IETF Logo Mail Archive

Re: [CFRG] Attack on a Real World SPAKE2 Implementation

Björn Haase <bjoern.m.haase@web.de> Sun, 09 May 2021 16:06 UTC

Return-Path: <bjoern.m.haase@web.de>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 217213A1186 for <cfrg@ietfa.amsl.com>; Sun, 9 May 2021 09:06:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.196
X-Spam-Level:
X-Spam-Status: No, score=-0.196 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=web.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7L2MwIHAD8k4 for <cfrg@ietfa.amsl.com>; Sun, 9 May 2021 09:05:54 -0700 (PDT)
Received: from mout.web.de (mout.web.de [212.227.15.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 608073A1185 for <cfrg@irtf.org>; Sun, 9 May 2021 09:05:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=web.de; s=dbaedf251592; t=1620576352; bh=YR8ZySnZjiY8hD4kJiostpzKrIwG/o8fOfJ6G/GWnyo=; h=X-UI-Sender-Class:Subject:To:References:From:Date:In-Reply-To; b=VglP7Z/JThkzuPm4yW5CiJP/VDd3aIY8eB0g29y1Fan6W4l002SmaPsHQPygM2G5I F9tlAtkc9rUgJTCyOfxsui6F0OB6T8GaolwzGmgDUFQRVdI9vLhwn9JyAOvWBYvwD7 krws4yny80Mb1KYx1h1e1lsB2w6NX3/GR/6W3xB4=
X-UI-Sender-Class: c548c8c5-30a9-4db5-a2e7-cb6cb037b8f9
Received: from [192.168.178.21] ([109.90.104.251]) by smtp.web.de (mrweb006 [213.165.67.108]) with ESMTPSA (Nemesis) id 1MjgT9-1lEAMO3U9T-00l7Mz for <cfrg@irtf.org>; Sun, 09 May 2021 18:05:51 +0200
To: cfrg@irtf.org
References: <2bfbd767-b93a-42bd-be7d-1dae9e32e555@ruben-gonzalez.de> <SY4PR01MB625110F1F7633D989FCF183EEE579@SY4PR01MB6251.ausprd01.prod.outlook.com> <e88bae26-ff1f-42e3-babf-c5de3ee1d781@www.fastmail.com>
From: Björn Haase <bjoern.m.haase@web.de>
Message-ID: <e47d0509-2b47-b811-7fd5-8846c11dc055@web.de>
Date: Sun, 09 May 2021 18:05:47 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.10.1
MIME-Version: 1.0
In-Reply-To: <e88bae26-ff1f-42e3-babf-c5de3ee1d781@www.fastmail.com>
Content-Type: multipart/alternative; boundary="------------24C9F0EFDDCD23E5524CC795"
X-Provags-ID: V03:K1:4eOW3fczd8vXFGPTivZoOg+qNxehwI1whTwZCWURIGff0oiHjVi zAMcXcFop2AxGB9VcFqFAXju389DyvqiRv8Bz/cJE23+sLq2nYmTHsBISuUgTgP+0tZA9Dz sGyUqINZTiyvCvBsG2VwRvZ3jJvaYVlSl84LEbcLoISwsCPT9bcgTlZKqDcS65IuIvmAFqq GysN6W2jbwpVmDUxzQzlQ==
X-UI-Out-Filterresults: notjunk:1;V03:K0:UtjN/XRHQGU=:/iecsP353E2OUmB5c1W0n7 iAPOtycxrXPGr9k7Ev5S6tT92PfnMnZvu9SkiF5fKv8MGtYDqKglvohU+pCHxVqTftDFxKC7k wgw2W8ZYiTaYTV6nUcCgdNKlDiRFgLiZYpHFD0PNf4RFwQzsQ1dcLSMbvva5/NdvEMgSsOC8q MYXzx7BeeoM+nD9SfCrYXvRf26SrdMpsiPNBepOE6YbbrMIBgrCVECe4IWK4QJEzSAs/lQWxl UlKf6R7Ky7fYF0D7rkDQahtmtEP1qONpS5gykHYP6anDTQV0hCER1+h2JNYpSv2zJOs7VC6Gm Y87VxDH5BHwC8RHSB5ITqpxBmC5jFnu+lzu4OIP8cHwIn+9A5Iu4lsHj2KrMy7LzftAM5oehz DJziUEtklpNA/Bu/CpMRdIqLwrYcGhk82HyIyuv0q9tmppMnaCWhBBWaLO+5aBATYzWlhiJxQ L288Qoyl9n4RsKzPGmZtwWRx+quxLQ/irKXNP3MmeI9doS+Rrz8eLt8/TtNWVs7BWWiGONhGk 8zcZ0UVarZapPt2p8CUeTCWA3cvhNRzBpAb/No57NYew1HNJN7Kmj8qRq8YVL7Os6l7fPrPlx H0Uh1IZqFk+vPwisn5RByzFbl0pDiJJcUgmOkveY7a5p98OkMTz8ITSWv1sh2Jklj0QsuoChO l0MJT7Q/FBozFODtF81aMoWzvXFHj5H/EJcDbx9jJUkJ1lrIBMacGzuZUwELCX8Gdb4KPk8vj 0dmikKH4oiyU8R/ehwkWMpJN4mQp5Tjc7e64ax0s8y1uAbdePoJ9o7OgZYD9n+dbnEKk1UcGf sdntaIjm2mgATKHS40ainJdoL7pMmYVKLpwna6DOcgER+2cdY1YEJ2aVnr4F+LyR8XC5uLcQq 8WTXV9tKafLP1A4BmTTBdp4HTvYBrvaaLXKJKxnkAPwO+0Wxcxi6Nue3Hj2IBBO8J8+1IHwFR y40HHvQhmQy55U+lXrmUHXA4xk+gSpjmWT1oKd657H+4D+s03L/1n4PAStxuqQwbn5lnFhBQD ecDQNgcEwZJW0tusaIr/fi9KgqyfZPpeRnixuvKMiFqk4QMf43f2fFHVqH041jK5vLulHhsdI MTV/Bg5+ycf32naosQdaLG2N71XPKZTOYAB/pC5wVz3lxkKCdNPIrUIskHFN+Xf8XD5vN3WLm OlfI2YXSVrpQGfjk9yGxPI15mpLi/xETUdoO4A6O9PJgdF/FouMR7oHPrRZb3CRL5Kj9c=
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/bUp1h09xRdaRI-x6FnbgiOhYuKs>
Subject: Re: [CFRG] Attack on a Real World SPAKE2 Implementation
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 May 2021 16:06:00 -0000

