Re: [CFRG] Attack on a Real World SPAKE2 Implementation

Loup Vaillant-David <loup@loup-vaillant.fr> Sun, 09 May 2021 21:56 UTC

Message-ID: <c906626d484c23231258a01a0ed81d805aedb634.camel@loup-vaillant.fr>
From: Loup Vaillant-David <loup@loup-vaillant.fr>
To: steve@tobtu.com, cfrg@irtf.org
Date: Sun, 09 May 2021 23:56:10 +0200
In-Reply-To: <1662280882.109662.1620586978685@email.ionos.com>
References: <2bfbd767-b93a-42bd-be7d-1dae9e32e555@ruben-gonzalez.de> <SY4PR01MB625110F1F7633D989FCF183EEE579@SY4PR01MB6251.ausprd01.prod.outlook.com> <e88bae26-ff1f-42e3-babf-c5de3ee1d781@www.fastmail.com> <e47d0509-2b47-b811-7fd5-8846c11dc055@web.de> <1662280882.109662.1620586978685@email.ionos.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/zEIDW2izv0qP6jDmwEptaBGOpqQ>

Hi,


> I know of someone who read about "hash to curve" in I think OPAQUE
> and thought that it was "H(value)*G". So we need to make special
> notes on these things.

I made the same mistake the first time I heard about PAKE. I was
like, "that can't possibly work", because I noticed that if I
implemented hash to curve this way, it would utterly break the
protocol I was looking at.

And I consider myself reasonably knowledgeable about these things; I
just didn't know about this new thing we called "hash to curve". I
expect many people stumbling upon the concept might not do the sanity
check I did, and happily implement something broken instead of reaching
for the real thing.

Loup.
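The misreading discussed above (taking "hash to curve" to mean H(value)*G) and the sanity check Loup mentions can be made concrete. The following is an added illustration, not code from Loup's message or from any SPAKE2 implementation discussed in this thread. It assumes secp256k1 (chosen only because p ≡ 3 mod 4 makes square roots cheap), SHA-256, and a simplified try-and-increment map standing in for a proper hash-to-curve; the function names (`hash_to_curve_wrong`, `hash_to_curve`, `has_known_dlog`) are hypothetical. The point of `has_known_dlog` is a review-time check: if a library's "hash to curve" output ever equals H(value)*G, the output's discrete log is known to anyone who can hash the input, which is exactly what a PAKE's constants must not have.

```python
import hashlib

# secp256k1 parameters (a real, widely used curve; picked here only because its
# prime p is 3 mod 4, which makes a modular square root a single exponentiation).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def inv(x):
    return pow(x, P - 2, P)


def add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P
    else:
        lam = (y2 - y1) * inv((x2 - x1) % P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def on_curve(pt):
    x, y = pt
    return (y * y - x ** 3 - A * x - B) % P == 0


def h_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def hash_to_curve_wrong(data):
    """The misreading: H(value)*G. The result is a valid curve point, but its
    discrete log with respect to G is H(value), known to anyone who can hash
    the input. Hypothetical name; this is the construction to avoid."""
    return mul(h_int(data) % N, G)


def hash_to_curve(data):
    """Try-and-increment hash-to-curve: hash to an x-coordinate and keep the
    first one that has a square root on the curve. The output has no known
    scalar relation to G. Simplified stand-in: RFC 9380 specifies constant-time
    maps, whereas this loop's iteration count leaks through timing."""
    for ctr in range(256):
        x = h_int(data + bytes([ctr])) % P
        rhs = (x ** 3 + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)   # candidate sqrt, valid only if rhs is a square
        if y * y % P == rhs:
            return (x, y)               # secp256k1 has cofactor 1: no clearing needed
    raise ValueError("no curve point found (probability about 2^-256)")


def has_known_dlog(pt, data):
    """Sanity check for a hash-to-curve output: it must never equal H(data)*G."""
    return pt == mul(h_int(data) % N, G)


if __name__ == "__main__":
    pw = b"password"  # constructed sample input
    print("wrong construction has known dlog:", has_known_dlog(hash_to_curve_wrong(pw), pw))
    print("real hash-to-curve has known dlog:", has_known_dlog(hash_to_curve(pw), pw))
```

Both functions return points that pass `on_curve`, so "is the output on the curve" is not a useful test; the check that distinguishes them is whether the output coincides with H(value)*G. A reviewer can run the same comparison against any library that claims to implement hash-to-curve, using that library's own hash and generator.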