Re: [Cfrg] Using ephemeral DH in lieu of fresh nonces

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Mon, 22 June 2020 21:28 UTC

Return-Path: <sfluhrer@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA3053A11D1 for <cfrg@ietfa.amsl.com>; Mon, 22 Jun 2020 14:28:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.497
X-Spam-Level:
X-Spam-Status: No, score=-9.497 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=BZr6mnvL; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=BPBtPqgc
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8KjdzlXuGmCZ for <cfrg@ietfa.amsl.com>; Mon, 22 Jun 2020 14:28:50 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66F443A11CF for <cfrg@ietf.org>; Mon, 22 Jun 2020 14:28:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=48226; q=dns/txt; s=iport; t=1592861330; x=1594070930; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=Fc9oyNb5X0fsCZ8YXgmx89P6ABMUYRPoxChCOqbTUoI=; b=BZr6mnvLFoE5JRVvHl//xFCNgk3Av2qaHk+5k5I3VTYsULkNa8LTlejm iFGfErlByHJfaIPepLczwiyfsl9VKM2dpYLsf5I9tdp2H948DZFPVRiqz SyaCIiB6IX67XmB4NAI4Pr3e2d1XjnbypEKJe/FG536LoiskZNBZplp+y c=;
IronPort-PHdr: =?us-ascii?q?9a23=3A7nm5BBNFGUqE+YpGuxQl6mtXPHoupqn0MwgJ65?= =?us-ascii?q?Eul7NJdOG58o//OFDEvK8x3lXNVI7Y4f9ekfuQuKflCiQM4peE5XYFdpEEFx?= =?us-ascii?q?oIkt4fkAFoBsmZQVb6I/jnY21ffoxCWVZp8mv9PR1TH8DzNFfWq3ax5zMIAA?= =?us-ascii?q?S5Pg1wdaz5H4fIhJGx0Oa/s5TYfwRPgm+7ZrV/ZBW7pAncrI8Ym4xnf60w0R?= =?us-ascii?q?DO5HBPfrdb?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0DgAQDzIfFe/5RdJa1mDggFAQEBAQE?= =?us-ascii?q?BAQEFAQEBEgEBAQMDAQEBggqBIy8pKAdvWC8sCoQag0YDjUSBAZdTgUKBEAN?= =?us-ascii?q?QBQsBAQEMAQEYAQsFBAIEAQGERwIXghQCJDgTAgMBAQsBAQUBAQECAQYEbYV?= =?us-ascii?q?bDIVyAQEBAQECAQEQCAkKEwEBLAwPAgEGAhEEAQEBGAgBBgMCAgIlCxQJCAI?= =?us-ascii?q?EARIIGoMFgX5NAy4BDpsVkGgCgTmIYXaBMoMBAQEFgTYCg3oYgg4DBoE4gme?= =?us-ascii?q?GWFmBCCWBHhqBQT8ma0OBT0kHLj6BVIEIAQEBAQEWgREBEgEJGgMDDwgIBgk?= =?us-ascii?q?ZgkUzgi2OdgeDLIY6iymPSYECCoJaiEKRB4JxiSSSZo9cgU+KFZArhAgCBAI?= =?us-ascii?q?EBQIOAQEFgWoiZnBwFTuCaVAXAg2ISIUyJAkDF4ECAQ6CPYJQgkSFBAUBNwF?= =?us-ascii?q?0AgEBARIgAgYBBwEBAwl8jWyBDwGBEAEB?=
X-IronPort-AV: E=Sophos;i="5.75,268,1589241600"; d="scan'208,217";a="511930388"
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 22 Jun 2020 21:28:49 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by rcdn-core-12.cisco.com (8.15.2/8.15.2) with ESMTPS id 05MLSmgR001190 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 22 Jun 2020 21:28:49 GMT
Received: from xhs-aln-001.cisco.com (173.37.135.118) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 22 Jun 2020 16:28:48 -0500
Received: from xhs-rcd-001.cisco.com (173.37.227.246) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 22 Jun 2020 16:28:47 -0500
