IETF Logo Mail Archive

Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE schemes

Yoav Nir <ynir.ietf@gmail.com> Sat, 30 January 2016 09:49 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCCBA1B3796 for <cfrg@ietfa.amsl.com>; Sat, 30 Jan 2016 01:49:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.999
X-Spam-Level:
X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jMkGa3Pc76fQ for <cfrg@ietfa.amsl.com>; Sat, 30 Jan 2016 01:49:57 -0800 (PST)
Received: from mail-wm0-x233.google.com (mail-wm0-x233.google.com [IPv6:2a00:1450:400c:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6BDD1B3795 for <cfrg@irtf.org>; Sat, 30 Jan 2016 01:49:56 -0800 (PST)
Received: by mail-wm0-x233.google.com with SMTP id r129so10049878wmr.0 for <cfrg@irtf.org>; Sat, 30 Jan 2016 01:49:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=+xRUzAVKGNxUljbf7kQsjaJNLwMVOW9+xHghKhKvIqw=; b=pBY8fSoLrzOXKKhLjb89C05yXiIcAmJXKWVa68f1hVYyzoNUFYV4JS9BFUHMJi28pb ubEuJ0n/eCI7+FzXpMv93MewniSfY0V4Hp7/iC2Cxt64q/2uRI/EiVV6CTfT61IB0FHu em2teqqD2LYtYnFxhpULtIGolo03FWHI1g5MVCmCGSuxwioB7XLj5hmbx5itPA/L07k6 MWZh6dZl3qN1rYYvDg5RRamPnaw8ab+NaIKsL6sY2NpHjwDtAsVppY627VAAPw9Jdoqr shaWeCBNz7l+tiC52fkzGlb/eATSGEzkqfJP6XnReIgOvGYhsN5MCtAkDwWQ4GA/85aa YurQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=+xRUzAVKGNxUljbf7kQsjaJNLwMVOW9+xHghKhKvIqw=; b=XbW7aubrny2hShPy8DgtwU7Ml6++ojTmHhxFhnQ1qBfUkMEsUNUrVyxeF6+Y4hkJNG KXDQ9YZZ/Kgofpsx5xs7h2/b8p65zRDdbRQN6kEO43xGQp8uDZM99HDOcbwXha9kII23 eBZ+TCqG4ia+hoRB8CGDzmASTOXx7Y9A4UYPURRCWz1/N92IX39tFa2YqSOAzZucMO2S qwdD5PaEd5PMunkMJQycjTifl/TAMAL8IA6r5qOrGHhRyvvAJPRHapgotbiolyUL6S/4 SBpk1tHQedZMmi5aL5F2oaDAt1jzLBNuOx+LzbfGwrg8RY5kWOXGnLwVOTpJWQWw28sx aXDg==
X-Gm-Message-State: AG10YORUh0w4QJ6do2bmRpo5YOoI2EaACRbZf1HL8ag31LBkPMoMVH5h1LrgCxbfePo5Rg==
X-Received: by 10.194.216.100 with SMTP id op4mr12439928wjc.85.1454147395461; Sat, 30 Jan 2016 01:49:55 -0800 (PST)
Received: from [192.168.1.13] ([46.120.13.132]) by smtp.gmail.com with ESMTPSA id yz5sm19325385wjc.36.2016.01.30.01.49.53 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sat, 30 Jan 2016 01:49:54 -0800 (PST)
Content-Type: multipart/alternative; boundary="Apple-Mail=_BE805379-8FC4-4165-885D-BF6F9EF6E54F"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <56AB6787.1010302@htt-consult.com>
Date: Sat, 30 Jan 2016 11:49:51 +0200
Message-Id: <30BB5B38-9DC3-4DC1-968C-F3A2AC293E6F@gmail.com>
References: <CAMr0u6=76q4n-u1Vpv5vWjSNgi4CtaOJoX0EmvcbXH+9C4w2mg@mail.gmail.com> <78D9D0BF-4ADE-4DDB-88A4-BF03DD6336BA@shiftleft.org> <9c878c6b6b505414f71fa53442e4a33a@mail.tc26.ru> <CAMr0u6nzV_Y87ghnAcmhgkzk4fgdKtC3Kj8NqPyawHrjhGVySg@mail.gmail.com> <CACsn0ckKX7pKZ5qU0y6cR3jyGV8JmL1V8EAUwU6b4ShDYVxmYw@mail.gmail.com> <CAMr0u6kvc1B8MY7Nqs2NLd1tHPU6wiv7ti9QDQ5gvu6iRgw+2g@mail.gmail.com> <930102DC-F5B3-4233-BF6B-1EC631B4ABF5@gmail.com> <56AB6787.1010302@htt-consult.com>
To: Robert Moskowitz <rgm-sec@htt-consult.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/iafVH6z2RO4XwlwB6Qm6c2MAjas>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Subject: Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE schemes
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Jan 2016 09:49:59 -0000

> On 29 Jan 2016, at 3:22 PM, Robert Moskowitz <rgm-sec@htt-consult.com> wrote:
> 
> 
> 
> On 01/29/2016 03:04 AM, Василий Долматов wrote:
>> 
>>> 29 янв. 2016 г., в 9:26, Stanislav V. Smyshlyaev <smyshsv@gmail.com <mailto:smyshsv@gmail.com>> написал(а):
>>> 
>>> A major number of cryptography failures follows from incorrect embedding of lower-level protocols to high-level ones – if you prove the security of PAKE under specific assumtions on counter handling and then someone implements it without knowledge of them, you have a practical vulnerability. We do not create protocols for vacuum, we make them for practice and must write security considerations (a specific "Security considerations" section in RFC can be used for discussing these issues, if someone thinks that they are not important enough to be in the main part).
>> I think that idea of moving these recommendations and notice about importance of correct setting of these counters to the «Security consideration» section is a good one.
> 
> I agree.  It is the perfect use of "security considerations" for a security technlogy.  None of the old "this whole document is about security".  The security considerations should contain what the risks/threats to the technology is and point out what is done to address/mitigate them.

I’m not sure about that. These considerations are true for any PAKE. In fact, they’re true for any kind of password scheme. You could even make the case that they’re true for any authentication scheme, because letting the opponent keep guessing is at least creating a DoS on the attacked authentication server. 

We generally write in the Security Considerations section stuff that is relevant for that particular scheme, not for a whole class of schemes. So it may be fine to have a BCP document for “Deploying Password Authentication on the Internet”, but I don’t think we need some boilerplate text that goes into the security considerations of any password-related RFC.

Yoav

v2.23.0 | Report a Bug | By Email