IETF Logo Mail Archive

Re: [Cfrg] (Preliminary) review of augmented PAKEs

Björn Haase <bjoern.m.haase@web.de> Sun, 22 September 2019 20:26 UTC

Return-Path: <bjoern.m.haase@web.de>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9618912002E for <cfrg@ietfa.amsl.com>; Sun, 22 Sep 2019 13:26:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=web.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j63oHCC3kkTR for <cfrg@ietfa.amsl.com>; Sun, 22 Sep 2019 13:26:07 -0700 (PDT)
Received: from mout.web.de (mout.web.de [212.227.17.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D02F120024 for <cfrg@irtf.org>; Sun, 22 Sep 2019 13:26:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=web.de; s=dbaedf251592; t=1569183962; bh=jY930oId4PzpI/FUWI3PzBqW4Fe/FuAEAGYeH1ycw6s=; h=X-UI-Sender-Class:Subject:To:References:From:Date:In-Reply-To; b=JioImprF2BMZ0PlRhXmFTjJQCVTDjFy9jeRGMrf890HwieiKory1kmIasbecbrzgU N6355jfhQljA5dpsnDJNYTaCuKGcNnTPdjagJb/V5XhIblrxQyYVJvmJZuJpPDCMGo wYVSMKUEpuXnm0+UAact92TFXvJLk2nD0nzO297A=
X-UI-Sender-Class: c548c8c5-30a9-4db5-a2e7-cb6cb037b8f9
Received: from [192.168.2.161] ([94.218.65.48]) by smtp.web.de (mrweb102 [213.165.67.124]) with ESMTPSA (Nemesis) id 0LiCsx-1hpC5B0Xbv-00nN1Z; Sun, 22 Sep 2019 22:26:02 +0200
To: cfrg@irtf.org, Bjoern Tackmann <bjoern.tackmann@ieee.org>
References: <EDDF4DA5-32A7-4967-BA1C-3AAA359D6C19@ieee.org>
From: Björn Haase <bjoern.m.haase@web.de>
Message-ID: <912964bd-639f-4a13-adcd-bfdc56383e17@web.de>
Date: Sun, 22 Sep 2019 22:26:01 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <EDDF4DA5-32A7-4967-BA1C-3AAA359D6C19@ieee.org>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:xOWt+2hhT3UHs5CqWQMdJ0iQJkiV9VdrTcQN6uh67tKhcJAvb/3 d5kSw+cqj7CsWsRncjoFjP2WG9hT3bxB5Kp/qiKbg5VxpK0jD4na9QVSCz+grSQpaOF87zc vWrkT5wSfm54uOaz5jw7hSjcBsV3ycM+q0FVr1+lY+ykGnv8a6XFpWk/ehFmiy8WRoOigFU J61fXF57SICxsAg3RWGnw==
X-UI-Out-Filterresults: notjunk:1;V03:K0:+fiL9p0VF/c=:t9IzX7+5k4dB/pt990Rh2V 4aRl/xe/Ipp499yeJjGJo2+uAckeqL8QIAXpjJck5JvAIV/MutyU+8XRzd+bVBc3frRlnncMf aAIk2imv3A5JQBR/9oFHkXxE+kpnJei/PP/n6wrMWak89yqboMEciR/PoWUuYBljFKui0R1zs RSjzSr2wnBd2Vg5whDb0+kXcsHZ9/djt0cjH/JE0ZIhgjNz1aZe/aXZMl9OFk/0Dc9dEeG43f EXzvTPwBR78O+xIzAIq4hVuBImrq1+lsjrk71rCPyYSPTviKgLB8qo6QEsuCo/oUX3a24ewRU yz+NSsTK+juoYsY9kx8mw4+H1s8r9DM9Mc9Hg/j6KLjBiMa/Mzl4EsJmOHi+cb/ex/sUafNy8 TCXvCXS1uYQ/yPhaQ3Wqjm7653se9Nrx6PBNojYmKWvhHSg2ZO1YK/k5dwTtXZAU2GwJBcyAT Ni3tKYfkzYhkkCnq9XYELm+x6ds0VhZ7oBJPMrc2xIT33px1I4WsOSGT4S8uTWmIwsN1JqYRo 4o0JhWZNMc6UbQuYvbvbNUuy8jXJFffd3DGvv8UQqQJ3PDgciE+19HD9s1kEIfXFRvq6xoMcV 59k45PYVwyk52q5P9djI2TPJaMX28CaYpSY59hyYkjev7amLuN6VQKWJngSmhFmDbKV+XouFF TxnlBr7LZkNQVSnWC0Z50NM2z/UTj0Wss4KVhw0MX0rENkh9FBL1QQlrsOqfolIeG2cGsIucb TIr1zPOx+SwYTvnWtRvNvvi/aY5WWpyMWwzh81LOHgd7DFmaTxEGEI0G6CsTSQMt3h4kwUPQV sGLwwDElN7WHqgSSnpZRlye5FYSehKOcksn8SpwHn3O3O0AoMD7bHlQYTsh98kVRmGWA6ahc7 BPgOQKxhv6XMpOxgJ1p4JF8Q4WKP9F2lhd3FUzfTVuQVFnjNjvmVIRbD1IQd+VbF9QATVlzAB 31tfuX990x0ahmVYt3poHSqVCU7aj+NNr75c5cHLIyZKwztoeVJT1TDyJMZySeVlf20/E9pS1 6NBZ+9cIQ0bqunREJMQqWWGRrlnBivwk4kfhaE5qgHogwNjdGX4S2UHshQypx+lgy5GAfAwgh CohQT+Kc5DtKFrsNdkqMP1pACOzt4It4HHpYpcL2MtP3FbfKhS6ibIhsSmMDu6ARRBnx6VPGh /4zxYAqyFYIRc7rJ5sQpaT/ULq8mKKAWMUC1aM8K88vD2Qm3XV+dxrSlCuEVyZm05e67ZOhYl gCFTtZrCjCBN4g8kU329ggI09ALd8wGig34RZ1Dg8oJnh5SeBiPdwMskq2xY=
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/vK5TqgFD5e1-8FWjdEyEMoX7-mg>
Subject: Re: [Cfrg] (Preliminary) review of augmented PAKEs
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Sep 2019 20:26:10 -0000

