[Cfrg] SIDs in UC-secure PAKE and KE
"Canetti, Ran" <canetti@bu.edu> Sun, 13 October 2019 05:47 UTC
Return-Path: <canetti@bu.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7FCE1200DE for <cfrg@ietfa.amsl.com>; Sat, 12 Oct 2019 22:47:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bushare.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q05D7KP4J9gR for <cfrg@ietfa.amsl.com>; Sat, 12 Oct 2019 22:47:22 -0700 (PDT)
Received: from NAM04-CO1-obe.outbound.protection.outlook.com (mail-eopbgr690119.outbound.protection.outlook.com [40.107.69.119]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02BAD1200D6 for <cfrg@irtf.org>; Sat, 12 Oct 2019 22:47:22 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Ux1mtSxdTJKfkAraG12uizDr85s02+cvOtTdWyyJIKGVBjw0uZfyi7de1nhKj/1f84ouO0ayile9i5pMO4Vk+LEFvc2jF60TUGI+5PFJxePR5VbbJ/RpqRSuWYlr4VpXKlRNek5qIYX/L20mxC24gQbxiWArCkHksVS4dfjQo4wpdX8xacV9XsIHGPI/dV/FoUeSVr3YmesaAHu9qXMcBrgOdOT7jgF22UePwyLRcgJ7ruUv2jbXIhxopNoi3yX0DaKNFq2LRke64NDTux/7/BG2nFmXgBqAc3SH8WqRNfs62vti20gPgZz1/accfZOPAH/vAAm5ogFjwnVF86zhnA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rcQW5KwrJOCTJgvR6wIy3rrghFkhQ48v3AHzFofJG4U=; b=hKev7zrkUY0lKxcXHdL25ZDfsAuCReEm3h1zG9PjEo0U0ncLY9P7kqisjCWxRGLLudawRQwqjm4UNCX7/55DEZIgAqe5FXfpyXmQ0CFdF+iKXO7lqJxnHHxJj5S3HRcK5k7tzTEbH+iP8UXidPqi9qsHIAGcn51iilFqR0ga+GAY5G3/m/ZUKh0G0gOm/1e7kzH3E9qQ9uT2S7pycZKDsEtWH8J4YKp2ir4DcMkgAw1xpAaMyrTx6A5aMo7PJcv2Kk6I8zkW7Ewy7K8BX66Sxsz4iaC2oWTS7NAsdf01GBYdNIHFMafpXJL6HCHjA2laafkKCMI6yzrr8S7uQbDp1A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=bu.edu; dmarc=pass action=none header.from=bu.edu; dkim=pass header.d=bu.edu; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bushare.onmicrosoft.com; s=selector2-bushare-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rcQW5KwrJOCTJgvR6wIy3rrghFkhQ48v3AHzFofJG4U=; b=h/YSPIWilZGGxVZmHtHIPn5JZNxc1hBZWtNSB8WTvdkrYuvUS4XznvMFH0xUR/ufhIbMIfYM8KqA340VjH3w0oWDkV9uONvGLtEXoBDyA7XzkXy4wkWXciOtaRONwOT+d+c3ALzO7bvYbeRB2DF3QApC9nwZujdZQg888gNv8Yc=
Received: from BYAPR03MB4677.namprd03.prod.outlook.com (20.179.91.94) by BYAPR03MB4280.namprd03.prod.outlook.com (20.177.126.207) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2347.13; Sun, 13 Oct 2019 05:47:19 +0000
Received: from BYAPR03MB4677.namprd03.prod.outlook.com ([fe80::9c53:2d80:7f5b:abba]) by BYAPR03MB4677.namprd03.prod.outlook.com ([fe80::9c53:2d80:7f5b:abba%4]) with mapi id 15.20.2347.021; Sun, 13 Oct 2019 05:47:19 +0000
From: "Canetti, Ran" <canetti@bu.edu>
To: cfrg <cfrg@irtf.org>
Thread-Topic: SIDs in UC-secure PAKE and KE
Thread-Index: AQHVgYmtzEFnX1Yt20SjAem7qUOBww==
Date: Sun, 13 Oct 2019 05:47:19 +0000
Message-ID: <86363201-ce8c-5ebb-a727-a27e4b7a5231@bu.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-clientproxiedby: BL0PR02CA0032.namprd02.prod.outlook.com (2603:10b6:207:3c::45) To BYAPR03MB4677.namprd03.prod.outlook.com (2603:10b6:a03:12f::30)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=canetti@bu.edu;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [209.6.148.68]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b71f6ef3-647d-4d21-eee0-08d74fa0cf95
x-ms-traffictypediagnostic: BYAPR03MB4280:
x-microsoft-antispam-prvs: <BYAPR03MB428090B4C1FDD3CD91D17DFBD7910@BYAPR03MB4280.namprd03.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:6790;
x-forefront-prvs: 01894AD3B8
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(346002)(136003)(396003)(366004)(376002)(189003)(199004)(99286004)(25786009)(186003)(81166006)(8676002)(75432002)(81156014)(6436002)(6486002)(31686004)(66446008)(6512007)(54896002)(52116002)(8936002)(64756008)(66946007)(26005)(66476007)(66066001)(66556008)(102836004)(386003)(6506007)(486006)(5660300002)(476003)(2616005)(6916009)(7736002)(71190400001)(71200400001)(14454004)(3846002)(478600001)(6116002)(31696002)(36756003)(86362001)(88552002)(2906002)(316002)(256004)(786003)(14444005); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR03MB4280; H:BYAPR03MB4677.namprd03.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: bu.edu does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: o6apO9TlKv/6qn7u5kUVOwpV4Q9lIh2yCtDyQ+8kSbFidrsppo3xjENTTUHwopTH0RapcHsx8xFMOmAYRrH+YbALSoFcJdB/WuFWG/3u44BpefqF/8woDoyVtL/7tA+WJCTBE0+RLlz1htOKf3khY/SDaXO/AsTuNicjpdphz1AoRadWQhJARnFki+t7a12kn9hV25duYFxmx7YmrCPgG/U2K2ll8dvYNsRAvrFIs+wRkX16hg3/TLxB/lLFjEmt7D1XZfGDHbqUzOLXjIvhX/wFaJJttcD/Bn93mk47aLtkx9vUAbAbYOjobBc/VaGEq4cdMYbvrwA3NFkK4+7y/g+8y5gpzN2lbSJ5UzXw6odv1jgjUn5PtnUd9IUolsnyGqEU/R4RgvQZoMv/pgP22rEjOFlNEX9FcucQ/Eep7Mk=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_86363201ce8c5ebba727a27e4b7a5231buedu_"
