IETF Logo Mail Archive

Re: [Cfrg] [CFRG] PAKE / Hash2Curve First Internet draft for balanced CPace subcomponent available

"Björn Haase" <Bjoern.M.Haase@web.de> Tue, 07 January 2020 14:32 UTC

Return-Path: <Bjoern.M.Haase@web.de>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B246C1200E0 for <cfrg@ietfa.amsl.com>; Tue, 7 Jan 2020 06:32:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.719
X-Spam-Level:
X-Spam-Status: No, score=-2.719 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=web.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YpF8PJowXom7 for <cfrg@ietfa.amsl.com>; Tue, 7 Jan 2020 06:32:01 -0800 (PST)
Received: from mout.web.de (mout.web.de [212.227.17.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77C2912001A for <cfrg@irtf.org>; Tue, 7 Jan 2020 06:32:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=web.de; s=dbaedf251592; t=1578407515; bh=qmoKbF9iqmVqb2gIAWr0lcnyx5U0pktlshPwUlmFeJM=; h=X-UI-Sender-Class:From:To:Subject:Date:In-Reply-To:References; b=gjUrRk6A19GA0VMTxWD75zoU2/VxCA8afcm0lvErP0gz2FBZj2Em+YJUFLpeZSpFl y/tuKJD1lvP4rqe3zIhtKr4BUlwPYqP5cGlqgwtqAgbz3hRl1ghahP05skhcnSZiAw qtDVE9OQDvolqlWq8rPLHhJDjUc/GWkinEuPIQn8=
X-UI-Sender-Class: c548c8c5-30a9-4db5-a2e7-cb6cb037b8f9
Received: from [93.240.145.106] ([93.240.145.106]) by web-mail.web.de (3c-app-webde-bap27.server.lan [172.19.172.27]) (via HTTP); Tue, 7 Jan 2020 15:31:55 +0100
MIME-Version: 1.0
Message-ID: <trinity-fa0ee30c-84b8-4afa-8c7c-b5d6f3e4ac53-1578407515518@3c-app-webde-bap27>
From: "\"Björn Haase\"" <Bjoern.M.Haase@web.de>
To: "Hao, Feng" <Feng.Hao@warwick.ac.uk>, "cfrgirtf.org" <cfrg@irtf.org>
Content-Type: text/plain; charset="UTF-8"
Date: Tue, 07 Jan 2020 15:31:55 +0100
Importance: normal
Sensitivity: Normal
In-Reply-To: <F52C621B-0AEF-4BB8-BFBA-A8E45DDC1947@live.warwick.ac.uk>
References: <trinity-caa25477-d476-4e61-ba8b-384eafcf5a82-1578354680136@3c-app-webde-bap14> <F52C621B-0AEF-4BB8-BFBA-A8E45DDC1947@live.warwick.ac.uk>
Content-Transfer-Encoding: quoted-printable
X-UI-Message-Type: mail
X-Priority: 3
X-Provags-ID: V03:K1:PbDCiu/fpeLTZHWuRr3baWtRGZvgyeMi9h8TYLl8zRoXdznOPEZU9CtHCen4MMsyRPlTR iRlc0m585CSmRtIZd4LwbVCHUQgjXJmFhM3XzoO/Pb3YUNyHPfqwjF2U7PPBGX88N2hKwsywzq5K EN1QzDb2a238Fti/rPBSsEPvQN71hZ6j/eUZljF6u9ZijPZnfURQRvCpxRhRMVYim6RTYhV0bp/i njjonfaBVapbhqSQYCH7dyJkM7tqVlnCxKDA4ZdrctpOvSSizp298XCdoy9BhapIiSvIcWnDJy3Z Ww=
X-UI-Out-Filterresults: notjunk:1;V03:K0:RK8k6Tjx4Zo=:54Y2kKNVeyFnMriZk9z6mB 4lnQ2DYMhLSFftsOcMyYp7KlIe/Qpl2hxVmZ0rkAFhqghSlihnaP6bLorINgH+6/UV6CfyX5H yZjyFy9zC0jS7dADfUpF86tPuMZkwm5nepbaRrLmhAkHkCC5uh/t11os/nLhBXIl3FhlUYKxJ aGQ82pH2k4rOU8qkLeF0/VGe1EwMuzR3q+ATgl/nAt2aNhAwlpssb7IBykMpX9jzG2/pYYFw7 rfU0WPCggWxc5/wx9Lt3G2dmyRfeFe0yDgbdv9zd5GQZunc4PYeTTQ8JMsHYslZGd9haRlxxd tXULPXSXzRSqLSSolsGx0IMWocrz5bIl2e/HSFChxtrFAPubIePvYBPRsLeCTKHcSNPaSlKRi YJge3+CGzkL6jBW+pKhSXEPTbVZcH4WpWBng3QsZ403Ptw/yUtBimfhEiMjJGk2If/0Gcu4on OvqDtu13ZHCP0MOoCAQGb629tjnnfE68NdIQLYNW1E+t/XrTMlZN3DWLIrJp4r736tkyb6DQn TMTvAsKcYpUHInclRGK/B2goYZSLekk19Npl+uSzpzBl0YZ2n8pJm0exnleBdtvbo3Ey2WNeA /94/yn54JycZcYeSwNyV5SMCTfsjTK3Mdd/vSyZ+evglQb/CqG/ut07Aom0mnVpdipXMmqedI h6RGxt2dPwiWXKloz+M3VCI99Y06a4U6QjDQAnQFHbZoVCWoWIPI/7hmu5Go9iTbuYOY=
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/ffdwcMbZdhwwpvXaJSdlFTGrai0>
Subject: Re: [Cfrg] [CFRG] PAKE / Hash2Curve First Internet draft for balanced CPace subcomponent available
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jan 2020 14:32:03 -0000

