Re: [Crypto-panel] Stage 5 of PAKE selection process
Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 25 October 2019 12:25 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: crypto-panel@ietfa.amsl.com
Delivered-To: crypto-panel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 065D412007C for <crypto-panel@ietfa.amsl.com>; Fri, 25 Oct 2019 05:25:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.827
X-Spam-Level:
X-Spam-Status: No, score=-0.827 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MALFORMED_FREEMAIL=1.159, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_HTML_ATTACH=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id STSnmfiwnWdu for <crypto-panel@ietfa.amsl.com>; Fri, 25 Oct 2019 05:25:14 -0700 (PDT)
Received: from mail-wm1-x335.google.com (mail-wm1-x335.google.com [IPv6:2a00:1450:4864:20::335]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0417120879 for <crypto-panel@irtf.org>; Fri, 25 Oct 2019 05:25:13 -0700 (PDT)
Received: by mail-wm1-x335.google.com with SMTP id q70so1927677wme.1 for <crypto-panel@irtf.org>; Fri, 25 Oct 2019 05:25:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :references:in-reply-to:mime-version; bh=4gv6VJS4WzFYrL/SCb/dod6P/O3RUbuvn7mcufICbLY=; b=ip2NEg/MkjNGtQtLanRvdxjgz3B40FhZJETo1+WfPa7Ch5Y+EjEUSUl1JuDDupluS1 y1LMsHMR/1AexLlPI6CSXlW1MEygcNXvIdkkIvpH0FpO5mpcTqrfUDUBejzaeh+6DBXk hK33gQAUUvqGPAwhq4N+I1LPiSbhxltjkHWbThRG33pVzdPD2iK3Pm/P1lQKUTIhPJwW bfT1MVj4622hWSb+aCW7QraJAC0i46hsbT72vw5U47ZL8FvtKWC4UyxSY9ns5UrPRP6s LoljmciSfFvMXmVDRxtg7C6mrWHD6aaBCrxgtRrXTl6Db3FzqoQmeEwfe4/d98YIbHEi t+5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version; bh=4gv6VJS4WzFYrL/SCb/dod6P/O3RUbuvn7mcufICbLY=; b=WVih6d0qdDZ+js16oii+vGCoPEadF3LLcHOzVMnMF9RojNOua/sCOUEyiThpAcbK9D P6JIMA0fiIc5g/JEqlCT9M/X4ZVlmJQnuk9ZoS7QbPfpm7ZpqvKYCECyLdUwi01x8UIh yt7BtwIpVZU1hfwKVPvW3pUfR2NDIx2hbVnImOzjlk/OXlxye6c4R/WJ5NZZgum1VpOb PNqdjh3joevUmDEqpIn74CGnOPfi01GBeTtC7f46Nt+gZYAc8Vzs1uzIevxVeXn86nSV tHZ8pZfXG1xhv8AY2dnFtcj3LewpVsE/Yb0LbwExtvdMtzXBnyC3x8yYfLZty7lhvmvh hUAg==
X-Gm-Message-State: APjAAAW5Z2Dc0bn57NLZ/iBd3DUTmQDw1vfMDA9DekxekM6ppsdXaASZ Mv4KUUNIPq81GXgSC3/uzfw=
X-Google-Smtp-Source: APXvYqwLaruFygFlUvjVxBhmtaN5wdYc4YavV0TWTJo+BCnMt2ffJ9nLaAOWUu5Yb4xN9+cSFDkiUQ==
X-Received: by 2002:a7b:c444:: with SMTP id l4mr3314359wmi.49.1572006312021; Fri, 25 Oct 2019 05:25:12 -0700 (PDT)
Received: from [10.0.0.147] (bzq-79-182-74-87.red.bezeqint.net. [79.182.74.87]) by smtp.gmail.com with ESMTPSA id f17sm2111399wrs.66.2019.10.25.05.25.09 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 25 Oct 2019 05:25:10 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/10.1e.0.191013
Date: Fri, 25 Oct 2019 15:25:08 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Russ Housley <housley@vigilsec.com>, cfrg-chairs@ietf.org
CC: Tibor Jager <tibor.jager@upb.de>, "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>, Scott Fluhrer <sfluhrer@cisco.com>, crypto-panel@irtf.org, Bjoern Tackmann <bjoern.tackmann@ieee.org>
Message-ID: <63EBDE7B-4B7F-4E65-A2D1-7864071C7D4C@gmail.com>
Thread-Topic: [Crypto-panel] Stage 5 of PAKE selection process
References: <CAMr0u6kNUPCMTm2Y37Q0y4pt-PPneKJYb07dxuiF9g33Qj3f_Q@mail.gmail.com> <CEB3C6D3-7B2E-4BA0-90BC-D0BE237B2628@vigilsec.com>
In-Reply-To: <CEB3C6D3-7B2E-4BA0-90BC-D0BE237B2628@vigilsec.com>
Mime-version: 1.0
Content-type: multipart/mixed; boundary="B_3654861910_971338930"
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/IFtADguL13GxynZQLNDn6RBUeGw>
Subject: Re: [Crypto-panel] Stage 5 of PAKE selection process
X-BeenThere: crypto-panel@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <crypto-panel.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/crypto-panel/>
List-Post: <mailto:crypto-panel@irtf.org>
List-Help: <mailto:crypto-panel-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Oct 2019 12:25:17 -0000
Dear CFRG chairs, Please see my review in the attached (two formats). Thanks, Yaron PS: this is formatted as an I-D, but I have not submitted it, at least while the chairs are deliberating their selections. On 24/10/2019, 20:00, "Crypto-panel on behalf of Russ Housley" <crypto-panel-bounces@irtf.org on behalf of housley@vigilsec.com> wrote: Reviewer: Russ Housley Review Date: 24 October 2019 CFRG is looking for a PAKE to support TLS 1.3 and IKEv2. TLS 1.3 has a very rigid handshake in terms of the number of messages that are exchanged. IKEv2 has mechanisms to accomodate the exchange os many messages as part of authentication. As a result, I focus on TLS 1.3. Any PAKE that will work with TLS 1.3 will also work with IKEv2. RECOMMENDATION: OPAQUE Observations about each of the candidates follow. J-PAKE J-PAKE requires significant computation, even when elliptic curve is used. J-PAKE has big messages, even when elliptic curve is used. J-PAKE is a two round (or three round) protocol, so it does not easily fit into the TLS handshake. CPace CPAKE requires two elliptic curve operations by each party, one to compute an ephemeral public value from the ephemeral random (private) value and one to compute the shared secret. CPake requires the pre-establishment of an session