[Cfrg] comments on draft-irtf-cfrg-pake-reqs-05
Feng Hao <feng.hao@newcastle.ac.uk> Mon, 25 July 2016 11:39 UTC
Return-Path: <feng.hao@newcastle.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5469612D7DF for <cfrg@ietfa.amsl.com>; Mon, 25 Jul 2016 04:39:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=newcastle.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L5Ov8ieRDRBH for <cfrg@ietfa.amsl.com>; Mon, 25 Jul 2016 04:39:06 -0700 (PDT)
Received: from cheviot22.ncl.ac.uk (cheviot22.ncl.ac.uk [128.240.234.22]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 717CA12B054 for <cfrg@irtf.org>; Mon, 25 Jul 2016 04:39:06 -0700 (PDT)
Received: from exhubvm01.ncl.ac.uk ([128.240.234.5] helo=EXHUBVM01.campus.ncl.ac.uk) by cheviot22.ncl.ac.uk with esmtp (Exim 4.63) (envelope-from <feng.hao@newcastle.ac.uk>) id 1bReDw-0002F6-Ey for cfrg@irtf.org; Mon, 25 Jul 2016 12:39:04 +0100
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (213.199.154.176) by exhub.ncl.ac.uk (128.240.234.5) with Microsoft SMTP Server (TLS) id 14.3.266.1; Mon, 25 Jul 2016 12:38:04 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=newcastle.onmicrosoft.com; s=selector1-newcastle-ac-uk; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=rEKZiZfS5E9ikRw7PqRQQc0fXqaygeifvk8hWYn+ZBo=; b=nHbrACtPMx8Y9X2cRio5yvSrD02c1xTVzxoCPlrd1RDk1OH8+6XE+lIAaGLnkOsT+gDezLKEen+0s0U3xZqPwBq0paRRqfI6yQgICcEFymobG+pSIkHJmkf7dbpCu6uQzLG9CEDIr2z+Ywd4bpqqOfdA/yGAJzTPLCtDmvzq8Mw=
Received: from DB5PR0701MB1928.eurprd07.prod.outlook.com (10.167.228.24) by DB5PR0701MB1927.eurprd07.prod.outlook.com (10.167.228.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.544.10; Mon, 25 Jul 2016 11:38:02 +0000
Received: from DB5PR0701MB1928.eurprd07.prod.outlook.com ([10.167.228.24]) by DB5PR0701MB1928.eurprd07.prod.outlook.com ([10.167.228.24]) with mapi id 15.01.0544.019; Mon, 25 Jul 2016 11:38:01 +0000
From: Feng Hao <feng.hao@newcastle.ac.uk>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: comments on draft-irtf-cfrg-pake-reqs-05
Thread-Index: AdHmVkz907YbMQseTa2gtqTMjY4Krw==
Date: Mon, 25 Jul 2016 11:38:01 +0000
Message-ID: <DB5PR0701MB1928FE11C6C1E9DE62A957EFD40D0@DB5PR0701MB1928.eurprd07.prod.outlook.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=feng.hao@newcastle.ac.uk;
x-originating-ip: [128.240.225.103]
x-ms-office365-filtering-correlation-id: 461a7467-5a75-4451-fbbb-08d3b4802296
x-microsoft-exchange-diagnostics: 1; DB5PR0701MB1927; 6:nlTdimkFMQ1dmbb+oDj2D+vykaEvxcly5PIybDIMFbBqhdW0gMwMqDWuekueARvrVCOJsXr6tdJRWCPjhlse3haPoQB0ZvVzfRkmnPAiViNOwOqhR9CbdnyZ/M2G7O+5LIIX48u+f92ULLeqemUY5xXoQabLYth3JaaZWPtY27mzRZt58TLhK25xTJUzBJECuXDW1rKu6YfkUXTDrvEWwNvh5t9MYwYKBjoTgJsqHSkJTXwFAUi7u5i4FB1Nu93oMs1NFYfo1wcp4dGYYGejoUuTJ0HliThDhDZ0lO+tvls=; 5:mKGj7TKij82Prp0mpOOa+YktjnSxdSYqAzAjZFyyICDKigvV8fnOSWzmjGjnZczgAFaGomWmx2dsMJVSxUuT1hdUN9qSe3V2IW/xm8Z83gR0NaBb6OaLRK/o+aVa0IJBTpbT3U1eG+AMuRBSqwNbxQ==; 24:fOMBcMEMXaohaz1id4fFYImdhrHIM3VXYqJYmVyMQBevCK5M4HLVux8Mdzp9WlsDBXHdxOBPFj7umJReWDz70qUfiMHDipvIqRHFIY9NOnU=; 7:45yZXVh2L90T63rKdEN+rG2+eoOJPsdHXERW/wbxSj2Edo4qDBcs12WFq3LsWFL5/J2CtjDWZpz1AiimolzIJVF/qCb10A4Nt4f2lkpKbA0sKDVFFh0TyuffiGcptX331jVIXwb91HitEmNzCIk5uAh9pKwRmDCZuJQG36IRI7wvsvtnETWXPf3I1MPwjJhTxNoc8Qz37URXjJMKajvl7SDZxCqsQv6G4C9yfdfI8IBcfPYU4EadYlqH6Fvk/g0m
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DB5PR0701MB1927;
x-microsoft-antispam-prvs: <DB5PR0701MB19275EAADDF9257F00DA62ABD40D0@DB5PR0701MB1927.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(278428928389397)(192374486261705);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001); SRVR:DB5PR0701MB1927; BCL:0; PCL:0; RULEID:; SRVR:DB5PR0701MB1927;
x-forefront-prvs: 0014E2CF50
