn’t come with a IETF style draft, and the notation in the paper is confusing at times, but the only obvious major obstacle to pairing it with TLS is the leaking of the user id to even a passive adversary. It is possible that one could use EAs in the same was as suggested by OPAQUE, but some thought would have to be given to working out the details. There are no suggested mitigations against user enumeration, but having the server construct Y using a random g if the user is unknown would seem to be effective. <http://127.0.0.1:9016/page/1#4.-aucpace> 4. AuCPace AuCPace is also a very comprehensive entry, and has an attendant suggestion for TLS integration. The updated strong AuCPace entry blinds the salt, which makes the entry secure against precomputation attacks. AuCPace’s decision to allow the client to select the salt seems hard to justify, because a lazy client may simply always use the same salt. Because the server identity is not included in the computation of w one can imagine clients that simply store a single w as their password, and effectively use the same password with all sites. This might be an especially tempting shortcut on low power devices. In Appendix D the authors suggest a method for TLS integration. Specifically, they suggest performing a pre-TLS handshake to establish a PRS, and then using a TLS + CPace design to authenticate the pre-handshake. This is an interesting suggestion, but may see practical difficulties with routing and session binding. It is also unclear how easy it would be to bind the TLS + CPace handshake back into the overall AuCPace flow. Specifically, it’s not clear to me that the weaker authentication guarantees offered by the PSK interface allow for secure composition of the two substeps. The TLS PSK handshake doesn’t use any asymmetric primitives, which means that authentication properties from prior handshakes might not compose, leaving the path open for a channel synchronization attack. Certainly it’s something that would require further evaluation. It is also not immediately obvious if you can efficiently use EAs in a similar manner to OPAQUE, because of the ordering requirement of the CPace substep and the AuCPace augmentation layer. The naïve method would add two round trips, and is almost certainly not the best solution. <http://127.0.0.1:9016/page/1#overall-recommendation> Overall recommendation All the candidates have things to recommend them, but overall I think OPAQUE with EAs is the best option, because it hides the user identity, something that is important with TLS. BSPAKE’s explicit inclusion of the client and server identities in the key derivation appeals to me, and might be something worth adding to OPAQUE, although I’d have to think carefully about whether it actually contributes anything. If user id hiding is not required then a variant of VTBPEKE with salt blinding would be a reasonable candidate, because the binding to the TLS handshake doesn’t change the guarantees of the underlying handshake like OPAQUE, or a require a pre-TLS flow like AuCPace. OPAQUE is also a reasonable candidate in the user revealing scenairo, although some effort would need to be expended to check whether it invalidated the current security proofs of TLS.
- [Cfrg] Augmented PAKE review for use with TLS Jonathan Hoyland