Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE schemes
"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Sat, 30 January 2016 12:27 UTC
Return-Path: <smyshsv@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7518F1A1A8F for <cfrg@ietfa.amsl.com>; Sat, 30 Jan 2016 04:27:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.901
X-Spam-Level:
X-Spam-Status: No, score=0.901 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PuBQ9Mg_S_Pv for <cfrg@ietfa.amsl.com>; Sat, 30 Jan 2016 04:27:21 -0800 (PST)
Received: from mail-vk0-x233.google.com (mail-vk0-x233.google.com [IPv6:2607:f8b0:400c:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 643E31A1A8A for <cfrg@irtf.org>; Sat, 30 Jan 2016 04:27:21 -0800 (PST)
Received: by mail-vk0-x233.google.com with SMTP id e185so55446925vkb.1 for <cfrg@irtf.org>; Sat, 30 Jan 2016 04:27:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=QcKObdAoxghuuHDoUQX3vfM2ut16AOGu++em0OtE2m8=; b=qj+lTqjX7M0vJSJ31SiIS703n4sunCNa/3BJzxnQs39iLABiXi4RtFtw5pR0y/E5zf aZTr9nPkNtxwvgqkRTKRxxIhuBsWHOKuab6wMIHIEVIsBsPHC10YSv7Fi4JFN0aFDHKm 5cjDk4cXBAvqp5HVYGuDZc3gtV+M+Z6Ma3yM418yPGS1A63DJ06ur8h9Cmrez2EhZDYs 2XapTYyvQBZbadjhkm30F/Hk2Ljbup8b29cK7Rbsmk58z6tWmDozJX3MmmsSP4v6jjiH P7k0dpECjjD774BFqm6aiaslxr5pW8dDD/UXIn3oIDELkNhBOZVkhZT1A07ACjJGW6KX FkoA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=QcKObdAoxghuuHDoUQX3vfM2ut16AOGu++em0OtE2m8=; b=LsxUW5/I1SQpC0Ig1QgOXJ30djwDn8s7hq6yEf3WXCDfadq6dS99PUsF6YYab6YuOl Wdklv7P5miTkEstkp9htA4p0KcxtSD1TulgZZxVXLdyKnVeSI4MwnZ1TycBrxcBcwG20 9FpEWIFEgiAWrSFarXWP8k3pdxZXD+sKrG+UKz1LqCCT1ByV7SNxhUfzA048AxU8FJbx nlsXsBiZpsPkYCXEifuOj75LGfipd8Af0gllnCtAlVZVOjsfafB3a5Li2J6VUQxHQYBp Nxo7TOdnfyMh+f7MUC53F4RuhxifQ+zP/yB8r+4FqUImssR9EPEx55rT7NAj/raYOyHS R3uQ==
X-Gm-Message-State: AG10YOSBaCQHHxYWp71xjfwTPsF5WgKxZmr9wahuhnYEJXDBw7iemGslxLUfMj6Vt0MjTBPNWemBGTqcHSCoNw==
MIME-Version: 1.0
X-Received: by 10.31.56.140 with SMTP id f134mr9393102vka.23.1454156840457; Sat, 30 Jan 2016 04:27:20 -0800 (PST)
Received: by 10.31.80.133 with HTTP; Sat, 30 Jan 2016 04:27:20 -0800 (PST)
In-Reply-To: <01a1b24557860d5e2afc8349d55d6ca5@mail.tc26.ru>
References: <CAMr0u6=76q4n-u1Vpv5vWjSNgi4CtaOJoX0EmvcbXH+9C4w2mg@mail.gmail.com> <78D9D0BF-4ADE-4DDB-88A4-BF03DD6336BA@shiftleft.org> <9c878c6b6b505414f71fa53442e4a33a@mail.tc26.ru> <CAMr0u6nzV_Y87ghnAcmhgkzk4fgdKtC3Kj8NqPyawHrjhGVySg@mail.gmail.com> <CACsn0ckKX7pKZ5qU0y6cR3jyGV8JmL1V8EAUwU6b4ShDYVxmYw@mail.gmail.com> <CAMr0u6kvc1B8MY7Nqs2NLd1tHPU6wiv7ti9QDQ5gvu6iRgw+2g@mail.gmail.com> <930102DC-F5B3-4233-BF6B-1EC631B4ABF5@gmail.com> <56AB6787.1010302@htt-consult.com> <30BB5B38-9DC3-4DC1-968C-F3A2AC293E6F@gmail.com> <01a1b24557860d5e2afc8349d55d6ca5@mail.tc26.ru>
Date: Sat, 30 Jan 2016 15:27:20 +0300
Message-ID: <CAMr0u6mj7jczAZSwATcDSYyc7hpa2XxMH1QJYhS9ffgwxW-rmA@mail.gmail.com>
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
To: Grigory Marshalko <marshalko_gb@tc26.ru>
Content-Type: multipart/alternative; boundary="001a1143f0ccec5d4f052a8c45b3"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/XwwzSKPYtODcWzppAIc2us0mvN0>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Robert Moskowitz <rgm-sec@htt-consult.com>
Subject: Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE schemes
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Jan 2016 12:27:23 -0000
Hello, Yoav! Thank you for your opinion; you are absolutely right that no one needs trivial considerations like "number of login attempts MUST be controlled" in each RFC (as much as "users MUST NOT store their passwords on sheets of paper pinned on their monitors", "Dual EC DRBG MUST NOT be used for generating both confidential and public data" etc). Moreover, including such an obvious recommendation is harmful for the security of implementations. If one reads such a phrase, he'll probably stop reading "Security considerations" section and won't read really important info that should be there next: specific recommendations of handling login attempt counters such as "counter value MUST be