IETF Logo Mail Archive

Re: [Crypto-panel] Request for review: CPace

Karthikeyan Bhargavan <karthikeyan.bhargavan@inria.fr> Sun, 04 February 2024 16:02 UTC

Return-Path: <karthikeyan.bhargavan@inria.fr>
X-Original-To: crypto-panel@ietfa.amsl.com
Delivered-To: crypto-panel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 663ACC14F604 for <crypto-panel@ietfa.amsl.com>; Sun, 4 Feb 2024 08:02:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=inria.fr
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vtZKc_AM3FNl for <crypto-panel@ietfa.amsl.com>; Sun, 4 Feb 2024 08:02:46 -0800 (PST)
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68F98C14F707 for <crypto-panel@irtf.org>; Sun, 4 Feb 2024 08:02:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=inria.fr; s=dc; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=JNnRjRWXalmhCPPv1GCTmofC5QacELBFL+UTkcdGy5Y=; b=g/BQ0Wfydueuhl8lldpVicG84pVQ5eb+/Y/XI1g9uPXDTIsoGJE9frBS /kWj8H/2rWN/feHxVc1NwRYXCdkoQ7UJPyqRGcHPMAsAZT9Xg0VGziUFI zWfZpppEgOMTufWVhKIamxc1cgKbj0phZ8yUy3gjUPLtb2grDLPYxxSlg A=;
Authentication-Results: mail2-relais-roc.national.inria.fr; dkim=none (message not signed) header.i=none; spf=SoftFail smtp.mailfrom=karthikeyan.bhargavan@inria.fr; dmarc=fail (p=none dis=none) d=inria.fr
X-IronPort-AV: E=Sophos;i="6.05,242,1701126000"; d="scan'208,217";a="150170378"
Received: from 88-174-234-205.subs.proxad.net (HELO smtpclient.apple) ([88.174.234.205]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 04 Feb 2024 17:02:34 +0100
From: Karthikeyan Bhargavan <karthikeyan.bhargavan@inria.fr>
Message-Id: <201647B6-D0DB-40BE-AFAF-F50918BF3F9B@inria.fr>
Content-Type: multipart/alternative; boundary="Apple-Mail=_AF035A20-A243-4988-80F2-475762071283"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.400.31\))
Date: Sun, 04 Feb 2024 17:02:27 +0100
In-Reply-To: <CAMr0u6nu-mC0hQKQVBTwKB8jW=6Rn9eiibU-FN+p6ntJNwittQ@mail.gmail.com>
Cc: crypto-panel@irtf.org, Bjoern Tackmann <bjoern.tackmann@ieee.org>, Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, Thomas Pornin <thomas.pornin=40nccgroup.com@dmarc.ietf.org>, Thomas Pornin <thomas.pornin@nccgroup.com>, draft-irtf-cfrg-cpace@ietf.org, cfrg-chairs@ietf.org
To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
References: <CAMr0u6kAW_rEK3_7Y64nU=-DP=7JjXM-oiX1XB+_973yP+pf0w@mail.gmail.com> <CAMr0u6nPOnUDCvfZ7mM_8nYWcmbp3nt+jp1O7tAP7byMWWWgWw@mail.gmail.com> <CAMr0u6nu-mC0hQKQVBTwKB8jW=6Rn9eiibU-FN+p6ntJNwittQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3774.400.31)
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/0V7ZhCd7IUFxinCJpxVukq05jVM>
Subject: Re: [Crypto-panel] Request for review: CPace
X-BeenThere: crypto-panel@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Review Panel review coordination <crypto-panel.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/crypto-panel/>
List-Post: <mailto:crypto-panel@irtf.org>
List-Help: <mailto:crypto-panel-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Feb 2024 16:02:50 -0000

Hello All,

I spent a couple of days re-reading the CPace draft 10 (https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-cpace-10), the 2021 security analysis paper by Abdella, Haase, 
and Hesse (https://eprint.iacr.org/2021/114.pdf) and the process critique paper by Hao (https://eprint.iacr.org/2021/839.pdf) 
In particular, I looked at how CPace could be securely integrated into a protocol like TLS 1.3.

----
In 2019, we reviewed the original CPace proposal with colleagues at Inria Prosecco and our review raised three points on the original proposal:

1) CPace uses a unique connection identifier (CI) in the first message from the initiator to the responder to prevent relay attacks.
    It was not clear to us how this unique CI could be computed without adding a round-trip to the protocol.

