Re: [CFRG] On the properties of sid in CPace

Filippo Valsorda <filippo@ml.filippo.io> Tue, 13 April 2021 03:24 UTC

Return-Path: <filippo@ml.filippo.io>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E0093A10E0 for <cfrg@ietfa.amsl.com>; Mon, 12 Apr 2021 20:24:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=filippo.io header.b=ZdsPhoET; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=FFaw7Wsk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qRbXuVwZu0Pc for <cfrg@ietfa.amsl.com>; Mon, 12 Apr 2021 20:23:59 -0700 (PDT)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 686863A10D7 for <cfrg@irtf.org>; Mon, 12 Apr 2021 20:23:59 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 9131C5C0223 for <cfrg@irtf.org>; Mon, 12 Apr 2021 23:23:57 -0400 (EDT)
Received: from imap1 ([10.202.2.51]) by compute3.internal (MEProxy); Mon, 12 Apr 2021 23:23:57 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=filippo.io; h= mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm3; bh=rxIYZhezvmroWjRSL/RKOQl6Ye1Cmwt kx5AtsM2vX98=; b=ZdsPhoETgFNVfYWpNsb3g9X9XKtVvnveof8U0Z6t5JTsmuv Ge8XVjDE4+1ybd0sKFeqbThOmvp0aK16xx9NIMP63ZJDjTJamaHyseuwDL9otq8Q zMt3UuvDJ150WT8LG98/OGYYJURXhpxoi8hRgESA5LzL8FG9NOkapEJuIbEfwlVs SCy9AxIE4vIejSO857bug5yUIDznkzFo9R34Tefq/VjzaXjv4wK2TKeeGpASssu/ 4wxvPIr1whrThc/xiS7gZZjQEc/3dQ409xpE4eBOTWbCVcUwCcBu0XHPYhYKK1w0 y72BPnSG3sjRxnr06Ppd5yPX3v9nIpexTXgITGw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=rxIYZh ezvmroWjRSL/RKOQl6Ye1Cmwtkx5AtsM2vX98=; b=FFaw7WskXnJggZBDLMrUJA 849wYFSW+Xgf55iyzazCFmm9cSKJ38dUxeJykh2+RprkP2wEo6BCsmdpn7d3MWCj rP6z68ocM1UaitkpvYlwQn9g8ztOP+y5/pBosufejlNFXcQZzfMTtfAZTiaOuD98 B4Wg171tAGzGFE2/hVuGBkFtr8sMusg29qXD8NIujaDWStXvsoET7Fa0zRcQP0I9 w+MKB/wbiAOBeLBMOWM8xX7wXx8aVuYkJDgy1/477Q+lvYTM+TuukOeWyFNZATuV gzSZCYbISWiYxjWuTsk0eh8OmZMue9q/S4nRwPTZM1j4RCtWBHjAy7ywYuAMUxwA ==
X-ME-Sender: <xms:zQ51YHAlecWaQlqi1-JiBxfJbaOL6YdV3rcTIlvms0CehXQxVgKA6w> <xme:zQ51YNisbdeB1Q4a9mCOczT_nmMbeZgC8v_MTAUCzR05PIMmQrAB5-y6-iw_O7XSH 9nvI95gcpMHiDhZIA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrudekkedgieelucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsegrtd erreerredtnecuhfhrohhmpedfhfhilhhiphhpohcugggrlhhsohhruggrfdcuoehfihhl ihhpphhosehmlhdrfhhilhhiphhpohdrihhoqeenucggtffrrghtthgvrhhnpeehudffud efkeeugfeifefgtdevteeikeffvedvudegieejteefgffgfeekgeevteenucffohhmrghi nhepihgvthhfrdhorhhgpdhirhhtfhdrohhrghenucevlhhushhtvghrufhiiigvpedtne curfgrrhgrmhepmhgrihhlfhhrohhmpehfihhlihhpphhosehmlhdrfhhilhhiphhpohdr ihho
X-ME-Proxy: <xmx:zQ51YCkAfeEgDsj-9w2IWkRfOeSsYyvk1VpGgPI1uJ7Q0vj1fDBt6A> <xmx:zQ51YJxTDUnYBTA6Rl6EshS22jgOxCOoPE2ziUVRIm0h6QG5Y4ErtQ> <xmx:zQ51YMSF3qsaIfhH2ouQ4vuzxkAbRS1ZO-5BNQTrz0-5o5yQacwb1A> <xmx:zQ51YDfOXjidIZ_Wgl9ETpyhoksyIrKPF4vfyTRiG13bmgpA23udzw>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 0BD8D130005F; Mon, 12 Apr 2021 23:23:57 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-273-g8500d2492d-fm-20210323.002-g8500d249
Mime-Version: 1.0
Message-Id: <a8f60406-4b3e-4d69-823d-b27bd2130011@www.fastmail.com>
In-Reply-To: <28627528-517a-368f-3482-ab8f768bdf75@gmail.com>
References: <03a81355-32e2-465e-b08a-e33d02112ab8@www.fastmail.com> <28627528-517a-368f-3482-ab8f768bdf75@gmail.com>
Date: Tue, 13 Apr 2021 05:23:12 +0200
From: "Filippo Valsorda" <filippo@ml.filippo.io>
To: cfrg@irtf.org
Content-Type: multipart/alternative; boundary=cb880bcb923f4a088f1461f93ec8a54b
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/cd1LveNKegiNIgZDWDmgKOofdsY>
Subject: Re: [CFRG] On the properties of sid in CPace
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Apr 2021 03:24:05 -0000