MIME-Version: 1.0
X-OriginatorOrg: bu.edu
X-MS-Exchange-CrossTenant-Network-Message-Id: b71f6ef3-647d-4d21-eee0-08d74fa0cf95
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Oct 2019 05:47:19.3815 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: d57d32cc-c121-488f-b07b-dfe705680c71
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: BG8xJs+Es4lDYEGtPj21h5273jRb2TP+Rk/fMoPGIHeLi7iOQ2gp2+u55y1iMckN
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR03MB4280
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/fgwMYLfaa1ZbF_UgKcurse211KE>
Subject: [Cfrg] SIDs in UC-secure PAKE and KE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Oct 2019 05:47:26 -0000
Dear CFRG: Apologies for the long message. There seems to be some confusion in some CFRG postings regarding the role of the session identifiers in the UC framework. In particular I believe it was stated that in order for a PAKE (or more generally a KE) protocol to be eligible to be considered UC secure, the protocol must involve an initial round where the involved parties agree on a session identifier (SID) to be used in the actual PAKE/ KE protocol, and I've been asked to clarify. So, in short: This is not the case! To give a more meaningful clarification, let me start with some background. The basic computing unit in the UC model (which I'll refer to here as a "machine") represents some computational process within some computer/cluster/principal/party. Each machine has an identity string. The identity is fixed throughout the lifetime of the machine. Each machine can create, during its execution, multiple other machines; when a new machine is created, the creating machine sets the identity of the created machine to some value, according to the program of the creating machine. It is up to the creator machine to set the identities appropriately. Machine identities can be just nonces, sequence numbers, or be more sophisticated (eg public keys). Machines have access to their own identity, but the identities are in essence a tool for the creator machine to tell the created ones apart. To facilitate delineating individual “protocol instances” within a larger system, the UC framework further sub-partitions the identity of a machine to a session identifier (SID) and "the rest" (called party identifier, or PID). Session s of protocol \pi at a certain moment in an execution of a system is then defined to be the set of machines whose program is \pi and whose SID is s. This allows for a relatively simple-yet-expressive definition of protocol instances in dynamically changing systems. [To avoid modeling ambiguity, the framework prohibits having two machines with the same identity and program. but there are simple mechanisms to "hide" this fact from the protocol being analyzed. That is, it is possible to represent and analyze protocols that assume that identities and codes are repeatable, if one insists...] Let me describe how hese conventions can play out in the modeling of KE (or PAKE) protocol, in two different modeling styles. First let me describe the simpler, single-session modeling of KE. Here a session of the KE protocol corresponds to a single exchange of a key: 1. First, the "application machine" within the initiator of the exchange (say, an HTTPS machine, or perhaps a “secure channel machine” that was created by the HTTPS machine), creates a new machine whose code is the code of the single-instance KE protocol, where the SID and PID of the newly created machine are set by the application machine, and where the KE machine is given the identity of the responder as input. Let (sid,Init) be the sid and pid of the initiator KE machine, and let Resp be the identity of the responder. 