Re: [Cfrg] Integration of OPAQUE in IKEv2
"Valery Smyslov" <smyslov.ietf@gmail.com> Thu, 12 September 2019 06:57 UTC
Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B861120824 for <cfrg@ietfa.amsl.com>; Wed, 11 Sep 2019 23:57:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.497
X-Spam-Level:
X-Spam-Status: No, score=-0.497 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_WEB=1.5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w-ZwxqiVbFtp for <cfrg@ietfa.amsl.com>; Wed, 11 Sep 2019 23:57:05 -0700 (PDT)
Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5047120811 for <cfrg@ietf.org>; Wed, 11 Sep 2019 23:57:04 -0700 (PDT)
Received: by mail-lf1-x12f.google.com with SMTP id u3so3273129lfl.10 for <cfrg@ietf.org>; Wed, 11 Sep 2019 23:57:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:thread-index:content-language; bh=+Q8bL1svB65c2Qlko7GJMVRuJ83MtXEr3ZvooGnrIFc=; b=XcbgXTzdn+basI+Jie3s9dHZ8lT3LubZCUzz+iGx/HQ5+0X17W7+KfxnOyDE4UG97S OQURbU2e2suA27c4a90X3n9ExcAXnnbqpuQEGSSvLBQRkQTgzN2l65xZ+eZD9tpDTSTO alJMRUuX7cWAXVcoKWpEIXvCpQnNydTy8P+1KS4FKyqqRxbDYkgOhpkxqZOiih0HP34X i4OqRBHXaetUNNGlzhdHnU+ETdxeqCbbNCv7vA/jJq9WUpcnu0Ib9cJOxXaBHPXADth7 ZJ+X2b7Ju5t4BnUYZITmTmEpAZ13+F/+ubICDlvFoSLMzkCmmYzNvlAzduEeBqnm2Js5 ZnQQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:thread-index:content-language; bh=+Q8bL1svB65c2Qlko7GJMVRuJ83MtXEr3ZvooGnrIFc=; b=EVcGFjUSj3rLfwWa0JBOPKEMzUo3gurWKvAo72+CkVXL02zHmrWhfZLA5ZPnn1qTTy mEyWPBmrXViwlcUQIfDRedq47zrAFZbIt40V9NQilwRo+yI7GK8ndZ94FB25BOwYZf3k vENe15qeEqy4W67Vn76qagRnfj5GjVPsSvgy7Ceg2+GKPaDBreyDbe3W/AAxazxFreZ8 Kgu2LYgmkZ9EcrXWxHXOgitzb6NE0nfvoEvF1UcZbRz7NJfgtyjSOsjli/6ZAXlpNcnI LwZ7tj2ON6UlMQ4PDatha8XhAwJwVBgmMxMtO/bA+JzMHK9VYNGyFgF8jIMYyDZCJTJm eKZw==
X-Gm-Message-State: APjAAAX0rGi5ZziYY66frWJiPcPx3I1QZ/u2nE9ce0o9+Mlzg+T+ET7I v7q0f33aA/f/Ck6+z1LWKxqnfPWc
X-Google-Smtp-Source: APXvYqzTosvPkGgtskajtGcc2d2hosFIwqu4VLxVoLgqfyFXeFIi7Am+k68qlRV8PT8yCINGX6kLjw==
X-Received: by 2002:ac2:530e:: with SMTP id c14mr25804544lfh.165.1568271422583; Wed, 11 Sep 2019 23:57:02 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id q24sm6084613lfa.94.2019.09.11.23.57.01 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 11 Sep 2019 23:57:01 -0700 (PDT)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Hugo Krawczyk' <hugo@ee.technion.ac.il>, 'Yoav Nir' <ynir.ietf@gmail.com>
Cc: cfrg@ietf.org
References: <0791DF4A-098E-4753-B886-BFC2D7DA1F97@gmail.com> <CADi0yUN=+mX80ESTnttgVYk+mT3jTWZ=mcqB28T5YmdRQZ1bhw@mail.gmail.com>
In-Reply-To: <CADi0yUN=+mX80ESTnttgVYk+mT3jTWZ=mcqB28T5YmdRQZ1bhw@mail.gmail.com>
Date: Thu, 12 Sep 2019 09:56:58 +0300
Message-ID: <011001d56937$46284660$d278d320$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0111_01D56950.6B770500"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGw5pk5BZzGYeW9eEdodBLRs3jvYQITmhnTp1/9ljA=
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/mxzaD6wssKVhGWrnWxfLnDg-MsY>
Subject: Re: [Cfrg] Integration of OPAQUE in IKEv2
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Sep 2019 06:57:08 -0000
HI Hugo, Hi Yoav and Valery, thanks for your extensive analysis of the different PAKE candidates. I would like to clarify some issues regarding the way you envision the integration of OPAQUE in the context of IKEv2. Let me first refer to Yoav's analysis https://mailarchive.ietf.org/arch/msg/cfrg/PWhIOQKBHapZ1Rpbd7Brr_JFIg8 where he says: > OPAQUE spends one round-trip on sending IDi and receiving EnvU and vU. > OPAQUE spends another round-trip on the OPRF protocol. > OPAQUE spends yet another round-trip for a KE exchange. > The final IKE_AUTH flow uses the generated key for the AUTH payloads. > Altogether 5 round-trips (or IKE_AUTH exchanges) are needed for user > authentication. This mimics the modular description in the OPAQUE draft that shows the different logical components. However, these components need not be run sequentially but rather in parallel, namely, piggybacking the OPRF to any existing AKE protocol. This is exemplified in the OPAQUE draft for any AKE with 3 flows as follows: Generic OPAQUE with 3-message KE: o C to S: Uid, alpha=H'(PwdU)*g^r, KE1 o S to C: beta=alpha^kU, vU, EnvU, KE2 o C to S: KE3 Thus, one can integrate OPAQUE with IKEv2 at the cost of a single additional message from C to S, and no change to the AUTH mechanics. Here is how it would look (I keep Yoav's notation and add the OPAQUE elements in < ... >). The only changes to regular IKEv2 are piggybacking the elements alpha, beta, vU, EnvU to the existing