Dear Björn (Tackmann),

I have just uploaded a revised version of the security paper for AuCPace
and CPace on the eprints

https://eprint.iacr.org/2018/286

The most significant change with respect to the previous paper version
is the corrction with respect to perfect and weak forward secrecy
regarding protocol variants with and without explicit key confirmation.

> One difference in modeling with OPAQUE is in user registration: AuCPace has an explicit user registration sub-protocol in which the user inputs the password and interacts with the server. OPAQUE models the cleartext password to be input by the server. The AuCPace modeling seems to better capture real deployments, but the modeling of this step in the analysis is inconsistent and evades the formal model. So at this point I’m not really happy with either.

I have re-worked the modeling of password registration. I now have
modified the ideal functionality F_apwKE such that it allows for
registering the password on the server P_j by a query of the client P_i.

Also I have reworked the formal procedure of password registration by
introducing a F_tunnel functionality for the confidential and
authenticated channel which is assumed to be used for password change
and password registering.

> Concrete issues in the current proofs:
>
> CPace:
> - In G1, the authors use Assumption 2 to argue that the image of Map2Point is large. This argument fails (the reduction does not work out), but as this property of Map2Point (that its image is large in J) should hold unconditionally for interesting candidates, it seems preferable to simply state and use this fact. (It fixes and simplifies the proof.)
I have now added this requirement as additional statement for assumption
A1 for the CPace theorem. (Since both parties, client and Server, "halt"
after issuing the NewSession query to F_pwKE and F_pwKE already sends a
message to the adversary as reaction on the client and server'S
NewSession queries, the only way to make the protocol proceed seems to
be a message from the adversary.)
> - In G3, the flag DHFails is set if the adversary interacted with the Diffie-Hellman values "in a destructive way". However, one should note that the basis used in the original protocol and the one used in the simulation are not the same, it’s not a priori clear that "destructive” would be the same (or at least that would require proof). One fix for this is a modification of the protocol, namely computing sk = H2(sid || K || Ya || Yb) instead of sk = H2(sid || K) as done now; then any modification by the adversary will be destructive.

I agree with you that hashing full transcripts simplifies security
analysis a lot and doing so is kind of the "gold standard" for this type
of protocol. We were aware of this when designing the protocol.

However as AuCPace was explicitly designed to be tailored for smallest
targets, even the 64 or 128 bytes of additional RAM requirement for the
transcript were considered to be an issue. I agree that your suggestion
is also a safe choice and simplifies the security proofs. However, I am
still convinced that all of the security guarantees are maintained also
without "full transcripts". I have added a corresponding section 4.3
that considers this topic in more detail. Actually for subsystems like
TLS I would also advocate for "full transcripts", however for other
constructions that aim to be less resource-hungry, I'd like to keep the
option without full transcripts.

> AuCPace:
> - The protocol has an input (contimueAfterHashingParams, sid, ssid, P_i) [sic] that is never sent, which formally makes the server halt. It does not seem to be an input from Z, since Fawpke does not have it. It could also be a message from the client, but the protocol does not specify that either. (I think it should be an input of Fawpke.)
In fact, we need the external trigger from the adversary in order to
make the server party continue. We have added a corresponding statement
in the description.
> Overall, although I am not explicitly aware of further flaws and believe the protocol is secure, I found it impossible to be fully convinced by the proofs of CPace and AuCPace. (Especially verifying the completeness, meaning that all cases are covered, mostly due to the write-up.)

I agree that the write-up would benefit from a complete rework from
scratch. (With my present knowledge I would have addressed the topic
completely differently). However we did not see to manage this re-work
within our target deadline of end of september latest. Thank you for
your patience and care.

One problem for us was, that we aimed at covering all of the different
possible combinations of "partial/full augmentation", "with / without
explicit key confirmation" and "with / without pre-computation attack
resistance" in one proof paper in addition to the complexity of adaptive
adversaries ...

In order to make the differences in the functionalities, assumptions and
protocol variants more transparent, we now have added an appendix E.

> On tightness. The security statements are asymptotic, and cannot easily be turned into concrete security ones with good bounds (see, e.g., the step Game0 -> Game1 of the CPace proof).
Yes, I agree.

v2.23.0 | Report a Bug | By Email