Re: [Cfrg] The SESPAKE protocol and PAKE requirements

Schmidt, Jörn-Marc <Joern-Marc.Schmidt@secunet.com> Wed, 27 April 2016 07:23 UTC

From: "Schmidt, Jörn-Marc" <Joern-Marc.Schmidt@secunet.com>
To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Thread-Topic: The SESPAKE protocol and PAKE requirements
Date: Wed, 27 Apr 2016 07:22:56 +0000
Message-ID: <38634A9C401D714A92BB13BBA9CCD34F23476FEB@mail-essen-01.secunet.de>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/NjN93uzwvk2i4750uvBzEjmBbgM>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] The SESPAKE protocol and PAKE requirements

Hello Stanislav,

You're right, the two points are not precise enough - my sentence was too sloppy. I'll use your suggestion for the active adversary. I think it also covers passive adversaries - if eavesdropping leads to any information about the password, there is no "guess" needed. Which reminds me that "guess" is again not the best term - I'll use something like "interaction with legitimate parties".

Thanks a lot!

Best regards,

Jörn

----
>Two points must be corrected in the sentence (2):
>- not "divided by the password length", but "divided by the cardinality of the set of possible passwords" (for example, if you use passwords of digits 0-9 of length 8, the probability of success for 3 trials is estimated not as 3/8, but as 3/(10^8)).
>- not "limited by [the number...divided...]", but something like "limited by [the number...divided...] plus a negligible value" (there is always a possibility, with negligible probability, that the adversary breaks a CDH instance, etc.).

>Moreover, since the requirement (1) in your statement can be trivially achieved without any PAKE (if you just use simple DH without any passwords, it's OK for the case of a passive adversary), I'd prefer to modify your statement in this way:
>"In particular, the proof must show that the probability of an active adversary to (1) pass authentication or (2) to learn anything about the password or (3) to learn anything about the established key is limited by the number of guesses divided by the ...."