IETF Logo Mail Archive

Re: [Cfrg] The SESPAKE protocol and PAKE requirements

Schmidt, Jörn-Marc <Joern-Marc.Schmidt@secunet.com> Wed, 27 April 2016 06:34 UTC

Return-Path: <Joern-Marc.Schmidt@secunet.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39BE512B04D for <cfrg@ietfa.amsl.com>; Tue, 26 Apr 2016 23:34:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.896
X-Spam-Level:
X-Spam-Status: No, score=-2.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.996] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ku02hKu_bek9 for <cfrg@ietfa.amsl.com>; Tue, 26 Apr 2016 23:34:29 -0700 (PDT)
Received: from a.mx.secunet.com (a.mx.secunet.com [62.96.220.36]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7805D12B017 for <cfrg@irtf.org>; Tue, 26 Apr 2016 23:34:28 -0700 (PDT)
Received: from localhost (alg1 [127.0.0.1]) by a.mx.secunet.com (Postfix) with ESMTP id A04DD1A0754; Wed, 27 Apr 2016 08:34:25 +0200 (CEST)
X-Virus-Scanned: by secunet
Received: from a.mx.secunet.com ([127.0.0.1]) by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id EFt8AL7Snevi; Wed, 27 Apr 2016 08:34:22 +0200 (CEST)
Received: from mail-essen-02.secunet.de (unknown [10.53.40.205]) by a.mx.secunet.com (Postfix) with ESMTP id EC4CC1A074D; Wed, 27 Apr 2016 08:34:22 +0200 (CEST)
Received: from MAIL-ESSEN-01.secunet.de ([fe80::1c79:38b7:821e:46b4]) by mail-essen-02.secunet.de ([fe80::4431:e661:14d0:41ce%16]) with mapi id 14.03.0279.002; Wed, 27 Apr 2016 08:34:23 +0200
From: "Schmidt, Jörn-Marc" <Joern-Marc.Schmidt@secunet.com>
To: Станислав Смышляев <smyshsv@gmail.com>
Thread-Topic: The SESPAKE protocol and PAKE requirements
Thread-Index: AQHRZLvFhinDbGCtJk6tX9iZaQMVS58v8CWwgASpHACABKX9YIADBHEAgFTOcwCAAFNukIAE1/CAgAZhuMCAAAkJgIABHDkA
Date: Wed, 27 Apr 2016 06:34:22 +0000
Message-ID: <38634A9C401D714A92BB13BBA9CCD34F23476F97@mail-essen-01.secunet.de>
References: <CAMr0u6nu=0H8pi=rEC1i69y1nhGLStvbJUXukUX0uHaVperkSg@mail.gmail.com> <38634A9C401D714A92BB13BBA9CCD34F167B5300@mail-essen-01.secunet.de> <CAMr0u6=eKJyCVQwHpuBLzB2TrrUQrfP8ti9N+Ai108=iS9tkZA@mail.gmail.com> <38634A9C401D714A92BB13BBA9CCD34F167B8267@mail-essen-01.secunet.de> <CAMr0u6m7TD2Nx29q+gFOBEFRswSiSCzXmGoVP_AmZtNhs0vUFw@mail.gmail.com> <CAMr0u6=YnFXRDtXxHuz03g2-Dt74Z1HZ3Pa3GVYOa2_hPFsgrw@mail.gmail.com> <38634A9C401D714A92BB13BBA9CCD34F23472FB0@mail-essen-01.secunet.de> <CAMr0u6kU2r=xKwAwCW+oCcA=-BDAEb7E2pbx6Df=DDw2-OkGXQ@mail.gmail.com> <38634A9C401D714A92BB13BBA9CCD34F23476BA3@mail-essen-01.secunet.de> <20160426144049.5910610.54445.3223@gmail.com>
In-Reply-To: <20160426144049.5910610.54445.3223@gmail.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.208.1.80]
x-exclaimer-md-config: 2c86f778-e09b-4440-8b15-867914633a10
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_00B9_01D1A05F.AF828980"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/G9CbZeYQ5vJqLl4Vu5dPd-pDFTw>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] The SESPAKE protocol and PAKE requirements
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Apr 2016 06:34:31 -0000

Hi Stanislav,

I think I got your point: it's necessary to explicitly point out what to proof, right?

What about adding something like "In particular, the proof must show that (1) a passive adversary cannot learn anything about the password by eavesdropping a key agreement and (2) the probability of an active adversary to succeed is limited by the number of guesses divided by the password-length." after the last sentence ("[...]assumptions and used models.")?

Best regards,

Jörn

-----Ursprüngliche Nachricht-----
Von: Станислав Смышляев [mailto:smyshsv@gmail.com] 
Gesendet: Dienstag, 26. April 2016 16:41
An: Schmidt, Jörn-Marc
Cc: cfrg@irtf.org
Betreff: Re: The SESPAKE protocol and PAKE requirements

‎Dear Jorn,

Thank you very much for your response.

That's my point: Eve obviously can always guess the password with a nonzero probability, but that doesn't mean that we do not need to address false authentication attacks at all - this only means that it has to be proven that for a certain PAKE protocol the probability of Eve's false authentication has the form of q/|D| + \nu(n), where D is the password set, n is the security parameter, q is the limit of trials (online) and \nu(n) is negligible if all used primitives are strong. ‎

A proof of a statement of this kind is crucial to evaluate the real security (in fact, probability of a false authentication or obtaining some info about a key) for a specific allowed limit of trials, password length and alphabet and adversary resources. 

‎Thus I think it is important to specify that the PAKE proposal must have a clear (and proven) security evaluation (kind of "Pr <= q/|D| + \nu(n)" ) for threats of 1) key distinguishing and 2) false authentication. 
‎
Best regards,
Stanislav‎
  Исходное сообщение  
От: Schmidt, Jörn-Marc
Отправлено: вторник, 26 апреля 2016 г., 15:22
Кому: Stanislav V. Smyshlyaev
Копия: cfrg@irtf.org
Тема: AW: The SESPAKE protocol and PAKE requirements

Hi Stanislav,

thank you for reviewing the document and your feedback. 


>Maybe it will be helpful to add in Section 4 (after it is stressed that "PAKE scheme should come with a security proof and also clearly state its assumptions and used models"), which threats are most relevant (and >thus which threats must be addressed in adversary models considered in secutiy proofs)? For instance, a threat of distinguishing a key from a random string and a threat of false authentication.


I'm not completely sure how to address this. My understanding of a proof for a PAKE scheme is that Eve must not learn more than that there was a key agreement when listening to one. In case she hits the password by guessing, she wins - that's something you cannot prevent. I tried to describe this in the Section 4: 
"That is, if Eve is unable to take information from a passive attack or a single active attack and enumerate through her dictionary then the only attack left is repeated guessing attacks. Eve learns one thing from a single active attack: whether her single guess is correct or not. In other words, the security of a PAKE scheme is based on the idea that Eve, who is trying to impersonate Alice cannot efficiently verify a password guess without interacting with Bob (or Alice) and hence is detected. "

Do you have a suggestion how to improve this section to underline specific threats? 

Best regards,


Jörn

v2.23.0 | Report a Bug | By Email