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-001.cisco.com (173.37.227.246) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Mon, 22 Jun 2020 16:28:47 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=mHrMPimF1uALlCzPfNqhWlrHleqho+ph0YswoflKB2S8NolvmsZNfJVn2IXh6RV7ulSVsBlTloFXXWBk7LzhKa77zyxnioMnuXWoxPTfABdsRksJ0l7pMYvx3SPui/GTCgHQRn4KCvZSuIJ7eV9HwOIWWEsXBb0YpmxijWI9sH4vqjF565j/Jplsv1IC82Ix/HBbLzBt+AY83k1/EOCezphz2tbp8qY83mGmc0KaaXN0PAjitdseazmjLATX2ChAlo47+YIXk62ydSx79nksGJ9p1il057ZPc/2vZ04SaN/a94uy3llPgrWELAqOGwpDf3TowkaIblRG3aEIibcpRA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Fc9oyNb5X0fsCZ8YXgmx89P6ABMUYRPoxChCOqbTUoI=; b=dm7yIoc3prsGZo/skwAb9l8W2GrC2QwpogUXtGg6dQ7rcmdMHq6k9NeY2Jk8h8UvLJM600mPygXDXrM7YY3MQFW7b12AOBsLSv8Kdrng9Peb+fXKTJusWC7IlxZgn/KqJ0xWcoweTvgf1XjiL/E4+SGqlbRxW5g7BSONkm2sSwsjokN1CgkRUuLS1f50svx4fWhFWAQU/l0dhXDMl6wpbV+XXsX/uNZ0ljMFsSdmcdqdASeOTMZlPqV+ellX1a9MKjRsvFAQMpRlW4plDISsYFMZqG2HnUc74YkwSZ0dEqC6Cry+b8s3ZaKQR2MnAn5YwOfAbCxl6cC55guk3CMisw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Fc9oyNb5X0fsCZ8YXgmx89P6ABMUYRPoxChCOqbTUoI=; b=BPBtPqgc6WCJi8QreSS2J20xr2FznVxObjcZeAwEPdPAbWd8K5hE16cs/isY1IFnV1nm8z63Rx2Fvrpzl/ffssFAQKlJswTpilIfby9IAwdJmux/tFNj0Dw/y02NvBYujA52d4ZHYFsNd6vECHAd6ADTjx/mlI2nezj7Z9mR48g=
Received: from BN7PR11MB2641.namprd11.prod.outlook.com (2603:10b6:406:b1::25) by BN8PR11MB3715.namprd11.prod.outlook.com (2603:10b6:408:85::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3109.22; Mon, 22 Jun 2020 21:28:46 +0000
Received: from BN7PR11MB2641.namprd11.prod.outlook.com ([fe80::35bd:ecae:1e28:58f5]) by BN7PR11MB2641.namprd11.prod.outlook.com ([fe80::35bd:ecae:1e28:58f5%5]) with mapi id 15.20.3109.027; Mon, 22 Jun 2020 21:28:46 +0000
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Dan Brown <danibrown@blackberry.com>, Hugo Krawczyk <hugo@ee.technion.ac.il>, Loup Vaillant-David <loup@loup-vaillant.fr>, "<cfrg@ietf.org>" <cfrg@ietf.org>
Thread-Topic: [Cfrg] Using ephemeral DH in lieu of fresh nonces
Thread-Index: AQHWSKYvujC5Bl0SoU+h9VgbiG3oEajkv8IAgAAbEYCAACWagIAAIKFQ
Date: Mon, 22 Jun 2020 21:28:46 +0000
Message-ID: <BN7PR11MB2641FB742590168DD714FFFDC1970@BN7PR11MB2641.namprd11.prod.outlook.com>
References: <326ebefc65c17f7fc11879b9b966a1e4585b1f16.camel@loup-vaillant.fr> <CADi0yUM6MQd0TPczK+YKSdbu1nzFaV+peC_0yf9Soat8d3+eLg@mail.gmail.com> <72d8587f17c94dfd8b67570f6a59037f@blackberry.com> <BN7PR11MB2641AC625A04DBFCFC2F4C11C1970@BN7PR11MB2641.namprd11.prod.outlook.com> <f79952a40fbe460e98b548f183bff1b9@blackberry.com>
In-Reply-To: <f79952a40fbe460e98b548f183bff1b9@blackberry.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: blackberry.com; dkim=none (message not signed) header.d=none;blackberry.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [173.38.117.76]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 6d03732d-5a7e-4a7f-579d-08d816f33f43