Hello All,

I think we should be be careful with biased wordings such as "sharing
the blame" and assumptions such as "snake oil" which implies fraudulent
intentions.

IMO, we just don't know all of the details and it might be more
constructive not to speculate too much.

(When writing this: Even though my professional experience taught me to
never under-estimate the power of foolishness, I think that it should be
considered to be truly remarkable how many things have gone wrong here
simultaneously. )

For the same reason, I don't think that one should be careful of
"blaming" the authors of the SPAKE2 for anything that has gone wrong here.

Regarding possible improvements of the draft I still would like to come
up with a suggestion:

What about adding a clear and *mandatory* specification for conforming
implementations of SPAKE2 on any curve on how to generate the "nothing
upon my sleeve" inputs M,N?

I would recommend mandating a procedure that refers to the current draft
version of the h2c draft as it is today.

Alternatively, if one would like to avoid references to the h2c draft
(in order to make M,N independent of possible future changes in the h2c
draft), one could consider using a specification in the style of
appendix A in https://eprint.iacr.org/2018/286.pdf, where similar 
"nothing upon my sleeve" points "A, C" were needed.

At any rate, I believe that there seems to be need for a mandatory
trustworthy way for generating M, N for *any* curve.

Yours,

Björn

P.S.:

Actually, I just noticed that its not really explicit how the points M,
N in the current SPAKE2 draft 18 are calculated for the curves where
test vectors are provided. I presume that the uniform h2c map was used
for the given seed inputs?


Am 08.05.2021 um 01:51 schrieb Filippo Valsorda:
> 2021-05-07 04:17 GMT-04:00 Peter Gutmann <pgut001@cs.auckland.ac.nz
> <mailto:pgut001%40cs.auckland.ac.nz>>:
>> Ruben Gonzalez <in+lists@ruben-gonzalez.de
>> <mailto:in%2Blists%40ruben-gonzalez.de>> writes:
>>
>> >We did not attack SPAKE2 directly, but a faulty implementation.
>>
>> Nice work!  This is an example of what I once referred to as second-order
>> snake oil crypto, good crypto applied badly (first-order is bad crypto).
>
> Snake oil is fraudulent. This is a broken implementation, for which
> specification authors should at least consider sharing the blame. How
> did the spec fail the implementers, who presumably were not trying to
> implement something in a broken way?
>
> (I know, I know, SPAKE2 is a draft, not an RFC! But it's been a draft
> for almost 7 years, and at some point people need to implement stuff.)
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email