IKEv2 flows and adding the last client-to-server flow with the AUTH value. User Server ------------------------------------------------------------------- HDR, SAi1, KEi, Ni --> <-- HDR, SAr1, KEr, Nr, HDR, SK {IDi, [IDr,] SAi2, TSi, TSr <alpha>} --> <-- HDR, SK {IDr, AUTH, <beta, vU, EnvU>} HDR, AUTH --> Server's AUTH needs no change, except that the signature is computed with the server's key authenticated under EnvU, and client's AUTH in the added flow is computed under the user's key under EnvU. The first two flows don't change (except maybe for a HDR type indicating password authentication). The value IDi is used to transfer user's account information (whose privacy is protected against passive adversaries by virtue of the DH exchange (KEi, KEr)). As you can see, my depiction above is quite similar to the way Valery Smyslov https://datatracker.ietf.org/doc/html/draft-smyslov-ikev2-pake integrates OPAQUE with IKEv2, with two notable differences. Valery's version (top of page 10 in the draft) takes three round trips (instead of 2.5) as he delays the server's AUTH to an additional sixth flow. I did this for the purpose. IKEv2 is a strict request-response protocol, so that initiator sends a request message and responder sends a response. It is the initiator who is responsible for any retransmission in case request or response get lost. This is a core principle of IKEv2 and for this reason non-integer RTTs are non-applicable for IKEv2. In your example the proper sequence would be: User Server ------------------------------------------------------------------- HDR, SAi1, KEi, Ni --> <-- HDR, SAr1, KEr, Nr, HDR, SK {IDi, [IDr,] SAi2, TSi, TSr <alpha>} --> <-- HDR, SK {IDr, AUTH, <beta, vU, EnvU>} HDR, AUTH --> <-- HDR, SK{} which, in my opinion, is no better than my proposal, because it also changes the order AUTH payloads are computed by initiator and responder (I prefer the initiator authenticates itself first to decrease possible DoS attacks surface). In contrast, I include this information in the fourth flow. More significantly, Valery re-defines the AUTH values as AUTHi = sig(PrivU, <InitiatorSignedOctets>) AUTHr = sig(PrivS, <ResponderSignedOctets>) This is not necessary. One can keep IKEv2's AUTH unchanged (as I said, only the public keys change from certificate-based to EnvU-based). Actually, defining AUTH i/r as above would not be secure (it departs from the necessary logic of SIGMA-R underlying IKEv2). Here I’m confused. Actually, the above AUTH payload calculation is exactly as it is done in IKEv2 (or in SIGMA) with the assumption that once the OPAQUE is complete each peer can use its private key Priv[U|S] for signing. I believed I didn’t change AUTH calculation in case of OPAQUE at all. From RFC7296, Section 2.15: 2.15. Authentication of the IKE SA When not using extensible authentication (see Section 2.16), the peers are authenticated by having each sign (or MAC using a padded shared secret as the key, as described later in this section) a block of data. Later in this section this block of data is depicted as InitiatorSignedOctets for initiator and as ResponderSignedOctets for responder. So, I failed to understand where I changed the way AUTH payload is calculated for the OPAQUE. Am I missing something? Thank you, Valery. Finally, responding to one of the points of Yoav, the password registration procedure only takes 3 flows (C to S, S to C, C to S). The common point to the above comments is that integrating OPAQUE into an existing protocol should be quite painless. You just need to piggyback the two OPRF messages and EnvU to the existing key exchange flows. Assuming extensibility of the protocol to accommodate the above elements, the cost would be at most one additional flow for user's explicit authentication. Computation-wise it's just one exponentiation for the server and two for the client (with one or both of these exponentiations using a fixed base), plus a hash into the curve by the client. Let me know if the above makes sense to you and whether I missed something significant about the way IKEv2 works. Thanks again! Hugo
- [Cfrg] Review of the PAKE proposals Yoav Nir
- [Cfrg] Integration of OPAQUE in IKEv2 Hugo Krawczyk
- Re: [Cfrg] Integration of OPAQUE in IKEv2 Valery Smyslov
- Re: [Cfrg] Integration of OPAQUE in IKEv2 Hugo Krawczyk
- Re: [Cfrg] Integration of OPAQUE in IKEv2 Yoav Nir
- [Cfrg] Review of the Balanced PAKE proposals Karthik Bhargavan
- Re: [Cfrg] Review of the Balanced PAKE proposals Hao, Feng