IETF Logo Mail Archive

Re: [Cfrg] Requirements for PAKE schemes

"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Tue, 09 February 2016 19:32 UTC

Return-Path: <smyshsv@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73EB31ACE48 for <cfrg@ietfa.amsl.com>; Tue, 9 Feb 2016 11:32:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.001
X-Spam-Level: *
X-Spam-Status: No, score=1.001 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mgWiwfm0bx-E for <cfrg@ietfa.amsl.com>; Tue, 9 Feb 2016 11:31:59 -0800 (PST)
Received: from mail-vk0-x230.google.com (mail-vk0-x230.google.com [IPv6:2607:f8b0:400c:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26F2D1ACECF for <cfrg@irtf.org>; Tue, 9 Feb 2016 11:31:51 -0800 (PST)
Received: by mail-vk0-x230.google.com with SMTP id e185so124120102vkb.1 for <cfrg@irtf.org>; Tue, 09 Feb 2016 11:31:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=fBWC4dUl01KK9KqWX9YJtFpBYJITOhvZ5lGBCxQPRhg=; b=pwIYrxCJqIwe3gk55zY3LHkNHDWs9wJd0a9lqu4WJsF1Mncljbaly6l2g/GWdsZaYx AfMWsV+OLCvTTTM/w2DlmvVvziGZWJVINR6680blCO3UDSmFm5Ncx+Eu/rf/BGDk+ZQU j4kYEYhcIE6h72Axs8Sjy8IRIEkN2pTv64xfcNNSJXb9v4vIPHJ6vqM38lSrHYY4Htl1 4bP4yfl+xqDAy3gnHmpE9t7ESGRWdXBhABWXh0HM3bNxRc9ihEk7834lB4EdNSAf5LuR AOmjUymvl26PIl0Npne4gGxMtmSp/zubEIjsYFt+lFoNB+SwRiSQ/iUjNmXZy6lKCDDq gMTw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=fBWC4dUl01KK9KqWX9YJtFpBYJITOhvZ5lGBCxQPRhg=; b=BxhLQWlhmZssJ+V6Wk6tnT4p4lMzgj/XWKGi6r2bVP+nr/Zpu7ARn0lhcyYnB4uWwz yWKGmj4wUxgJ/TlMhD032vAYG4Cf6L/jhcQKXomLpA/WPw0t98SMsMUs/iG43WqIXQBk ONNFEJUTKIaFaZ/h6zjlmGX5+q99cZXt3RUZDiXgKMMWNOoD45Spht+BChk5x5uU+Kjl XJkEJNtaFPsYZYu4ry9+1WK889IdVw4c3qQdoRwbbyhIX/ierzlItWZ5QfIcPip/Bkd2 rpJXCjcYMj6/oHdGreOa2ti5XJpGrNN7EdnazstDM27UQoDLXQwCwPxg0tJFG/cROltd 9f1w==
X-Gm-Message-State: AG10YORl+300c4IavP0XowEgTdtIansAbC9b7LI/6/N/7ghjyQkL2DZPF7FkEFVAMlCz2AYn1ci8ekuik06dFw==
MIME-Version: 1.0
X-Received: by 10.31.5.134 with SMTP id 128mr26490056vkf.29.1455046310161; Tue, 09 Feb 2016 11:31:50 -0800 (PST)
Received: by 10.31.80.133 with HTTP; Tue, 9 Feb 2016 11:31:50 -0800 (PST)
In-Reply-To: <38634A9C401D714A92BB13BBA9CCD34F167B14F3@mail-essen-01.secunet.de>
References: <CAMr0u6=76q4n-u1Vpv5vWjSNgi4CtaOJoX0EmvcbXH+9C4w2mg@mail.gmail.com> <78D9D0BF-4ADE-4DDB-88A4-BF03DD6336BA@shiftleft.org> <9c878c6b6b505414f71fa53442e4a33a@mail.tc26.ru> <CAMr0u6nzV_Y87ghnAcmhgkzk4fgdKtC3Kj8NqPyawHrjhGVySg@mail.gmail.com> <CACsn0ckKX7pKZ5qU0y6cR3jyGV8JmL1V8EAUwU6b4ShDYVxmYw@mail.gmail.com> <CAMr0u6kvc1B8MY7Nqs2NLd1tHPU6wiv7ti9QDQ5gvu6iRgw+2g@mail.gmail.com> <930102DC-F5B3-4233-BF6B-1EC631B4ABF5@gmail.com> <56AB6787.1010302@htt-consult.com> <30BB5B38-9DC3-4DC1-968C-F3A2AC293E6F@gmail.com> <01a1b24557860d5e2afc8349d55d6ca5@mail.tc26.ru> <CAMr0u6mj7jczAZSwATcDSYyc7hpa2XxMH1QJYhS9ffgwxW-rmA@mail.gmail.com> <38634A9C401D714A92BB13BBA9CCD34F167B14F3@mail-essen-01.secunet.de>
Date: Tue, 09 Feb 2016 22:31:50 +0300
Message-ID: <CAMr0u6nzuE5eONOgYYkzP0JLGjcY742tBuTkpDxnk_cmjw_UxA@mail.gmail.com>
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
To: "Schmidt, Jörn-Marc" <Joern-Marc.Schmidt@secunet.com>
Content-Type: multipart/alternative; boundary="001a114415f472f2e8052b5b5e1f"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/Jc2HatpC1ijE_6zora9d4ipLPFs>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Requirements for PAKE schemes
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Feb 2016 19:32:01 -0000

Hello, Jorn!