identifier (sid). Perhaps this is done when the password is established, but the requirements are not clear to me. The sid is sent by both the initiator and the responder. Assuming the sid is not bigger than an ephemeral public value, the message sizes seem reasonable. CPAKE is a one round protocol, so it easily fits into the TLS handshake. CPake requires a check that the "point order is sufficient for security parameter 2k". I could not figure out the check to be performed. Maybe I did not spend enough time searching for it ... AuCPace AuCPAKE requires two elliptic curve operations by each party, one to compute an ephemeral public value from the ephemeral random (private) value and one to compute the shared secret. AuCPake requires the pre-establishment of an session identifier (sid). Perhaps this is done when the password is established, but the requirements are not clear to me. It also requires a sub-session identifier (ssid) that can be a concatenation of the nonces from the TLS handshake or computed from them. Assuming the sid is not bigger than an ephemeral public value, the message sizes seem reasonable. AuCPAKE requires more than one round trip, so it does not easily fits into the TLS handshake. AuCPake requires a check that the "point order is sufficient for security parameter 2k". I could not figure out the check to be performed. Maybe I did not spend enough time searching for it ... OPAQUE OPAQUE computational cost is determined by OPRF, Diffie-Hellman, and authentication. The OPRF requires two elliptic curve operations for the client and one for the server. The Diffie-Hellman requires two elliptic curve operations for each party. If authentication uses signature, then each party will have to generate and verify one signature. OPAQUE requires two private key operations by each party during registration, and then just one private key operation by each party to compute the shared secret. OPAQUE is a one round protocol; it easily fits into the TLS handshake. If one is willing to employ an extra round trip, OPAQUE can provide confidentiality of the user's name by encrypting it in the TLS handshake key. It seems like this could be implemented as TLS-in-TLS. OPAQUE needs an AEAD that includes "key committing". AES-GCM mode does not provide this property, but I think that AES-KEY-WRAP mode does. It seems straightforward to enhance an AEAD to get this property by adding a all-zero block to the plaintext and checking it on decryption. SPAKE2 SPAKE2 computational cost is four elliptic curve operations for each party after the pre-provisioning takes place. SPAKE2 is a two round protocol, but the pre-provisioning will take place prior to any handshake, so it easily fits into the TLS handshake. That said, if the point associated with the system-wide elements M and N become known, then an offline dictionary attack becomes possible. I found this part odd: TT = len(A) || A || len(B) || B || len(S) || S || len(T) || T || len(K) || K || len(w) || w If an identity is absent, it is omitted from the transcript entirely. So, if A or B is absent, the inputs quite similar: TT = len(B) || B || len(S) || S || len(T) || T || len(K) || K || len(w) || w TT = len(A) || A || len(S) || S || len(T) || T || len(K) || K || len(w) || w Somehow, using a zero length for the missing identity seems safer: TT = len(nil) || len(B) || B || len(S) || S || len(T) || T || len(K) || K || len(w) || w TT = len(A) || A || len(nil) || len(S) || S || len(T) || T || len(K) || K || len(w) || w SPEKE SPEKE computational cost is two elliptic curve operations for each party. SPEKE is a one round protocol, so it easily fits into the TLS handshake. Also, the TLS 1.3 Finished message provides the optional key confirmation. Finally, identity and session-unique values are easily accommodated by the client and server Hello messages. VTBPEKE VTBPEKE computational cost is four elliptic curve operations for each party. VTBPEKE is not a one round protocol, cannot be accommodated by the TLS 1.3 handshake. VTBPEKE offers forward secrecy. However, if the points associated with the system-wide element U and V become known, then an offline dictionary attack becomes possible. BSPAKE BSPAKE computational cost is five elliptic curve operations for the client and four elliptic curve operations for the server. BSPAKE requires two-round trips in the protocol, so it cannot be accommodated by the TLS 1.3 handshake. _______________________________________________ Crypto-panel mailing list Crypto-panel@irtf.org https://www.irtf.org/mailman/listinfo/crypto-panel
- [Crypto-panel] Stage 5 of PAKE selection process Stanislav V. Smyshlyaev
- Re: [Crypto-panel] Stage 5 of PAKE selection proc… Russ Housley
- Re: [Crypto-panel] Stage 5 of PAKE selection proc… Yaron Sheffer
- Re: [Crypto-panel] Stage 5 of PAKE selection proc… Stanislav V. Smyshlyaev
- Re: [Crypto-panel] Stage 5 of PAKE selection proc… Stanislav V. Smyshlyaev
- Re: [Crypto-panel] Stage 5 of PAKE selection proc… Stanislav V. Smyshlyaev
- [Crypto-panel] Stage 5 of PAKE selection process Russ Housley
- Re: [Crypto-panel] Stage 5 of PAKE selection proc… Yaron Sheffer