Re: [Cfrg] The SESPAKE protocol and PAKE requirements

"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Wed, 04 May 2016 07:06 UTC

Date: Wed, 4 May 2016 10:05:30 +0300
Message-ID: <CAMr0u6me=pC7CR=L4NwAJp2n_O-OmqA3MqpKAgijiuMFnC4g-g@mail.gmail.com>
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
To: "Schmidt, Jörn-Marc" <Joern-Marc.Schmidt@secunet.com>, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>, "alexey.melnikov@isode.com" <alexey.melnikov@isode.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/pTG_lCZV3THLrHllAtru2lFFSM8>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>

Good afternoon,

Jörn, thank you for the updated version of the PAKE requirements RFC draft.

All my concerns were dealt with – in my opinion, the requirements draft is
complete now.

Best regards,

Stanislav Smyshlyaev


2016-04-27 11:11 GMT+03:00 Stanislav V. Smyshlyaev <smyshsv@gmail.com>:

> Thank you for your response, Jörn, it will be a pleasure to continue our
> discussion after your modifications!
>
> Kindest regards,
>
> Stanislav.
>
>
> 2016-04-27 10:22 GMT+03:00 Schmidt, Jörn-Marc <Joern-Marc.Schmidt@secunet.com>:
>
>> Hello Stanislav,
>>
>> You're right, the two points are not precise enough - my sentence was too
>> sloppy. I'll use your suggestion for the active adversary. I think it
>> covers also passive adversaries - if eavesdropping leads to any information
>> about the password, there is no "guess" needed. Which reminds me that
>> "guess" is again not the best term - I'll use something like "interaction
>> with legitimate parties".
>>
>> Thanks a lot!
>>
>> Best regards,
>>
>> Jörn
>>
>> ----
>> > Two points must be corrected in the sentence (2):
>> > - not "divided by the password length", but "divided by the cardinality
>> > of the set of possible passwords" (for example, if you use passwords of
>> > digits 0-9 of length 8, the probability of success for 3 trials is
>> > estimated not as 3/8, but as 3/(10^8)).
>> > - not "limited by [the number...divided...]", but something like
>> > "limited by [the number...divided...] plus a negligible value" (it is
>> > always a possibility with a negligible probability, that adversary breaks a
>> > CDH instance etc).
>>
>>
>> > Moreover, since the requirement (1) in your statement can be trivially
>> > achieved without any PAKE (if you just use simple DH without any passwords,
>> > it's OK for the case of a passive adversary), I'd prefer to modify your
>> > statement in this way:
>> > "In particular, the proof must show that the probability of an active
>> > adversary to (1) pass authentication or (2) to learn anything about the
>> > password or (3) to learn anything about the established key is limited by
>> > the number of guesses divided by the ...."
>>
>>
>