Re: [CFRG] Attack on a Real World SPAKE2 Implementation

Filippo Valsorda <filippo@ml.filippo.io> Sun, 09 May 2021 23:26 UTC

Message-Id: <c9f3e28d-6352-417e-8efb-9bf01151acf9@www.fastmail.com>
In-Reply-To: <CACsn0ckL25j+WDTgd0aQTp3eo5qRwMb-AjfXmq2zFNU-JqYr1g@mail.gmail.com>
References: <2bfbd767-b93a-42bd-be7d-1dae9e32e555@ruben-gonzalez.de> <SY4PR01MB625110F1F7633D989FCF183EEE579@SY4PR01MB6251.ausprd01.prod.outlook.com> <e88bae26-ff1f-42e3-babf-c5de3ee1d781@www.fastmail.com> <CACsn0ckL25j+WDTgd0aQTp3eo5qRwMb-AjfXmq2zFNU-JqYr1g@mail.gmail.com>
Date: Mon, 10 May 2021 01:26:07 +0200
From: Filippo Valsorda <filippo@ml.filippo.io>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Ruben Gonzalez <in+lists@ruben-gonzalez.de>, CFRG <cfrg@irtf.org>, "rixxc@redrocket.club" <rixxc@redrocket.club>
Content-Type: multipart/alternative; boundary="86b3f8fdc78644fb8c2ceb88e3117a61"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/rwYS7ALXonNo94f5VwmNIDOz46E>
Subject: Re: [CFRG] Attack on a Real World SPAKE2 Implementation

2021-05-08 21:25 GMT+02:00 Watson Ladd <watsonbladd@gmail.com>:
> On Fri, May 7, 2021, 7:52 PM Filippo Valsorda <filippo@ml.filippo.io> wrote:
>> 2021-05-07 04:17 GMT-04:00 Peter Gutmann <pgut001@cs.auckland.ac.nz>:
>>> Ruben Gonzalez <in+lists@ruben-gonzalez.de> writes:
>>> 
>>> >We did not attack SPAKE2 directly, but a faulty implementation.
>>> 
>>> Nice work!  This is an example of what I once referred to as second-order
>>> snake oil crypto, good crypto applied badly (first-order is bad crypto).
>> 
>> Snake oil is fraudulent. This is a broken implementation, for which specification authors should at least consider sharing the blame. How did the spec fail the implementers, who presumably were not trying to implement something in a broken way?
> 
> The SPAKE2 draft postdates many of the deployed implementations. There is no evidence the authors consulted the draft, which specified M and N to avoid exactly this failure.
>> 
>> 
>> (I know, I know, SPAKE2 is a draft, not an RFC! But it's been a draft for almost 7 years, and at some point people need to implement stuff.)
> 
> I think the failure to publish a secure protocol that is actually deployed and used in a timely manner is a problem. Thankfully it has at last gotten out of the CFRG.
> 
> Part of the issue is that I had a dissertation to write and was not the most motivated all of the time. But the bigger issue imho is that very few implementors gave feedback or provided the prodding to advance it. Until Ben came along no one cared and Kitten ended up doing its own thing because we were too slow.
> 
> What happened to rough consensus and running code?

That was bad phrasing on my side, sorry Watson.

It was "specification authors" at large, not "this specification's Authors". It looks like the way it failed this implementation might be by not finalizing soon enough, which is definitely not your individual responsibility (as that would be of course an unsustainable model).

In other words, agreed on where the problem lies.
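The point Watson's message makes about the draft pinning M and N is easier to see in code. What follows is an added toy example, not code from this thread, from the draft, or from the implementation the thread is about: a minimal SPAKE2 over a prime-order subgroup, run once with M and N derived by hashing (so nobody knows their discrete logs) and once with an N built as g^n for a scalar the attacker knows. The ~128-bit safe-prime group, the leaked scalar, the password list and the stripped-down transcript are all constructed for the demo and are not deployment parameters.

```python
# Added toy example: SPAKE2 over a ~128-bit prime-order subgroup, plus the offline
# dictionary attack an attacker gets when log_g(N) is known. Not from the thread.
import hashlib
import hmac
import random

RNG = random.SystemRandom()
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def is_probable_prime(n: int) -> bool:
    """Trial division, then Miller-Rabin with fixed bases (enough for a demo)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES[:12]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_group():
    """Deterministic search for a safe prime p = 2q + 1 just above 2^128; we work in
    the order-q subgroup (quadratic residues), generated by g = 4 = 2^2. Toy size only."""
    q = (1 << 127) + 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

def hash_to_subgroup(p: int, label: bytes) -> int:
    """Nothing-up-my-sleeve element: hash a label, square into the subgroup.
    Nobody learns log_g of the result; this is what fixed M, N in the draft give you."""
    return pow(int.from_bytes(hashlib.sha256(label).digest(), "big") % p, 2, p)

def password_scalar(q: int, password: bytes) -> int:
    return int.from_bytes(hashlib.sha256(password).digest(), "big") % q

def shared_key(pA: int, pB: int, K: int) -> bytes:
    """Toy transcript: pA || pB || K (a real transcript also binds identities and w)."""
    return hashlib.sha256(b"".join(v.to_bytes(32, "big") for v in (pA, pB, K))).digest()

def confirm(key: bytes, side: bytes) -> bytes:
    return hmac.new(key, side, hashlib.sha256).digest()

def client_send(p, q, g, M, w):
    """A -> B: pA = g^x * M^w."""
    x = RNG.randrange(1, q)
    return x, pow(g, x, p) * pow(M, w, p) % p

def client_finish(p, q, N, w, x, pA, pB) -> bytes:
    """A: K = (pB * N^-w)^x, using N^-w = N^(q-w) since N has order q."""
    return shared_key(pA, pB, pow(pB * pow(N, (-w) % q, p) % p, x, p))

def honest_run(p, q, g, M, N, password: bytes) -> bool:
    """Both sides know the password and must derive the same key."""
    w = password_scalar(q, password)
    x, pA = client_send(p, q, g, M, w)
    y = RNG.randrange(1, q)
    pB = pow(g, y, p) * pow(N, w, p) % p
    kA = client_finish(p, q, N, w, x, pA, pB)
    kB = shared_key(pA, pB, pow(pA * pow(M, (-w) % q, p) % p, y, p))
    return hmac.compare_digest(kA, kB)

def impersonate_server(p, q, g, M, N, n_claim, client_password, dictionary):
    """Attacker plays B with no password, believing N = g^n_claim. It sends pB = g^y,
    so the honest client derives K = g^(x*(y - n*w)). Offline, per guess w':
    g^x = pA * M^-w', K' = (g^x)^(y - n*w'); compare against A's confirmation MAC.
    Returns the recovered password, or None when no guess (or the wrong n) fits."""
    w = password_scalar(q, client_password)
    x, pA = client_send(p, q, g, M, w)            # honest client, real password
    y = RNG.randrange(1, q)
    pB = pow(g, y, p)                             # attacker's message, no w involved
    macA = confirm(client_finish(p, q, N, w, x, pA, pB), b"A")
    for cand in dictionary:                       # offline phase after one handshake
        wc = password_scalar(q, cand)
        gx = pA * pow(M, (-wc) % q, p) % p
        K = pow(gx, (y - n_claim * wc) % q, p)
        if hmac.compare_digest(confirm(shared_key(pA, pB, K), b"A"), macA):
            return cand
    return None

P, Q, G = toy_group()
GOOD_M = hash_to_subgroup(P, b"SPAKE2 M")        # draft-style: unknown discrete log
GOOD_N = hash_to_subgroup(P, b"SPAKE2 N")
LEAKED_N_LOG = 0x5A5A5A5A                        # hypothetical: N built as g^n, n knowable
BAD_N = pow(G, LEAKED_N_LOG, P)
DICTIONARY = [b"password", b"letmein", b"hunter2", b"correct horse"]   # constructed
```

`honest_run` succeeds with `BAD_N` just as it does with `GOOD_N`, which is why a bug of this shape survives interop testing. `impersonate_server(P, Q, G, GOOD_M, BAD_N, LEAKED_N_LOG, b"hunter2", DICTIONARY)` returns `b"hunter2"` after a single aborted handshake and an offline search, needing only n = log_g(N) and never the password; the same call with `GOOD_N` and any guessed n returns `None`, because hash-derived M and N leave the attacker with nothing to plug into the last step. That is the generic weakness the fixed constants rule out, not a description of the particular implementation reported in the thread.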