[CFRG] Re: RGLC on draft-irtf-cfrg-opaque-13

Eric Rescorla <ekr@rtfm.com> Mon, 27 May 2024 22:46 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01229C14F6E9 for <cfrg@ietfa.amsl.com>; Mon, 27 May 2024 15:46:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Level:
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X-_I3kVpBKty for <cfrg@ietfa.amsl.com>; Mon, 27 May 2024 15:46:01 -0700 (PDT)
Received: from mail-yw1-x1136.google.com (mail-yw1-x1136.google.com [IPv6:2607:f8b0:4864:20::1136]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3C54C14F689 for <cfrg@irtf.org>; Mon, 27 May 2024 15:46:00 -0700 (PDT)
Received: by mail-yw1-x1136.google.com with SMTP id 00721157ae682-62a087bc74bso1919147b3.2 for <cfrg@irtf.org>; Mon, 27 May 2024 15:46:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1716849960; x=1717454760; darn=irtf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=NfPxjg/AVpYuh4UWd6x4viQWtSL4J7tT5msXOqBvsLc=; b=dHJrjuu2NSpNrm446qcJNeq0tLmfETlAgN2zGhA6C4bHtBxjgaPm8DtoGAjhFcF8gW A+r2fhyRTsYSTWhHm+xkI3xKdZg+xNGDZnVb8MUbwlH1oRu2xPk4q2ibqGujkt0chRGQ PV32c+hNr1th0FRHKS1FjkzEXdDzO99WxLIMNzUP/yw35udMgsZliHzF7k2xb2WcYCXR bq/DWaCAFA+XgR2tcaO55IveDCGuZ/Bc3V2kLhqe/1RDDaulQqGKoFlrizDWDv//01Q2 UHdoomucXCqPNGkmn9v4msAK/FVrPc95vvAqpXxp5UGL60O3UvePsEjMvpugupAe2ijJ kNjg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716849960; x=1717454760; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=NfPxjg/AVpYuh4UWd6x4viQWtSL4J7tT5msXOqBvsLc=; b=EmzBvHofWoYDSluJCl+4B0KRK9NFOkevM12/rX/ydtWNqCxfNMBahqrxj3Z6kamaIv JEZ/nc8CmY9Uv3CaBVdBERd27MLRHXcUFoaFAqpus0xp+aVaFLP0X3a40F9N/kz+x/Z6 YlWGm5CMmeu9x6+g0WNw4/0gyP8P4mHE/TkIok3s0cQppxAwdaQ2IEFGR896YwWIURcR XaoQZ4XZfsphMQTReXBfIQoNWRNzijQO0LPxkBoJk65oLiTcjQDWzjgU7C74iFj+yXbY NIrMKJ+j2/zSJo5vADHSq/x+KG07LmpycwCDJTqJwGB0ozVoVhr4zqGaMOISb3VX66CS aDFw==
X-Gm-Message-State: AOJu0YxEyRnWb0fwoFbqOJLHaL2Y3uaG8/biPJ7ff4bSvReIajw+z+qB zFIMBnKPIeLGOyhDWC4iAk54QU915588wNvqYzrZWwC9x33aH0tYOeEhftKia30Za9CFLEu/TsW 85ycN1ygQxhhoaSjOUpEyobL3ZTqcEOM1WYGhtM5Da9J36kXI
X-Google-Smtp-Source: AGHT+IGjaP6F6C9hzczFDlfZgd5U7B/yrQk5IvGkGjv+5i9gMSh8hujlewjjYr28mctmcM0LhtgzRnuFKXa9Yz5sB9M=
X-Received: by 2002:a81:4324:0:b0:61b:16d9:47cd with SMTP id 00721157ae682-62a08d5ec80mr101064497b3.11.1716849959685; Mon, 27 May 2024 15:45:59 -0700 (PDT)
MIME-Version: 1.0
References: <CADi0yUNbiVTe9BaoCFgDaTC06Z1LMAx6q2hJDiWydpy6xFqtRQ@mail.gmail.com> <GV1PR01MB8436B6B6B75DEBC9F1FB30A9D6EA2@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <CADi0yUNCkk8Y5dQJH6DjR33cP7KXXrQsmHfA0UDRxjGuoXCaLA@mail.gmail.com> <GV1PR01MB8436DBCC8F5B167B0B44490AD6EA2@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <CADi0yUPcyc9oSM4NqWynkWuTPStnD9yqt4XwmAg7c=XjCtik4A@mail.gmail.com> <GV1PR01MB84364908B61E293E46012214D6EB2@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <CADi0yUOtSBmCnQMP-MoyzzxF6LZQcrKfo03sN2cNuO6MS74NAg@mail.gmail.com> <GV1PR01MB84361129416DC8B621CAAEDFD6F42@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <y5y4iquyvrao7jtpyc2ycjtz4sg5dbzhrhddz5j6rv3eydyd2o@zy65yreteuoh> <GV1PR01MB8436B919FE24E2E022639155D6F52@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <2dhbnlfzwgllzqc7farahxqkct3zqcoi7wdj7vybivlzzwxrei@e7phsvy5i6ae> <GV1PR01MB843618C88187FE124B1F142ED6F02@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <CACsn0c=M5OofNyG8YhO4vYOWwFvZW9yLpwMGMXkkDrXZ=Ty1jw@mail.gmail.com> <GV1PR01MB8436ACA18A87EA7AA8A4EA57D6F02@GV1PR01MB8436.eurprd01.prod.exchangelabs.com> <CABcZeBP64AC_mSgyU-YyQwCz3bHrbvcqB0xk0TdXampdCtvu6A@mail.gmail.com> <GV1PR01MB8436DDBCAF9F00DDCF34D19BD6F02@GV1PR01MB8436.eurprd01.prod.exchangelabs.com>
In-Reply-To: <GV1PR01MB8436DDBCAF9F00DDCF34D19BD6F02@GV1PR01MB8436.eurprd01.prod.exchangelabs.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 27 May 2024 15:45:22 -0700
Message-ID: <CABcZeBPsVUaSsX-WOV9ow2tTSaZqspzeAoBhxLBBjJAav71C0g@mail.gmail.com>
To: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
Content-Type: multipart/alternative; boundary="000000000000faf4c506197747d5"
Message-ID-Hash: 7L4GPI2NPU3E35R6JCGI7IKOS7KSUEGD
X-Message-ID-Hash: 7L4GPI2NPU3E35R6JCGI7IKOS7KSUEGD
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: IRTF CFRG <cfrg@irtf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [CFRG] Re: RGLC on draft-irtf-cfrg-opaque-13
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/u97ZfVuLDZw8t7DDrc-Aq2i5Xc8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