x-ms-traffictypediagnostic: BN8PR11MB3715:
x-microsoft-antispam-prvs: <BN8PR11MB3715E1FD682C5524EE3E540FC1970@BN8PR11MB3715.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:7691;
x-forefront-prvs: 0442E569BC
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Aw0e0xPYlIsmC8xy2Tmf2eslqVanw4Yf2X0OiAY9EzMxE+9sQMLezDGqcmnWQAUtYGXq8sKwNqusmMqcDFIN2/HjN+Pi224VxvXlcJE1bVn9WaHSHP20SLjWJ7DhvROl8ybPAPsIDWYnsTKkyv8JWw51gIvlBFUbpGXx3RsRgDHpTghU20aymrs50dbtxIyvkdRaGlJxE/Mg86wL++oLQetIUTCws6BQp7gZH4gF3vUoP0R0jxtRjaT2EskVxnuEJJVNITi8f2OEOPnDIfaVbUfKiDmKEvVDkIZ1pp3FbF/XXVAYwIWcl56op2i9Zan8TyqdLESVGYIRDwrZiyShcHE9pzhB1JF/ARoq59EzPBbffg50XZhSUhzRRgTptiACqJQB7CXY+OGoErrI1vXwofl/fsNTKGQuIj3gugL1uM0s3gWN5JjcJX1SFVspPPf7
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN7PR11MB2641.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(376002)(366004)(346002)(396003)(39860400002)(136003)(2906002)(55016002)(7696005)(966005)(86362001)(478600001)(66574015)(26005)(71200400001)(6506007)(186003)(33656002)(53546011)(30864003)(66476007)(18074004)(166002)(52536014)(83380400001)(66946007)(76116006)(5660300002)(66446008)(64756008)(66556008)(9686003)(316002)(8936002)(8676002)(110136005)(491001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: N5LGLOYIXQHFpwFSo/4JbM05UOiPFtGRnXBBA+kJyZIBYjqG5+8tIG2micE1SltdXe9sEYnbdRDc5m7wlPl9OeGvvOouuJRaLhtWxp+aD9thOYXan/DtLL2qbm/WfV9bZc+SsdqBupPZBecLOaIzPo5SK9w8rgW1tHbAFrsR5BsY+EhQoo1oclMBhiOZVQry2XjhDpRtT8y8LOR1bkKpHcd+7MuuurvJvC0sD05RfzDHp3QVxJUskOD6dxjtaqHnQbnBnBIaRMmMJ6T7z6LxfSLVJGe5h0CmJzyMu+zVl/J5rfLuAs8HvvTARZgxLaQeiyJ25By2JsCuE5BFe5DoamYiWjgG6HVxcPYikq6o1S1w5Jk7bJSRCHkRM5ntP4jlnzX384dpAIBCYZLnW+5VRTA+pdVE+ykfRSqjNofISpwrKOC6GEkltmnrtsPQw3kV0RNoONNdBOmxZ8TUOxpbLWgrmROXCT5oP+kUzVPHcbA=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BN7PR11MB2641FB742590168DD714FFFDC1970BN7PR11MB2641namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 6d03732d-5a7e-4a7f-579d-08d816f33f43
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Jun 2020 21:28:46.5448 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: JsAdnBk5lN8FLjAG71Qs3eWScpO7r7ZK8Hi9/LOgpHzNgWTU4IM0JY/XmpqKrv0VZUtZncGHZCebzztkmuefeQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR11MB3715
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.11, xch-aln-001.cisco.com
X-Outbound-Node: rcdn-core-12.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/POf0AnpiPrYASVZHT8IbH6zBGqk>
X-Mailman-Approved-At: Thu, 25 Jun 2020 02:05:20 -0700
Subject: Re: [Cfrg] Using ephemeral DH in lieu of fresh nonces
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jun 2020 21:28:54 -0000

