IETF Logo Mail Archive

Re: [Cfrg] Integration of OPAQUE in IKEv2

"Valery Smyslov" <smyslov.ietf@gmail.com> Thu, 12 September 2019 06:57 UTC

Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B861120824 for <cfrg@ietfa.amsl.com>; Wed, 11 Sep 2019 23:57:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.497
X-Spam-Level:
X-Spam-Status: No, score=-0.497 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_WEB=1.5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w-ZwxqiVbFtp for <cfrg@ietfa.amsl.com>; Wed, 11 Sep 2019 23:57:05 -0700 (PDT)
Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5047120811 for <cfrg@ietf.org>; Wed, 11 Sep 2019 23:57:04 -0700 (PDT)
Received: by mail-lf1-x12f.google.com with SMTP id u3so3273129lfl.10 for <cfrg@ietf.org>; Wed, 11 Sep 2019 23:57:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:thread-index:content-language; bh=+Q8bL1svB65c2Qlko7GJMVRuJ83MtXEr3ZvooGnrIFc=; b=XcbgXTzdn+basI+Jie3s9dHZ8lT3LubZCUzz+iGx/HQ5+0X17W7+KfxnOyDE4UG97S OQURbU2e2suA27c4a90X3n9ExcAXnnbqpuQEGSSvLBQRkQTgzN2l65xZ+eZD9tpDTSTO alJMRUuX7cWAXVcoKWpEIXvCpQnNydTy8P+1KS4FKyqqRxbDYkgOhpkxqZOiih0HP34X i4OqRBHXaetUNNGlzhdHnU+ETdxeqCbbNCv7vA/jJq9WUpcnu0Ib9cJOxXaBHPXADth7 ZJ+X2b7Ju5t4BnUYZITmTmEpAZ13+F/+ubICDlvFoSLMzkCmmYzNvlAzduEeBqnm2Js5 ZnQQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:thread-index:content-language; bh=+Q8bL1svB65c2Qlko7GJMVRuJ83MtXEr3ZvooGnrIFc=; b=EVcGFjUSj3rLfwWa0JBOPKEMzUo3gurWKvAo72+CkVXL02zHmrWhfZLA5ZPnn1qTTy mEyWPBmrXViwlcUQIfDRedq47zrAFZbIt40V9NQilwRo+yI7GK8ndZ94FB25BOwYZf3k vENe15qeEqy4W67Vn76qagRnfj5GjVPsSvgy7Ceg2+GKPaDBreyDbe3W/AAxazxFreZ8 Kgu2LYgmkZ9EcrXWxHXOgitzb6NE0nfvoEvF1UcZbRz7NJfgtyjSOsjli/6ZAXlpNcnI LwZ7tj2ON6UlMQ4PDatha8XhAwJwVBgmMxMtO/bA+JzMHK9VYNGyFgF8jIMYyDZCJTJm eKZw==
X-Gm-Message-State: APjAAAX0rGi5ZziYY66frWJiPcPx3I1QZ/u2nE9ce0o9+Mlzg+T+ET7I v7q0f33aA/f/Ck6+z1LWKxqnfPWc
X-Google-Smtp-Source: APXvYqzTosvPkGgtskajtGcc2d2hosFIwqu4VLxVoLgqfyFXeFIi7Am+k68qlRV8PT8yCINGX6kLjw==
X-Received: by 2002:ac2:530e:: with SMTP id c14mr25804544lfh.165.1568271422583; Wed, 11 Sep 2019 23:57:02 -0700 (PDT)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id q24sm6084613lfa.94.2019.09.11.23.57.01 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 11 Sep 2019 23:57:01 -0700 (PDT)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Hugo Krawczyk' <hugo@ee.technion.ac.il>, 'Yoav Nir' <ynir.ietf@gmail.com>
Cc: cfrg@ietf.org
References: <0791DF4A-098E-4753-B886-BFC2D7DA1F97@gmail.com> <CADi0yUN=+mX80ESTnttgVYk+mT3jTWZ=mcqB28T5YmdRQZ1bhw@mail.gmail.com>
In-Reply-To: <CADi0yUN=+mX80ESTnttgVYk+mT3jTWZ=mcqB28T5YmdRQZ1bhw@mail.gmail.com>
Date: Thu, 12 Sep 2019 09:56:58 +0300
Message-ID: <011001d56937$46284660$d278d320$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0111_01D56950.6B770500"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGw5pk5BZzGYeW9eEdodBLRs3jvYQITmhnTp1/9ljA=
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/mxzaD6wssKVhGWrnWxfLnDg-MsY>
Subject: Re: [Cfrg] Integration of OPAQUE in IKEv2
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Sep 2019 06:57:08 -0000

HI Hugo,

 

Hi Yoav and Valery, 

 

thanks for your extensive analysis of the different PAKE candidates. 

I would like to clarify some issues regarding the way you
envision the integration of OPAQUE in the context of IKEv2. 

Let me first refer to Yoav's analysis 

https://mailarchive.ietf.org/arch/msg/cfrg/PWhIOQKBHapZ1Rpbd7Brr_JFIg8

where he says:

> OPAQUE spends one round-trip on sending IDi and receiving EnvU and vU.
> OPAQUE spends another round-trip on the OPRF protocol.
> OPAQUE spends yet another round-trip for a KE exchange.
> The final IKE_AUTH flow uses the generated key for the AUTH payloads.
> Altogether 5 round-trips (or IKE_AUTH exchanges) are needed for user
> authentication.

