IETF Logo Mail Archive

Re: [Cfrg] aPAKE Analysis

Jonathan Hoyland <jonathan.hoyland@gmail.com> Mon, 23 September 2019 10:19 UTC

Return-Path: <jonathan.hoyland@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4347812025D for <cfrg@ietfa.amsl.com>; Mon, 23 Sep 2019 03:19:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YQejfwbKioqz for <cfrg@ietfa.amsl.com>; Mon, 23 Sep 2019 03:19:28 -0700 (PDT)
Received: from mail-vs1-xe30.google.com (mail-vs1-xe30.google.com [IPv6:2607:f8b0:4864:20::e30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FB4F120105 for <cfrg@irtf.org>; Mon, 23 Sep 2019 03:19:28 -0700 (PDT)
Received: by mail-vs1-xe30.google.com with SMTP id f15so9028699vsq.6 for <cfrg@irtf.org>; Mon, 23 Sep 2019 03:19:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3hclp58BI2Jny1sEsNzJgzemHMaJ75mzaaTFbxU+75k=; b=Fz/t4WJXwW3h5zPVn1QqBQme//qeKgWzuLYDDRPsG3adOUwlMo4avTePmpCwRPT634 dKzujHEHv8+Pq54mUpVZBXS0E96z8PuvDyrDnGle/qXhkcH2awt9UHOQjt/T9UeddWpq Jl44QtMQ6n0f93ICQ3gYTqB5ZTaj8O9DXyVf5fan/l9hmBhQ10HTb5brc2xf6SwM5mtc 9qg4lLNUodWCap6634KSplsDOx3r/l63FSWWBQbR173CAb6wX+LqgFOOxxKvkmSFbRUY FUeML9/jncZAEIgxcD1/qjROw8ehRJ3UzFl1oN9KmD2GN7RYiEPhCp7iid6ymXr8qUQV oYPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3hclp58BI2Jny1sEsNzJgzemHMaJ75mzaaTFbxU+75k=; b=JnB3HkRIf/t63UEUwK7pQ4lmYwXWrWrrjdNqlUYVjZtA48p7b/eumGMe9V9jmJnvka THbC6w90OaMGYuQMagTM+FoOeoNbINGV/EGiwXiFHf0BO9NpbaO3ycG0ABNDAfy4aLqc kESH4Ed2fM5iZLX+qRtX4P/DSlKfLFDGB+q+LNxhsJu/PtSRr57y6BP/sj8sjnWMUqjc dm/Z5C2t8lYFhay40JupCv97kfG1wxUhxVgJngabWBLPCWoMtgv32JS8c2umRYPy6ksT 74X8byNd5utlYSiTaEZXV1EYCmWGqN+hiR2iv1kRprtFAKh419WII9h7Q0BdWXI+0xUR k1pw==
X-Gm-Message-State: APjAAAWjNL+FcZ43JFTCCEr8KVyfzmFZIAk/QYi/YPXBcktX8+tBBttc 9HX1/R5Sefxo4rmrZry1c3+1QO1gQ/3MrXkTeJY=
X-Google-Smtp-Source: APXvYqxpS81W4lXcuWyINAnGlcfRiQNoSVdvfNpAW1scr5RGFsaEAZP9tBaEq5jTpWJbKxfJObvikz53yRJno8CdH+A=
X-Received: by 2002:a67:f314:: with SMTP id p20mr2394531vsf.66.1569233967355; Mon, 23 Sep 2019 03:19:27 -0700 (PDT)
MIME-Version: 1.0
References: <1000404210.104219.1568701269003@email.ionos.com> <CACykbs3Bk40DpPb56SRXZJMHstUQqsT-n-Gkntrb0bhNss=zPw@mail.gmail.com> <CADi0yUPMiMdgZa8k7bP5wW_bVqxoMFXaJp0u1r7ZFRVaEfZOSg@mail.gmail.com> <CACykbs0mDkgfY=3=Wd0F=w7YwXYs9bEXJyhdcM74CEvw7w6-=Q@mail.gmail.com> <568ba75e-26fd-8b12-5974-67517bce23a4@web.de>
In-Reply-To: <568ba75e-26fd-8b12-5974-67517bce23a4@web.de>
From: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Date: Mon, 23 Sep 2019 11:19:15 +0100
Message-ID: <CACykbs0Pq=w4catZNBM0TC16RmL+Ytmy_VhXfTTpWRMnKkSoZw@mail.gmail.com>
To: Björn Haase <bjoern.m.haase@web.de>
Cc: Hugo Krawczyk <hugo@ee.technion.ac.il>, steve@tobtu.com, cfrg <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000319f71059335c117"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/z5N7vHS1CzL3crsh3uBCb2DM-Tk>
Subject: Re: [Cfrg] aPAKE Analysis
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Sep 2019 10:19:31 -0000

Hi Björn,

A second round trip is a fairly large performance hit, especially as this
is before the site even begins to load.
If we want to see adoption we have to make sure we don't harm the metrics
website operators care about (for example time to first byte, or document
load).
You write on slide 22 that the user expects the dialogue immediately on the
Hello Retry, but very few users will be familiar with that flow.
They expect to see a fully rendered page with two boxes in which they are
to type their username and password, not an undecorated pop-up.
Because the site has not authenticated itself at this point, the browser
cannot add any site specific rendering (or rather, doing so would require
some complex SXG-style magic, with requires the user to verify the cert
chain at least twice and would immediately leak the site the user is
visiting).