I do not feel that I am qualified to make general statements about systems that are secure against malicious implementations that attempt to exfiltrate secrets; to do this completely would sound to me to be quite difficult (especially since ASAs are not the only thing to worry about – could an implementation leak some information with the timing?)

However, I will address the two PAKEs that have recently been selected:


  *   CPace; if the adversary spikes the entropy source (so that they can guess the randomness used by either the client or the server), then they can perform an offline dictionary attack; CPace uses, as you suggested, a base point derived from the password, and so if they know the exponent, they can recover the base point that was actually used, and then compare it to the base points that are derived from the various passwords in his dictionary.  In addition, even if the password is strong (and not in the dictionary), the attacker can still derive the shared secret for that specific session (and thus listen in, and possibly MITM, if he wishes).
  *   Opaque is arguably worse; if the adversary spikes the client’s entropy source, then the attacker can recover the clients private signature keys (even if the password was strong); he can then able to log in as the client (without knowing the actual password).  It is less clear if Opaque would allow a MITM, as it doesn’t itself derive a shared secret, but uses another exchange to do that (possibly an authenticated DH or MQV); to MITM, we’d have to assume that the adversary spikes that entropy as well.


From: Dan Brown <danibrown@blackberry.com>
Sent: Monday, June 22, 2020 3:11 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>om>; Hugo Krawczyk <hugo@ee.technion.ac.il>il>; Loup Vaillant-David <loup@loup-vaillant.fr>fr>; <cfrg@ietf.org> <cfrg@ietf.org>
Subject: RE: [Cfrg] Using ephemeral DH in lieu of fresh nonces

Hi Scott,
Good point too, about DH itself allowing 1 bit exfiltration (by a malicious implementation).

A bunch of naïve questions below …

The malicious implementation threat model is still very confusing to me. What are reasonable capabilities? What are the goals?

(Why not just fill the DH keys with PRNG output from a seed known to be bad guys?  Is it that there are some other keys, e.g. signature keys, that we want to exfiltrate instead, ultimately to forge signatures, over and above defeating the privacy provided by DH.)

I suppose that I was thinking about the Dual_EC_DRBG in TLS, which seemed to work well against nonces, but not against DH values.  If this is a realistic threat, i.e. a good DH implementation being attacked by a bad RNG implementation, then your DH-filtering attack still applies if the bad RNG can pre-compute the DH values.  The best fix is to use a good RNG, but if Dual_EC is technically worse than DH-filtering, it seems be a difference in the nonces (it socially worse due to its standardization, etc.)

In a PAKE system, what about a bad RNG that does not see the password? Would the bad RNG be able exfiltrate things by filtering DH-type values it should not be able to compute (say, if the base point is derived from the password)?  The bad-seed RNG could defeat security (without using nonces), or at least expose passwords to offline attacks.  Would a bad-seed RNG be more detectable, or less likely, than DH-filtering RNG?

Dan

From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com<mailto:sfluhrer@cisco.com>>
Sent: Monday, June 22, 2020 1:05 PM
To: Dan Brown <danibrown@blackberry.com<mailto:danibrown@blackberry.com>>; Hugo Krawczyk <hugo@ee.technion.ac.il<mailto:hugo@ee.technion.ac.il>>; Loup Vaillant-David <loup@loup-vaillant.fr<mailto:loup@loup-vaillant.fr>>; <cfrg@ietf.org<mailto:cfrg@ietf.org>> <cfrg@ietf.org<mailto:cfrg@ietf.org>>
Subject: RE: [Cfrg] Using ephemeral DH in lieu of fresh nonces

As for subliminal channels to exfiltrate keys, ephemeral DH can do that just fine (it just takes longer).

