Re: [Cfrg] aPAKE Analysis

Björn Haase <bjoern.haase@endress.com> Mon, 23 September 2019 11:46 UTC

From: Björn Haase <bjoern.haase@endress.com>
To: Jonathan Hoyland <jonathan.hoyland@gmail.com>, Björn Haase <bjoern.m.haase@web.de>
CC: cfrg <cfrg@irtf.org>, Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Mon, 23 Sep 2019 11:46:41 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/ecojPAawrupkAC7qlJPMkbke6BI>

Hi Jonathan,

we seem to have very different use-cases.

>You write on slide 22 that the user expects the dialogue immediately on the Hello Retry,
>but very few users will be familiar with that flow.
>They expect to see a fully rendered page with two boxes in which they are to type their
>username and password, not an undecorated pop-up.

Indeed what I am suggesting is to have this login page displayed as part of browser controls or even better by OS or a password manager’s controls and not by the remote server’s html.

I could imagine that one possibly could add some small SVG icon on the login screen (that’s what we do for our E+H Bluetooth app) but indeed the login window might be rather un-decorated, as it is part of the browser GUI/skin. Making it part of a window external to the https:// main application region could also be considered a security feature. The end-user could more easily distinguish a control from the browser/OS from what is shown in the browser application.

A user might even choose his own skin (unknown to the adversary) of the window, making phishing attacks more difficult. The attacker would have to find out what the specific user’s login window looks like.

In our setting this would be perfectly suitable from a usability point of view.

Also one of our main problems is that we could not expect the server to have any valid Web-Certificate installed! Thus, for some IoT device for which a web certificate was not bought and maintained, we would just not have the option to establish any https:// connection through the normal WEB-PKI certificate process! A well-configured browser would just not allow for a connection!

>Training users in this system will also make them more vulnerable to malicious sites that render a
>blank page and throw a pop-up asking for a username and password.

I don’t see that there would be any need for “user training” for the “login window in browser” feature. Moreover a site screen should (IMO) not be considered to provide *any* security feature. Any “reasonable” attacker would make his phishing web page look just like the honest server!

>From a user's perspective, they go to a website that renders normally, and then they then login using
>a username and password box.

As mentioned before this approach mandatorily requires a valid Web-PKI certificate in the first place. Secondly this approach would allow an attacker to just use a normal http:// GUI control for standard un-protected text for phishing the password. How would the user be able to distinguish a web page that sends the clear-text password directly to the server from a page that uses a secure aPAKE?

In my opinion a solution using a specific browser or OS-based GUI window for the login could be made more secure. A small site icon might be fine, but this could possibly even be sent by the server in its HelloRetry when using an appropriate compression format such as SVG.

The main problem that I see with your suggestion is that it works only if the server has a valid trusted Web-PKI certificate *in addition* to the aPAKE solution.

This might be the case for some “conventional” Web-Applications, but not the case for de-centralized Web servers in IoT devices (e.g. a control valve in an industry installation or some household IoT equipment).

Yours,

Björn.


Best Regards

Dr. Björn Haase 

Senior Expert Electronics | TGREH Electronics Hardware
Endress+Hauser Conducta GmbH+Co.KG | Dieselstrasse 24 | 70839 Gerlingen | Germany
Phone: +49 7156 209 377 | Fax: +49 7156 209 221
bjoern.haase@endress.com |  www.conducta.endress.com 