Training users in this system will also make them more vulnerable to
malicious sites that render a blank page and throw a pop-up asking for a
username and password.

The flow for OPAQUE with EAs is much closer to what we see currently.
OPAQUE + EAs performs user authentication _after_ the TLS handshake is
complete, and uses the exporter key interface to bind the authentication to
the underlying channel.

>From a user's perspective,  they go to a website that renders normally, and
then they then login using a username and password box.
If you wanted to, you could switch to OPAQUE + EAs without making the user
aware of the change.
This setup also gives you a major advantage in username leakage, because
impersonating the server requires the attacker to compromise the site's
certificate, which is a reasonably high bar.
Because the site is authenticated to the user before the user sends their
username impersonating a site is much harder.
Further, because of the binding of EAs to the underlying connection you can
also prevent an attacker from MITMing the login.

OPAQUE + EAs:
The system is easy to make memory-hard with protection from rainbow tables.
There are no obvious obstacles for using EAs to perform 2FA based
authentication.
There is also plenty of scope for arranging password changes by binding EAs
to each other, as well as the underlying TLS connection.
There is no change to the TLS state machine.
There is no blow-up in TLS complexity.
The UI elements are kept even further from TLS than under AuCPace.

Regards,

Jonathan

On Sun, 22 Sep 2019 at 20:03, Björn Haase <bjoern.m.haase@web.de> wrote:

> Dear Jonathan,
>
> Am 18.09.2019 um 12:09 schrieb Jonathan Hoyland:
> > Björn: The specific issue I have with AuCPace is that the AuCPace
> > substep has to happen before the CPace substep, which means that you
> > need to have a roundtrip before you start TLS.
>
> I understand your concerns but still I am convinced that this is a
> problem that we will be having anyway. In my perception we will have to
> face the situation that the method for authentication to use is up to
> the choice of the server within the most important application settings.
>
> In my perception we will be having at least the settings
> 1.) "Password over certificate-authenticated TLS"
> 2.) "aPAKE authenticated TLS"
> 3.) "aPAKE + 2FA TLS".
>
> Depending on the actual setting of the server, which the HMI client will
> not be knowing beforehand (at least for the case of the https://
> web-server) the client side will not be able to provide all of the
> required information in the first client hello.
>
> As pointed out in my slides
>
>
> https://github.com/BjoernMHaase/fe25519/blob/master/Concept_For_Modularized_PAKE_integration_into_TLS_20190726.pdf
>
> on page 22, I also don't see any performance issue for the HMI interface.
>
> My suggestion on what could best be implemented is the following approach.
>
> The Client tries a conventional Web-PKI-based TLS connection attempt as
> usual with its ClientHello. In this ClientHellow it informs the server
> that it also supports "aPAKE" and "aPAKE with 2FA".
>
> In case of today's webservers, the server replies with a ServerHello as
> normal. In case of a "aPAKE" or "aPAKE with 2FA" requirement by the
> server, the server responds with a "HelloRetry" message in which he
> answers which variant of aPAKE it needs. This first round could also be
> used for establishing an ephemeral session ID on both sides by using the
> random fields.
>
> Then the "aPAKE" or "aPAKE with 2FA"  authentication protocol is started
> and exchanges one ore more message rounds. (For identifying the
> sessions, one could use the session ID as established beforehand.) For
> this purpose, we need an extension to TLS for tunneling these protocol
> messages, which are completely ignored by the TLS layer but transferred
> as opaque payload. In case of "aPAKE with 2FA", the data required for
> the second factor is also transmitted in addition to the messages needed
> by the aPAKE sub-component.
>
> At some spot the external layers will come up with a "PRS" string. In
> the case of the "aPAKE with 2FA", this PRS string will also include data
> from the second factor. Once this value is there, one could resume the
> TLS operation by sending a "ClientHello" with the appropriate SID and
> PRS information.
>
> - We keep the TLS state machine as simple as it is today.
> - We handle the case of balanced and augmented PAKE with the same
> feature set
> - We allow for extensability and flexibility (e.g. 2FA) without blowing
> up the TLS complexity
> - We keep the notoriously complex user-interface components out of TLS
>
> Note that once we have this "tunnel mechanism" that could exchange data
> between both sides for implementing use-cases such as password-changes,
> etc. .
>
> > I think that the pre-TLS phase is going to be difficult to actually
> > implement and deploy, will probably have unacceptable performance,
>
> I don't quite see where you identify a performance problem. Do you
> consider the same application context as I did on slide 22 (as mentioned
> above?)
>
> > and leaks the username, which is a far more serious vulnerability than
> > lack of quantum annoyingness.
>
> Note that the username is leaked in clear text in *all* nominations to
> an adversary impersonating the server! There is nothing I see that we
> can do against it. At least for the case of an industrial plant, in my
> assessment this is the far more critical case and easier to mount than a
> passive adversary which is eavesdropping on the network. In this light,
> I personally don't see a very significant advantage of using PAKE over
> an un-authenticated but encrypted link.
>
> > I think if there was a construction that let you use a balanced PAKE
> > first and then do an augmentation step second, then simply integrating
> > a balanced PAKE into TLS might be an acceptable solution.
> Unfortunately, doing so will make it impossible (IMO) to use memory-hard
> password hashing without rainbow tables :-(.
> > The other option is to run the AuCPace and CPace substeps over a TLS
> > connection, once it has been established, and do some sort of channel
> > binding on top, which adds two roundtrips.
> > I'll specifically address the subsystem question in the other thread.
> >
>

v2.23.0 | Report a Bug | By Email