On Mon, May 27, 2024 at 3:15 PM Hao, Feng <Feng.Hao@warwick.ac.uk> wrote:

> Hi Eric,
>
>
>
> What I propose is to remove the key confirmation string sent by the server
> in the 2nd pass. The client sends its key confirmation in the 3rd pass,
> and the server only sends its key confirmation string in the 4th pass.
> This will be a revision in the protocol spec. I couldn’t see how adding a
> piece of text could properly address this issue.
>

Thanks for the explanation.

I don't see this as a realistic proposal, as it would mean that OPAQUE
would not be able to fit into TLS 1.3 without significant surgery to the
TLS 1.3 core, which is obviously undesirable for deployment reasons. It
seems to me that we do want it to be possible to use PAKEs with TLS 1.3,
and if the choices are to accept this property or to make big changes to
TLS 1.3, then I think the right answer is probably to accept this property
and document it in the specification.

-Ekr


>
> Cheers,
>
> Feng
>
>
>
> *From: *Eric Rescorla <ekr@rtfm.com>
> *Date: *Monday, 27 May 2024 at 23:00
> *To: *Hao, Feng <Feng.Hao@warwick.ac.uk>
> *Cc: *Watson Ladd <watsonbladd@gmail.com>, IRTF CFRG <cfrg@irtf.org>
> *Subject: *Re: [CFRG] Re: RGLC on draft-irtf-cfrg-opaque-13
>
> Feng,
>
>
>
> This has been a very long thread, with a lot of back and forth, but it's
> not clear to me what outcome you are looking for here.
>
>
>
> Do you have a proposed piece of text that you think should be in the
> OPAQUE draft prior to it going to RFC? If so, what is that text?
>
>
>
> -Ekr
>
>
>
>
>
> On Mon, May 27, 2024 at 2:32 PM Hao, Feng <Feng.Hao=
> 40warwick.ac.uk@dmarc.ietf.org> wrote:
>
> Hi Watson,
>
>
>
> That will be a standard online dictionary attack which applies to any
> PAKE, and can be detected and “accurately” recorded by the server. Please
> have a look at Ding and Horster’s 1995 paper which I posted earlier.
> https://dl.acm.org/doi/pdf/10.1145/219282.219298 That paper explains the
> difference between a standard (detectable) online dictionary attack and an
> undetectable online dictionary attack. Similar attacks in various different
> protocol settings have been well studied in the past 30 years.
>
>
>
> Cheers,
>
> Feng
>
>
>
> *From: *Watson Ladd <watsonbladd@gmail.com>
> *Date: *Monday, 27 May 2024 at 21:49
> *To: *Hao, Feng <Feng.Hao@warwick.ac.uk>
> *Cc: *Riad S. Wahby <riad@cmu.edu>, IRTF CFRG <cfrg@irtf.org>
> *Subject: *Re: [CFRG] Re: RGLC on draft-irtf-cfrg-opaque-13
>
> On Mon, May 27, 2024 at 6:13 AM Hao, Feng
> <Feng.Hao=40warwick.ac.uk@dmarc.ietf.org> wrote:
> >
> > Hi Riad,
> >
> >
> >
> > The factual difference between OPAQUE and SRP-6a is that in OPAQUE, the
> server is authenticated first, whilst in SRP-6a, the client is
> authenticated first. The order of authentication has a profound implication
> in security here. For the case of OPAQUE, the server leaks password
> verification information via the key confirmation string in the 2nd pass
> before the client is authenticated. If the client drops out, the server
> can’t distinguish legitimate drop-outs from online guessing attacks. This
> means that the server has to deal with false positives (denying legitimate
> users hence causing the DoS attack to its own users) and false negatives
> (letting an attacker guess the password without being detected or logged).
> Managing the false positive and false negative can be complicated in
> practice.
>
> Huh? An attacker can always carry out the full protocol to guess to
> lock someone out. That a query amounts to a guess doesn't really
> change this.
>
> --
> Astra mortemque praestare gradatim
>
> _______________________________________________
> CFRG mailing list -- cfrg@irtf.org
> To unsubscribe send an email to cfrg-leave@irtf.org
>
>