Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-03.txt

Yoav Nir <ynir@checkpoint.com> Tue, 04 February 2014 08:20 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BF631A033D for <cfrg@ietfa.amsl.com>; Tue, 4 Feb 2014 00:20:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.435
X-Spam-Level:
X-Spam-Status: No, score=-7.435 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RgkE6Or-zsbs for <cfrg@ietfa.amsl.com>; Tue, 4 Feb 2014 00:20:16 -0800 (PST)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id C46C51A018E for <cfrg@ietf.org>; Tue, 4 Feb 2014 00:20:15 -0800 (PST)
Received: from IL-EX10.ad.checkpoint.com ([194.29.34.147]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id s148K3nS012515; Tue, 4 Feb 2014 10:20:03 +0200
X-CheckPoint: {52F09BE1-2-1B221DC2-1FFFF}
Received: from DAG-EX10.ad.checkpoint.com ([169.254.3.110]) by IL-EX10.ad.checkpoint.com ([169.254.2.228]) with mapi id 14.03.0123.003; Tue, 4 Feb 2014 10:20:03 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: Watson Ladd <watsonbladd@gmail.com>
Thread-Topic: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-03.txt
Thread-Index: AQHPIRWoMZ9CZfGVZkSRBFiO8Otf/pqjyE2AgAAFdYCAACI4gIAABhWAgAAqW4CAAAcwgIAAeH+A
Date: Tue, 4 Feb 2014 08:20:02 +0000
Message-ID: <14AB44E0-4C90-4E4C-A656-885A31CF4C02@checkpoint.com>
References: <20140203192451.6268.76511.idtracker@ietfa.amsl.com> <7af2f9df96e5867d493c614806235363.squirrel@www.trepanning.net> <CACsn0cm1f-P95je5AbEbZ02Ut3+HM7Hx28P6j46TqE-=06eZDg@mail.gmail.com> <52F00EF3.3040505@cisco.com> <CACsn0c=zS5GKex3eF_hKgTsL1kH=TiBi3iAP9oMrJ9hDQcT4Gw@mail.gmail.com> <7BAC95F5A7E67643AAFB2C31BEE662D018B81B7DE5@SC-VEXCH2.marvell.com> <CACsn0cn0TaHsDkyN2ewOorxxBzXivCg=QGR-ZnBiC3nJhvhpRg@mail.gmail.com>
In-Reply-To: <CACsn0cn0TaHsDkyN2ewOorxxBzXivCg=QGR-ZnBiC3nJhvhpRg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.20.207]
x-kse-antivirus-interceptor-info: protection disabled
Content-Type: multipart/alternative; boundary="_000_14AB44E04C904E4CA656885A31CF4C02checkpointcom_"
MIME-Version: 1.0
Cc: "<cfrg@ietf.org>" <cfrg@ietf.org>, David McGrew <mcgrew@cisco.com>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-03.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Feb 2014 08:20:20 -0000

On Feb 4, 2014, at 3:08 AM, Watson Ladd <watsonbladd@gmail.com<mailto:watsonbladd@gmail.com>> wrote:



> I would like to reverse the question.
>
>
>
> Watson, in your technical analysis of the
>
> protocol in its current form (draft-irtf-cfrg-dragonfly-03.txt),
>
> can you identify any exploitable security flaw specific to
>
> the protocol?

Yes: an algorithm exists that guesses passwords in time 2^40. I can't exhibit it, but it exists. JPAKE doesn't have this issue.

2^40 times doing what?  Is it 2^40 calculations based on a single observed authentication?  Observing 2^40 successful authentications?  Actively interacting 2^40 times with the authentication server?

For password-based authentication, these are totally different things, because most passwords come from a 16-bit pool, and nearly all come from a 24-bit pool ([1]). That means that they are very vulnerable to active guessing, which is why pretty much every application limits an attacker's guessing using timeouts.

So what kind of attack is it that you can't exhibit?

Yoav


[1] http://www.maths.tcd.ie/~dwmalone/p/www2012-slides.pdf