Re: [Cfrg] OPAQUE at Facebook
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Wed, 28 August 2019 17:05 UTC
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Wed, 28 Aug 2019 13:05:05 -0400
To: Bill Cox <waywardgeek@gmail.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Neil Madden <neil.e.madden@gmail.com>, IRTF CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/gboXJjpdR0wu1q5hVo53mjoMGo8>
Subject: Re: [Cfrg] OPAQUE at Facebook
On Wed, Aug 28, 2019 at 12:36 PM Bill Cox <waywardgeek@gmail.com> wrote:

> I have concerns about HOBA. From the RFC:
>
>> Servers using HOBA define their own policies for binding
>> CPKs with accounts during account registration.
>
> I assume this step involves sending the server a password, which it
> would have to check against a password hash database. If this is true, it
> would defeat the point of HOBA. This RFC appears to be a partial
> solution only.

It's a public key, so I'm not sure that you would and am copying the author in case he hasn't seen the thread. I mentioned HOBA as it is more obscure and you may not have heard of it. FIDO also uses raw keys, but you've likely evaluated that already too?

Best regards,
Kathleen

> As for SCRAM, it still stores a salted password hash server-side.
>
> OPAQUE has some interesting properties:
>
> - The security proofs under the UC model provide some confidence in the
>   OPAQUE framework.
> - The specific instantiations of the framework in the RFC look pretty good.
> - If the aPAKE verifier is stored in a different security domain than the
>   OPRF secrets, an attacker must PWN both to learn anything when attacking
>   servers.
> - The OPRF oracle can be an independent service, not controlled by the
>   aPAKE server in any way.
> - The resulting 2-way authenticated shared key is interesting, and may
>   prove useful at some point (not sure how...).
>
> Downsides include:
>
> - The OPRF servers have to forward key exchange info learned in the first
>   message to aPAKE server. Can this be fixed?
> - Only client-side password hashing is supported.
> - Servers store password-derived public keys, and if an attacker has both
>   the OPRF secrets (sid) and these keys, they can brute-force passwords.
> - 3 messages are involved vs the usual 1 message for authentication.

--
Best regards,
Kathleen
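
The two-domain property in the quoted list (aPAKE verifier and OPRF secret held separately) can be traced through a blinded OPRF round trip. This is an added example, not part of the original message and not code from any OPAQUE implementation; the toy group (integers modulo the prime 2^521 - 1), the function names and the HMAC-based `make_verifier` are assumptions chosen for brevity, and real deployments use a prime-order elliptic-curve group.

```python
import hashlib, hmac, math, secrets

P = 2**521 - 1   # toy prime modulus (assumption); not a production group
ORDER = P - 1    # order of the multiplicative group mod P

def hash_to_group(pw: bytes) -> int:
    # SHA-512 output is below P, so it is already a group element
    return int.from_bytes(hashlib.sha512(pw).digest(), "big") % P

def client_blind(pw: bytes):
    # Pick r invertible mod ORDER so the blinding can be removed later
    while True:
        r = secrets.randbelow(ORDER - 2) + 2
        if math.gcd(r, ORDER) == 1:
            return r, pow(hash_to_group(pw), r, P)

def oprf_evaluate(k: int, blinded: int) -> int:
    # Runs in the OPRF domain: sees only a blinded element, never the password
    return pow(blinded, k, P)

def harden(pw: bytes, element: int) -> bytes:
    return hashlib.sha256(pw + element.to_bytes(66, "big")).digest()

def client_finalize(pw: bytes, r: int, evaluated: int) -> bytes:
    # Strip the blinding: (H(pw)^(r*k))^(1/r) = H(pw)^k
    return harden(pw, pow(evaluated, pow(r, -1, ORDER), P))

def make_verifier(rw: bytes) -> bytes:
    # Hypothetical stand-in for the password-derived public key the aPAKE server stores
    return hmac.new(rw, b"verifier", hashlib.sha256).digest()

def register(k: int, pw: bytes) -> bytes:
    r, blinded = client_blind(pw)
    return make_verifier(client_finalize(pw, r, oprf_evaluate(k, blinded)))

def guess_matches(verifier: bytes, k: int, guess: bytes) -> bool:
    # Offline test of one guess: needs BOTH the stored verifier and the OPRF key k
    rw = harden(guess, pow(hash_to_group(guess), k, P))
    return hmac.compare_digest(make_verifier(rw), verifier)
```

Someone holding only the verifier database has no usable `k` to pass to `guess_matches`, and someone holding only `k` has nothing to compare against; storing the two in separate domains is what keeps a single compromise from enabling offline guessing.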