incremented before sending [i]-th message of the [xyz]PAKE protocol". General recommendations shouldn't be there, but specific ones must. Kind regards, Stanislav 2016-01-30 15:15 GMT+03:00 Grigory Marshalko <marshalko_gb@tc26.ru>: > It is very important to have such security considerations be written > somewhere, especially if they are common and obvious for security experts. > The problem is that for many implementors they are not obvious, and this is > always the root of flawed implementations. > > Regards, > Grigory Marshalko, > expert, > Technical committee for standardisation "Cryptography and security > mechanisms" (ТC 26) > www.tc26.ru > > 30 января 2016 г., 12:50, "Yoav Nir" <ynir.ietf@gmail.com > <%22Yoav%20Nir%22%20%3Cynir.ietf@gmail.com%3E>> написал: > > > > > On 29 Jan 2016, at 3:22 PM, Robert Moskowitz <rgm-sec@htt-consult.com> > wrote: > > > On 01/29/2016 03:04 AM, Василий Долматов wrote: > > > > 29 янв. 2016 г., в 9:26, Stanislav V. Smyshlyaev <smyshsv@gmail.com> > написал(а): > > A major number of cryptography failures follows from incorrect embedding > of lower-level protocols to high-level ones – if you prove the security of > PAKE under specific assumtions on counter handling and then someone > implements it without knowledge of them, you have a practical > vulnerability. We do not create protocols for vacuum, we make them for > practice and must write security considerations (a specific "Security > considerations" section in RFC can be used for discussing these issues, if > someone thinks that they are not important enough to be in the main part). > > I think that idea of moving these recommendations and notice about > importance of correct setting of these counters to the «Security > consideration» section is a good one. > > > I agree. It is the perfect use of "security considerations" for a > security technlogy. None of the old "this whole document is about > security". The security considerations should contain what the > risks/threats to the technology is and point out what is done to > address/mitigate them. > > > I’m not sure about that. These considerations are true for any PAKE. In > fact, they’re true for any kind of password scheme. You could even make the > case that they’re true for any authentication scheme, because letting the > opponent keep guessing is at least creating a DoS on the attacked > authentication server. > We generally write in the Security Considerations section stuff that is > relevant for that particular scheme, not for a whole class of schemes. So > it may be fine to have a BCP document for “Deploying Password > Authentication on the Internet”, but I don’t think we need some boilerplate > text that goes into the security considerations of any password-related RFC. > Yoav > >
- [Cfrg] Requirements for PAKE schemes
- Re: [Cfrg] Requirements for PAKE schemes Paul Lambert
- Re: [Cfrg] Requirements for PAKE schemes
- Re: [Cfrg] Requirements for PAKE schemes 辛星漢
- Re: [Cfrg] Requirements for PAKE schemes Stanislav V. Smyshlyaev
- Re: [Cfrg] Requirements for PAKE schemes Mike Hamburg
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Grigory Marshalko
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Stanislav V. Smyshlyaev
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Watson Ladd
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Stanislav V. Smyshlyaev
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Василий Долматов
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Robert Moskowitz
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Yoav Nir
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Grigory Marshalko
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Станислав Смышляев
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Stanislav V. Smyshlyaev
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc…
- Re: [Cfrg] Requirements for PAKE schemes Stanislav V. Smyshlyaev
- Re: [Cfrg] Requirements for PAKE schemes Евгений Алексеев
- Re: [Cfrg] Requirements for PAKE schemes