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(979002)(6009001)(7916002)(199003)(189002)(305945005)(8676002)(10400500002)(19580395003)(230783001)(105586002)(2501003)(74482002)(2351001)(106356001)(229853001)(81156014)(5003600100003)(7736002)(7696003)(54356999)(3280700002)(92566002)(5002640100001)(2906002)(50986999)(81166006)(7846002)(68736007)(551544002)(66066001)(33656002)(2900100001)(97736004)(76576001)(6116002)(1730700003)(450100001)(3846002)(110136002)(102836003)(101416001)(77096005)(3660700001)(189998001)(86362001)(8936002)(5640700001)(87936001)(9686002)(74316002)(107886002)(122556002)(15975445007)(586003)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1101; SCL:1; SRVR:DB5PR0701MB1927; H:DB5PR0701MB1928.eurprd07.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: newcastle.ac.uk does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Jul 2016 11:38:01.6484 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9c5012c9-b616-44c2-a917-66814fbe3e87
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB5PR0701MB1927
X-OriginatorOrg: newcastle.ac.uk
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/o7jdfq3f5NhXF7xvG5yNAocMXw4>
Resent-From: alias-bounces@ietf.org
Resent-To: <>
Subject: [Cfrg] comments on draft-irtf-cfrg-pake-reqs-05
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2016 11:39:09 -0000
Hi Joern-Marc (and others who are interested in PAKE), I have a few comments on the latest draft on "Requirements for PAKE schemes" (draft-irtf-cfrg-pake-reqs-05), and hope they may help. 1. In Introduction, "In other words, they are horrible credentials to use for authentication". I don't think "horrible" is a scientific word that should be used here. The key question is what are the alternatives? Passwords are just one of the three authentication factors. The other two, including biometrics and token (which may store a public key certificate), also have various drawbacks. I suggest to remove this sentence as it doesn't look adding any value. 2. In introduction, it may be worth mentioning that there are two main approaches to realise "Authenticated" Key Exchange: based on PKI and passwords. The current TLS protocol is largely based on PKI. However, PKI has many problems (which everyone knows and you don't need to repeat in this draft). Hence, for applications where it's not feasible or possible to setup/maintain PKI, PAKE can be a suitable alternative. Of course, for those who believe PKI (or the use of public key certificates) works on solving all their problems, they don't need PAKE. I see that you mention later in the sentence that "PAKEs ... without requiring any Public Key Infrastructure (PKI)." I suggest you can elaborate this more, since PKI-based AKE and PAKE are two different protocols, which can be complementary. It's not the case that one replaces another. 3. In Sec 3.1, "When one side maintains an uninvertable transform of the password and ...". The word "uninvertable" is technically not correct as it's actually invertable for all augmented PAKEs with a certain doable effort. I suggest simply to remove the word "uninvertable". I don't know if there is a better way to rephrase this. 4. In Sec 3.1, "The benefit of an augmented PAKE is that the server's password database is protected in a way that is not possible with a balanced PAKE." The meaning is vague (to me). I suggest you to illustrate this more explicitly. 