Thank you very much for your opinion. I agree with you and think this is a
smart way to go - we'll stress the importance of these issues, but nobody
will be obliged to add unnecessary text if it isn't really needed.

P.S.: We'll write a post to the mailing list about the accordance of our
SESPAKE draft to the requirements in a few days - maybe some new questions
regarding the requirements (and/or our SESPAKE RFC draft) may occur then.

Best regards,
Stanislav

вторник, 9 февраля 2016 г. пользователь Schmidt, Jörn-Marc написал:

> Hi Stanislav,
>
> Please excuse my late answer.
>
> I think the draft contains the requirement to control the number of
> attempts implicitly in the "Security of PAKEs" section: Eve needs to
> interact with a legitimate party and cannot perform offline attacks.
> Maybe it would be worth adding a sub-clause in this section that mentions
> the tradeoff between security (minimal number of wrong tries) and risk of
> DoS attacks. This way, the statement is clear, but in the running text it
> would not cause the reader to skip the rest. What do you think?
>
> Best regards,
>
> Jörn
>
>
>
>
> -----Ursprüngliche Nachricht-----
> Von: Cfrg [mailto:cfrg-bounces@irtf.org <javascript:;>] Im Auftrag von
> Stanislav V. Smyshlyaev
> Gesendet: Samstag, 30. Januar 2016 13:27
> An: Grigory Marshalko
> Cc: cfrg@irtf.org <javascript:;>; Robert Moskowitz
> Betreff: Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE schemes
>
> ‎Hello, Yoav!
>
> Thank you for your opinion; you are absolutely right that no one needs
> trivial considerations like "number of login attempts MUST be controlled"
> in each RFC (as much as "users MUST NOT store their passwords on sheets of
> paper pinned on their monitors", "Dual EC DRBG MUST NOT be used for
> generating both confidential and public data" etc).
>
> Moreover, including such an obvious recommendation is harmful for the
> security of implementations. If one reads such a phrase, he'll probably
> stop reading "Security considerations" section and won't read really
> important info that should be there next: specific recommendations of
> handling login attempt counters‎ such as "counter value MUST be incremented
> before sending [i]-th message of the [xyz]PAKE protocol".
>
> General recommendations shouldn't be there, but specific ones must.
>
>
> Kind regards,
> Stanislav
>
>
>
>
>
>
>
> 2016-01-30 15:15 GMT+03:00 Grigory Marshalko <marshalko_gb@tc26.ru
> <javascript:;>>:
>
>
>
>         It is very important to have such security considerations be
> written somewhere, especially if they are common and obvious for security
> experts. The problem is that for many implementors they are not obvious,
> and this is always the root of flawed implementations.
>
>         Regards,
>         Grigory Marshalko,
>         expert,
>         Technical committee for standardisation "Cryptography and security
> mechanisms" (ТC 26)
>         www.tc26.ru
>
>         30 января 2016 г., 12:50, "Yoav Nir" <ynir.ietf@gmail.com
> <javascript:;> <mailto:%22Yoav%20Nir%22%20%3Cynir.ietf@gmail.com
> <javascript:;>%3E> > написал:
>
>
>
>
>                         On 29 Jan 2016, at 3:22 PM, Robert Moskowitz <
> rgm-sec@htt-consult.com <javascript:;>> wrote:
>
>
>                         On 01/29/2016 03:04 AM, Василий Долматов wrote:
>
>
>
>                                         29 янв. 2016 г., в 9:26, Stanislav
> V. Smyshlyaev <smyshsv@gmail.com <javascript:;>> написал(а):
>
>                                         A major number of cryptography
> failures follows from incorrect embedding of lower-level protocols to
> high-level ones – if you prove the security of PAKE under specific
> assumtions on counter handling and then someone implements it without
> knowledge of them, you have a practical vulnerability. We do not create
> protocols for vacuum, we make them for practice and must write security
> considerations (a specific "Security considerations" section in RFC can be
> used for discussing these issues, if someone thinks that they are not
> important enough to be in the main part).
>
>                                 I think that idea of moving these
> recommendations and notice about importance of correct setting of these
> counters to the «Security consideration» section is a good one.
>
>
>                         I agree.  It is the perfect use of "security
> considerations" for a security technlogy.  None of the old "this whole
> document is about security".  The security considerations should contain
> what the risks/threats to the technology is and point out what is done to
> address/mitigate them.
>
>
>                 I’m not sure about that. These considerations are true for
> any PAKE. In fact, they’re true for any kind of password scheme. You could
> even make the case that they’re true for any authentication scheme, because
> letting the opponent keep guessing is at least creating a DoS on the
> attacked authentication server.
>                 We generally write in the Security Considerations section
> stuff that is relevant for that particular scheme, not for a whole class of
> schemes. So it may be fine to have a BCP document for “Deploying Password
> Authentication on the Internet”, but I don’t think we need some boilerplate
> text that goes into the security considerations of any password-related RFC.
>                 Yoav
>
>
>

-- 
С уважением,
Станислав Смышляев, к.ф.-м.н.,
Начальник отдела защиты информации ООО "КРИПТО-ПРО"

v2.23.0 | Report a Bug | By Email