Dear Feng,
 
thank you for your reply. I would like to respond point by point.
 
>First of all, it’s not safe to assume the sender must know the receiver’s exact identity before the key exchange.
>Identities are normally transmitted “in-flow” as part of the key exchange protocol, as each party may not always
>know the other party’s exact identity beforehand.
 
There seems to be the need for more clearly specify, what is "identity".
For the CPace draft, I assumed that the receiver or sender "identity", i.e. the content
of the strings A and B in the CPace draft, would be something like a destination IP address and
a destination port on this machine. I.e. information that is required for establishing the link and exchanging
the message.
 
This is also why I did denote the compiled information that enters CPace as "Channel Identifier" (CI).
In fact the "identities" are not actually the identities in the sense of "Name: Peter, Birthday: 29th of februrary"
but only the "communication identities" such as "Peter's phone number".
 
I think that it might be worth rephrasing this aspect in the draft as A and B denote the "Communication identity"
of the two parties, for making it more clear and explicit.
 
In this understanding the party identifier *will* be known before the protocol could start.
With including the "communication identity" mechanism, we are able to fend off "relay attacks" where A party is thinking it is communicating
with party B while in fact its messages are actually relayed by an adversary
to a party C (which might share the same password).
 
>I understand Watson Ladd is trying to modify SPAKE2 by hashing the user identities before the
>key exchange to avoid the trusted setup, but that wouldn’t work for the same reason. Also,
>I suggest you have a look at the SPEKE specification in the IEEE P1363.2 (2006). If you
>interpret that specification literally, you may find it’s basically the same as
>the CPace protocol you propose.
It is not astonishing to find close similiarities with SPEKE, since CPace *is* essentially SPEKE.
The difference IMO is 1) that with CPace
we *mandatorily* use a session identifier that makes the generator ephemeral and
2) that CPace comes with a proof of the security guarantees
without the requirement for explicit mutual authentication as part of CPace itself.
(Allowing for optionally subsequent mutual explicit authentication, as AuCPace is doing, e.g..)
 