5. In sec 3.1, "Augmented PAKEs are resistant to Key Compromise Impersonation (KCI) where an adversary who has successfully attacked Bob can impersonate Bob to everyone, but it is not possible to impersonate everyone back to Bob." This sentence is a bit problematic. I think you borrow the definition of KCI from PKI-based AKE, but it is mixed up in PAKE as the contexts are different. For example, assume Bob is the client: then this sentence is obviously wrong; now assume Bob is the server, then the sentence is still arguably incorrect, since the attacker can still break your security by doing an offline search. I don't know how to address this other than removing this sentence. 6. Actually, the above comments (3-5) are all related. The best is perhaps to rewrite that paragraph. There are a couple of points that are worth mentioning: 1) in balanced PAKE, the password doesn't have to be stored in plaintext form (I'm glad that you've covered that in the previous paragraph); 2) when the server is compromised, the stolen credential can be used directly to authenticate to the (compromised) server in the balanced PAKE case; but requires some offline brute-force effort in the augmented PAKE. That's the only advantage of augmented PAKE over balanced PAKE. However, saying that augmented PAKEs provide resistance to "server compromise" may provide a false sense of security, as once the server is compromised, all passwords must be updated anyway. No augmented PAKEs can provide any real security assurance in that case. 7. In Sec 3.2, " A variant of this method, as it is e.g. used in international travel documents by PACE [BFK09] ". The PACE protocol has two main stages: in the first stage, it uses the password to encrypt nonces, and in the second stage, it combines the nonces and other data to derive a secret base generator (like in SPEKE). So, saying PACE is a variant of EKE is not very correct; PACE is a protocol that combines the ideas of EKE and SPEKE. 8. In Sec 3.2, " These public keys may be blinded by some function of the shared password, but the public key that is transmitted across the unsecured medium is an element in a finite field, not a random blob". This seems to be more like how J-PAKE works rather than SPEKE. In SPEKE, what the party sends is a field element; I wouldn't call it a public key, as the generator in SPEKE must be kept secret. If you want to classify PAKEs, in my knowledge there are three: 1) using the password to encrypt key exchange items (e.g., EKE-style); 2) using the password to derive a secret generator (e.g., SPEKE-style); 3) the using the password to juggle the ephemeral public keys by encrypting items (and achieving a cancellation of random factors when the two passwords match) on the exponent (e.g., J-PAKE-style). 9. In Sec 4, " All PAKEs have a flaw: if Eve guesses the password she can subvert the exchange". I would suggest changing "flaw" to "limitation". A flaw is more a design error that should have been addressed. But what you describe is one inherent limitation with PAKE. As an example, suppose one says that all PKI-based AKE schemes have a flaw: all parties need to trust CA - That's stating a factual limitation, not really a design flaw. 10. " In addition, proofs sometimes rely on idealized versions of hash functions and/or block ciphers, called random oracles and ideal ciphers. " But "ideal ciphers", you probably refer to the assumption made in the EKE proofs. But they are not really idealized "block ciphers" - if you use any secure block cipher, say AES, you end up with an EKE that trivially leaks info about the password. There is a tricky interplay with the theoretical proofs (or "provable security") and the practical security; e.g., for more details, see Sec 2.2 in https://eprint.iacr.org/2010/190.pdf. I don't know how you can address this. You may want to explain the "ideal ciphers" more concretely and explicitly, but that is not easy to do without causing even more confusion. My suggestion is to remove this sentence. Best regards, Feng