This mimics the modular description in the OPAQUE draft that shows the different
logical components. However, these components need not be run sequentially but
rather in parallel, namely, piggybacking the OPRF to any existing AKE protocol.
This is exemplified in the OPAQUE draft for any AKE with 3 flows as follows:

   Generic OPAQUE with 3-message KE:

   o  C to S: Uid, alpha=H'(PwdU)*g^r, KE1

   o  S to C: beta=alpha^kU, vU, EnvU, KE2

   o  C to S: KE3

Thus, one can integrate OPAQUE with IKEv2 at the cost of a single additional
message from C to S, and no change to the AUTH mechanics.

Here is how it would look (I keep Yoav's notation and add the OPAQUE elements in
< ... >). The only changes to regular IKEv2 are piggybacking the elements
alpha, beta, vU, EnvU to the existing IKEv2 flows and adding the last
client-to-server flow with the AUTH value.


   User                              Server
   -------------------------------------------------------------------
   HDR, SAi1, KEi, Ni  -->
                                <--  HDR, SAr1, KEr, Nr,
   HDR, SK {IDi,
       [IDr,] SAi2,
       TSi, TSr  
       <alpha>}     -->
                                <--  HDR, SK {IDr, AUTH, <beta, vU, EnvU>}
   HDR, AUTH       -->


Server's AUTH needs no change, except that the signature is computed with
the server's key authenticated under EnvU, and client's AUTH in the added
flow is computed under the user's key under EnvU.

The first two flows don't change (except maybe for a HDR type indicating
password authentication). The value IDi is used to transfer user's account
information (whose privacy is protected against passive adversaries by virtue of
the DH exchange (KEi, KEr)).

As you can see, my depiction above is quite similar to the way Valery Smyslov
https://datatracker.ietf.org/doc/html/draft-smyslov-ikev2-pake
integrates OPAQUE with IKEv2, with two notable differences. 
Valery's version (top of page 10 in the draft) takes three round trips (instead
of 2.5) as he delays the server's AUTH to an additional sixth flow. 

 

          I did this for the purpose. IKEv2 is a strict request-response protocol,

          so that initiator sends a request message and responder

          sends a response. It is the initiator who is responsible for 

          any retransmission in case request or response get lost.

         This is a core principle of IKEv2 and for this reason non-integer

         RTTs are non-applicable for IKEv2. In your example the proper sequence 

         would be:

         

   User                              Server
   -------------------------------------------------------------------
   HDR, SAi1, KEi, Ni  -->
                                <--  HDR, SAr1, KEr, Nr,
   HDR, SK {IDi,
       [IDr,] SAi2,
       TSi, TSr  
       <alpha>}     -->
                                <--  HDR, SK {IDr, AUTH, <beta, vU, EnvU>}
   HDR, AUTH       -->

                                <--  HDR, SK{}

 

      which, in my opinion, is no better than my proposal,

       because it also changes the order AUTH payloads are

       computed by initiator and responder (I prefer the 

       initiator authenticates itself first to decrease possible DoS attacks surface).

 

In contrast, I include this information in the fourth flow.
More significantly, Valery re-defines the AUTH values as 
               AUTHi = sig(PrivU, <InitiatorSignedOctets>)
               AUTHr = sig(PrivS, <ResponderSignedOctets>)
This is not necessary. One can keep IKEv2's AUTH unchanged (as I said, only the
public keys change from certificate-based to EnvU-based). Actually, defining
AUTH i/r as above would not be secure (it departs from the necessary logic of
SIGMA-R underlying IKEv2).

 

          Here I’m confused. Actually, the above AUTH payload calculation

          is exactly as it is done in IKEv2 (or in SIGMA) with the assumption

          that once the OPAQUE is complete each peer can use its private

          key Priv[U|S] for signing. I believed I didn’t change AUTH calculation 

          in case of OPAQUE at all. From RFC7296, Section 2.15:

 

2.15.  Authentication of the IKE SA

 

   When not using extensible authentication (see Section 2.16), the

   peers are authenticated by having each sign (or MAC using a padded

   shared secret as the key, as described later in this section) a block

   of data.

 

     Later in this section this block of data is depicted as InitiatorSignedOctets

          for initiator and as ResponderSignedOctets for responder.

 

          So, I failed to understand where I changed the way AUTH payload

          is calculated for the OPAQUE. Am I missing something?

 

          Thank you,

          Valery.



Finally, responding to one of the points of Yoav, the password registration
procedure only takes 3 flows (C to S, S to C, C to S).

The common point to the above comments is that integrating OPAQUE into an
existing protocol should be quite painless. You just need to piggyback the two
OPRF messages and EnvU to the existing key exchange flows. Assuming
extensibility of the protocol to accommodate the above elements, the cost would
be at most one additional flow for user's explicit authentication.
Computation-wise it's just one exponentiation for the server and two for the
client (with one or both of these exponentiations using a fixed base), plus a
hash into the curve by the client.

Let me know if the above makes sense to you and whether I missed something
significant about the way IKEv2 works.

Thanks again!

Hugo

v2.23.0 | Report a Bug | By Email