Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE schemes

Schmidt, Jörn-Marc <Joern-Marc.Schmidt@secunet.com> Tue, 09 February 2016 07:36 UTC

Return-Path: <Joern-Marc.Schmidt@secunet.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A98C1A1EEC for <cfrg@ietfa.amsl.com>; Mon, 8 Feb 2016 23:36:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.672
X-Spam-Level: **
X-Spam-Status: No, score=2.672 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HELO_DYNAMIC_IPADDR=1.951, HELO_MISMATCH_NET=0.611, HOST_MISMATCH_COM=0.311, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MF2SUl0IT2n6 for <cfrg@ietfa.amsl.com>; Mon, 8 Feb 2016 23:36:55 -0800 (PST)
Received: from h-62.96.220.36.host.de.colt.net (a.mx.secunet.com [62.96.220.36]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D06731A1EED for <cfrg@irtf.org>; Mon, 8 Feb 2016 23:36:54 -0800 (PST)
Received: from localhost (alg1 [127.0.0.1]) by h-62.96.220.36.host.de.colt.net (Postfix) with ESMTP id 4AB651A0342; Tue, 9 Feb 2016 08:36:52 +0100 (CET)
X-Virus-Scanned: by secunet
Received: from h-62.96.220.36.host.de.colt.net ([127.0.0.1]) by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 1I6ThElXn488; Tue, 9 Feb 2016 08:36:49 +0100 (CET)
Received: from mail-essen-02.secunet.de (unknown [10.53.40.205]) by h-62.96.220.36.host.de.colt.net (Postfix) with ESMTP id 7A0261A033F; Tue, 9 Feb 2016 08:36:49 +0100 (CET)
Received: from MAIL-ESSEN-01.secunet.de ([fe80::1c79:38b7:821e:46b4]) by mail-essen-02.secunet.de ([fe80::4431:e661:14d0:41ce%16]) with mapi id 14.03.0266.001; Tue, 9 Feb 2016 08:36:49 +0100
From: "Schmidt, Jörn-Marc" <Joern-Marc.Schmidt@secunet.com>
To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Thread-Topic: [Cfrg] [MASSMAIL]Re: Requirements for PAKE schemes
Thread-Index: AQHRWlbGk0sA/zoinUGtcgrmSL+Tz58R9pcAgAAbP4CAAFjcgIABVv2AgAAotACAAANMAIAPcDnA
Date: Tue, 09 Feb 2016 07:36:48 +0000
Message-ID: <38634A9C401D714A92BB13BBA9CCD34F167B14F3@mail-essen-01.secunet.de>
References: <CAMr0u6=76q4n-u1Vpv5vWjSNgi4CtaOJoX0EmvcbXH+9C4w2mg@mail.gmail.com> <78D9D0BF-4ADE-4DDB-88A4-BF03DD6336BA@shiftleft.org> <9c878c6b6b505414f71fa53442e4a33a@mail.tc26.ru> <CAMr0u6nzV_Y87ghnAcmhgkzk4fgdKtC3Kj8NqPyawHrjhGVySg@mail.gmail.com> <CACsn0ckKX7pKZ5qU0y6cR3jyGV8JmL1V8EAUwU6b4ShDYVxmYw@mail.gmail.com> <CAMr0u6kvc1B8MY7Nqs2NLd1tHPU6wiv7ti9QDQ5gvu6iRgw+2g@mail.gmail.com> <930102DC-F5B3-4233-BF6B-1EC631B4ABF5@gmail.com> <56AB6787.1010302@htt-consult.com> <30BB5B38-9DC3-4DC1-968C-F3A2AC293E6F@gmail.com> <01a1b24557860d5e2afc8349d55d6ca5@mail.tc26.ru> <CAMr0u6mj7jczAZSwATcDSYyc7hpa2XxMH1QJYhS9ffgwxW-rmA@mail.gmail.com>
In-Reply-To: <CAMr0u6mj7jczAZSwATcDSYyc7hpa2XxMH1QJYhS9ffgwxW-rmA@mail.gmail.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.208.1.80]
x-exclaimer-md-config: 2c86f778-e09b-4440-8b15-867914633a10
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_04C9_01D16315.11B48000"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/gHbMQBfK0lDRP9mVB2X7Uw-9tjE>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE schemes
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Feb 2016 07:36:57 -0000

Hi Stanislav,

Please excuse my late answer.