To exfiltrate a key (one bit at a time), one simple way you can do that is, when you need to send the next ephemeral DH key share, you generate one honestly, and check its lsbit; if it is not the bit you want to leak, then you multiple the key share by the generator (and increment the private value by 1), and repeat your check.  This means that the lsbits of the successive key shares you send spell out the key.  There are more sophisticated ways to do this; this is just a simple example.

What a nonce gives you is an easy-to-use way to exfiltrate multiple bits at once; however I don’t know if the difference in exploitability difficulty is really that significant.

From: Cfrg <cfrg-bounces@irtf.org<mailto:cfrg-bounces@irtf.org>> On Behalf Of Dan Brown
Sent: Monday, June 22, 2020 11:20 AM
To: Hugo Krawczyk <hugo@ee.technion.ac.il<mailto:hugo@ee.technion.ac.il>>; Loup Vaillant-David <loup@loup-vaillant.fr<mailto:loup@loup-vaillant.fr>>; <cfrg@ietf.org<mailto:cfrg@ietf.org>> <cfrg@ietf.org<mailto:cfrg@ietf.org>>
Subject: Re: [Cfrg] Using ephemeral DH in lieu of fresh nonces

Hi Hugo,
Good points about the advantages of nonces with ephemeral DH (for PAKE or TLS, etc.).
What about the disadvantages, such as misuse of nonces as a subliminal channel to exfiltrate keys?

Perhaps some protocols are already mitigate this disadvantage (e.g. strict patterned nonces, counters).  Perhaps nonce-misuse is non-issue due to the obscure threat model and due to the abundance of other subliminal channels (timing, non-crypto nonces, etc.)

Best regards,
​​​​​
Dan

From: Cfrg <cfrg-bounces@irtf.org<mailto:cfrg-bounces@irtf.org>> On Behalf Of Hugo Krawczyk
Sent: Monday, June 22, 2020 11:02 AM
To: Loup Vaillant-David <loup@loup-vaillant.fr<mailto:loup@loup-vaillant.fr>>; <cfrg@ietf.org<mailto:cfrg@ietf.org>> <cfrg@ietf.org<mailto:cfrg@ietf.org>>
Subject: [Cfrg] Using ephemeral DH in lieu of fresh nonces

In the email below, Loup raises a natural question: Why not reuse ephemeral DH values in a protocol instead of fresh nonces?

Formalisms apart, fresh non-repeating session identifiers are essential for many reasons: against replay attacks, for binding session flows together, avoiding  "composition attacks" (e.g., where flows from different sessions are mixed-and-matched), ensuring domain separation, etc. A natural implementation of session id's uses session-specific fresh random nonces. An equally natural question (and I think your email was referring to this issue) is why not use the ephemeral DH in lieu of random nonces, after all these values are selected as fresh random values for each session.

A generic reason (which I strongly advocate) for not doing so is that one should avoid having the same element in the protocol to serve  two separate functionalities/roles (in this case it would be using a DH value as key share and also as nonce/sessionid). This results in fragile protocols that can easily go wrong with variants of the protocol or when the protocol evolves over time, and is prone to bad implementations. For example, if one of the roles of this element is not  required anymore (due to changes in the protocol or changes in the setting where the protocol operates), the element may be changed "without remembering" that it had this other role.

Concretely, in the case of using ephemeral DH values for freshness, there are good practical examples where security breaks with the dual use of these values. For example, an application may decide (e.g., for performance reasons) that they do not need "perfect" forward secrecy, but that a one-minute forward-secrecy window of repeated ephemeral DH values is enough for the application. With repeated DH values used as session ids, the uniqueness of the session id is gone.  This is also the case of applications that need to avoid forward secrecy at all (see requests for a static version of TLS 1.3 in the TLS mailing list). Yet another example is the SIGMA-I protocol (used in TLS 1.3 and IKEv1). If the initiator sends g^x in the first message, this value can be used against replay attacks in the responder's signature. Then, someone decides (and there may be good reasons for that) to send g^x only in the third message and you lose your anti-replay mechanism.

