[CFRG] Re: RGLC on draft-irtf-cfrg-opaque-13

Kevin Lewi <lewi.kevin.k@gmail.com> Tue, 28 May 2024 18:04 UTC

Return-Path: <lewi.kevin.k@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5E2DC1D8760 for <cfrg@ietfa.amsl.com>; Tue, 28 May 2024 11:04:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RC-ez3tS7ZAn for <cfrg@ietfa.amsl.com>; Tue, 28 May 2024 11:04:51 -0700 (PDT)
Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AAE51C1D4A8E for <cfrg@irtf.org>; Tue, 28 May 2024 11:04:51 -0700 (PDT)
Received: by mail-lj1-x231.google.com with SMTP id 38308e7fff4ca-2e716e302bdso13534721fa.1 for <cfrg@irtf.org>; Tue, 28 May 2024 11:04:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1716919489; x=1717524289; darn=irtf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Z6lUjxcx6GxkvG6OVWYaBMVZ0rEIGSbnXgP5MPCF6lE=; b=YsfoA8Jw5FUNeia8ilGGxVSx3pes5fRoxt5cUtyc0Dt+MNNdorF6T84R33azlf4spR ym6ifcBcFKUXNAz/H2g2KK5+V/Ml7Gh2wr2U5jM1D/xbN+kiI3asY2kfotfZ9hDWEOis rlf1NLg2QD+NfKdTXA4nc2wSf0ttLvZLse13SVD+jrOnBRbDVNWcsSUQFIhaLjFS/dXo JR5iHjiXZJ/UPsdg9n53RHdqRNDKyVboEWQvvRjS23H4vftGJ1qYU47MQ96uVDbQhJgQ /NxiM8oEutyYwEK6YaLIzvNxW9J72ZLfjuyHy5wd/ZUsdBBgJklreZlvPv+ZKIqD8sIT +opQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716919489; x=1717524289; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Z6lUjxcx6GxkvG6OVWYaBMVZ0rEIGSbnXgP5MPCF6lE=; b=jMekR4pvnJCXA26mJI+1bRzBCG91Qb5+PN4sTZy55Itq6epyXbPU2QmebdZAiqQyMr TTdElJXDr4vm0ZBOTh4F+aRzmGFrRwAEftkAiTBtspd2aOj1T9Oan+dLS75x748s++pu /f2C3HLEH5JC9MUTzv4kdiZgYFRid35T4IHVPiTnXYTAFWOMLzaa9KvgjPWgkxSz3ZH1 4L7mHoVDgcyOQRcDOCfcm0ZyraBduwdyKIOM+G0L7wukGUc/FYKFXAfvSyLZOKL/FI21 uanWo1IWW6rtM+prOiqT8aZ/34h51WRfJPc5ckC7Y0A9chnNRHdyTyh/ofxyC7Nf/R0n xZjw==
X-Forwarded-Encrypted: i=1; AJvYcCWxnvf6t63tgIKNjgqU9Y8mMCDBfrWODC6kTwfKrke2qeGwH0glBGIluGDQzHAPoogF3iryycutjtH0EFJb
X-Gm-Message-State: AOJu0YxyIpc3oN0Z/wHeNmYONJm1B6dJeKMttwKzL1I8L1uY8m2JAYoj AUL+SAFgMTRqBE54iUvC/CqLf05lQ9t9rLf2w38oEyCvEBreLCMJpwkOSeCXEN52U8UZOXogUvj lEsDb3uKiPvZrrgPa+66K3coQAqzQASbvV/0=
X-Google-Smtp-Source: AGHT+IG3cKK3v91Es+uD6/+LT9vgJqJ4damVBe2Nigl5Gu1sQjgyxNo3GebI0vk1/hk7AaorBUHms8Af4xuzE0Hv4IY=
X-Received: by 2002:a2e:9891:0:b0:2dc:9b50:eabb with SMTP id 38308e7fff4ca-2e95b0411bamr78546331fa.4.1716919488933; Tue, 28 May 2024 11:04:48 -0700 (PDT)
MIME-Version: 1.0
