Re: [Cfrg] Fwd: New Version Notification for draft-harkins-pkex-03.txt

Ахметзянова Лилия Руслановна <lah@cryptopro.ru> Wed, 01 November 2017 16:59 UTC

Return-Path: <lah@cryptopro.ru>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43B8413F8EA for <cfrg@ietfa.amsl.com>; Wed, 1 Nov 2017 09:59:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EwnEFjmfCIpR for <cfrg@ietfa.amsl.com>; Wed, 1 Nov 2017 09:59:11 -0700 (PDT)
Received: from mx.cryptopro.ru (mx.cryptopro.ru [193.37.157.34]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C65E13F8DA for <cfrg@irtf.org>; Wed, 1 Nov 2017 09:59:07 -0700 (PDT)
Received: from orion.cp.ru (192.168.69.205) by pegas.cp.ru (192.168.68.231) with Microsoft SMTP Server (TLS) id 14.3.279.2; Wed, 1 Nov 2017 19:59:04 +0300
Received: from orion.cp.ru (192.168.69.205) by orion.cp.ru (192.168.69.205) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Wed, 1 Nov 2017 19:59:03 +0300
Received: from orion.cp.ru ([::1]) by orion.cp.ru ([::1]) with mapi id 15.00.1210.000; Wed, 1 Nov 2017 19:59:03 +0300
From: Ахметзянова Лилия Русла новна <lah@cryptopro.ru>
To: "ghudson@mit.edu" <ghudson@mit.edu>
CC: Смышляев Станислав Вита льевич <svs@cryptopro.ru>, Алексеев Евгений Конста нтинович <alekseev@cryptopro.ru>, "dharkins@lounge.org" <dharkins@lounge.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] Fwd: New Version Notification for draft-harkins-pkex-03.txt
Thread-Index: AQHTUyBS+R2C6bkSxUm5nnV1FDGYA6L/ok8ggAAFcMD//86TgIAAMtAg///OHoCAAEVHwA==
Date: Wed, 01 Nov 2017 16:59:02 +0000
Message-ID: <778b5914e07343beb01c811c6ba23fe4@orion.cp.ru>
References: <148341961917.21855.12696727221580481006.idtracker@ietfa.amsl.com> <502ff23e-72d3-88ce-7f03-92e6aecde717@lounge.org> <CAMr0u6mF-yY1eYHj6rVctMNXWZqJzv8gSM28XS3ZJ6+kpq8DaA@mail.gmail.com> <a2f2041d-699f-ef00-9175-3cf4303cd5e4@mit.edu> <20171101144710.6041682.38708.7138@gmail.com> <40d078a7948c4d47ab35cc96a2d3aefa@orion.cp.ru> <f875b8a04b824b9a87b705d82ea4b832@orion.cp.ru> <0e6d5e0d9cef48c2900cd45899c0ce3a@orion.cp.ru> <0ac0efbba1c14d639cd77b30b33e17e7@orion.cp.ru>
In-Reply-To: <0ac0efbba1c14d639cd77b30b33e17e7@orion.cp.ru>
Accept-Language: ru-RU, en-US
Content-Language: ru-RU
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.168.84.134]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/N1pTSyVLrrnPwmPL2ei5UYwwzKg>
Subject: Re: [Cfrg] Fwd: New Version Notification for draft-harkins-pkex-03.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Nov 2017 08:32:25 -0000

Good evening, Greg!

Answering your questions:

>An active attack against this case (attempting to subvert the DH exchange as if there is no mask) succeeds with probability 1/q, which is no more likely than >attempting to subvert the DH exchange using any other specific mask value as an offset. Is that a sufficient reason to add an impossible-to-test special case?

	We agree that the absence of these checks is not critical for the protocol security.

>Similarly, what's the justification for adding this special case?

	Firstly, if we do not add these checks then we should define the result of mapping function F for the point at infinity.

	Also, in the case of using PKEX in the WiFi protocol, the adversary has the physical access to devices, that can authenticate their public keys using PKEX. 
	Suppose the adversary can affect the RNG of devices (for example, by changing the voltage). In our practice there were cases, when RNG produced a 	sequence of only zeros in the case of hardware failures. If PKEX correctly processes the case of point at infinity (waits for non-null multiplier), it will not 	be vulnerable to this kind of dictionary attacks.

Best regards,
Liliya Akhmetzyanova


On 11/01/2017 01:45 AM, Stanislav V. Smyshlyaev wrote:
> 4. The PKEX protocol translates code into an elliptic curve point in 
> the following way. The code is hashed within other parameters and the 
> hash value is used as a scalar which an elliptic curve point is 
> multiplied by. There exists small but still non-null probability that 
> this hash value turns to zero modulo q, where q is the order of the 
> used elliptic curve point group. If that happens, an ephemeral key is 
> not masked and the overall security of the PKEX protocol is violated.
> It seems useful to add checks here and introduce some algorithm that 
> changes zero hash value to a nonzero value in a deterministic way.

An active attack against this case (attempting to subvert the DH exchange as if there is no mask) succeeds with probability 1/q, which is no more likely than attempting to subvert the DH exchange using any other specific mask value as an offset. Is that a sufficient reason to add an impossible-to-test special case?

> 2. It seems useful to add checks of X' and Y' for not being equal to 
> the point at infinity.

Similarly, what's the justification for adding this special case?