[CFRG] Re: RGLC on draft-irtf-cfrg-opaque-13

"Riad S. Wahby" <riad@cmu.edu> Fri, 24 May 2024 14:52 UTC

Date: Fri, 24 May 2024 10:51:57 -0400
From: "Riad S. Wahby" <riad@cmu.edu>
To: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
CC: Kevin Lewi <lewi.kevin.k@gmail.com>, IRTF CFRG <cfrg@irtf.org>

Hello Feng,

"Hao, Feng" <Feng.Hao@warwick.ac.uk> wrote:
> @Riad, please note that the undetectable online dictionary attack is
> different from the (standard) online dictionary attack. The "completely
> standard attack detection heuristic" applies to the latter only.

This is false. Your "undetectable online dictionary attack" is just a
marketing term that's used to make a minor optimization sound important.

Of course it's detectable, and in exactly the same way that all online
attacks are detectable: the server just counts all authentication attempts
against the rate limit, whether they drop out before completion or not.
As I previously argued, that's the correct behavior no matter which PAKE
you use; it completely dispenses with your "undetectable" attack; and by
the way it is already standard practice.

If there's something to be added to the Security Considerations of OPAQUE
(and indeed, any PAKE document), it's just this: authentication attempts
must be strictly rate limited because passwords are subject to guessing.
That's been the completely standard advice roughly forever, but it doesn't
hurt to remind the reader lest they become confused by silly marketing.

Let's please stop flogging this dead horse. The concern trolling over easily
detected "undetectable" attacks has long since become embarrassing.

-=rsw
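
The counting rule argued for in the message above, sketched as an added example (not code from the poster or from the OPAQUE draft): an attempt is charged when a login session starts, so a session abandoned before completion still uses up budget. The class name, method names, limits and the account name are hypothetical.

```python
import time
from collections import defaultdict, deque


class AttemptLimiter:
    """Per-account sliding-window limiter that charges when a login starts."""

    def __init__(self, max_attempts=5, window_s=3600.0, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.clock = clock
        self._charged = defaultdict(deque)  # account -> timestamps of charged attempts

    def _prune(self, account):
        now, q = self.clock(), self._charged[account]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        return q

    def begin(self, account):
        """Call on the client's first login message, before replying.
        Returns a ticket, or None if the account is over budget."""
        q = self._prune(account)
        if len(q) >= self.max_attempts:
            return None
        ts = self.clock()
        q.append(ts)  # charged now, so dropping the session later changes nothing
        return (account, ts)

    def finish(self, ticket, authenticated):
        """Call if the session reaches its final message."""
        account, ts = ticket
        if authenticated and ts in self._charged[account]:
            self._charged[account].remove(ts)  # refund only a proven-correct login

    def remaining(self, account):
        return self.max_attempts - len(self._prune(account))


def simulate_aborted_sessions(n_sessions, max_attempts=5):
    """Constructed scenario: every session is opened and then abandoned."""
    t = [0.0]
    lim = AttemptLimiter(max_attempts, 3600.0, clock=lambda: t[0])
    accepted = 0
    for _ in range(n_sessions):
        t[0] += 1.0
        if lim.begin("alice") is not None:
            accepted += 1  # finish() is never called for this session
    return accepted, lim.remaining("alice")
```

A limiter that only incremented its counter on an explicit failed completion would never see the abandoned sessions in `simulate_aborted_sessions`; charging in `begin` is what makes them count.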