2) CPace relies on a unique session identifier (sid) for multi-session security. This sid is also used in the first protocol message.
    Again, it was not clear to us how the two parties could agree on an sid without adding a round-trip to the protocol.

3) It was unclear whether key confirmation was needed or not.

It is worth noting that 1) and 2) are also pointed out as potential CPace defects in Hao’s critique.

----
After reviewing the latest CPace draft, I can confirm that these questions are now answered in the text:

Connection Identifier (CI)
- Section 3.1 now says that the CI is *optional*.
- In response to our review, the authors said that the CI could use network addresses (IP addresses and ports) which do not require a round-trip
- The authors also say that CI is not needed if the application protocol provides key confirmation, which e.g. TLS 1.3 does

Session Identifier (CI)
- Section 3.1 now says that the sid is *optional*.
- This section recommends that the two parties should jointly establish an sid before the connection (which does imply an extra round-trip, at least for TLS 1.3)
- It also says that the initiator can unilaterally generate a fresh sid and send it to the responder (which would not require an extra round-trip).

Key Confirmation
- Section 9.4 explicitly describes how to obtain Explicit Key Confirmation if needed
- Protocols like TLS 1.3 already provide key confirmation.

----
Given the above clarifications, the following security questions still remain:

- The multi-session security of CPace relies on a “jointly” generated unique sid.
  Does this proof still hold if the initiator unilaterally generates the sid?
  Couldn’t the responder be vulnerable to replay attacks in this setting?
  How would one adapt the proof to account for unilateral “sid”s?

- What is the recommended way of integrating CPace into (say) TLS 1.3?
  Does the ISK take the role of (EC)DHE shared secret in the key schedule?
  Does the ISK become an additional input that is combined with an (EC)DHE shared secret?
  The definition and format of transcript in CPace is not exactly the same as the TLS handshake transcript.
  Are these two to be merged? If so, the test vectors of CPace would no longer work.

It if of course not expected that the CPace draft should answer these questions with concrete designs and formal proofs, 
but it would be useful to the reader and implementor to learn the answers to these questions and know the pitfalls of
embedding CPace incorrectly into an application protocol.


Best regards,
Karthik


 


> On Thu, Oct 5, 2023 at 10:51 AM Stanislav V. Smyshlyaev <smyshsv@gmail.com <mailto:smyshsv@gmail.com>> wrote:
>> Hi all,
>> 
>> We still need reviewers (three or four) for the CPace draft.
>> 
>> Since CPace was a winner of the PAKE selection process, we have to be 100% sure that all concerns have been properly addressed.
>> 
>> Bjoern, Russ, Karthik, we will be happy to receive reviews from you (taking into account your reviews provided during the PAKE Selection process).
>> 
>> Chloe, Julia, Jean-Philippe, Scott, if some of you could review the CPace draft, despite the fact that you've just reviewed the OPAQUE draft (thanks a lot once again for this!), that would be amazing as well.
>> 
>> Best regards,
>> Stanislav (for CFRG chairs)
>> 
>> On Mon, Sep 25, 2023 at 3:17 PM Stanislav V. Smyshlyaev <smyshsv@gmail.com <mailto:smyshsv@gmail.com>> wrote:
>>> Dear Crypto Panel Experts,
>>> 
>>> The chairs would like to ask the Crypto Panel to provide three (or more) reviews for the CPace draft, "CPace, a balanced composable PAKE", draft-irtf-cfrg-cpace-10 (https://datatracker.ietf.org/doc/draft-irtf-cfrg-cpace/).
>>> 
>>> The CPace protocol was selected as a result of the PAKE selection process in CFRG (as well as the OPAQUE protocol which has recently been reviewed by the Panel). 
>>> 
>>> There were a lot of reviews of the protocol and the early versions of the draft, see https://github.com/cfrg/pake-selection
>>> There were several important questions in those reviews which had to be addressed during the evolution of the draft in CFRG: some of them are underlined in the following paper: https://eprint.iacr.org/2021/839.pdf
>>> 
>>> Hence we would like to ask the reviewers to pay a lot of attention to reviewing this draft, trying to take into account as many considerations provided in the previous reviews as possible.
>>> 
>>> Stanislav (on behalf of the CFRG Chairs)

v2.23.0 | Report a Bug | By Email