[CFRG] Re: RGLC on draft-irtf-cfrg-opaque-13

Hugo Krawczyk <hugo@ee.technion.ac.il> Mon, 27 May 2024 22:54 UTC

Return-Path: <hugokraw@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FD39C14F6F0 for <cfrg@ietfa.amsl.com>; Mon, 27 May 2024 15:54:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.644
X-Spam-Level:
X-Spam-Status: No, score=-1.644 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2SBxM39xuVlP for <cfrg@ietfa.amsl.com>; Mon, 27 May 2024 15:54:37 -0700 (PDT)
Received: from mail-lf1-f42.google.com (mail-lf1-f42.google.com [209.85.167.42]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B652C14F6EF for <cfrg@irtf.org>; Mon, 27 May 2024 15:54:37 -0700 (PDT)
Received: by mail-lf1-f42.google.com with SMTP id 2adb3069b0e04-529b4011070so288874e87.1 for <cfrg@irtf.org>; Mon, 27 May 2024 15:54:37 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716850475; x=1717455275; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=znMB46J/G9HPROa4Hi0I4JLJ4r3FbPug4XogRUZYURQ=; b=Mjupx5il1jrB8l85keyWT+AQ30raQ/Ietij78qr3CLJ4dyur0RiWxJFthw/z5LWKGB q4oXoBT1/ZYB9ra1lUsIwqcRtZOb8OT2S4J0444YRJg+svFvMuPcATRga3N7aTdwBFzG v7FuAl4kqA4zEuEjp7YcB/KBlHHc1FrN7c7VKLxjil98fUeP2bGZ4XmhG4l3TNuz02ju cU+pDesCBouCiWZFMGvDbkwWDftTZ8bkPrD+mUfvIXWvg5YAuOt2Ls4cbgLa/anb8nd5 FLxnlua0F74eKNYMXNurKUi0F9AuevCRes5xQZ++lqj239irxZqPRjUyr5ZHMu0jSKWL UI5g==
X-Forwarded-Encrypted: i=1; AJvYcCXs2Slq57TqcMVvJOhUnTyaMGpA3eEr79SKAR9GjXwjU2GXtQbOy8w2nzFa1fgTbbRwuJMgSUb4Aff9y4WB
X-Gm-Message-State: AOJu0YzLvBXXt0XeQmUvAogQCTPOvwn+J4zSjfZrgk9RDjN15TgnFAxg 6R6iNKehq5yMTYTMj8GhTaLbo+619e9ZHpJnNmpo1vWAXDgIddF0jprouYD0r6Yywk/+KIs6Djb jq3tHqiR7O3MtBJJtwJ6m5iBjWNw=
X-Google-Smtp-Source: AGHT+IHfXJbwQJb63UanPEaX0n76h4FIm9lY/mH4ya6e/6/JgUyEMas44sQn3+XncvchCwLI9gSQakxl0QX0fDoTlos=
X-Received: by 2002:a05:6512:452:b0:518:6d2:2a8f with SMTP id 2adb3069b0e04-529646df315mr7441374e87.24.1716850474971; Mon, 27 May 2024 15:54:34 -0700 (PDT)
MIME-Version: 1.0
References: <CADi0yUNbiVTe9BaoCFgDaTC06Z1LMAx6q2hJDiWydpy6xFqtRQ@mail.gmail.com> <GV1PR01MB8436B6B6B75DEBC9F1FB30A9D6EA2@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <CADi0yUNCkk8Y5dQJH6DjR33cP7KXXrQsmHfA0UDRxjGuoXCaLA@mail.gmail.com> <GV1PR01MB8436DBCC8F5B167B0B44490AD6EA2@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <CADi0yUPcyc9oSM4NqWynkWuTPStnD9yqt4XwmAg7c=XjCtik4A@mail.gmail.com> <GV1PR01MB84364908B61E293E46012214D6EB2@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <CADi0yUOtSBmCnQMP-MoyzzxF6LZQcrKfo03sN2cNuO6MS74NAg@mail.gmail.com> <GV1PR01MB84361129416DC8B621CAAEDFD6F42@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <y5y4iquyvrao7jtpyc2ycjtz4sg5dbzhrhddz5j6rv3eydyd2o@zy65yreteuoh> <GV1PR01MB8436B919FE24E2E022639155D6F52@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <2dhbnlfzwgllzqc7farahxqkct3zqcoi7wdj7vybivlzzwxrei@e7phsvy5i6ae> <GV1PR01MB843618C88187FE124B1F142ED6F02@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <CACsn0c=M5OofNyG8YhO4vYOWwFvZW9yLpwMGMXkkDrXZ=Ty1jw@mail.gmail.com> <GV1PR01MB8436ACA18A87EA7AA8A4EA57D6F02@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <CABcZeBP64AC_mSgyU-YyQwCz3bHrbvcqB0xk0TdXampdCtvu6A@mail.gmail.com> <GV1PR01MB8436DDBCAF9F00DDCF34D19BD6F02@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <CABcZeBPsVUaSsX-WOV9ow2tTSaZqspzeAoBhxLBBjJAav71C0g@mail.gmail.com>
In-Reply-To: <CABcZeBPsVUaSsX-WOV9ow2tTSaZqspzeAoBhxLBBjJAav71C0g@mail.gmail.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Mon, 27 May 2024 18:54:05 -0400
Message-ID: <CADi0yUO5QjyXhkA7S5z7js79OTQWFdwBnhAiSkR7BFC3H+B1oA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary="000000000000b17f530619776696"
Message-ID-Hash: ZQQDOUP6YEPAEFRGUCSNV4TK5TDLCQLV
X-Message-ID-Hash: ZQQDOUP6YEPAEFRGUCSNV4TK5TDLCQLV
X-MailFrom: hugokraw@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "Hao, Feng" <Feng.Hao@warwick.ac.uk>, IRTF CFRG <cfrg@irtf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [CFRG] Re: RGLC on draft-irtf-cfrg-opaque-13
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/WovL36KX4-0h_N8GTjv7y2Iee0I>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

