Re: [Cfrg] The SESPAKE protocol and PAKE requirements

Schmidt, Jörn-Marc <Joern-Marc.Schmidt@secunet.com> Wed, 17 February 2016 16:17 UTC

Return-Path: <Joern-Marc.Schmidt@secunet.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB3DA1A882A for <cfrg@ietfa.amsl.com>; Wed, 17 Feb 2016 08:17:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.094
X-Spam-Level: *
X-Spam-Status: No, score=1.094 tagged_above=-999 required=5 tests=[BAYES_50=0.8, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.006] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id keFauEb6BXJm for <cfrg@ietfa.amsl.com>; Wed, 17 Feb 2016 08:17:38 -0800 (PST)
Received: from a.mx.secunet.com (a.mx.secunet.com [62.96.220.36]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F2EC1A7013 for <cfrg@irtf.org>; Wed, 17 Feb 2016 08:17:37 -0800 (PST)
Received: from localhost (alg1 [127.0.0.1]) by a.mx.secunet.com (Postfix) with ESMTP id 419861A04A7; Wed, 17 Feb 2016 17:17:35 +0100 (CET)
X-Virus-Scanned: by secunet
Received: from a.mx.secunet.com ([127.0.0.1]) by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id s9YIZueNHaBx; Wed, 17 Feb 2016 17:17:33 +0100 (CET)
Received: from mail-essen-02.secunet.de (unknown [10.53.40.205]) by a.mx.secunet.com (Postfix) with ESMTP id 0B8F01A04A3; Wed, 17 Feb 2016 17:17:33 +0100 (CET)
Received: from MAIL-ESSEN-01.secunet.de ([fe80::1c79:38b7:821e:46b4]) by mail-essen-02.secunet.de ([fe80::4431:e661:14d0:41ce%16]) with mapi id 14.03.0266.001; Wed, 17 Feb 2016 17:17:32 +0100
From: "Schmidt, Jörn-Marc" <Joern-Marc.Schmidt@secunet.com>
To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Thread-Topic: The SESPAKE protocol and PAKE requirements
Thread-Index: AQHRZLvFhinDbGCtJk6tX9iZaQMVS58v8CWw
Date: Wed, 17 Feb 2016 16:17:31 +0000
Message-ID: <38634A9C401D714A92BB13BBA9CCD34F167B5300@mail-essen-01.secunet.de>
References: <CAMr0u6nu=0H8pi=rEC1i69y1nhGLStvbJUXukUX0uHaVperkSg@mail.gmail.com>
In-Reply-To: <CAMr0u6nu=0H8pi=rEC1i69y1nhGLStvbJUXukUX0uHaVperkSg@mail.gmail.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.208.1.80]
x-exclaimer-md-config: 2c86f778-e09b-4440-8b15-867914633a10
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_04C5_01D169A7.24479160"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/IruF68-SACHD2RMw3PSdwj_UpQc>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] The SESPAKE protocol and PAKE requirements
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Feb 2016 16:17:41 -0000

Dear Stanislav,

thank you for you evaluation. That covers exactly what I had in mind when defining the requirements.
Only a minor comment on R5: my main concern was the mapping of a random value or the password to a curve point, which is not required in SESPAKE . 

Best regards,

Jörn

-----Ursprüngliche Nachricht-----
Von: Stanislav V. Smyshlyaev [mailto:smyshsv@gmail.com] 
Gesendet: Donnerstag, 11. Februar 2016 12:03
An: cfrg@irtf.org; Schmidt, Jörn-Marc; alexey.melnikov@isode.com; Paterson, Kenny; Mike Hamburg; Paul Lambert
Betreff: The SESPAKE protocol and PAKE requirements

Dear colleagues,

We'd like to specify the evaluation of the Standardized Password Authenticated Key Exchange (SESPAKE) protocol by PAKE requirements in accordance with [1]. 


R1: A PAKE scheme MUST clearly state its features regarding balanced/augmented versions.
Though one side (client) in SESPAKE protocol maintains the raw password as a secret parameter and the other (server) maintains a password-based computed point of the elliptic curve, actually the SESPAKE is not resistant to Key Compromise Impersonation (KCI), which means that an adversary who has successfully attacked server can automatically impersonate client without offline dictionary attack. Given this, we can say that SESPAKE protocol is balanced.

R2: A PAKE scheme SHOULD come with a security proof and clearly state its assumptions and models.
There is an article [2], in which the models and assumptions used in the SESPAKE protocol are set out with the proof of the protocol security and the cryptographic properties analysis.

R3: It SHOULD be possible to implement the PAKE scheme in constant time. 
The implementation of the SESPAKE protocol in constant time is achieved with the common measures. These measures provide the computation in constant time of some primary operations such as computation of a multiple point or computation of the hash-function.

R4: The authors MAY show how to protect an implementation of their PAKE scheme in hostile environments.
---

R5: In case the PAKE scheme is intended to be used with ECC, the authors SHOULD discuss their requirements for a potential mapping or define a mapping to be used with the scheme.
When a point on an elliptic curve is given to an input of a hash function, affine coordinates for short Weierstrass form are used: an x coordinate value is fed first, an y coordinate value is fed second, both in little-endian format.

R6: A PAKE scheme MAY discuss its design choice with regard to performance, i.e., its optimization goals.

If the server has limited computing resources it can store a point Q_PW instead of the password PW in order to skip a step of the time-consuming computation of the point Q_PW.