Mea culpa: I have used ephemeral DH values in the dual functionality of key shares and session identifiers in several of my papers for the sake of analysis/notation simplicity. But you should not do it when building real-world implementations. In the SIGMA instantiation in draft-krawczyk-cfrg-opaque, for example, nonces are used in addition to DH values. (See also appendix B of https://webee.technion.ac.il/~hugo/sigma-pdf.pdf<https://urldefense.proofpoint.com/v2/url?u=https-3A__webee.technion.ac.il_-7Ehugo_sigma-2Dpdf.pdf&d=DwMFaQ&c=yzoHOc_ZK-sxl-kfGNSEvlJYanssXN3q-lhj0sp26wE&r=qkpbVDRj7zlSRVql-UonsW647lYqnsrbXizKI6MgkEw&m=r1zeEz6DEF0-bdDU7a7UYsRe6vNvnWpEk4pzla6k_Ow&s=XaZPR3wmEdhE0biqIgP9ZcuesZGSBCE_0gDBnILUtek&e=> )

Hugo

On Fri, Jun 19, 2020 at 12:34 PM Loup Vaillant-David <loup@loup-vaillant.fr<mailto:loup@loup-vaillant.fr>> wrote:
>>From the latest draft:

  https://tools.ietf.org/html/draft-haase-cpace-01<https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dhaase-2Dcpace-2D01&d=DwMFaQ&c=yzoHOc_ZK-sxl-kfGNSEvlJYanssXN3q-lhj0sp26wE&r=qkpbVDRj7zlSRVql-UonsW647lYqnsrbXizKI6MgkEw&m=r1zeEz6DEF0-bdDU7a7UYsRe6vNvnWpEk4pzla6k_Ow&s=AuO92opvT_bYl9sYBgQ79RpgQzjqQZfXef0Dl192XxY&e=>

""" Let sid be a session id byte string chosen for each protocol
""" session before protocol execution; The length len(sid) SHOULD be
""" larger or equal to 16 bytes.

""" It is RECOMMENDED sid, is generated by sampling ephemeral random
""" strings.

Unlike ZPAD, The draft doesn't explain this recommendation.
What problem may occur if we omit sid altogether?

Even if G ends up being reused across several sessions, I don't believe
there's any way to tell, because Ya and Yb are uniformly distributed if
ya and yb are indeed random. I feel like I'm missing something.

Loup.


_______________________________________________
Cfrg mailing list
Cfrg@irtf.org<mailto:Cfrg@irtf.org>
https://www.irtf.org/mailman/listinfo/cfrg<https://urldefense.proofpoint.com/v2/url?u=https-3A__urldefense.proofpoint..com_v2_url-3Fu-3Dhttps-2D3A-5F-5Fwww.irtf.org-5Fmailman-5Flistinfo-5Fcfrg-26d-3DDwMFaQ-26c-3DyzoHOc-5FZK-2Dsxl-2DkfGNSEvlJYanssXN3q-2Dlhj0sp26wE-26r-3DqkpbVDRj7zlSRVql-2DUonsW647lYqnsrbXizKI6MgkEw-26m-3Dr1zeEz6DEF0-2DbdDU7a7UYsRe6vNvnWpEk4pzla6k-5FOw-26s-3DTnDdq0O8w7uMnPtXoYDGprqQPk-5F1YZfKPZTB-2Db4rv3o-26e-3D&d=DwMGaQ&c=yzoHOc_ZK-sxl-kfGNSEvlJYanssXN3q-lhj0sp26wE&r=mf6j6fOClApRsArWE9wqI1rEGUVkfxZ0aXWmn35nK_c&m=t08k5n9Fi0sWBQAvptHMHJPZVGzIwEhq41trz3Rn9Q0&s=9cklS7GBbaibRfGUdDu8ipkt-JFIpMblorqkCfp7-lQ&e=>
________________________________
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.
________________________________
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.