[CFRG] Re: RGLC on draft-irtf-cfrg-opaque-13

"Hao, Feng" <Feng.Hao@warwick.ac.uk> Mon, 27 May 2024 21:32 UTC

From: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
To: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 27 May 2024 21:32:11 +0000
CC: IRTF CFRG <cfrg@irtf.org>
Subject: [CFRG] Re: RGLC on draft-irtf-cfrg-opaque-13
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/P-lPCuCNhgainRT7B01hauSiDvc>

Hi Watson,

That will be a standard online dictionary attack which applies to any PAKE, and can be detected and “accurately” recorded by the server. Please have a look at Ding and Horster’s 1995 paper which I posted earlier. https://dl.acm.org/doi/pdf/10.1145/219282.219298 That paper explains the difference between a standard (detectable) online dictionary attack and an undetectable online dictionary attack. Similar attacks in various different protocol settings have been well studied in the past 30 years.

Cheers,
Feng

From: Watson Ladd <watsonbladd@gmail.com>
Date: Monday, 27 May 2024 at 21:49
To: Hao, Feng <Feng.Hao@warwick.ac.uk>
Cc: Riad S. Wahby <riad@cmu.edu>, IRTF CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] Re: RGLC on draft-irtf-cfrg-opaque-13
On Mon, May 27, 2024 at 6:13 AM Hao, Feng
<Feng.Hao=40warwick.ac.uk@dmarc.ietf.org> wrote:
>
> Hi Riad,
>
> The factual difference between OPAQUE and SRP-6a is that in OPAQUE, the server is authenticated first, whilst in SRP-6a, the client is authenticated first. The order of authentication has a profound implication in security here. For the case of OPAQUE, the server leaks password verification information via the key confirmation string in the 2nd pass before the client is authenticated. If the client drops out, the server can’t distinguish legitimate drop-outs from online guessing attacks. This means that the server has to deal with false positives (denying legitimate users hence causing the DoS attack to its own users) and false negatives (letting an attacker guess the password without being detected or logged). Managing the false positive and false negative can be complicated in practice.

Huh? An attacker can always carry out the full protocol to guess to
lock someone out. That a query amounts to a guess doesn't really
change this.

--
Astra mortemque praestare gradatim
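
Added example, not part of the original messages or of draft-irtf-cfrg-opaque: a minimal server-side attempt ledger that replays constructed session streams for the cases the thread distinguishes, namely a login that completes and fails versus a session abandoned after the server's second-pass message. The outcome names, `replay`, `compare`, the lockout limit of 3 and the event streams are assumptions made for illustration.

```python
from enum import Enum

class Outcome(Enum):
    COMPLETED_OK = 1   # client's final message verified
    COMPLETED_BAD = 2  # client's final message failed: a detectable wrong guess
    ABANDONED = 3      # server sent its second-pass message, client never replied

def replay(events, limit, count_abandoned):
    """Replay one account's sessions; return (locked_out, uncharged_abandons).

    count_abandoned=True charges abandoned sessions like failed logins;
    False ignores them (hypothetical policies, chosen for illustration).
    """
    charged = 0
    uncharged = 0
    for outcome in events:
        if charged >= limit:
            return True, uncharged  # locked: remaining sessions are refused
        if outcome is Outcome.COMPLETED_OK:
            charged = 0
        elif outcome is Outcome.COMPLETED_BAD or count_abandoned:
            charged += 1
        else:
            uncharged += 1
    return charged >= limit, uncharged

# Constructed event streams (not real logs).
FLAKY_USER = [Outcome.ABANDONED] * 3 + [Outcome.COMPLETED_OK]
ABANDONING_CLIENT = [Outcome.ABANDONED] * 20
FULL_PROTOCOL_GUESSER = [Outcome.COMPLETED_BAD] * 20

def compare(limit=3):
    """Run every stream under both policies; keys are (stream, count_abandoned)."""
    streams = {
        "flaky_user": FLAKY_USER,
        "abandoning_client": ABANDONING_CLIENT,
        "full_protocol_guesser": FULL_PROTOCOL_GUESSER,
    }
    return {(name, strict): replay(ev, limit, strict)
            for name, ev in streams.items() for strict in (True, False)}

if __name__ == "__main__":
    for key, result in compare().items():
        print(key, result)
```

Charging abandoned sessions locks out the flaky user along with the abandoning client, while ignoring them leaves all 20 abandoned sessions uncharged; sessions that run the full protocol and fail are charged under either policy.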