I think the draft contains the requirement to control the number of attempts implicitly in the "Security of PAKEs" section: Eve needs to interact with a legitimate party and cannot perform offline attacks.
Maybe it would be worth adding a sub-clause in this section that mentions the tradeoff between security (minimal number of wrong tries) and risk of DoS attacks. This way, the statement is clear, but in the running text it would not cause the reader to skip the rest. What do you think?

Best regards,

Jörn




-----Ursprüngliche Nachricht-----
Von: Cfrg [mailto:cfrg-bounces@irtf.org] Im Auftrag von Stanislav V. Smyshlyaev
Gesendet: Samstag, 30. Januar 2016 13:27
An: Grigory Marshalko
Cc: cfrg@irtf.org; Robert Moskowitz
Betreff: Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE schemes

‎Hello, Yoav!

Thank you for your opinion; you are absolutely right that no one needs trivial considerations like "number of login attempts MUST be controlled" in each RFC (as much as "users MUST NOT store their passwords on sheets of paper pinned on their monitors", "Dual EC DRBG MUST NOT be used for generating both confidential and public data" etc). 

Moreover, including such an obvious recommendation is harmful for the security of implementations. If one reads such a phrase, he'll probably stop reading "Security considerations" section and won't read really important info that should be there next: specific recommendations of handling login attempt counters‎ such as "counter value MUST be incremented before sending [i]-th message of the [xyz]PAKE protocol".

General recommendations shouldn't be there, but specific ones must.


Kind regards,
Stanislav







2016-01-30 15:15 GMT+03:00 Grigory Marshalko <marshalko_gb@tc26.ru>:


	
	It is very important to have such security considerations be written somewhere, especially if they are common and obvious for security experts. The problem is that for many implementors they are not obvious, and this is always the root of flawed implementations.
	
	Regards,
	Grigory Marshalko,
	expert,
	Technical committee for standardisation "Cryptography and security mechanisms" (ТC 26)
	www.tc26.ru
	
	30 января 2016 г., 12:50, "Yoav Nir" <ynir.ietf@gmail.com <mailto:%22Yoav%20Nir%22%20%3Cynir.ietf@gmail.com%3E> > написал:

		 
		 

			On 29 Jan 2016, at 3:22 PM, Robert Moskowitz <rgm-sec@htt-consult.com> wrote:
			 
			 
			On 01/29/2016 03:04 AM, Василий Долматов wrote:

				 

					29 янв. 2016 г., в 9:26, Stanislav V. Smyshlyaev <smyshsv@gmail.com> написал(а):
					 
					A major number of cryptography failures follows from incorrect embedding of lower-level protocols to high-level ones – if you prove the security of PAKE under specific assumtions on counter handling and then someone implements it without knowledge of them, you have a practical vulnerability. We do not create protocols for vacuum, we make them for practice and must write security considerations (a specific "Security considerations" section in RFC can be used for discussing these issues, if someone thinks that they are not important enough to be in the main part).

				I think that idea of moving these recommendations and notice about importance of correct setting of these counters to the «Security consideration» section is a good one.


			I agree.  It is the perfect use of "security considerations" for a security technlogy.  None of the old "this whole document is about security".  The security considerations should contain what the risks/threats to the technology is and point out what is done to address/mitigate them.

		 
		I’m not sure about that. These considerations are true for any PAKE. In fact, they’re true for any kind of password scheme. You could even make the case that they’re true for any authentication scheme, because letting the opponent keep guessing is at least creating a DoS on the attacked authentication server. 
		We generally write in the Security Considerations section stuff that is relevant for that particular scheme, not for a whole class of schemes. So it may be fine to have a BCP document for “Deploying Password Authentication on the Internet”, but I don’t think we need some boilerplate text that goes into the security considerations of any password-related RFC.
		Yoav