IETF Logo Mail Archive

Re: [Cfrg] My review of the four balanced PAKE (SPAKE2, SPEKE, CPACE, J-PAKE)

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Fri, 06 September 2019 22:07 UTC

Return-Path: <sfluhrer@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 800E6120DFA for <cfrg@ietfa.amsl.com>; Fri, 6 Sep 2019 15:07:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.499
X-Spam-Level:
X-Spam-Status: No, score=-14.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=Jbp1BTye; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=HRlHpy1q
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WdEnlaEyDI5L for <cfrg@ietfa.amsl.com>; Fri, 6 Sep 2019 15:06:59 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A02D5120271 for <cfrg@ietf.org>; Fri, 6 Sep 2019 15:06:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=13294; q=dns/txt; s=iport; t=1567807619; x=1569017219; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=kqLUdpyj4+8XrJ3t0VAq8SVOP5pXFNoVsUZrBIBC3Ho=; b=Jbp1BTyeA3vxPcXlaicsHizIuA9O7uNiwIfQd5CiqW62mBrY7nkZ5J6t UeAWGBDJ8ukUJE/maKbvp67miBsP09B2X8gTgVY6csndQadSj514Rs10f 47tx07PyJ4L+eWmFf2iUh3xDxoypRD9IDIqfuJmHj1ji1h7wStR77BLfI c=;
IronPort-PHdr: 9a23:X/oO8BUgnSiciX5LFACs1V6CIpvV8LGuZFwc94YnhrRSc6+q45XlOgnF6O5wiEPSA9yJ8OpK3uzRta2oGXcN55qMqjgjSNRNTFdE7KdehAk8GIiAAEz/IuTtankhEsBfVEVo5VmwMFNeH4D1YFiB6nA=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BUAQDn1nJd/5pdJa1lDg4BAQEEAQEHBAEBgVYEAQELAYEVL1ADbVYgBAsqh2gDinWCXJMRhFyCUgNUCQEBAQwBAS0CAQGEPwKCNyM3Bg4CAwkBAQQBAQECAQYEbYUuDIVKAQEBAQMSGxMBASMUAQ8CAQgVMTIlAgQOBQgagwGBHU0DHQGeTgKBOIhhgiWCfQEBBYUQGIIWCYE0AYkugkkYgUA/gRFGgh4uPoQeEBgFB4MvgiaMSYgTlnNuCoIglQyYe6ZhAgQCBAUCDgEBBYFoIoFYcBU7gmyCQgsBF4NPihg7c4EpjHOCUwEB
X-IronPort-AV: E=Sophos;i="5.64,474,1559520000"; d="scan'208,217";a="326492033"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 06 Sep 2019 22:06:58 +0000
Received: from XCH-RCD-020.cisco.com (xch-rcd-020.cisco.com [173.37.102.30]) by rcdn-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id x86M6whM005007 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 6 Sep 2019 22:06:58 GMT
Received: from xhs-rcd-002.cisco.com (173.37.227.247) by XCH-RCD-020.cisco.com (173.37.102.30) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 6 Sep 2019 17:06:57 -0500
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by xhs-rcd-002.cisco.com (173.37.227.247) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 6 Sep 2019 17:06:54 -0500
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Fri, 6 Sep 2019 18:06:54 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bEIJo632wd9yBUMCwAHcnpjilimvM5YCzF/gSZHW/1DJ6sky2Qieg3Tu37ftDWsjspPq9e6cT9FSwY+HCewQN/CHvdYfJhbPOJ9n5WpDZ5usIEiftbu68l2Y+tAW+Blot7Tqu7ZNSvyYSC5H5T1xkb881+q0fQ2nnPGAz2ty//K8T3uwU6xWib5V7wQ7/ym2ePp2TGxVKy794NNm57GjRL7mKPr8Nee6jBtMc7kMnx5S/bnRJrcdrIYhwRbtZfFR+amaG2CBHv1dsmMWaumAO8m27laOWhvVYYUxbFlZB/aGZgK5Dhp8xGcMElX2PhoM6I0ibD0DL8sZDovRRlrOZQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=897V+0xW+y/D5Z/wmZBfoHZWk/Oim0D5Hs0kgSizQIU=; b=H50oiMbfIyMniVYwXe4JUVV/pfP26zSE388X2nONgrylvOACkl9xmrweS1OQrEh0B0BnzaRH9EHxps5aevCVQNtunv14rx+6j078jjO1Hv7p3XDfCdTJs7Coh35mgwvvlE/QSn+x5QKfUvvZjuh4A84/UCXdBdDdAvUOM+fhe2Gao+rIEzO3bZeAezDz6GwSEI4deoO2midBX7n8RodNtRtNTDeE5T+bCGOpVGmTQGKsoiECG89A3SeF2Ao54ehcEAZRvC2p5KjkJiU232ea+BOzXFqR9K5CeD1Qy9vOh8ZjEE/IB/fSMHovolxAHE6QIzdEa9V01CQnvb2Z9bykIw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=897V+0xW+y/D5Z/wmZBfoHZWk/Oim0D5Hs0kgSizQIU=; b=HRlHpy1qEFtnllGQ3kr1X4leo1ajyy/mmF1+dn7td3jOUVBIZEF6nFhhc++YqQsnU6k6HI664V66fC83jcdJQ5yjuQnqAr0a/WXx1i9Zw9P8AaZb8vq1cLlDSLj7YgToymqeaMJMMW7qaKFvIKMExhtuNhYCZDUS2gwS8172YfA=