There is an even better reason not to go with what Feng proposes. His
modified protocol is insecure. To achieve the property that the server
learns first whether the password was wrong, you would need to move
auth_tag to the fourth message and that modified protocol is insecure (in
the real sense of insecure, not as Feng's "undetectable attack").

Let's move on.

Hugo

On Mon, May 27, 2024 at 6:47 PM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Mon, May 27, 2024 at 3:15 PM Hao, Feng <Feng.Hao@warwick.ac.uk> wrote:
>
>> Hi Eric,
>>
>>
>>
>> What I propose is to remove the key confirmation string sent by the
>> server in the 2nd pass. The client sends its key confirmation in the 3rd
>> pass, and the server only sends its key confirmation string in the 4th
>> pass. This will be a revision in the protocol spec. I couldn’t see how
>> adding a piece of text could properly address this issue.
>>
>
> Thanks for the explanation.
>
> I don't see this as a realistic proposal, as it would mean that OPAQUE
> would not be able to fit into TLS 1.3 without significant surgery to the
> TLS 1.3 core, which is obviously undesirable for deployment reasons. It
> seems to me that we do want it to be possible to use PAKEs with TLS 1.3,
> and if the choices are to accept this property or to make big changes to
> TLS 1.3, then I think the right answer is probably to accept this property
> and document it in the specification.
>
> -Ekr
>
>
>>
>> Cheers,
>>
>> Feng
>>
>>
>>
>> *From: *Eric Rescorla <ekr@rtfm.com>
>> *Date: *Monday, 27 May 2024 at 23:00
>> *To: *Hao, Feng <Feng.Hao@warwick.ac.uk>
>> *Cc: *Watson Ladd <watsonbladd@gmail.com>, IRTF CFRG <cfrg@irtf.org>
>> *Subject: *Re: [CFRG] Re: RGLC on draft-irtf-cfrg-opaque-13
>>
>> Feng,
>>
>>
>>
>> This has been a very long thread, with a lot of back and forth, but it's
>> not clear to me what outcome you are looking for here.
>>
>>
>>
>> Do you have a proposed piece of text that you think should be in the
>> OPAQUE draft prior to it going to RFC? If so, what is that text?
>>
>>
>>
>> -Ekr
>>
>>
>>
>>
>>
>> On Mon, May 27, 2024 at 2:32 PM Hao, Feng <Feng.Hao=
>> 40warwick.ac.uk@dmarc.ietf.org> wrote:
>>
>> Hi Watson,
>>
>>
>>
>> That will be a standard online dictionary attack which applies to any
>> PAKE, and can be detected and “accurately” recorded by the server. Please
>> have a look at Ding and Horster’s 1995 paper which I posted earlier.
>> https://dl.acm.org/doi/pdf/10.1145/219282.219298 That paper explains the
>> difference between a standard (detectable) online dictionary attack and an
>> undetectable online dictionary attack. Similar attacks in various different
>> protocol settings have been well studied in the past 30 years.
>>
>>
>>
>> Cheers,
>>
>> Feng
>>
>>
>>
>> *From: *Watson Ladd <watsonbladd@gmail.com>
>> *Date: *Monday, 27 May 2024 at 21:49
>> *To: *Hao, Feng <Feng.Hao@warwick.ac.uk>
>> *Cc: *Riad S. Wahby <riad@cmu.edu>, IRTF CFRG <cfrg@irtf.org>
>> *Subject: *Re: [CFRG] Re: RGLC on draft-irtf-cfrg-opaque-13
>>
>> On Mon, May 27, 2024 at 6:13 AM Hao, Feng
>> <Feng.Hao=40warwick.ac.uk@dmarc.ietf.org> wrote:
>> >
>> > Hi Riad,
>> >
>> >
>> >
>> > The factual difference between OPAQUE and SRP-6a is that in OPAQUE, the
>> server is authenticated first, whilst in SRP-6a, the client is
>> authenticated first. The order of authentication has a profound implication
>> in security here. For the case of OPAQUE, the server leaks password
>> verification information via the key confirmation string in the 2nd pass
>> before the client is authenticated. If the client drops out, the server
>> can’t distinguish legitimate drop-outs from online guessing attacks. This
>> means that the server has to deal with false positives (denying legitimate
>> users hence causing the DoS attack to its own users) and false negatives
>> (letting an attacker guess the password without being detected or logged).
>> Managing the false positive and false negative can be complicated in
>> practice.
>>
>> Huh? An attacker can always carry out the full protocol to guess to
>> lock someone out. That a query amounts to a guess doesn't really
>> change this.
>>
>> --
>> Astra mortemque praestare gradatim
>>
>> _______________________________________________
>> CFRG mailing list -- cfrg@irtf.org
>> To unsubscribe send an email to cfrg-leave@irtf.org
>>
>> _______________________________________________
> CFRG mailing list -- cfrg@irtf.org
> To unsubscribe send an email to cfrg-leave@irtf.org
>