Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE schemes
Watson Ladd <watsonbladd@gmail.com> Fri, 29 January 2016 05:34 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39B891B3E17 for <cfrg@ietfa.amsl.com>; Thu, 28 Jan 2016 21:34:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fp3Smr5WV9Ja for <cfrg@ietfa.amsl.com>; Thu, 28 Jan 2016 21:34:29 -0800 (PST)
Received: from mail-yk0-x22b.google.com (mail-yk0-x22b.google.com [IPv6:2607:f8b0:4002:c07::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D2CD1B3E16 for <cfrg@irtf.org>; Thu, 28 Jan 2016 21:34:29 -0800 (PST)
Received: by mail-yk0-x22b.google.com with SMTP id r207so14203752ykd.2 for <cfrg@irtf.org>; Thu, 28 Jan 2016 21:34:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=ecc7FCge6d5WXjera8EaxvN77RpEiiubCqsfbOFxFTY=; b=v83/M+5WnrNPEjeL5QOFy4yIaUfzu4ET7ZqUUeLkAYTEKpIOjU09YZAIAT4anRKU1x C453Q2VCLmU5XwGOGaEzDRgY8BEWBOIyocaNmxEE0rhQkj7XsratU8fA7CRU/k9cwYfH OZnWl/9WplIF8YU6zZVgZn9aOKtBF+J3riSSjQNMxVV6hcnGXQCM9elTtx0WYd6Bc2on 4ezKvYqSRF3dBXbsoBnzXw7g7k1b88fQ56w7THrxMZNtSOagQchUaYdQL4C1+IDbDSAC 5VBxWahl4E7R5tvnIZiQfSlzn+EVdTVO4AMvOi8HVeAbY8S2aBcF3LWpUON51KgMhK7G s1YA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=ecc7FCge6d5WXjera8EaxvN77RpEiiubCqsfbOFxFTY=; b=RCip4pNQZArVyjrHWkuj4b4uXeLbvfbYA7Q14oAPC4X1QqAWWroPnBBzyxL92T7pYx oFvvjWZi53apmMsmqhrlbRphfmzTrUXSE1TQ6RYmZTrqIHvRbAKiClT8h7HuTDb7FgC2 A7ymqz9aGFEI3D7nru3dEK/fIcezez3Pdm+RVWtCxpgAjor/JhOTGXBT1Tr+x0LyXRAu aDCgrWkA6EvHrurKUTj32jRm5HUFV23ZEaPE5j7XegZzsaioFR3YFnKLsNZ3qnOLI7Cr NjrCU518peWX8AOR3rpB0Knh1E1hH5RnZ1N4MfYj/zpIK/FYCq/T5RE2Ma7xf0oAA/3A 5vQA==
X-Gm-Message-State: AG10YOShjlFCb3RnczQmQSi7KRkAbFrsv2BQzgVN6uNmoHLRVdmQUntK7Iyp95qoYCIhjZS71Xq6KWXxQnqvYg==
MIME-Version: 1.0
X-Received: by 10.37.78.5 with SMTP id c5mr1203605ybb.53.1454045668214; Thu, 28 Jan 2016 21:34:28 -0800 (PST)
Received: by 10.13.216.138 with HTTP; Thu, 28 Jan 2016 21:34:28 -0800 (PST)
In-Reply-To: <CAMr0u6nzV_Y87ghnAcmhgkzk4fgdKtC3Kj8NqPyawHrjhGVySg@mail.gmail.com>
References: <CAMr0u6=76q4n-u1Vpv5vWjSNgi4CtaOJoX0EmvcbXH+9C4w2mg@mail.gmail.com> <78D9D0BF-4ADE-4DDB-88A4-BF03DD6336BA@shiftleft.org> <9c878c6b6b505414f71fa53442e4a33a@mail.tc26.ru> <CAMr0u6nzV_Y87ghnAcmhgkzk4fgdKtC3Kj8NqPyawHrjhGVySg@mail.gmail.com>
Date: Thu, 28 Jan 2016 21:34:28 -0800
Message-ID: <CACsn0ckKX7pKZ5qU0y6cR3jyGV8JmL1V8EAUwU6b4ShDYVxmYw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/vYbTU60Mgd1VXHTLmEjfXMDWGt4>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE schemes
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jan 2016 05:34:33 -0000
On Thu, Jan 28, 2016 at 9:19 PM, Stanislav V. Smyshlyaev <smyshsv@gmail.com> wrote: > Hello, Mike and Grigory! > > Mike, I definitely agree with you that it is impossible to choose a single > solution for all PAKE applications. For example, now in Russia for the > current moment we have two fields where SESPAKE is used: > - protection of a channel between a PC and a cryptographic token (mostly for > the case of Bluetooth-tokens); > - draft implementations of IKEv2 with Russian crypto. > We have distinct issues with counters of attempts here – as you mentioned, > DoS prevention is crucial for many protocols, for IKE v2 particularly. > However, this does not mean that counters should not be controlled at all – > the whole PAKE idea would be nearly useless in this case – this only means > that counters must be managed sensitively and accurately: some of the > counters can be optional or can be controlled at other levels. > > For example, in our SESPAKE RFC draft > (https://www.ietf.org/id/draft-smyshlyaev-sespake-01.pdf) we stress (Section > 4, notes 5 and 6) that different counters must be handled in different ways. > The most important point here is that any PAKE security proof exploits > limitations of password trials – so the connected issues must be represented > in some way (with one or another level of strictness) in any PAKE protocol > description. > > Therefore, I would correct my consideration on PAKE requirements slightly. > It is of highly importance to add the requirement: a description of a PAKE > protocol MUST include descriptions and usage recommendations of the > following counters: > - counters of unsuccessful connections in a row, > - counters of unsuccessful connections for the particular password, > - counters of the total connections (successful and unsuccessful) > for the current password. Upper-layer protocols and applications can limit the number of login attempts. PAKEs that limit offline guessing and force online are sufficient, as most protocols already implement login limits. I don't see why site-specific policy needs to be put in an RFC. > > > Best regards, > Stanislav V. Smyshlyaev, Ph.D., > Head of Information Security Department, > CryptoPro LLC > > > 2016-01-28 23:45 GMT+03:00 Grigory Marshalko <marshalko_gb@tc26.ru>: >> >> Hi, for these heuristics we can use approaches like fuzzy extractors and >> the corresponding theory in order to determine corresponding limitations. >> But this of cause would require training phases. >> >> Regards, >> Grigory Marshalko, >> expert, >> Technical committee for standardisation "Cryptography and security >> mechanisms" (ТC 26) >> www.tc26.ru >> >> 28 января 2016 г., 