Re: [Cfrg] The SESPAKE protocol and PAKE requirements

"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Wed, 27 April 2016 08:12 UTC

In-Reply-To: <38634A9C401D714A92BB13BBA9CCD34F23476FEB@mail-essen-01.secunet.de>
References: <CAMr0u6nu=0H8pi=rEC1i69y1nhGLStvbJUXukUX0uHaVperkSg@mail.gmail.com> <38634A9C401D714A92BB13BBA9CCD34F167B5300@mail-essen-01.secunet.de> <CAMr0u6=eKJyCVQwHpuBLzB2TrrUQrfP8ti9N+Ai108=iS9tkZA@mail.gmail.com> <38634A9C401D714A92BB13BBA9CCD34F167B8267@mail-essen-01.secunet.de> <CAMr0u6m7TD2Nx29q+gFOBEFRswSiSCzXmGoVP_AmZtNhs0vUFw@mail.gmail.com> <CAMr0u6=YnFXRDtXxHuz03g2-Dt74Z1HZ3Pa3GVYOa2_hPFsgrw@mail.gmail.com> <38634A9C401D714A92BB13BBA9CCD34F23472FB0@mail-essen-01.secunet.de> <CAMr0u6kU2r=xKwAwCW+oCcA=-BDAEb7E2pbx6Df=DDw2-OkGXQ@mail.gmail.com> <38634A9C401D714A92BB13BBA9CCD34F23476BA3@mail-essen-01.secunet.de> <20160426144049.5910610.54445.3223@gmail.com> <38634A9C401D714A92BB13BBA9CCD34F23476F97@mail-essen-01.secunet.de> <CAMr0u6nUUa78VZaF8DTUDvuXSrSHheWgmn10dkO+yYdbxWaKsQ@mail.gmail.com> <38634A9C401D714A92BB13BBA9CCD34F23476FEB@mail-essen-01.secunet.de>
Date: Wed, 27 Apr 2016 11:11:59 +0300
Message-ID: <CAMr0u6==4bf4f65o+hDKDo6B_etdSAeHUK0Eb0akKmKi_q5SJg@mail.gmail.com>
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
To: "Schmidt, Jörn-Marc" <Joern-Marc.Schmidt@secunet.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/k4nNoHGsugo3rWyAYYn-Yad3djw>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] The SESPAKE protocol and PAKE requirements

Thank you for your response, Jörn, it will be a pleasure to continue our
discussion after your modifications!

Kindest regards,

Stanislav.


2016-04-27 10:22 GMT+03:00 Schmidt, Jörn-Marc <
Joern-Marc.Schmidt@secunet.com>:

> Hello Stanislav,
>
> You're right, the two points are not precise enough - my sentence was too
> sloppy. I'll use your suggestion for the active adversary. I think it
> also covers passive adversaries - if eavesdropping leads to any information
> about the password, there is no "guess" needed. Which reminds me that
> "guess" is again not the best term - I'll use something like "interaction
> with legitimate parties".
>
> Thanks a lot!
>
> Best regards,
>
> Jörn
>
> ----
> >Two points must be corrected in the sentence (2):
> >- not "divided by the password length", but "divided by the cardinality
> of the set of possible passwords" (for example, if you use passwords of
> digits 0-9 of length 8, the probability of success for 3 trials is
> estimated not as 3/8, but as 3/(10^8)).
> >- not "limited by [the number...divided...]", but something like "limited
> by [the number...divided...] plus a negligible value" (there is always a
> possibility, with negligible probability, that the adversary breaks a CDH
> instance, etc.).
>
>
> >Moreover, since the requirement (1) in your statement can be trivially
> achieved without any PAKE (if you just use simple DH without any passwords,
> it's OK for the case of a passive adversary), I'd prefer to modify your
> statement in this way:
> >"In particular, the proof must show that the probability of an active
> adversary (1) passing authentication, (2) learning anything about the
> password, or (3) learning anything about the established key is limited by
> the number of guesses divided by the ...."
>
>
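The bound the two messages above converge on, "number of interactions divided by the cardinality of the password set, plus a negligible value", is easy to get wrong in the way the thread points out (dividing by the password length instead of the size of the password set). The following Python model is an added example and is not code from the thread or from either author. It assumes, as a modelling choice of its own, that the password is drawn uniformly from the whole candidate set and that the PAKE is ideal, i.e. each run with an active adversary yields a single accept/reject verdict and leaks nothing else; the function names (`password_space_size`, `online_guess_bound`, `naive_length_bound`, `simulate_online_guessing`) are hypothetical. It computes the correct bound for the thread's 10^8-password example, contrasts it with the mistaken "divided by length" reading, shows where the negligible term enters, and checks the bound against a Monte Carlo run over a small password set.

```python
from fractions import Fraction
import random


def password_space_size(alphabet_size: int, length: int) -> int:
    """Cardinality of the candidate set: every string of `length` symbols
    drawn from an alphabet of `alphabet_size` symbols (the thread's example:
    digits 0-9, length 8 -> 10**8 passwords)."""
    return alphabet_size ** length


def online_guess_bound(trials: int, alphabet_size: int, length: int,
                       negligible: Fraction = Fraction(0)) -> Fraction:
    """Bound discussed in the thread: an active adversary that interacts with
    a legitimate party `trials` times succeeds with probability at most
    trials / |password set| plus a negligible term (for instance the
    probability of solving a CDH instance), capped at 1. Exact rational
    arithmetic is used so a term such as 2**-128 is not lost to rounding."""
    n = password_space_size(alphabet_size, length)
    return min(Fraction(1), Fraction(trials, n) + negligible)


def naive_length_bound(trials: int, length: int) -> Fraction:
    """The misreading the thread corrects ("divided by the password length").
    Kept only to show how far it is from the real bound."""
    return Fraction(trials, length)


def simulate_online_guessing(trials: int, space_size: int, runs: int,
                             seed: int = 0) -> float:
    """Monte Carlo check of the bound against an idealised PAKE.

    Model (an assumption of this example, not a statement from the thread):
    the password is uniform over range(space_size); the verifier accepts
    exactly one candidate per interaction and a rejection reveals nothing
    except that the tried candidate was wrong. The adversary therefore gains
    nothing beyond eliminating `trials` distinct candidates, and the measured
    success rate should converge to trials / space_size."""
    rng = random.Random(seed)
    successes = 0
    for _ in range(runs):
        password = rng.randrange(space_size)
        # `trials` distinct candidates: with a bare accept/reject verdict per
        # interaction there is no better strategy in this model.
        candidates = rng.sample(range(space_size), trials)
        if password in candidates:
            successes += 1
    return successes / runs


if __name__ == "__main__":
    # The thread's numbers: 8 decimal digits, 3 trials.
    print("naive 'divided by length':", naive_length_bound(3, 8))   # 3/8
    print("actual bound:", online_guess_bound(3, 10, 8))            # 3/100000000
    print("with a 2**-128 CDH-style term:",
          float(online_guess_bound(3, 10, 8, Fraction(1, 2 ** 128))))
    # A small set keeps the simulation fast; the expected rate is 3/20 = 0.15.
    print("simulated rate (set of 20, 3 trials):",
          simulate_online_guessing(3, 20, 20_000))
```

Two things the numbers make visible: the correct bound for the thread's example is seven orders of magnitude below the "divided by length" figure, and the negligible term is a separate additive allowance for breaking the underlying hard problem, not something that scales with the number of interactions. On the defensive side, the same formula is what justifies counting and limiting failed PAKE runs per account: each failed run buys an online adversary exactly one candidate out of the whole set, so a cap on `trials` caps the success probability.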