Note that the latter aspects leaves the implementer the freedom to use the mutual explicit
authentication scheme of his personal choice (e.g. exactly the ones used in TLS1.3 or IPSEC).
 
>The trick is how you define the “shared secret”. In IEEE P1363.2, it’s defined as follows (also see [1])
>
>“A password-based octet string which is generally derived from a password or a hashed password,
>identifiers for one or more entities, an identifier of a communication session if more
>than one session might execute concurrently, and optionally includes a salt
>value and/or other data.”
Yes this is close, but CPace REQUIRES the session id.
 
>The items you define in the hash-to-curve function include the above. But obviously, the definition above is highly
>ambitious and makes the incorrect assumption that identities and session identifiers are always known by the
>other party even before the key exchange.
 
As described beforehand that depends on what we call "Identity". If a true identity is available: "Fine you should use it!"
if only the communication identity is available: "This needs to be used as a bare minimum for fending off relay attacks.".
 
>This is addressed in the latest SPEKE specification in ISO/IEC 11770-4:2017, in which the shared secret is
>defined as “the password only”. No assumption is made about knowing the other party’s precise
>identity before the key exchange.
 
The definitions like the SPEKE-"password only" definition would not be provably secure in UC
in my perception, because this would allow for "relay attacks".
 
>Second, some people on this list seem to assume hash-to-curve will provide you with an ideal RO-like
>mapping with negligible cost at a constant time. I would urge caution on that assumption until the
>fact is fully established.
>
>The use of hash-to-curve is not anything new; people in the PAKE field have been playing with that idea for
>nearly 2 decodes. There are previous efforts in IEEE P1363 (2000-2008) and ISO/IEC 11770-4 to define and
>standardize this function.
>However, over the past many years, hash-to-curve has been known to be notoriously difficult to get
>right. In fact, the original SPAKE2 protocol was designed with the motivation to avoid hash-to-curve
> (but it introduces the trusted setup assumption instead).
 
In my conviction, the true reason for all of the problems with efficient constant-time hash-to-curve algorithms
has nothing to do with techical aspects. I am convinced, it's all about legal stuff and IPR.
(Also note, that CPace does not require a true RO hashing to the curve but just an encoding.)
 
The IPR nightmare is exactly, why I have been so painfully picky regarding IPR in conjunction with hash-to-curve.
It's not because I love this awful and annoying attorney stuff: I HATE digging through that!
Still I am convinced that this IPR stuff is the only and
true source of all the awful "PACE-Generic-Mapping" complexity and at the source of the "Dragonblood" issue.
 
It's also all about patents, IMO, why J-PAKE has been integrated by companies like Mozilla, and SPEKE and
SPAKE2 were not considered.
(In fact, I  believe that very few people will be talking openly about this type of reasoning.)
 
Note also, while the SPEKE patent has expired, the PAK patent that I believe to be relevant for
SPAKE2 will still be a painful problem for the years to come.
 
In my opinion it is a major achievement of the hash-to-curve team (notably Riad!) to have found a
way to work around the IPRs! I am not able and willing to give any legal advice (IANAL!), but personally I
am now fully convinced that with the current specficiations for SSWU in hash-to-curve-05 the team has found
a way through the jungle also for short-Weierstrass curves.
 
>We may need to wait a bit until the ongoing IEFT effort on defining and standardizing hash-to-curve to
>finish and for that to become a really established secure primitive (which will be a major contribution
>to the field, but we should not underestimate that this is actually a very tricky and challenging task).
 
Actually as mentioned above, I personally don't see any remaining technical or security risks.
(This is also what I did take with me from discussions with the BSI people that designed the PAKE protocol
for the german identity cards.)
Also note, that there *are* already high security applications that use PAKE with mapping,
such as the "french" version of PACE.
 
Maybe you could be more specific, where exactly, you identify security issues with hashing to curves.
 
Yours,
 
Björn.

v2.23.0 | Report a Bug | By Email