21:10, "Mike Hamburg" <mike@shiftleft.org> написал: >> >> Hello Dr Smyshlyaev, >> >> It's worth noting that in many systems, the risk of DoS weighs against the >> risk of password guessing. The designers of these systems may not find it >> acceptable to hard lock an account based on a global count of attempts, >> especially if most of their adversaries are not powerful. For example, eBay >> doesn't want people to lock out the accounts of their competitors just by >> trying 10 times to log in. In these systems, heuristics are used (based eg >> on IP, CAPTCHAs or browser metrics) to deter guessing. The same sort of >> work is applicable to PAKE systems. So I don't think brute force prevention >> will be so one-size-fits-all. >> Cheers, >> -- Mike >> >> Sent from my phone. Please excuse brevity and typos. >> >> On Jan 28, 2016, at 02:59, Stanislav V. Smyshlyaev <smyshsv@gmail.com> >> wrote: >> >> >> >> Good afternoon! >> The order of most security bounds of PAKE protocols is determined by the >> value $q{send}/|D|$, where $D$ is a size of a password set and $q_{send}$ >> is a number of the adversary’s active impacts on the channel. The active >> impact assumes that the adversary can intercept a data in the channel and >> change it. A PAKE protocol is secure if a little number of such impacts >> cannot lead to the adversary’s success for some threat. It means that for >> the secure protocol any active impact leads to the fail abortion of the >> protocol. The bounds of the security can be reflected in the particular >> values if there are limitations for the value $q_{send}$. In practice it >> can be achieved with counters that limit the number of unsuccessful >> authentication attempts. These limitations are the essential part of the >> protocol as they define the final security. For example, their absence leads >> to the vulnerability of the protocol to the online password brute force >> attack. >> So we think that it is of highly importance to add the following >> requirement: the description of the protocol of the PAKE type MUST include >> the limitations and detailed description of the following counters: >> - counters of the fail connections in a row, >> - counters of the fail connections for the particular password, >> - counters of the total connections (successful and unsuccessful) >> for the current password. >> Best regards, >> Stanislav V. Smyshlyaev, Ph.D., >> Head of Information Security Department, >> CryptoPro LLC >> <seonghan.shin@aist.go.jp> wrote: >> >> Dear Jörn, >> Thank you for the document. >> Here are some comments: >> 1. It is somewhat misleading to differ balanced and augmented by a type of >> password storage in Section 3.1 because in balanced PAKE protocols passwords >> can be stored as elements generated with a one-way function. As you already >> wrote in the second paragraph, the difference is whether it is providing KCI >> or not. >> 2. In Section 3.3, “~ while the second one proposes a generic construction >> that allows transferring any two-party PAKE into a GPAKE protocol.”. >> However, there are other papers to convert 2-party PAKE to group PAKE (e.g., >> [ACGP11]). >> M. Abdalla et al., “Contributory Password-Authenticated Group Key Exchange >> with Join Capability,”' CT-RSA 2011 >> Best regards, >> Shin >> >> ------------------------------------------------------------------------------ >> SeongHan Shin >> Information Technology Research Institute (ITRI), >> National Institute of Advanced Industrial Science and Technology (AIST), >> 8F, AIST Tokyo Waterfront Bio-IT Research Building, >> 2-4-7 Aomi, Koto-ku, Tokyo, 135-0064, Japan >> Tel : +81-3-3599-8001 >> E-mail : seonghan.shin@aist.go.jp >> >> ------------------------------------------------------------------------------ >> >> >> >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org >> https://www.irtf.org/mailman/listinfo/cfrg > > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg > -- "Man is born free, but everywhere he is in chains". --Rousseau.
- [Cfrg] Requirements for PAKE schemes
- Re: [Cfrg] Requirements for PAKE schemes Paul Lambert
- Re: [Cfrg] Requirements for PAKE schemes
- Re: [Cfrg] Requirements for PAKE schemes 辛星漢
- Re: [Cfrg] Requirements for PAKE schemes Stanislav V. Smyshlyaev
- Re: [Cfrg] Requirements for PAKE schemes Mike Hamburg
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Grigory Marshalko
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Stanislav V. Smyshlyaev
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Watson Ladd
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Stanislav V. Smyshlyaev
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Василий Долматов
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Robert Moskowitz
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Yoav Nir
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Grigory Marshalko
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Станислав Смышляев
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Stanislav V. Smyshlyaev
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc…
- Re: [Cfrg] Requirements for PAKE schemes Stanislav V. Smyshlyaev
- Re: [Cfrg] Requirements for PAKE schemes Евгений Алексеев
- Re: [Cfrg] Requirements for PAKE schemes