IETF Logo Mail Archive

Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE schemes

"Grigory Marshalko" <marshalko_gb@tc26.ru> Thu, 28 January 2016 20:45 UTC

Return-Path: <marshalko_gb@tc26.ru>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCDF91AD0B8 for <cfrg@ietfa.amsl.com>; Thu, 28 Jan 2016 12:45:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.531
X-Spam-Level:
X-Spam-Status: No, score=-0.531 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_RU=0.595, HOST_EQ_RU=0.875, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Du5PdXmTewOU for <cfrg@ietfa.amsl.com>; Thu, 28 Jan 2016 12:45:51 -0800 (PST)
Received: from mail.tc26.ru (mail.tc26.ru [188.40.163.82]) by ietfa.amsl.com (Postfix) with ESMTP id D71571ACF6C for <cfrg@irtf.org>; Thu, 28 Jan 2016 12:45:49 -0800 (PST)
Received: from mail.tc26.ru (localhost [127.0.0.1]) by mail.tc26.ru (Postfix) with ESMTPSA id 12D0D3001CD; Thu, 28 Jan 2016 23:45:45 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.10.3 mail.tc26.ru 12D0D3001CD
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tc26.ru; s=mx; t=1454013949; bh=dFdScbFsMc0ET2acmJ4oSPGAVW/yoLCLKLuU0c+/GuQ=; h=Date:From:Subject:To:Cc:In-Reply-To:References:From; b=eSUPMbc/bDnp8TVFZJYGnrtQPNfK0oyuTLKfg+6GiBKqsIekO2s8csirbwD2/GHps LLvdtIZ/B/hlrrcJo5dYAo69/tUaHx1OIxMP2fuCcpLi5dYWdHmC33ygyt2IVSrN9V /xlA4C1PnfAd646pItUnia6E/LDtVbT4zltV+erM=
Mime-Version: 1.0
Date: Thu, 28 Jan 2016 20:45:44 +0000
Content-Type: multipart/alternative; boundary="--=_RainLoop_189_276125244.1454013944"
Message-ID: <9c878c6b6b505414f71fa53442e4a33a@mail.tc26.ru>
X-Mailer: RainLoop/1.9.3.365
From: Grigory Marshalko <marshalko_gb@tc26.ru>
To: Mike Hamburg <mike@shiftleft.org>, "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
In-Reply-To: <78D9D0BF-4ADE-4DDB-88A4-BF03DD6336BA@shiftleft.org>
References: <78D9D0BF-4ADE-4DDB-88A4-BF03DD6336BA@shiftleft.org> <CAMr0u6=76q4n-u1Vpv5vWjSNgi4CtaOJoX0EmvcbXH+9C4w2mg@mail.gmail.com>
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Lua-Profiles: 90369 [Jan 28 2016]
X-KLMS-AntiSpam-Version: 5.5.6
X-KLMS-AntiSpam-Envelope-From: marshalko_gb@tc26.ru
X-KLMS-AntiSpam-Rate: 0
X-KLMS-AntiSpam-Status: not_detected
X-KLMS-AntiSpam-Method: none
X-KLMS-AntiSpam-Moebius-Timestamps: 3936763, 3936790, 3936459
X-KLMS-AntiSpam-Info: LuaCore: 407 407 95088b6730bc8abe9b35391686e3291f9b43d2f2, Auth:dkim=none
X-KLMS-AntiSpam-Interceptor-Info: scan successful
X-KLMS-AntiPhishing: Clean, 2016/01/26 12:51:30
X-KLMS-AntiVirus: Kaspersky Security 8.0 for Linux Mail Server, version 8.0.1.721, bases: 2016/01/28 16:44:00 #6879603
X-KLMS-AntiVirus-Status: Clean, skipped
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/lUU3AHhqY03p6yHUP2Chhz-M8Ts>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE schemes
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jan 2016 20:45:53 -0000

Hi, for these heuristics we can use approaches like fuzzy extractors and the corresponding theory in order to determine corresponding limitations. But this of cause would require training phases.

Regards,
Grigory Marshalko,
expert,
Technical committee for standardisation "Cryptography and security mechanisms" (ТC 26)
www.tc26.ru

28 января 2016 г., 21:10, "Mike Hamburg"  написал:

Hello Dr Smyshlyaev,

It's worth noting that in many systems, the risk of DoS weighs against the risk of password guessing. The designers of these systems may not find it acceptable to hard lock an account based on a global count of attempts, especially if most of their adversaries are not powerful. For example, eBay doesn't want people to lock out the accounts of their competitors just by trying 10 times to log in.  In these systems, heuristics are used (based eg on IP, CAPTCHAs or browser metrics) to deter guessing.  The same sort of work is applicable to PAKE systems. So I don't think brute force prevention will be so one-size-fits-all. 

Cheers,
-- Mike

Sent from my phone.  Please excuse brevity and typos.

On Jan 28, 2016, at 02:59, Stanislav V. Smyshlyaev  wrote:
  

Good afternoon!

The order of most security bounds of PAKE protocols is determined by the value  $q{send}/|D|$, where $D$ is a size of a password set and $q_{send}$ is a number of the adversary’s active impacts on the channel. The active impact assumes that the adversary can intercept a data in the channel and change it. A PAKE protocol is secure if a little number of such impacts cannot lead to the adversary’s success for some threat. It means that for the secure protocol any active impact leads to the fail abortion of the protocol. The bounds of the security can be reflected in the particular values if there are limitations for the value $q_{send}$.  In practice it can be achieved with counters that limit the number of unsuccessful authentication attempts. These limitations are the essential part of the protocol as they define the final security. For example, their absence leads to the vulnerability of the protocol to the online password brute force attack. 

So we think that it is of highly importance to add the following requirement: the description of the protocol of the PAKE type MUST include the limitations and detailed description of the following counters:
-          counters of the fail connections in a row, 
-          counters of the fail connections for the particular password,
-          counters of the total connections (successful and unsuccessful) for the current password.
Best regards,
Stanislav V. Smyshlyaev, Ph.D.,
Head of Information Security Department,
CryptoPro LLC
 wrote:

	Dear Jörn, Thank you for the document. Here are some comments: 1. It is somewhat misleading to differ balanced and augmented by a type of password storage in Section 3.1 because in balanced PAKE protocols passwords can be stored as elements generated with a one-way function. As you already wrote in the second paragraph, the difference is whether it is providing KCI or not. 2. In Section 3.3, “~ while the second one proposes a generic construction that allows transferring any two-party PAKE into a GPAKE protocol.”. However, there are other papers to convert 2-party PAKE to group PAKE (e.g., [ACGP11]). M. Abdalla et al., “Contributory Password-Authenticated Group Key Exchange with Join Capability,”' CT-RSA 2011 Best regards, Shin ------------------------------------------------------------------------------ SeongHan Shin Information Technology Research Institute (ITRI), National Institute of Advanced Industrial Science and Technology (AIST), 8F, AIST Tokyo Waterfront Bio-IT Research Building, 2-4-7 Aomi, Koto-ku, Tokyo, 135-0064, Japan Tel : +81-3-3599-8001 E-mail : seonghan.shin@aist.go.jp (mailto:seonghan.shin@aist.go.jp) ------------------------------------------------------------------------------

 
_______________________________________________
Cfrg mailing list
Cfrg@irtf.org (mailto:Cfrg@irtf.org)
https://www.irtf.org/mailman/listinfo/cfrg (https://www.irtf.org/mailman/listinfo/cfrg)

v2.23.0 | Report a Bug | By Email