References: <CADi0yUNbiVTe9BaoCFgDaTC06Z1LMAx6q2hJDiWydpy6xFqtRQ@mail.gmail.com> <GV1PR01MB8436B6B6B75DEBC9F1FB30A9D6EA2@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <CADi0yUNCkk8Y5dQJH6DjR33cP7KXXrQsmHfA0UDRxjGuoXCaLA@mail.gmail.com> <GV1PR01MB8436DBCC8F5B167B0B44490AD6EA2@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <CADi0yUPcyc9oSM4NqWynkWuTPStnD9yqt4XwmAg7c=XjCtik4A@mail.gmail.com> <GV1PR01MB84364908B61E293E46012214D6EB2@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <CADi0yUOtSBmCnQMP-MoyzzxF6LZQcrKfo03sN2cNuO6MS74NAg@mail.gmail.com> <GV1PR01MB84361129416DC8B621CAAEDFD6F42@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <y5y4iquyvrao7jtpyc2ycjtz4sg5dbzhrhddz5j6rv3eydyd2o@zy65yreteuoh> <GV1PR01MB8436B919FE24E2E022639155D6F52@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <2dhbnlfzwgllzqc7farahxqkct3zqcoi7wdj7vybivlzzwxrei@e7phsvy5i6ae> <GV1PR01MB843618C88187FE124B1F142ED6F02@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <CACsn0c=M5OofNyG8YhO4vYOWwFvZW9yLpwMGMXkkDrXZ=Ty1jw@mail.gmail.com> <GV1PR01MB8436ACA18A87EA7AA8A4EA57D6F02@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <CABcZeBP64AC_mSgyU-YyQwCz3bHrbvcqB0xk0TdXampdCtvu6A@mail.gmail.com> <GV1PR01MB8436DDBCAF9F00DDCF34D19BD6F02@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <CABcZeBPsVUaSsX-WOV9ow2tTSaZqspzeAoBhxLBBjJAav71C0g@mail.gmail.com> <CADi0yUO5QjyXhkA7S5z7js79OTQWFdwBnhAiSkR7BFC3H+B1oA@mail.gmail.com>
In-Reply-To: <CADi0yUO5QjyXhkA7S5z7js79OTQWFdwBnhAiSkR7BFC3H+B1oA@mail.gmail.com>
From: Kevin Lewi <lewi.kevin.k@gmail.com>
Date: Tue, 28 May 2024 11:04:36 -0700
Message-ID: <CACitvs_ngWdAmfSDD-EJG=0XVhkOmhhr=tvYQ+KB7bYXwqwEEw@mail.gmail.com>
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
Content-Type: multipart/alternative; boundary="0000000000003ef86b06198778e4"
Message-ID-Hash: SSVZ523JKXULTCAV7X3HPQYDMINYYFCV
X-Message-ID-Hash: SSVZ523JKXULTCAV7X3HPQYDMINYYFCV
X-MailFrom: lewi.kevin.k@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "Hao, Feng" <Feng.Hao@warwick.ac.uk>, IRTF CFRG <cfrg@irtf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [CFRG] Re: RGLC on draft-irtf-cfrg-opaque-13
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/HZ82nfcDM4ldELL3FTVHyf4aitQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