There is the optimized version of the SESPAKE protocol below (see Table 1). We consider the case when the server and the client are the same on the point of the computational resources: both store the same low-entropy value Q_PW.  If the actions are in the same row it means that these actions can be implemented in the parallel manner. 
H is a hash-function. According to the definition HMAC_{K}(M)=H(K+opad||H(K+ipad||M)). Let E is a subgroup of prime order q in a group of the used elliptic curve points. P is a generator of the subgroup E, m is the order of the group of used elliptic curve points, 0_E is an identity element of the subgroup E.
The step of the Pre-Computations assumes its implementation before the interactive protocol execution.
                   

                Table 1: the SESPAKE protocol (optimized version)
-----------------------------------------------------------------------------------
                      Public information: E,P,m,q,TA,TB                                        
-----------------------------------------------------------------------------------  
 A stores:                          |        | B stores:                            
 * Q_PW                             |        | * Q_PW                          
 * A_ID                             |        | * B_ID                             
===============================================================
                 A                  |        |                   B                             
===============================================================
                                Pre-Computations                                       
                                    |        |                                      
 * a = random from {1,...,q-1}      |        | * b = random from {1,...,q-1}        
 * u'_1 = a * P                     |        | * u_2 = b * P + Q_PW                  
-----------------------------------------------------------------------------------
                                    |  A_ID  |                                      
                                    |------->| 
                                    |  B_ID  |                                       
                                    |<-------| 
 * z_A = 0                          |        | * z_B = 0                                                                 
 * u_1 = u'_1 - Q_PW                |        |                                      
                                    |  u_1   |                                      
                                    |------->|                                      
                                    |        | * if u_1 not on E => FINISH          
                                    |  u_2   |                                      
                                    |<-------|                                      
 * if u_2 not on E => FINISH        |        | 
 * Q_A = u_2 - Q_PW                 |        | * Q_B = u_1 + Q_PW                  
 * if (m/q) * Q_A = 0_E => Q_A = P  |        | * if (m/q) * Q_B = 0_E => Q_B = P    
   => z_A = 1                       |        |   => z_B = 1                         
 * src = ( (m/q) * a mod q ) * Q_A  |        | * src = ( (m/q) * b mod q ) * Q_B    
 * K_A = H(src)                     |        | * K_B = H(src)                   
-----------------------------------------------------------------------------------
                     * srcA_MAC = TA||A_ID||ind||salt||u_1||u_2                           
                     * srcB_MAC = TB||B_ID||ind||salt||u_1||u_2                         
-----------------------------------------------------------------------------------
 * M_A = HMAC_{K_A}( srcA_MAC )     |        | * M'_A = HMAC_{K_B}( srcA_MAC )      
                                    |  M_A   |                                      
                                    |------->|                                      
                                    |        |                                       
                                    |        |                                      
                                    |        | * if ( M'_A != M_A ) or ( z_B != 0 ) 
                                    |        |   => FINISH                            
                                    |        | * M_B = HMAC_{K_B}( srcB_MAC )       
                                    |  M_B   |                                      
                                    |<-------|                                      
* M'_B = HMAC_{K_A}( srcB_MAC )     |        |                                      
* if ( M'_B != M_B ) or ( z_A != 0 )|        |                                      
   => FINISH                        |        |                                      
                                    |        |
-----------------------------------------------------------------------------------


Also the SESPAKE protocol can be optimized on the authentication step. Indeed, on the step of the computation HMAC with tag srcA_MAC we can store the result of the computations of the inside and outside compress functions for the first block that depend on a key only. We will use these stored values to compute the HMAC with the second tag srcB_MAC. 

R7: The authors of a scheme MAY discuss variations of their scheme that allow the use in special application scenarios. In particular, techniques that allow agreeing on a long-term (public) key are encouraged.
---

R8: A scheme MAY discuss special ideas and solutions on privacy protection of its users.
The SESPAKE protocol doesn’t assume the privacy protection of its users. However, this property can be achieved with some additional measures. The first is the usage of the PKC (Public Key Cryptography) (the client just encrypts on server’s public key its identifier and sends this encrypted value to the server). The second is the storage of the additional long-term values. For example, the server chooses the random value s, computes the hash-value L1 = H ( s || A_ID ) and sends it to the client A on the stage of initialization, so client every time just chooses the random value salt, computes the hash-value  L2 = H ( L1 || salt ) and sends a pair ( L2, salt ) to the server instead of his identifier. The server searches A_ID among stored identifiers by verifying the condition L2 = H ( H (s || A_ID) || salt ). Both mechanisms can be implemented with the protocols that are independent of the SESPAKE scheme.

R9: The authors MUST declare the status of their scheme with respect to patents.
This protocol is approved in the standardization system of the Russian Federation, has no patent and is available for free use.

XX: A PAKE scheme MUST include descriptions and usage recommendations of the counters.
For the "online"-guessing every unsuccessful attempt leads to disconnection caused by the validation failure according to the SESPAKE protocol. The absence of the fail attempts limitation increases a probability of "online"-guessing the password. That is the reason, why there is a limitation of fail connections in a row, fail connections for the particular password and a limitation of total successful and unsuccessful connections in the SESPAKE protocol (for more detail see Section 3.9.1 of the paper [2]).

[1] Schmidt, J., "Requirements for PAKE schemes", Internet-Draft draft-irtf-cfrg-pake-reqs-01, October 2015
http://tools.ietf.org/html/draft-irtf-cfrg-pake-reqs-01 
[2] Stanislav V. Smyshlyaev, Igor B. Oshkin, Evgeniy K. Alekseev, Liliya R. Ahmetzyanova, “On the Security of One Password Authenticated Key Exchange Protocol”
http://eprint.iacr.org/2015/1237.pdf 



Best regards,

Stanislav V. Smyshlyaev, Ph.D.,

Head of Information Security Department,

CryptoPro LLC