2. The initiator KE machine (let’s call it (sid,Init,KE) ) sends a message to the responder KE machine (sid,Resp,KE). As a result, a new machine (sid,Resp,KE) is created. [I'm a bit cheating here, since the initiator machine doesn’t send messages directly to the responder. The communication goes via some channel machine, and then via the adversary, but never mind that. Also, if for some reason the machine (sid,Resp,KE) already exists in the system, then the message will be routed to it. If the protocol is designed correctly than this will only happen due to adversarial intervention and so the exchange should fail in this case.] 3. The initiator and responder KE machines now exchange messages (via the adversary). They may also contact other machines, such as a PKI service, a signing module, a hashed-password repository, etc. At some point, the initiator KE machine sends output to its caller, namely the initiator application machine. This output will contain the sid, the session key, and potentially other parameters 4. At another point, the responder KE machine generates output to some other machine, as its code instructs. That other machine can represent, say, the application machine (eg, the secure channel or HTTPS process within the responder). So here, we have an instance of a KE protocol, that consists of two machines (sid,init,KE) and (sid,Resp,KE), and where there is no other communication in the system other than the actual protocol messages between the two KE machines (possibly altered by the adversary). The only thing that's required is that the initiator KE machine be able to communicate the SID that was determined by its caller, via the protocol messages, to the responder KE machine. whenever transmitting the sid fails, the exchange should fail. In essence, the SID mechanism provides a link that starts at the application machine within the initiator, threads through the two KE machines, and ends at the application machine within the responder. It provides a way for the two endpoints to link the session with other concurrent stuff that is going on at the two endpoints in a globally consistent way. A second way to model KE protocols is to have a single session of a KE protocol handle multiple exchanges of a key among multiple parties. To avoid confusion, let me call this primitive MKE. This formulation is a bit more cumbersome, but it can be useful as a tool to analyze protocols that “generate their own SIDs”. That is, protocols where there is no SID value that was given by the initiator calling machine to the initiator KE machine, and that also appears in the output of the responder KE machine, but on the other hand each exchanged key is associated with a public non-repeating identifier. Here execution will proceed as follows: 1. There is a single, global “sid” * for MKE that all use. (That is, all participants will use the same long-lived instance of MKE.) 2. At setup of each “principal” (pid), the principal starts its own long-lived MKE machine with identity (*,pid). 3. To initiate the exchange of a key, the application machine (say, HTTPS, or a multi-session secure channels machine) within the initiator calls (MKE,*,Init) with input (Resp, lid). (Here Init is the pid of the initiator, Resp is the pid of the responder, and lid is a “local identifier” between the application machine and MKE.) 4. The machine (MKE,*,Init) interacts (via the adversary) with the machine (MKE,*,Resp) within the responder. At some point (MKE,*,Init) outputs to the initiator application machine some value (lid, s, k), where lid is the local identifier, s is a session id generated by MKE, and k is the session key. 5. At another point, (MKE,*,Resp) outputs to the recipient application machine the value (lid’,s,k) where lid’ is a local value within the responder, and s and k are the same as above. It should be noted that the value s is not a “formal UC sid”, but it still provides a link that threads from the application machine within the initiator to the application machine within the responder. So when is going the KE way better and when is going the MKE way better? Clearly, KE is easier to handle from the point of view of specification and analysis. Otoh, in situations where one wants to analyze an existing protocol whose structure does not allow for a convenient KE modeling (as appears to be the case for TLS1.*), one’s hands are clearly tied. But are there additional considerations? Or situations where one might be preferable to the other? (It’s an honest question, perhaps people on the list might have some insight.) Happy to further clarify if needed. Best, Ran
- [Cfrg] SIDs in UC-secure PAKE and KE Canetti, Ran