Re: [Cfrg] Extractor for use with PAKE protocols (specifically J-PAKE) / unauthenticated nonces

Hugo Krawczyk <hugo@ee.technion.ac.il> Wed, 03 November 2010 22:57 UTC

In-Reply-To: <1805749247.264607.1288811257635.JavaMail.root@cm-mail03.mozilla.org>
References: <562344880.264071.1288809057558.JavaMail.root@cm-mail03.mozilla.org> <1805749247.264607.1288811257635.JavaMail.root@cm-mail03.mozilla.org>
Message-ID: <AANLkTinpgVSb2F52xZ-r2xDxHRhgprAUe1Y3oApuqE+Z@mail.gmail.com>
To: Brian Smith <bsmith@mozilla.com>
Cc: cfrg@irtf.org

If the nonces are NOT authenticated then it is better to use a fixed salt
value that cannot be chosen by the attacker. If the nonces are not
authenticated then the attacker can choose/influence their value. In
principle, though not necessarily a practical threat for common functions,
the attacker may be able to choose a salt value where the function is weak.
For example, imagine that AES under the all-zero key is weak (say, AES
outputs very non-random strings when keyed with all zeros). This would not
mean that AES is weak since the probability to choose the all-zero key in a
regular use would be 2^{-128} but it would be bad for the KDF application if
the attacker can force the all-zero salt.

As for TLS, the nonces would probably be authenticated via the finished
message. But if the key that you use to MAC the finished message is derived
using the nonces themselves then this MAC operation does NOT authenticate
the nonces (as the attacker may have chosen the nonces such that the salted
KDF will result in a predictable MAC key).

Does this answer your question?

Hugo

On Wed, Nov 3, 2010 at 3:07 PM, Brian Smith <bsmith@mozilla.com> wrote:

> In the J-PAKE paper [1], the authors suggest simply using a hash
> function as an extractor following Diffie-Hellman key exchange. (The sample
> implementation [2] uses SHA-1 and the authors subsequently suggested using
> SHA-2.) My investigation of extractors has led me to believe that it is much
> better to use an extractor that is seeded/keyed by an authenticated nonce.
> But, in J-PAKE, we can authenticate the key exchange but we can't directly
> authenticate the nonce.
>
> I saw Hugo Krawczyk's response in the thread "CMAC for Extraction" [3] that
> said "If your protocol cannot exchange a nonce, or can exchange it but
> cannot authenticate it (in which case the nonce can be chosen by an
> attacker) then replace N with a fixed value that is defined and wired it
> into the protocol as a constant. Choose N to be any 'random' string of the
> length of a CMAC key." But, it isn't clear to me how to evaluate the
> security of this.
>
> In TLS, with static-static (EC)DH key exchange, nonces do not seem to be
> authenticated except indirectly through the client finished message. Would
> copying that design be better or worse than using a fixed N value instead of
> a nonce?
>
> Thanks,
> Brian Smith
>
> [1] http://eprint.iacr.org/2010/190
> [2] http://www.lightbluetouchpaper.org/2008/05/29/j-pake/ (see the updates
> section)
> [3] http://www.ietf.org/mail-archive/web/cfrg/current/msg02880.html
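The design discussed in this exchange, worked through as an added example: the extractor is salted with a constant wired into the protocol rather than with the unauthenticated nonces, and the nonces are then bound to the session through a key-confirmation MAC over the transcript. This is example code written for this page; it is not from the thread, the J-PAKE paper or its sample implementation. It uses HKDF (RFC 5869) as the extractor, and the salt constant, labels, nonces and the shared secret standing in for the DH output are all constructed values.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256

# Fixed salt wired into the protocol as a constant (constructed for this
# example). It is public, but no peer gets to choose it per session.
PROTOCOL_SALT = hashlib.sha256(b"example-pake-extractor-salt-v1").digest()

# Constructed stand-in for the shared value a DH / J-PAKE run would produce.
SHARED_SECRET = hashlib.sha256(b"constructed stand-in for a DH shared value").digest()


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 Extract step: PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 Expand step: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF-Expand")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(shared_secret: bytes, nonce_a: bytes, nonce_b: bytes):
    """Extract under the fixed salt; bind the nonces only in the expand context.

    The nonces never reach the salt input, so a peer cannot steer the
    extractor toward a salt value it happens to be weak for. They are
    committed to the session through the PRF-keyed expand step and through
    the confirmation MAC computed over the transcript.
    """
    prk = hkdf_extract(PROTOCOL_SALT, shared_secret)
    transcript = b"nonceA=" + nonce_a + b"|nonceB=" + nonce_b
    okm = hkdf_expand(prk, b"example-session-keys|" + transcript, 2 * HASH_LEN)
    confirm_key, session_key = okm[:HASH_LEN], okm[HASH_LEN:]
    return confirm_key, session_key, transcript


def confirmation_tag(confirm_key: bytes, label: bytes, transcript: bytes) -> bytes:
    """Key-confirmation MAC over the transcript (the role a TLS finished message plays)."""
    return hmac.new(confirm_key, label + transcript, HASH).digest()


def run_exchange(nonce_a: bytes, nonce_b: bytes, nonce_b_as_seen_by_a=None) -> dict:
    """Both parties derive keys; A then checks B's confirmation tag.

    nonce_b_as_seen_by_a models a nonce altered in transit: B MACs the
    transcript it saw, A verifies against the transcript it saw.
    """
    if nonce_b_as_seen_by_a is None:
        nonce_b_as_seen_by_a = nonce_b
    # B's view of the session.
    b_confirm, b_session, b_transcript = derive_keys(SHARED_SECRET, nonce_a, nonce_b)
    tag_from_b = confirmation_tag(b_confirm, b"B", b_transcript)
    # A's view of the session.
    a_confirm, a_session, a_transcript = derive_keys(SHARED_SECRET, nonce_a, nonce_b_as_seen_by_a)
    expected = confirmation_tag(a_confirm, b"B", a_transcript)
    confirmed = hmac.compare_digest(tag_from_b, expected)
    return {"confirmed": confirmed, "keys_match": a_session == b_session}


if __name__ == "__main__":
    honest = run_exchange(b"\x11" * 16, b"\x22" * 16)
    tampered = run_exchange(b"\x11" * 16, b"\x22" * 16, nonce_b_as_seen_by_a=b"\x33" * 16)
    print("honest run:", honest)        # confirmed True, keys_match True
    print("tampered nonce:", tampered)  # confirmed False, keys_match False
```

The point of keeping the nonces out of the salt is the one made above: with a fixed salt there is no salt value for a peer to force, so the extractor cannot be pushed into whatever corner case it might be weak for. The nonces still influence the confirmation key, but only through the expand step, which is a PRF keyed by a PRK the peer did not steer; treating that as sufficient is the standard HKDF argument and is an assumption of this example, not something the thread states. The trade-off, also implicit in the reply above, is that a constant salt forgoes whatever extra extraction margin a fresh random salt would give, which is why it is the right choice only when the nonces cannot be authenticated independently of the keys derived from them.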