Re: [Cfrg] Requirements for PAKE schemes
"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Thu, 28 January 2016 10:59 UTC
Return-Path: <smyshsv@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EE901B35A7 for <cfrg@ietfa.amsl.com>; Thu, 28 Jan 2016 02:59:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.1
X-Spam-Level:
X-Spam-Status: No, score=-0.1 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gdaOxuGkehWV for <cfrg@ietfa.amsl.com>; Thu, 28 Jan 2016 02:59:12 -0800 (PST)
Received: from mail-vk0-x233.google.com (mail-vk0-x233.google.com [IPv6:2607:f8b0:400c:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A8131B36AE for <cfrg@irtf.org>; Thu, 28 Jan 2016 02:59:12 -0800 (PST)
Received: by mail-vk0-x233.google.com with SMTP id e6so21446284vkh.2 for <cfrg@irtf.org>; Thu, 28 Jan 2016 02:59:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=Rr9w4EdYZPMNqzo6TXbcuYW/T/ki8ZvRGCwjNEpQuVY=; b=IjAT4VCaBfwn68XXjNweqXep8TLC28LPRSG+zsaXkeeP8UIDqWOTqRARLHWlzKZnJf ygNhFAfPqQ3Ngbs05iZF3wmV/Zx9zcaQvn2KE9K3L8SecJkrbQjS2/BmYnpK2wksAGRx hqlRAgtK51iNkgGppgfzjLBkSeTYYI/lTI6dkiVTq8/7f5HzxqWwzXWhreVux2/Br/GD dEKO48sjMCscOuvg4TfdMOhXMba6eR/O9dMndIzW8jY7dKlfEhYX2eFtdwEVv/mcY0RP LS+8G9b+cu2FZCPHMMBoN4MA9ptWM14i8+C3Dz78FR2iQxRqfvkQnqc6t4lL7R/XO6iA 2VAg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=Rr9w4EdYZPMNqzo6TXbcuYW/T/ki8ZvRGCwjNEpQuVY=; b=PXYIwnvKi4g5NDcrdPoKDe214XaMxNaYJN8+2cMW8BHDxRsvTh426cNX+vbStphfMY GvjhDsZz4teLB0v7APcOITiwV95A/6vzW9UzEokApqCnt61XCJmf4c9PizAjgUd2Q5CH jT/Xrw/88537Fkcf6FTUfNXo6L6f2b/7aAHWycH6ET/9Do2SXV8rfRAuyDgeSPCRjZG4 YKfXTVDy2BKVVvYUvVITv8lgw8jHGTrKe1+Z99oY0c0LaxfCgTOQhnMQYbTNTX1B51cB Cl+1VZhIfTTv16et6+IE6fV1mKAIvZGC7uph0h4YFBhjc/H5f+7obI9xrABoXypNlwTa m4Dg==
X-Gm-Message-State: AG10YOSqV1dIXZ7hYDCCL8k8MwBaeeXvD375izl95uVEOdU5lwXxNO7nrYqGk7qrkgZrYKYgoy8aT1FzihLZ6w==
MIME-Version: 1.0
X-Received: by 10.31.10.199 with SMTP id 190mr1593926vkk.51.1453978751025; Thu, 28 Jan 2016 02:59:11 -0800 (PST)
Received: by 10.31.63.21 with HTTP; Thu, 28 Jan 2016 02:59:10 -0800 (PST)
Date: Thu, 28 Jan 2016 13:59:10 +0300
Message-ID: <CAMr0u6=76q4n-u1Vpv5vWjSNgi4CtaOJoX0EmvcbXH+9C4w2mg@mail.gmail.com>
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>, "alexey.melnikov@isode.com" <alexey.melnikov@isode.com>, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>, Joern-Marc.Schmidt@secunet.com, seonghan.shin@aist.go.jp
Content-Type: multipart/alternative; boundary="001a11440176f748ce052a62ced4"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/xzAsSNTLyft_ug46YGFkLiPZ_PI>
Subject: Re: [Cfrg] Requirements for PAKE schemes
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jan 2016 10:59:14 -0000
Good afternoon!
The order of most security bounds of PAKE protocols is determined by the
value $q{send}/|D|$, where $D$ is a size of a password set and $q_{send}$
is a number of the adversary’s active impacts on the channel. The active
impact assumes that the adversary can intercept a data in the channel and
change it. A PAKE protocol is secure if a little number of such impacts
cannot lead to the adversary’s success for some threat. It means that for
the secure protocol any active impact leads to the fail abortion of the
protocol. The bounds of the security can be reflected in the particular
values if there are limitations for the value $q_{send}$. In practice it
can be achieved with counters that limit the number of unsuccessful
authentication attempts. These limitations are the essential part of the
protocol as they define the final security. For example, their absence
leads to the vulnerability of the protocol to the online password brute
force attack.
So we think that it is of highly importance to add the following
requirement: the description of the protocol of the PAKE type MUST include
the limitations and detailed description of the following counters:
- counters of the fail connections in a row,
- counters of the fail connections for the particular password,
- counters of the total connections (successful and unsuccessful)
for the current password.
Best regards,
Stanislav V. Smyshlyaev, Ph.D.,
Head of Information Security Department,
CryptoPro LLC
<seonghan.shin@aist.go.jp> wrote:
> Dear Jörn,
>
> Thank you for the document.
>
> Here are some comments:
> 1. It is somewhat misleading to differ balanced and augmented by a type of password storage in Section 3.1 because in balanced PAKE protocols passwords can be stored as elements generated with a one-way function. As you already wrote in the second paragraph, the difference is whether it is providing KCI or not.
>
> 2. In Section 3.3, “~ while the second one proposes a generic construction that allows transferring any two-party PAKE into a GPAKE protocol.”. However, there are other papers to convert 2-party PAKE to group PAKE (e.g., [ACGP11]).
> M. Abdalla et al., “Contributory Password-Authenticated Group Key Exchange with Join Capability,”' CT-RSA 2011
>
> Best regards,
> Shin
>
> ------------------------------------------------------------------------------
> SeongHan Shin
> Information Technology Research Institute (ITRI),
> National Institute of Advanced Industrial Science and Technology (AIST),
> 8F, AIST Tokyo Waterfront Bio-IT Research Building,
> 2-4-7 Aomi, Koto-ku, Tokyo, 135-0064, Japan
> Tel : +81-3-3599-8001
> E-mail : seonghan.shin@aist.go.jp
> ------------------------------------------------------------------------------
>
>
>
- [Cfrg] Requirements for PAKE schemes Schmidt
- Re: [Cfrg] Requirements for PAKE schemes Paul Lambert
- Re: [Cfrg] Requirements for PAKE schemes Schmidt
- Re: [Cfrg] Requirements for PAKE schemes 辛星漢
- Re: [Cfrg] Requirements for PAKE schemes Stanislav V. Smyshlyaev
- Re: [Cfrg] Requirements for PAKE schemes Mike Hamburg
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Grigory Marshalko
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Stanislav V. Smyshlyaev
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Watson Ladd
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Stanislav V. Smyshlyaev
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Василий Долматов
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Robert Moskowitz
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Yoav Nir
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Grigory Marshalko
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Станислав Смышляев
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Stanislav V. Smyshlyaev
- Re: [Cfrg] [MASSMAIL]Re: Requirements for PAKE sc… Schmidt
- Re: [Cfrg] Requirements for PAKE schemes Stanislav V. Smyshlyaev
- Re: [Cfrg] Requirements for PAKE schemes Евгений Алексеев
- Re: [Cfrg] Requirements for PAKE schemes Schmidt