Hi all, some additional text has been added to the draft to address the
above discussion, under the Implementation Considerations section on
handling online guessing attacks:

"Additionally, note that a client participating in the online login stage
will learn whether or not authentication is successful after receiving the
`KE2` message. This means that the server should treat any client which
fails to
send a subsequent `KE3` message as an authentication failure. This can be
handled
in applications that wish to track authentication failures by, for example,
assuming by default that any client authentication attempt is a failure
unless a `KE3`
message is received by the server and passes `ServerFinish` without error."

(see https://github.com/cfrg/draft-irtf-cfrg-opaque/pull/456)

We believe the right way forward is to address this by offering ways to
mitigate the attacks through the server's actions rather than directly
modify the OPAQUE protocol itself.

Hope this makes sense, and let us know if you think any of the wording
should be adjusted.

Thanks,
Kevin

On Mon, May 27, 2024 at 3:54 PM Hugo Krawczyk <hugo@ee.technion.ac.il>
wrote:

> There is an even better reason not to go with what Feng proposes. His
> modified protocol is insecure. To achieve the property that the server
> learns first whether the password was wrong, you would need to move
> auth_tag to the fourth message and that modified protocol is insecure (in
> the real sense of insecure, not as Feng's "undetectable attack").
>
> Let's move on.
>
> Hugo
>
> On Mon, May 27, 2024 at 6:47 PM Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>>
>> On Mon, May 27, 2024 at 3:15 PM Hao, Feng <Feng.Hao@warwick.ac.uk> wrote:
>>
>>> Hi Eric,
>>>
>>>
>>>
>>> What I propose is to remove the key confirmation string sent by the
>>> server in the 2nd pass. The client sends its key confirmation in the 3rd
>>> pass, and the server only sends its key confirmation string in the 4th
>>> pass. This will be a revision in the protocol spec. I couldn’t see how
>>> adding a piece of text could properly address this issue.
>>>
>>
>> Thanks for the explanation.
>>
>> I don't see this as a realistic proposal, as it would mean that OPAQUE
>> would not be able to fit into TLS 1.3 without significant surgery to the
>> TLS 1.3 core, which is obviously undesirable for deployment reasons. It
>> seems to me that we do want it to be possible to use PAKEs with TLS 1.3,
>> and if the choices are to accept this property or to make big changes to
>> TLS 1.3, then I think the right answer is probably to accept this property
>> and document it in the specification.
>>
>> -Ekr
>>
>>
>>>
>>> Cheers,
>>>
>>> Feng
>>>
>>>
>>>
>>> *From: *Eric Rescorla <ekr@rtfm.com>
>>> *Date: *Monday, 27 May 2024 at 23:00
>>> *To: *Hao, Feng <Feng.Hao@warwick.ac.uk>
>>> *Cc: *Watson Ladd <watsonbladd@gmail.com>, IRTF CFRG <cfrg@irtf.org>
>>> *Subject: *Re: [CFRG] Re: RGLC on draft-irtf-cfrg-opaque-13
>>>
>>> Feng,
>>>
>>>
>>>
>>> This has been a very long thread, with a lot of back and forth, but it's
>>> not clear to me what outcome you are looking for here.
>>>
>>>
>>>
>>> Do you have a proposed piece of text that you think should be in the
>>> OPAQUE draft prior to it going to RFC? If so, what is that text?
>>>
>>>
>>>
>>> -Ekr
>>>
>>>
>>>
>>>
>>>
>>> On Mon, May 27, 2024 at 2:32 PM Hao, Feng <Feng.Hao=
>>> 40warwick.ac.uk@dmarc.ietf.org> wrote:
>>>
>>> Hi Watson,
>>>
>>>
>>>
>>> That will be a standard online dictionary attack which applies to any
>>> PAKE, and can be detected and “accurately” recorded by the server. Please
>>> have a look at Ding and Horster’s 1995 paper which I posted earlier.
>>> https://dl.acm.org/doi/pdf/10.1145/219282.219298 That paper explains
>>> the difference between a standard (detectable) online dictionary attack and
>>> an undetectable online dictionary attack. Similar attacks in various
>>> different protocol settings have been well studied in the past 30 years.
>>>
>>>
>>>
>>> Cheers,
>>>
>>> Feng
>>>
>>>
>>>
>>> *From: *Watson Ladd <watsonbladd@gmail.com>
>>> *Date: *Monday, 27 May 2024 at 21:49
>>> *To: *Hao, Feng <Feng.Hao@warwick.ac.uk>
>>> *Cc: *Riad S. Wahby <riad@cmu.edu>, IRTF CFRG <cfrg@irtf.org>
>>> *Subject: *Re: [CFRG] Re: RGLC on draft-irtf-cfrg-opaque-13
>>>
>>> On Mon, May 27, 2024 at 6:13 AM Hao, Feng
>>> <Feng.Hao=40warwick.ac.uk@dmarc.ietf.org> wrote:
>>> >
>>> > Hi Riad,
>>> >
>>> >
>>> >
>>> > The factual difference between OPAQUE and SRP-6a is that in OPAQUE,
>>> the server is authenticated first, whilst in SRP-6a, the client is
>>> authenticated first. The order of authentication has a profound implication
>>> in security here. For the case of OPAQUE, the server leaks password
>>> verification information via the key confirmation string in the 2nd pass
>>> before the client is authenticated. If the client drops out, the server
>>> can’t distinguish legitimate drop-outs from online guessing attacks. This
>>> means that the server has to deal with false positives (denying legitimate
>>> users hence causing the DoS attack to its own users) and false negatives
>>> (letting an attacker guess the password without being detected or logged).
>>> Managing the false positive and false negative can be complicated in
>>> practice.
>>>
>>> Huh? An attacker can always carry out the full protocol to guess to
>>> lock someone out. That a query amounts to a guess doesn't really
>>> change this.
>>>
>>> --
>>> Astra mortemque praestare gradatim
>>>
>>> _______________________________________________
>>> CFRG mailing list -- cfrg@irtf.org
>>> To unsubscribe send an email to cfrg-leave@irtf.org
>>>
>>> _______________________________________________
>> CFRG mailing list -- cfrg@irtf.org
>> To unsubscribe send an email to cfrg-leave@irtf.org
>>
> _______________________________________________
> CFRG mailing list -- cfrg@irtf.org
> To unsubscribe send an email to cfrg-leave@irtf.org
>