Received: from BL0PR11MB3172.namprd11.prod.outlook.com (10.167.182.222) by BL0PR11MB3507.namprd11.prod.outlook.com (20.177.205.211) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2220.20; Fri, 6 Sep 2019 22:06:52 +0000
Received: from BL0PR11MB3172.namprd11.prod.outlook.com ([fe80::de4:ce0b:65fc:5b12]) by BL0PR11MB3172.namprd11.prod.outlook.com ([fe80::de4:ce0b:65fc:5b12%4]) with mapi id 15.20.2241.014; Fri, 6 Sep 2019 22:06:52 +0000
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
CC: "cfrg@ietf.org" <cfrg@ietf.org>
Thread-Topic: [Cfrg] My review of the four balanced PAKE (SPAKE2, SPEKE, CPACE, J-PAKE)
Thread-Index: AQHVZPYJE9IdTF5V4EG+/Jp97dMlF6cfMF1w
Date: Fri, 06 Sep 2019 22:06:51 +0000
Message-ID: <BL0PR11MB31727858D86D170DDA4B622CC1BA0@BL0PR11MB3172.namprd11.prod.outlook.com>
References: <D99879C6.47687%u1775114@live.warwick.ac.uk>
In-Reply-To: <D99879C6.47687%u1775114@live.warwick.ac.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=sfluhrer@cisco.com;
x-originating-ip: [2001:420:c0c8:1006::781]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 20a3d1e2-f068-4630-623d-08d7331685ad
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600166)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:BL0PR11MB3507;
x-ms-traffictypediagnostic: BL0PR11MB3507:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <BL0PR11MB3507460851B74F384D26B385C1BA0@BL0PR11MB3507.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0152EBA40F
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(396003)(366004)(376002)(346002)(39860400002)(76094002)(199004)(189003)(6506007)(6246003)(8936002)(54896002)(186003)(9686003)(53936002)(6306002)(55016002)(102836004)(46003)(71200400001)(71190400001)(86362001)(5660300002)(446003)(14444005)(6436002)(6916009)(76176011)(256004)(486006)(476003)(229853002)(11346002)(4326008)(7696005)(2906002)(14454004)(6116002)(790700001)(478600001)(33656002)(66556008)(81166006)(66476007)(99286004)(81156014)(64756008)(66946007)(76116006)(66446008)(8676002)(52536014)(74316002)(25786009)(316002)(7736002); DIR:OUT; SFP:1101; SCL:1; SRVR:BL0PR11MB3507; H:BL0PR11MB3172.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: JnBdQYoZPNts2MQvwzNKyO3/TgSMNut4+zUKskQ/syZAyK9Ty7Ohmn56NXp5q7Lsc0TLC4aqFLnfTK20+wOuZ1D5PRp9HjEIC/tKFE7Vfgc0FpyPe/s3KSu4cF9dQzIp0Tqfb/pqOHZOB6iG8lzYPwyXvPN5OhE+qQm9ZhWAxuljXTMhsBdhNYIZGW+toogh9DuaW2Ax3RhUIWRjfI18s2D1tYkqOS7yu1C2GdzsHK+Ed026NLR99t7H5TeIIviiO5obPm7rJhsjgBsIRDvQ5mV6mPm3MEWyeScPFipXznoDUXryfRX6XuGZHIgI55/iMOZAgaEay7Exrw9zpRJ1OL05NVPtGh6kWEySkJUMCFAjCdqcaFQ1Kch4bFWaec/EAOKBeNBkIpzvmdYPabYntj5C6r69gtRO8DPC4+9sTjQ=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BL0PR11MB31727858D86D170DDA4B622CC1BA0BL0PR11MB3172namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 20a3d1e2-f068-4630-623d-08d7331685ad
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Sep 2019 22:06:51.9835 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: etJCDIe4nE2jG77VkUrOAG80nzu62yUYuSn6YOfC+5YosbRjy1bJtvH6S+kx49xmIg5yCmF6dvusIVimb2P0sA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR11MB3507
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.30, xch-rcd-020.cisco.com
X-Outbound-Node: rcdn-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/U_0EfDy8ycp8g5EcBv_V8WPRVWs>
Subject: Re: [Cfrg] My review of the four balanced PAKE (SPAKE2, SPEKE, CPACE, J-PAKE)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Sep 2019 22:07:03 -0000

