[CFRG] Re: RGLC on draft-irtf-cfrg-opaque-13

"Hao, Feng" <Feng.Hao@warwick.ac.uk> Mon, 27 May 2024 10:11 UTC

From: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
To: "Riad S. Wahby" <riad@cmu.edu>
Date: Mon, 27 May 2024 10:11:43 +0000
CC: IRTF CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Nup2MYj1LjpnWdChGdEtQ6ZQAzA>

Hi Riad,

The factual difference between OPAQUE and SRP-6a is that in OPAQUE, the server is authenticated first, whilst in SRP-6a, the client is authenticated first. The order of authentication has a profound implication in security here. For the case of OPAQUE, the server leaks password verification information via the key confirmation string in the 2nd pass before the client is authenticated. If the client drops out, the server can’t distinguish legitimate drop-outs from online guessing attacks. This means that the server has to deal with false positives (denying legitimate users hence causing the DoS attack to its own users) and false negatives (letting an attacker guess the password without being detected or logged). Managing the false positive and false negative can be complicated in practice.

By comparison, in SRP-6a, the protocol ensures the client be authenticated first. The server doesn’t leak any password verification info in the 2nd pass. If the client drops out after the 2nd pass, it doesn’t learn anything useful about the password stored at the server. The server can precisely distinguish an online dictionary attack from drop-outs or network errors. An authentication failure is defined entirely based on the fact that the password from the client doesn’t match that on the server. In other words, there is no false positive or false negative regardless of the network conditions.

For your information, the concept of “an undetectable online dictionary attack” is not my invention. It’s an established technical term that has existed in the literature for nearly 30 years. For example, see Ding and Horster’s 1995 paper at ACM SIGOPS [1]. This is a realistic attack. Calling this marketing is not appropriate.

We showed that the original 2-pass OPAQUE protocol in the 2018 OPAQUE paper was vulnerable to this undetectable online dictionary attack (as well as another problem that the protocol leaks the password update information to a passive attacker). This result was published in a peer-reviewed paper at FC’24. I noticed that the OPAQUE paper had been recently updated, requiring 3 passes instead of 2. I had initially assumed that this change was motivated by addressing the undetectable online dictionary attack. However, after several rounds of discussions with Hugo (with initial confusion on my part), it has become clear to me that the OPAQUE authors were not aware of this attack, the change from 2-pass to 3-pass was done for a different reason, and that the 3-pass OPAQUE as defined in the latest OPAQUE paper and the current IETF draft remains vulnerable to this attack (because the server still leaks password verification information in the 2nd pass). This issue needs to be addressed.

Last but not least, may I suggest you strictly limit your comments to technical discussions only? I’m here trying to clarify technical facts. Your response and the suggested text for the Security Considerations indicate that you may have misunderstood the technical issue being discussed here.

[1] Ding, Yun, and Patrick Horster. "Undetectable on-line password guessing attacks." ACM SIGOPS Operating Systems Review 29.4 (1995): 77-86.

Cheers,
Feng


From: Riad S. Wahby <riad@cmu.edu>
Date: Friday, 24 May 2024 at 15:52
To: Hao, Feng <Feng.Hao@warwick.ac.uk>
Cc: Kevin Lewi <lewi.kevin.k@gmail.com>, IRTF CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] Re: RGLC on draft-irtf-cfrg-opaque-13

Hello Feng,

"Hao, Feng" <Feng.Hao@warwick.ac.uk> wrote:
> @Riad, please note that the undetectable online dictionary attack is
> different from the (standard) online dictionary attack. The "completely
> standard attack detection heuristic" applies to the latter only.

This is false. Your "undetectable online dictionary attack" is just a
marketing term that's used to make a minor optimization sound important.

Of course it's detectable, and in exactly the same way that all online
attacks are detectable: the server just counts all authentication attempts
against the rate limit, whether they drop out before completion or not.
As I previously argued, that's the correct behavior no matter which PAKE
you use; it completely dispenses with your "undetectable" attack; and by
the way it is already standard practice.

If there's something to be added to the Security Considerations of OPAQUE
(and indeed, any PAKE document), it's just this: authentication attempts
must be strictly rate limited because passwords are subject to guessing.
That's been the completely standard advice roughly forever, but it doesn't
hurt to remind the reader lest they become confused by silly marketing.

Let's please stop flogging this dead horse. The concern trolling over easily
detected "undetectable" attacks has long since become embarrassing.

-=rsw
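
The counting rule discussed in this thread (every authentication attempt is charged against the rate limit, whether or not it completes), as an added example that is not part of either message or of the OPAQUE draft. The class name, thresholds and account name are assumptions, and the event sequence is constructed. The budget is charged before the server sends its 2nd-pass message and refunded only when the client's final message verifies, so an abandoned handshake and a failed one are charged identically.

```python
from collections import defaultdict


class HandshakeLimiter:
    """Per-account budget of handshakes that have not (yet) ended in success."""

    def __init__(self, max_charged=5, window_s=900.0):
        self.max_charged = max_charged      # assumed threshold
        self.window_s = window_s            # assumed window, in seconds
        self._charged = defaultdict(dict)   # account -> {attempt_id: start time}
        self._next_id = 0

    def _expire(self, account, now):
        live = self._charged[account]
        for attempt_id in [a for a, t in live.items() if now - t >= self.window_s]:
            del live[attempt_id]

    def begin(self, account, now):
        """Call before sending the 2nd-pass message; None means refuse the attempt."""
        self._expire(account, now)
        if len(self._charged[account]) >= self.max_charged:
            return None
        self._next_id += 1
        self._charged[account][self._next_id] = now
        return self._next_id

    def complete(self, account, attempt_id, client_authenticated):
        """Call once the client's final message is checked; refund only on success."""
        if client_authenticated:
            self._charged[account].pop(attempt_id, None)

    def charged(self, account, now):
        self._expire(account, now)
        return len(self._charged[account])


def simulate():
    """Constructed sequence: one successful login, then three abandoned handshakes."""
    lim = HandshakeLimiter(max_charged=3, window_s=60.0)
    first = lim.begin("alice", now=0.0)
    lim.complete("alice", first, client_authenticated=True)
    after_success = lim.charged("alice", now=1.0)
    for t in (2.0, 3.0, 4.0):
        lim.begin("alice", now=t)           # client drops out after pass 2
    refused = lim.begin("alice", now=5.0) is None
    allowed_after_window = lim.begin("alice", now=64.5) is not None
    return after_success, refused, allowed_after_window
```

The limiter cannot tell why a handshake was abandoned, so the threshold and window set the trade-off between locking out a client on a poor connection and the number of guesses allowed per window.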