[CFRG] Attack on a Real World SPAKE2 Implementation

Ruben Gonzalez <in+lists@ruben-gonzalez.de> Fri, 07 May 2021 07:25 UTC

Return-Path: <in+lists@ruben-gonzalez.de>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 6B02B3A0D63 for <cfrg@ietfa.amsl.com>; Fri, 7 May 2021 00:25:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id GZECHyAvzSdq for <cfrg@ietfa.amsl.com>; Fri, 7 May 2021 00:25:54 -0700 (PDT)
Received: from mout-p-202.mailbox.org (mout-p-202.mailbox.org [IPv6:2001:67c:2050::465:202]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB3FE3A0D5A for <cfrg@irtf.org>; Fri, 7 May 2021 00:25:52 -0700 (PDT)
Received: from smtp1.mailbox.org (smtp1.mailbox.org []) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-202.mailbox.org (Postfix) with ESMTPS id 4Fc26h4zsxzQjxW; Fri, 7 May 2021 09:25:48 +0200 (CEST)
X-Virus-Scanned: amavisd-new at heinlein-support.de
Received: from smtp1.mailbox.org ([]) by spamfilter06.heinlein-hosting.de (spamfilter06.heinlein-hosting.de []) (amavisd-new, port 10030) with ESMTP id 2OI_I3iALrIE; Fri, 7 May 2021 09:25:44 +0200 (CEST)
To: cfrg@irtf.org
Cc: rixxc@redrocket.club
From: Ruben Gonzalez <in+lists@ruben-gonzalez.de>
Message-ID: <2bfbd767-b93a-42bd-be7d-1dae9e32e555@ruben-gonzalez.de>
Date: Fri, 07 May 2021 09:24:20 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
X-MBO-SPAM-Probability: ***
X-Rspamd-Score: 3.55 / 15.00 / 15.00
X-Rspamd-Queue-Id: 38F191894
X-Rspamd-UID: 9632e9
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/KtmqZS6CFUwCfkVTlieGw-ZFGfY>
Subject: [CFRG] Attack on a Real World SPAKE2 Implementation
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 May 2021 07:25:59 -0000

Hello CFRGers,

this is my first time posting on the mailing list. In case this is the 
wrong place for such a message, I apologize.

Aaron Kaiser (in CC) and I wrote a detailed blog post about a 
vulnerability Aaron found in a real world SPAKE2 implementation.

The blog post "Croc Full Plaintext Recovery - CVE-2021-31603" can be 
found here: https://redrocket.club/posts/croc/.

We did not attack SPAKE2 directly, but a faulty implementation. The blog 
post might still be relevant for authors of the standard, since it shows 
how developers can easily misunderstand it.

For questions or additional information, just drop us an email.

Kind regards,

Ruben Gonzalez