Hi Julia,

Thank you for the thorough explanation of how the UC framework
assumptions work!

Do I understand correctly that, in summary, an initiator-selected sid
does not meet the uniqueness requirement, so the CPace proof does not
cover the protocol currently specified in the draft?

There are real world uses for an initiator-selected sid, as it enables
0.5RTT data, so it would be really nice if the proof could be extended.

In the meantime, it sounds like CPace should only run after unique
values (such as random values with comfortable birthday bounds) have
been negotiated from both sides, as I can't think of any other way to
provide such a strong uniqueness guarantee.

>From a protocol engineering point of view, I find it more comfortable
to think in terms of transcripts, and not have to worry about how sid,
identities, and additional data might have different properties and
requirements, so I would suggest the following variant

    G = map_to_group_mod_neg(DSI1 || PRS || ZPAD || transcript1)

    ISK = H(DSI2 || Ks || transcript2) [should there be a ZPAD after Ks?]

where transcript1 MUST include unique values from both sides, and
transcript2 MUST include transcript1, Yas, and Ybs.

(This implies sending Yas and Ybs on the wire, which raises the question
of why the current draft sends Ya and Yb instead. Sending something
different from what's hashed in the transcript seems like asking for
trouble. Of course none of this would matter for a proper prime order
group such as ristretto255...)

Besides being IMHO clearer about how to integrate in a protocol, this
variant has two other advantages: it encourages the use of transcripts
even further, and it eliminates the difference between CI and sid, which
is still not clear to me.

What do you think?

Cheers,
Filippo

2021-04-12 21:51 GMT+02:00 Julia Hesse <juliahesse2@gmail.com <mailto:juliahesse2%40gmail.com>>:
> Dear Filippo,
> 
> thank you for opening this topic, which certainly needs discussion. I 
> planned to write about sid establishment in general for a while, so I'm 
> happy you are finally forcing me :) First, let me try to 
> complement/structure some prior information given on this list about 
> session identifiers in UC.
> 
> From the side of UC, there are 2 requirements on the sid of a protocol 
> (for the purpose of this email, it's okay to think of a 2-party key 
> exchange protocol):
>  (1) uniqueness
>  (2) known in advance
> Both properties are assumptions made by the UC framework, which is why 
> protocols formulated in UC terminology never check uniqueness of the sid 
> given to them. It is simply an assumption, meaning that it is not 
> possible to model protocol executions with session identifiers are not 
> unique or not known in advance. As Ran explained here 
> [https://mailarchive.ietf.org/arch/msg/cfrg/fgwMYLfaa1ZbF_UgKcurse211KE/], 
> he chose these mechanisms for the proper modeling of interactive 
> processes in dynamic systems.
> 
> Okay. But who choses sid's, and how?
> 
> Combining both properties, for a two-party protocol our options are 
> essentially as follows:
> (1) sid is given as input to initiator, the responder obtains the sid 
> with the initiator's first message and outputs it to the application.
> (2) sid is given as input to both parties.
> In both cases, the application needs to ensure uniqueness of the sid for 
> proven UC guarantees to hold even if the protocol is executed multiple 
> times. For (2), one could let both parties contribute their own 
> randomness in an interactive protocol that is run *as part of the 
> application*. A non-interactive way is to let both parties' application 
> processes derive a unique sid from the application's session's values, 
> e.g. sid=(IP-A,IP-B,application-transcript). There might be ways to 
> nicely integrate such sid establishment into application protocols 
> (e.g., TLS or HTTPS) by piggybacking messages etc., but they all exploit 
> properties of the specific application protocol. What I want to say is 
> that, imo, there is no way of telling what the best sid establishment 
> methods for CPace or OPAQUE are without considering the concrete 
> application protocols.
> 
> If we want to provide and analyze an application-independent method for 
> session identifier establishment, we need to switch to a multi-session 
> version of, e.g., key exchange (as hinted by Ran in his post already). A 
> practical example of such a multi-session protocol is the DH key 
> exchanges within TLS1.3 (essentially, all of them, seen as one single 
> protocol execution that runs since the deployment of TLS1.3). Since this 
> protocol is started only once and runs during the lifetime of TLS1.3, we 
> can simply set sid=DHKE_TLS1.3. In this protocol, it is up to the 
> parties to keep track of and distinguish their different attempts to 
> exchange keys. Thus, any multi-session key exchange protocol will have 
> to incorporate a mechanism to establish unique joint identifiers 
> (``sub-session identifiers'') whenever two parties want to exchange a key.
> 
> What does this mean for CPace, which is analyzed and drafted as a 
> single-session key exchange? Let me try to answer some of your questions:
> 
> >
> > First, how does the security of CPace degrade upon sid reuse? If it 
> > were to
> > happen due to birthday bounds, how catastrophic would it be?
> >
> > What happens if the sid can be attacker-controlled between two 
> > otherwise honest
> > peers which both know the password?
> >
> No need to invoke the birthday bound, as it happens already when the 
> responder accepts any sid proposed by a malicious initiator (who can of 
> course also play man-in-the-middle with same sid on both sides). Note 
> that we are now kind of outside the UC model for single-session CPace, 
> since in UC sid re-use "merges" CPace instances, while in reality we can 
> have different CPace executions with same sids.
> 
> To answer your question formally, one would need to consider CPace as 
> multi-session protocol. If this protocol has a built-in mechanism to 
> keep parties from running different key exchanges with matching sids, I 
> would bet that we can just use the same simulation strategy as in 
> single-session CPace, to simulate each subsession. If such mechanism is 
> missing, it seems the current proof strategy cannot be lifted to 
> multiple sessions: it breaks down upon re-use of sid for a pair of 
> parties P,P' exchanging two keys from same passwords. The individual 
> simulation strategies for those exchanges would attempt to program the 
> password hash function at the same point (sid,P,P',pw) to different 
> values, and thus fail.
> 
> This of course does not imply that there is a meaningful attack on the 
> multi-session protocol level (a protocol that has not even been 
> specified yet), nor that the conducted single-session proof is flawed. 
> It does however suggest that method (1), which is also used in the 
> current version of the draft, is not the best choice for single-session 
> CPace.
> 
> > Is uniqueness its only requirement, or does it also have to be 
> > unpredictable?
> >
> The proof of CPace does not rely on unpredictability. Of course, 
> unpredictability could help ensuring uniqueness in a setting where 
> multiple single-session CPace executions are spread in a distributed 
> system that does not have any other mean for ensuring uniqueness.
> 
> Best
> Julia
> 
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org <mailto:CFRG%40irtf.org>
> https://www.irtf.org/mailman/listinfo/cfrg
>