Re: [Cfrg] (Preliminary) review of augmented PAKEs
Björn Haase <bjoern.m.haase@web.de> Sun, 22 September 2019 20:26 UTC
Return-Path: <bjoern.m.haase@web.de>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9618912002E for <cfrg@ietfa.amsl.com>; Sun, 22 Sep 2019 13:26:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=web.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j63oHCC3kkTR for <cfrg@ietfa.amsl.com>; Sun, 22 Sep 2019 13:26:07 -0700 (PDT)
Received: from mout.web.de (mout.web.de [212.227.17.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D02F120024 for <cfrg@irtf.org>; Sun, 22 Sep 2019 13:26:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=web.de; s=dbaedf251592; t=1569183962; bh=jY930oId4PzpI/FUWI3PzBqW4Fe/FuAEAGYeH1ycw6s=; h=X-UI-Sender-Class:Subject:To:References:From:Date:In-Reply-To; b=JioImprF2BMZ0PlRhXmFTjJQCVTDjFy9jeRGMrf890HwieiKory1kmIasbecbrzgU N6355jfhQljA5dpsnDJNYTaCuKGcNnTPdjagJb/V5XhIblrxQyYVJvmJZuJpPDCMGo wYVSMKUEpuXnm0+UAact92TFXvJLk2nD0nzO297A=
X-UI-Sender-Class: c548c8c5-30a9-4db5-a2e7-cb6cb037b8f9
Received: from [192.168.2.161] ([94.218.65.48]) by smtp.web.de (mrweb102 [213.165.67.124]) with ESMTPSA (Nemesis) id 0LiCsx-1hpC5B0Xbv-00nN1Z; Sun, 22 Sep 2019 22:26:02 +0200
To: cfrg@irtf.org, Bjoern Tackmann <bjoern.tackmann@ieee.org>
References: <EDDF4DA5-32A7-4967-BA1C-3AAA359D6C19@ieee.org>
From: Björn Haase <bjoern.m.haase@web.de>
Message-ID: <912964bd-639f-4a13-adcd-bfdc56383e17@web.de>
Date: Sun, 22 Sep 2019 22:26:01 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <EDDF4DA5-32A7-4967-BA1C-3AAA359D6C19@ieee.org>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:xOWt+2hhT3UHs5CqWQMdJ0iQJkiV9VdrTcQN6uh67tKhcJAvb/3 d5kSw+cqj7CsWsRncjoFjP2WG9hT3bxB5Kp/qiKbg5VxpK0jD4na9QVSCz+grSQpaOF87zc vWrkT5wSfm54uOaz5jw7hSjcBsV3ycM+q0FVr1+lY+ykGnv8a6XFpWk/ehFmiy8WRoOigFU J61fXF57SICxsAg3RWGnw==
X-UI-Out-Filterresults: notjunk:1;V03:K0:+fiL9p0VF/c=:t9IzX7+5k4dB/pt990Rh2V 4aRl/xe/Ipp499yeJjGJo2+uAckeqL8QIAXpjJck5JvAIV/MutyU+8XRzd+bVBc3frRlnncMf aAIk2imv3A5JQBR/9oFHkXxE+kpnJei/PP/n6wrMWak89yqboMEciR/PoWUuYBljFKui0R1zs RSjzSr2wnBd2Vg5whDb0+kXcsHZ9/djt0cjH/JE0ZIhgjNz1aZe/aXZMl9OFk/0Dc9dEeG43f EXzvTPwBR78O+xIzAIq4hVuBImrq1+lsjrk71rCPyYSPTviKgLB8qo6QEsuCo/oUX3a24ewRU yz+NSsTK+juoYsY9kx8mw4+H1s8r9DM9Mc9Hg/j6KLjBiMa/Mzl4EsJmOHi+cb/ex/sUafNy8 TCXvCXS1uYQ/yPhaQ3Wqjm7653se9Nrx6PBNojYmKWvhHSg2ZO1YK/k5dwTtXZAU2GwJBcyAT Ni3tKYfkzYhkkCnq9XYELm+x6ds0VhZ7oBJPMrc2xIT33px1I4WsOSGT4S8uTWmIwsN1JqYRo 4o0JhWZNMc6UbQuYvbvbNUuy8jXJFffd3DGvv8UQqQJ3PDgciE+19HD9s1kEIfXFRvq6xoMcV 59k45PYVwyk52q5P9djI2TPJaMX28CaYpSY59hyYkjev7amLuN6VQKWJngSmhFmDbKV+XouFF TxnlBr7LZkNQVSnWC0Z50NM2z/UTj0Wss4KVhw0MX0rENkh9FBL1QQlrsOqfolIeG2cGsIucb TIr1zPOx+SwYTvnWtRvNvvi/aY5WWpyMWwzh81LOHgd7DFmaTxEGEI0G6CsTSQMt3h4kwUPQV sGLwwDElN7WHqgSSnpZRlye5FYSehKOcksn8SpwHn3O3O0AoMD7bHlQYTsh98kVRmGWA6ahc7 BPgOQKxhv6XMpOxgJ1p4JF8Q4WKP9F2lhd3FUzfTVuQVFnjNjvmVIRbD1IQd+VbF9QATVlzAB 31tfuX990x0ahmVYt3poHSqVCU7aj+NNr75c5cHLIyZKwztoeVJT1TDyJMZySeVlf20/E9pS1 6NBZ+9cIQ0bqunREJMQqWWGRrlnBivwk4kfhaE5qgHogwNjdGX4S2UHshQypx+lgy5GAfAwgh CohQT+Kc5DtKFrsNdkqMP1pACOzt4It4HHpYpcL2MtP3FbfKhS6ibIhsSmMDu6ARRBnx6VPGh /4zxYAqyFYIRc7rJ5sQpaT/ULq8mKKAWMUC1aM8K88vD2Qm3XV+dxrSlCuEVyZm05e67ZOhYl gCFTtZrCjCBN4g8kU329ggI09ALd8wGig34RZ1Dg8oJnh5SeBiPdwMskq2xY=
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/vK5TqgFD5e1-8FWjdEyEMoX7-mg>
Subject: Re: [Cfrg] (Preliminary) review of augmented PAKEs
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Sep 2019 20:26:10 -0000
Dear Björn (Tackmann), I have just uploaded a revised version of the security paper for AuCPace and CPace on the eprints https://eprint.iacr.org/2018/286 The most significant change with respect to the previous paper version is the corrction with respect to perfect and weak forward secrecy regarding protocol variants with and without explicit key confirmation. > One difference in modeling with OPAQUE is in user registration: AuCPace has an explicit user registration sub-protocol in which the user inputs the password and interacts with the server. OPAQUE models the cleartext password to be input by the server. The AuCPace modeling seems to better capture real deployments, but the modeling of this step in the analysis is inconsistent and evades the formal model. So at this point I’m not really happy with either. I have re-worked the modeling of password registration. I now have modified the ideal functionality F_apwKE such that it allows for registering the password on the server P_j