Re: [Cfrg] SPAKE2+mbDH a PAKE+PKA

"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Fri, 30 September 2016 11:57 UTC

Content-Type: text/html; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Message-ID: <20160930115742.5926994.13826.7659@gmail.com>
Date: Fri, 30 Sep 2016 14:57:42 +0300
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
In-Reply-To: <D4121C90.A249D%paul@marvell.com>
References: <D411B584.A2445%paul@marvell.com> <CAMr0u6n_OEe772s2b55iND7zYL_CN0F8k6DFaq6K7z-0gH1Mpg@mail.gmail.com> <D4121C90.A249D%paul@marvell.com>
To: Paul Lambert <paul@marvell.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/nHaJ9amLANCD0q8xRW2IItHDGH0>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] SPAKE2+mbDH a PAKE+PKA
Precedence: list

Dear Paul,

Thank you for your comments and for the updated version‎ of the slides. Since you agree with my thoughts about the importance of defining "encrypt" properties, let's remember this question.

After another careful reading of the protocol ‎now I have a concern about it that seems very important to me.

In the original SPAKE2 (as well as in SESPAKE and AugPAKE etc) there is an important property (that is even proven for SPAKE2 and SESPAKE) of absence of password leakage problems in the cases when the resulting session keys are revealed (in real life - when the session key is misused and compromised somehow). It is extremely important since session keys often get compromised in real life and no one wants to leak authentication data with them.

And the proposed protocol lacks this property: if sk_AB is compromised, then x_A and P_A are known to adversary too - thus he knows w*M_A and can find short secret pw by dictionary attack.

Thus in the current version any agreed session key compromise would lead to long-term password‎ compromise, that seems to be a really bad property.

I'll be thankful for your comments on this concern. Please correct me, if I missed something in your description.

Kindest regards,

Stanislav Smyshlyaev

От: Paul Lambert

Отправлено: четверг, 29 сентября 2016 г., 11:54

Кому: Stanislav V. Smyshlyaev

Копия: cfrg@irtf.org

Тема: Re: [Cfrg] SPAKE2+mbDH a PAKE+PKA

Dear Stanislav,

Thank you for these links – they give a slightly new viewpoint on PAKEs applications (I think the most discussed question will be "for which applications will combining public keys and passwords be most useful?").

Yes … it may be useful as a type of ‘introduction’ process.

An editorial comment on the description of the protocol in the slides: it seemts that after the second message A should check that "R_B - w*M_B == x_B * P_B", not "R_B == x_B * P_B" as it is shown now. Similarly with the B's check.

And a tiny remark: there is a misprint in the plaintext that A encrypts on sk_AB for the third message: "(x_A, P_A)" should be there, not "(m_A, P_A)".

Many thanks for catching my errors!

I’ve updated the figures and reposted: https://mentor.ieee.org/802.11/dcn/16/11-16-1142-06-00ai-cryptographic-review-and-pkex.ppt" rel="nofollow">https://mentor.ieee.org/802.11/dcn/16/11-16-1142-06-00ai-cryptographic-review-and-pkex.ppt

About the protocol itself, I'll try my best to give you our opinion today or tomorrow.

At a glance, it seems to be useful to add some specific requirements for the used "encrypt" functions now or some concrete cipher modes (e.g. GCM or CTR + HMAC)

Yes, this is not clear. The notation slide mentions AEAD encryption but could say more on requirements. The ‘additional data’ is not being used, so AEAD is not strictly required. For concrete examples, I’m considering AES-SIV or GCM-SIV or something similar.

due to the words "decrypt is successful" (is it a real data authentication or just some padding check?). EMVco used to check PIN-blocks just by correctness of ECB decryption of IUN, so we should have more details here.

Yes, exactly. The decryption provides the validity check for the password based authentication and does need a better description.

Best Regards,

Paul

Kindest regards,

Stanislav

2016-09-29 4:25 GMT+03:00 Paul Lambert <paul@marvell.com>:

The PKEX protocol ( https://tools.ietf.org/html/draft-harkins-pkex-00" rel="noreferrer nofollow" target="_blank"> https://tools.ietf.org/html/draft-harkins-pkex-00 )
provides PAKE functionality (with SPAKE2) and adds public key
authentication (PAKE+PKA).

In looking at alternatives to PKEX, combining an existing and evaluated
authenticated public key exchange with a PAKE seems like an interesting
design path. To this end, the SPAKE2 protocol (
https://tools.ietf.org/html/draft-irtf-cfrg-spake2-03" rel="noreferrer nofollow" target="_blank">https://tools.ietf.org/html/draft-irtf-cfrg-spake2-03 ) combines nicely
with mutually blinded Diffie-Hellman (mbDH). Blinded DH (bDH) is described
in https://www.emvco.com/specifications.aspx?id=285" rel="noreferrer nofollow" target="_blank"> https://www.emvco.com/specifications.aspx?id=285

A brief description of the resulting SPAKE2+mbDH protocol is contained in
slides 13 to 18 of:

https://mentor.ieee.org/802.11/dcn/16/11-16-1142-04-00ai-cryptographic-rev%0Aiew-and-pkex.ppt" rel="noreferrer nofollow" target="_blank"> https://mentor.ieee.org/802.11/dcn/16/11-16-1142-04-00ai-cryptographic-rev
iew-and-pkex.ppt

Comments would be appreciated.

If this protocol seems useful an RFC could be developed.

Paul

_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg" rel="noreferrer nofollow" target="_blank">https://www.irtf.org/mailman/listinfo/cfrg

[Cfrg] SPAKE2+mbDH a PAKE+PKA Paul Lambert
Re: [Cfrg] SPAKE2+mbDH a PAKE+PKA Stanislav V. Smyshlyaev
Re: [Cfrg] SPAKE2+mbDH a PAKE+PKA Paul Lambert
Re: [Cfrg] SPAKE2+mbDH a PAKE+PKA Stanislav V. Smyshlyaev
Re: [Cfrg] SPAKE2+mbDH a PAKE+PKA Dan Harkins
Re: [Cfrg] SPAKE2+mbDH a PAKE+PKA Andy Lutomirski
Re: [Cfrg] SPAKE2+mbDH a PAKE+PKA Paul Lambert