Re: [Cfrg] I-D Action: draft-irtf-cfrg-augpake-05.txt

Mike Hamburg <mike@shiftleft.org> Fri, 22 January 2016 19:17 UTC

From: Mike Hamburg <mike@shiftleft.org>
In-Reply-To: <CAEseHRrkYFLMvW1HOm9M_daWYt0UnR27Ykhwugwe7AwFypf5QQ@mail.gmail.com>
Date: Fri, 22 Jan 2016 11:17:06 -0800
Message-Id: <2176DD45-029F-43DD-A4C3-80BD5961D626@shiftleft.org>
References: <20160122011355.8950.66996.idtracker@ietfa.amsl.com> <CAEseHRrvP45kJZ4oQhNpStH+V4j7GK6p15Zj0tiLD73pGGdgSA@mail.gmail.com> <CAEseHRrkYFLMvW1HOm9M_daWYt0UnR27Ykhwugwe7AwFypf5QQ@mail.gmail.com>
To: Michael Scott <mike.scott@miracl.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/_zTgIxyNRNHLgsZssD7uLmQhD8M>
Cc: cfrg@ietf.org
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-augpake-05.txt

That said, does anyone know if there is an updated security proof of AugPAKE?  If I recall correctly the one in [SKI10] doesn’t actually work.

> On Jan 22, 2016, at 10:13 AM, Michael Scott <mike.scott@miracl.com> wrote:
> 
> Oops my mistake, no that attack doesn't work. Thanks to Rene Struik for pointing out my mistake.
> 
> 
> Mike
> 
> 
> On Fri, Jan 22, 2016 at 1:17 PM, Michael Scott <mike.scott@miracl.com> wrote:
> Appears to be a small weakness here, assuming that the actual password w is used "the binary representation of the processed UTF-8 character string"
> 
> A false server who wants to eliminate some password guesses from their list, responds with
> 
> Y=(X^y.g^(w*r*y))^n where they wish to eliminate passwords w,2w,3w,... nw
> 
> The user responds with a hash of known quantities, plus Y^{1/(x+wr)} = g^{ny}
> 
> The false server drops the link, and offline checks for the correct value of n. If it's not there, then w,2w,3w,... nw can be eliminated.
> 
> 
> Mike
> 
> On Fri, Jan 22, 2016 at 1:13 AM, <internet-drafts@ietf.org> wrote:
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Crypto Forum Working Group of the IETF.
> 
>         Title           : Augmented Password-Authenticated Key Exchange (AugPAKE)
>         Authors         : SeongHan Shin
>                           Kazukuni Kobara
>         Filename        : draft-irtf-cfrg-augpake-05.txt
>         Pages           : 20
>         Date            : 2016-01-21
> 
> Abstract:
>    This document describes a secure and highly-efficient augmented
>    password-authenticated key exchange (AugPAKE) protocol where a user
>    remembers a low-entropy password and its verifier is registered in
>    the intended server.  In general, the user password is chosen from a
>    small set of dictionary whose space is within the off-line dictionary
>    attacks.  The AugPAKE protocol described here is secure against
>    passive attacks, active attacks and off-line dictionary attacks (on
>    the obtained messages with passive/active attacks).  Also, this
>    protocol provides resistance to server compromise in the context that
>    an attacker, who obtained the password verifier from the server, must
>    at least perform off-line dictionary attacks to gain any advantage in
>    impersonating the user.  The AugPAKE protocol is not only provably
>    secure in the random oracle model but also the most efficient over
>    the previous augmented PAKE protocols (SRP and AMP).
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-irtf-cfrg-augpake/
> 
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-irtf-cfrg-augpake-05
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-augpake-05
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg