IETF Logo Mail Archive

Re: [Cfrg] My review of the four balanced PAKE (SPAKE2, SPEKE, CPACE, J-PAKE)

"Hao, Feng" <Feng.Hao@warwick.ac.uk> Fri, 06 September 2019 21:00 UTC

Return-Path: <Feng.Hao@warwick.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A122120DE8 for <cfrg@ietfa.amsl.com>; Fri, 6 Sep 2019 14:00:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QD5TdRCE2hfs for <cfrg@ietfa.amsl.com>; Fri, 6 Sep 2019 14:00:01 -0700 (PDT)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-eopbgr10047.outbound.protection.outlook.com [40.107.1.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0CED120DE6 for <cfrg@ietf.org>; Fri, 6 Sep 2019 14:00:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kR7NG29m5ayCRXCgU2rAnPhwDQekzWWPIASw2IoR5raTAhGNCoDlxDOCka7EB5NPyaxHvQSoRF1hjg1S+cnshOSHZXGy/JUfQEnKlsc1N+cTSiFfmxoiq+WBPpvPeXxV+l1vJo6Mt5BPy/HloD0Hb5XP8IhN3/3GJng2YXnnOTVYjWJiJfHyElts02HmIXCzAJQBqjnS8CELYlkmbzz6r4DRSvLfyKXgJbsI9Nf7Je+hms/7k7pImrzPRPDXojk9Mdyq2ugrJi/S1fZvDPkW47QdjdoRurTfOALd2j1vDEb/nNi/xAJW3CAu117Lf9SkDzzjmq3i1nO6MdqBtsLBtQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=DsteqgnoNPi/ypP2MPNeRsOSrojDmLhz0rqu4jVYXzw=; b=ALIwPt0LeGMTzt1FfzaTuxBBWfLrUtMSA6xE4b3avm/4pkDbqkNhHZ+0KIliGIimM5exfxzFTzNC4cqXUeTHFcCi1WAuiWLhbogr9HCyXSKW/OX+b3xBZH8smKak9PCee3uZqILkkzqxLEqNej8dhkY9U7furfVBiVZD66rQvsjJBb2h9WCak4v+/PfiojqZn/VkVxMLZgynN8LOaR/Q8OKdLD8Z8Xd6Wh4AhXxU4JfLenG211tm23Y/wV1F3+xHEElaEOxaYasFGjqJq+tyGFN/BhBFkoRFzuWITfIbUI5p3h1PCHDcrKyGXhNNl601SToDH2/0wOaP7v6WKuimVQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=warwick.ac.uk; dmarc=pass action=none header.from=warwick.ac.uk; dkim=pass header.d=warwick.ac.uk; arc=none
Received: from DB7PR01MB5435.eurprd01.prod.exchangelabs.com (20.178.104.28) by DB7PR01MB4347.eurprd01.prod.exchangelabs.com (52.135.133.156) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2241.18; Fri, 6 Sep 2019 20:59:57 +0000
Received: from DB7PR01MB5435.eurprd01.prod.exchangelabs.com ([fe80::55eb:f0c1:7e8e:3af5]) by DB7PR01MB5435.eurprd01.prod.exchangelabs.com ([fe80::55eb:f0c1:7e8e:3af5%7]) with mapi id 15.20.2241.014; Fri, 6 Sep 2019 20:59:57 +0000
From: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
CC: "cfrg@ietf.org" <cfrg@ietf.org>
Thread-Topic: [Cfrg] My review of the four balanced PAKE (SPAKE2, SPEKE, CPACE, J-PAKE)
Thread-Index: AQHVZPYJE9IdTF5V4EG+/Jp97dMlFw==
Date: Fri, 06 Sep 2019 20:59:56 +0000
Message-ID: <D99879C6.47687%u1775114@live.warwick.ac.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.7.7.170905
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Feng.Hao@warwick.ac.uk;
x-originating-ip: [86.1.47.16]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ef5548be-24a1-44b7-43b3-08d7330d2c8d
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600166)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:DB7PR01MB4347;
x-ms-traffictypediagnostic: DB7PR01MB4347:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <DB7PR01MB43477B0573C6728509CB36FAD6BA0@DB7PR01MB4347.eurprd01.prod.exchangelabs.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0152EBA40F
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(346002)(366004)(396003)(39850400004)(376002)(189003)(199004)(76094002)(5660300002)(6506007)(236005)(476003)(790700001)(6116002)(66066001)(606006)(3846002)(53546011)(76116006)(2906002)(26005)(6246003)(99286004)(478600001)(14454004)(58126008)(186003)(53936002)(4326008)(966005)(413944005)(25786009)(91956017)(102836004)(786003)(316002)(7736002)(66946007)(71200400001)(71190400001)(256004)(14444005)(229853002)(6436002)(6486002)(8936002)(66446008)(64756008)(486006)(66556008)(6916009)(6306002)(54896002)(66476007)(86362001)(8676002)(81166006)(6512007)(81156014); DIR:OUT; SFP:1101; SCL:1; SRVR:DB7PR01MB4347; H:DB7PR01MB5435.eurprd01.prod.exchangelabs.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: warwick.ac.uk does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: V8UsO8pEB8V95ZPN3R87x0h+EFMOQrcSY5STPmDRhlAH19naqafszAs0oGxEC4hMhG8dtQR0G8cMcg3Bmqz0C6Dau0vy9L7dpePMRZTBD0uVEbF5ixw4KHDRZgcKuL/I5mw3lIiGCHcIAElWgM1449YYMUZH1ScZOUL2RP39J7kvmaP7wUBiQFqwqA46u1z2R+3+Z1EuAsEdZIV9c7NdRplqtiG9rIH8dj9yWKaK+H50MWRNQhhWKSWBt6kxOMgAWcxtaiPz8ayZ8r0N0lj+CHXeHqs8GAmgOGD4RgSrszxQCifBF27gyhfXLbrDdj3oEXx78LEekV61KBYAd5KyRiOlKPRYceHcPwdR+XMBsRI13ilfMV7djqDQJR61sohimvBpHhEz/odq3r82I0+CPangY/i1nKcTDOapwwL4jAo=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_D99879C647687u1775114livewarwickacuk_"
MIME-Version: 1.0
X-OriginatorOrg: warwick.ac.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: ef5548be-24a1-44b7-43b3-08d7330d2c8d
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Sep 2019 20:59:56.9912 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 09bacfbd-47ef-4465-9265-3546f2eaf6bc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 1VPTII5cllJojUYfOD2r+FWLBgHxnQJ1Cn2DooA/2FUFBLr53PKqhbolJHBHc1zUm60s1ZtvVPAFDnEIWU/gC9PwmxSNoRePfZ0sMwxgYpo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB7PR01MB4347
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/eEP2QeoAaUW7SAyv-HDJ_WE9b6o>
Subject: Re: [Cfrg] My review of the four balanced PAKE (SPAKE2, SPEKE, CPACE, J-PAKE)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Sep 2019 21:00:05 -0000

Dear Scott,

Many thanks for your comprehensive reviews! Much appreciated.

I would like to clarify a few points in your review regarding J-PAKE.

From: Cfrg <cfrg-bounces@irtf.org<mailto:cfrg-bounces@irtf.org>> on behalf of "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com<mailto:sfluhrer@cisco.com>>
Date: Thursday, 5 September 2019 at 19:33
To: "cfrg@ietf.org<mailto:cfrg@ietf.org>" <cfrg@ietf.org<mailto:cfrg@ietf.org>>
Subject: [Cfrg] My review of the four balanced PAKE (SPAKE2, SPEKE, CPACE, J-PAKE)

"J-PAKE (even over an elliptic curve) uses rather more bandwidth and more computation than other proposals that use elliptic curves (not as much as SPEKE, but that’s because for this review we limited SPEKE to MODP groups).  Using a MODP group, the bandwidth usage becomes excessive; even if we use a 2048 bit Schnorr group (with a 256 bit subgroup; this reduces the size of the NIZKPs), the response from the server in 1.5 round mode would be over 1600 bytes, causing either fragmentation or segmentation, which is likely to be considered unacceptable (compared to the existing alternatives)."
[FH] Thanks for pointing this out. I agree that the bandwidth of J-PAKE is significant in MODP groups. To address it I recommend using ECC groups whenever possible, as done in the Thread. The use of ECC (e.g., P256) reduces that size to about 300 bytes.
"In addition, the draft refers to RFC8235 as a method to perform the NIZPKs; the requirement to validate that all the points are actually on the curve need to be high-lighted (and the actual procedure needs to be spelled out; the comment ‘the public key validation incurs almost negligible cost due to the cofactor being small’ indicates a possible misunderstanding of the issue, because we also need to protect against points that are not on the curve at all)."
[FH] I would like to clarify that checking whether the public key is actually a point on the curve is one of the compulsory steps to perform “public key validation” in an ECC setting. I believe this is the general consensus in the community.

Fyi See: https://www.dcs.warwick.ac.uk/~fenghao/files/EllipticCurveJPAKEDemo.java

"Also, not formally a part of this review, but as I went through the RFCs (8236 and 8235), a potential improvement occurred to me.  The NIZKP in 8235 allows the proof to reference an OtherInfo field; this is a value used to specify the context (so that the proof is not valid in any other context).  OtherInfo is currently unused in J-PAKE, however suppose we were to insert (for example) all the currently seen points in each proof as OtherInfo.  For example, the initial client pass might have the values of (x1, x2) as the extra info in both of its NIZKPs; the server response (assuming the 1.5 pass version) might have (x1, x2, x3, x4, B) as its extra info, and the final client response might use (x1, x2, x3, x4, A, B)..  What this would mean is that the adversary has even less flexibility in his attack; he now cannot extract values from previous exchanges and reuse them in new ones (with the exception that he can exactly duplicate the initial client pass); he could (for example) modify the server response from an honest server, however he would have to select entirely fresh x3, x4, B values for which he knows the appropriate discrete logs.  Because the adversary has fewer options, this means that the proof could potentially be simplified (as there are fewer things that the proof has to prove can’t happen), as well as giving a potentially better end security bound (everything the proof disallows does cause a small reduction in the provable security bound.  In fact, we might be able to limit the possible adversary strategies sufficiently that it would be practical to do a case analysis covering everything an attacker can attempt (which would be less rigorous, but considerably easier to understand).  In addition, this suggestion cannot hurt security (the existing proof is still valid, as the NIZPKs still meet the security assumptions), it would not increase bandwidth at all (the data inserted into the OtherInfo field is already present in the messages), and would only cause a tiny increase in the computation time (the extra info is just included in a hash).  Just a thought…"

[FH] Thanks for your suggestion. I don’t object anyone doing the above, which is exactly why I defined OtherInfo (optional) in the RFC, to provide the flexibility to include the transcript of the key exchange (if people want) into the hash so to restrict the attacker even further and make the proof tighter. However, I didn’t want to make it mandatory for two reasons. 1) I don’t consider this is strictly necessary for the security of J-PAKE; 2) if we do it, we will end up with a protocol specification that depends on whether the protocol will be implemented as 2 rounds or 1.5 round. It’s not neat, and makes things more complex. Between simplicity and complexity, I would err in favour of the former : )

v2.23.0 | Report a Bug | By Email