From: Hao, Feng <Feng.Hao@warwick.ac.uk>


"Also, not formally a part of this review, but as I went through the RFCs (8236 and 8235), a potential improvement occurred to me.  The NIZKP in 8235 allows the proof to reference an OtherInfo field; this is a value used to specify the context (so that the proof is not valid in any other context).  OtherInfo is currently unused in J-PAKE, however suppose we were to insert (for example) all the currently seen points in each proof as OtherInfo.  For example, the initial client pass might have the values of (x1, x2) as the extra info in both of its NIZKPs; the server response (assuming the 1.5 pass version) might have (x1, x2, x3, x4, B) as its extra info, and the final client response might use (x1, x2, x3, x4, A, B)..  What this would mean is that the adversary has even less flexibility in his attack; he now cannot extract values from previous exchanges and reuse them in new ones (with the exception that he can exactly duplicate the initial client pass); he could (for example) modify the server response from an honest server, however he would have to select entirely fresh x3, x4, B values for which he knows the appropriate discrete logs.  Because the adversary has fewer options, this means that the proof could potentially be simplified (as there are fewer things that the proof has to prove can't happen), as well as giving a potentially better end security bound (everything the proof disallows does cause a small reduction in the provable security bound.  In fact, we might be able to limit the possible adversary strategies sufficiently that it would be practical to do a case analysis covering everything an attacker can attempt (which would be less rigorous, but considerably easier to understand).  In addition, this suggestion cannot hurt security (the existing proof is still valid, as the NIZPKs still meet the security assumptions), it would not increase bandwidth at all (the data inserted into the OtherInfo field is already present in the messages), and would only cause a tiny increase in the computation time (the extra info is just included in a hash).  Just a thought..."

[FH] Thanks for your suggestion. I don't object anyone doing the above, which is exactly why I defined OtherInfo (optional) in the RFC, to provide the flexibility to include the transcript of the key exchange (if people want) into the hash so to restrict the attacker even further and make the proof tighter. However, I didn't want to make it mandatory for two reasons. 1) I don't consider this is strictly necessary for the security of J-PAKE; 2) if we do it, we will end up with a protocol specification that depends on whether the protocol will be implemented as 2 rounds or 1.5 round. It's not neat, and makes things more complex. Between simplicity and complexity, I would err in favour of the former : )

Well, I just spent a disgusting amount of time slogging through four different simulation-based proofs of PAKE, and they were all pretty much clear as mud.   I did not find any problems with your proof, however I am not entirely convinced (because of the subtlety involved) that I didn't miss anything.
In contrast, with my idea, well, that severely limits the games that an attacker can play.  I suspect that we could simply list the various things that an adversary can try (e.g. keep the first message unchanged, replace the values in the second and third messages with values whose dlog he knows) and show that none of the attacks allows the adversary any unwarranted advantage.  Why would such a proof (which I have not worked out the details) be considered attractive?  Because it'd be clear that it covers everything an adversary can do, and between a proof which is opaque (and which might hide hidden flaws) and one which is obviously valid, I would err in favor of the latter. :)

Of course, as a compromise, you could have the responder's x3, x4 values have only (x3, x4) as the OtherInfo; that would make both the 2 pass and the 1.5 pass version identical.  It would allow the attacker more options (e.g. he could now leave x3 and x4 unchanged, but insert his own B value), but there might not be *that* many more cases...

v2.23.0 | Report a Bug | By Email