by a query of the client P_i. Also I have reworked the formal procedure of password registration by introducing a F_tunnel functionality for the confidential and authenticated channel which is assumed to be used for password change and password registering. > Concrete issues in the current proofs: > > CPace: > - In G1, the authors use Assumption 2 to argue that the image of Map2Point is large. This argument fails (the reduction does not work out), but as this property of Map2Point (that its image is large in J) should hold unconditionally for interesting candidates, it seems preferable to simply state and use this fact. (It fixes and simplifies the proof.) I have now added this requirement as additional statement for assumption A1 for the CPace theorem. (Since both parties, client and Server, "halt" after issuing the NewSession query to F_pwKE and F_pwKE already sends a message to the adversary as reaction on the client and server'S NewSession queries, the only way to make the protocol proceed seems to be a message from the adversary.) > - In G3, the flag DHFails is set if the adversary interacted with the Diffie-Hellman values "in a destructive way". However, one should note that the basis used in the original protocol and the one used in the simulation are not the same, it’s not a priori clear that "destructive” would be the same (or at least that would require proof). One fix for this is a modification of the protocol, namely computing sk = H2(sid || K || Ya || Yb) instead of sk = H2(sid || K) as done now; then any modification by the adversary will be destructive. I agree with you that hashing full transcripts simplifies security analysis a lot and doing so is kind of the "gold standard" for this type of protocol. We were aware of this when designing the protocol. However as AuCPace was explicitly designed to be tailored for smallest targets, even the 64 or 128 bytes of additional RAM requirement for the transcript were considered to be an issue. I agree that your suggestion is also a safe choice and simplifies the security proofs. However, I am still convinced that all of the security guarantees are maintained also without "full transcripts". I have added a corresponding section 4.3 that considers this topic in more detail. Actually for subsystems like TLS I would also advocate for "full transcripts", however for other constructions that aim to be less resource-hungry, I'd like to keep the option without full transcripts. > AuCPace: > - The protocol has an input (contimueAfterHashingParams, sid, ssid, P_i) [sic] that is never sent, which formally makes the server halt. It does not seem to be an input from Z, since Fawpke does not have it. It could also be a message from the client, but the protocol does not specify that either. (I think it should be an input of Fawpke.) In fact, we need the external trigger from the adversary in order to make the server party continue. We have added a corresponding statement in the description. > Overall, although I am not explicitly aware of further flaws and believe the protocol is secure, I found it impossible to be fully convinced by the proofs of CPace and AuCPace. (Especially verifying the completeness, meaning that all cases are covered, mostly due to the write-up.) I agree that the write-up would benefit from a complete rework from scratch. (With my present knowledge I would have addressed the topic completely differently). However we did not see to manage this re-work within our target deadline of end of september latest. Thank you for your patience and care. One problem for us was, that we aimed at covering all of the different possible combinations of "partial/full augmentation", "with / without explicit key confirmation" and "with / without pre-computation attack resistance" in one proof paper in addition to the complexity of adaptive adversaries ... In order to make the differences in the functionalities, assumptions and protocol variants more transparent, we now have added an appendix E. > On tightness. The security statements are asymptotic, and cannot easily be turned into concrete security ones with good bounds (see, e.g., the step Game0 -> Game1 of the CPace proof). Yes, I agree.
- [Cfrg] (Preliminary) review of augmented PAKEs Bjoern Tackmann
- Re: [Cfrg] (Preliminary) review of augmented PAKEs Hugo Krawczyk
- Re: [Cfrg] (Preliminary) review of augmented PAKEs Björn Haase
- Re: [Cfrg] (Preliminary) review of augmented PAKEs Björn Haase