IETF Logo Mail Archive

Re: [Crypto-panel] Stage 5 of PAKE selection process

Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 25 October 2019 12:25 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: crypto-panel@ietfa.amsl.com
Delivered-To: crypto-panel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 065D412007C for <crypto-panel@ietfa.amsl.com>; Fri, 25 Oct 2019 05:25:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.827
X-Spam-Level:
X-Spam-Status: No, score=-0.827 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MALFORMED_FREEMAIL=1.159, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_HTML_ATTACH=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id STSnmfiwnWdu for <crypto-panel@ietfa.amsl.com>; Fri, 25 Oct 2019 05:25:14 -0700 (PDT)
Received: from mail-wm1-x335.google.com (mail-wm1-x335.google.com [IPv6:2a00:1450:4864:20::335]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0417120879 for <crypto-panel@irtf.org>; Fri, 25 Oct 2019 05:25:13 -0700 (PDT)
Received: by mail-wm1-x335.google.com with SMTP id q70so1927677wme.1 for <crypto-panel@irtf.org>; Fri, 25 Oct 2019 05:25:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :references:in-reply-to:mime-version; bh=4gv6VJS4WzFYrL/SCb/dod6P/O3RUbuvn7mcufICbLY=; b=ip2NEg/MkjNGtQtLanRvdxjgz3B40FhZJETo1+WfPa7Ch5Y+EjEUSUl1JuDDupluS1 y1LMsHMR/1AexLlPI6CSXlW1MEygcNXvIdkkIvpH0FpO5mpcTqrfUDUBejzaeh+6DBXk hK33gQAUUvqGPAwhq4N+I1LPiSbhxltjkHWbThRG33pVzdPD2iK3Pm/P1lQKUTIhPJwW bfT1MVj4622hWSb+aCW7QraJAC0i46hsbT72vw5U47ZL8FvtKWC4UyxSY9ns5UrPRP6s LoljmciSfFvMXmVDRxtg7C6mrWHD6aaBCrxgtRrXTl6Db3FzqoQmeEwfe4/d98YIbHEi t+5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version; bh=4gv6VJS4WzFYrL/SCb/dod6P/O3RUbuvn7mcufICbLY=; b=WVih6d0qdDZ+js16oii+vGCoPEadF3LLcHOzVMnMF9RojNOua/sCOUEyiThpAcbK9D P6JIMA0fiIc5g/JEqlCT9M/X4ZVlmJQnuk9ZoS7QbPfpm7ZpqvKYCECyLdUwi01x8UIh yt7BtwIpVZU1hfwKVPvW3pUfR2NDIx2hbVnImOzjlk/OXlxye6c4R/WJ5NZZgum1VpOb PNqdjh3joevUmDEqpIn74CGnOPfi01GBeTtC7f46Nt+gZYAc8Vzs1uzIevxVeXn86nSV tHZ8pZfXG1xhv8AY2dnFtcj3LewpVsE/Yb0LbwExtvdMtzXBnyC3x8yYfLZty7lhvmvh hUAg==
X-Gm-Message-State: APjAAAW5Z2Dc0bn57NLZ/iBd3DUTmQDw1vfMDA9DekxekM6ppsdXaASZ Mv4KUUNIPq81GXgSC3/uzfw=
X-Google-Smtp-Source: APXvYqwLaruFygFlUvjVxBhmtaN5wdYc4YavV0TWTJo+BCnMt2ffJ9nLaAOWUu5Yb4xN9+cSFDkiUQ==
X-Received: by 2002:a7b:c444:: with SMTP id l4mr3314359wmi.49.1572006312021; Fri, 25 Oct 2019 05:25:12 -0700 (PDT)
Received: from [10.0.0.147] (bzq-79-182-74-87.red.bezeqint.net. [79.182.74.87]) by smtp.gmail.com with ESMTPSA id f17sm2111399wrs.66.2019.10.25.05.25.09 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 25 Oct 2019 05:25:10 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/10.1e.0.191013
Date: Fri, 25 Oct 2019 15:25:08 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Russ Housley <housley@vigilsec.com>, cfrg-chairs@ietf.org
CC: Tibor Jager <tibor.jager@upb.de>, "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>, Scott Fluhrer <sfluhrer@cisco.com>, crypto-panel@irtf.org, Bjoern Tackmann <bjoern.tackmann@ieee.org>
Message-ID: <63EBDE7B-4B7F-4E65-A2D1-7864071C7D4C@gmail.com>
Thread-Topic: [Crypto-panel] Stage 5 of PAKE selection process
References: <CAMr0u6kNUPCMTm2Y37Q0y4pt-PPneKJYb07dxuiF9g33Qj3f_Q@mail.gmail.com> <CEB3C6D3-7B2E-4BA0-90BC-D0BE237B2628@vigilsec.com>
In-Reply-To: <CEB3C6D3-7B2E-4BA0-90BC-D0BE237B2628@vigilsec.com>
Mime-version: 1.0
Content-type: multipart/mixed; boundary="B_3654861910_971338930"
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/IFtADguL13GxynZQLNDn6RBUeGw>
Subject: Re: [Crypto-panel] Stage 5 of PAKE selection process
X-BeenThere: crypto-panel@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <crypto-panel.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/crypto-panel/>
List-Post: <mailto:crypto-panel@irtf.org>
List-Help: <mailto:crypto-panel-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Oct 2019 12:25:17 -0000

Dear CFRG chairs,

Please see my review in the attached (two formats). 

Thanks,
	Yaron

PS: this is formatted as an I-D, but I have not submitted it, at least while the chairs are deliberating their selections.

On 24/10/2019, 20:00, "Crypto-panel on behalf of Russ Housley" <crypto-panel-bounces@irtf.org on behalf of housley@vigilsec.com> wrote:

    Reviewer: Russ Housley
    Review Date: 24 October 2019
    
    CFRG is looking for a PAKE to support TLS 1.3 and IKEv2.  TLS 1.3 has
    a very rigid handshake in terms of the number of messages that are
    exchanged.  IKEv2 has mechanisms to accomodate the exchange os many
    messages as part of authentication.  As a result, I focus on TLS 1.3.
    Any PAKE that will work with TLS 1.3 will also work with IKEv2.
    
    RECOMMENDATION: OPAQUE
    
    
    Observations about each of the candidates follow.
    
    
    J-PAKE
    
    J-PAKE requires significant computation, even when elliptic curve is
    used.
    
    J-PAKE has big messages, even when elliptic curve is used.
    
    J-PAKE is a two round (or three round) protocol, so it does not easily
    fit into the TLS handshake.
    
    
    CPace
    
    CPAKE requires two elliptic curve operations by each party, one to
    compute an ephemeral public value from the ephemeral random (private)
    value and one to compute the shared secret.
    
    CPake requires the pre-establishment of an session identifier (sid).
    Perhaps this is done when the password is established, but the
    requirements are not clear to me.  The sid is sent by both the initiator
    and the responder.  Assuming the sid is not bigger than an ephemeral
    public value, the message sizes seem reasonable.
    
    CPAKE is a one round protocol, so it easily fits into the TLS handshake.
    
    CPake requires a check that the "point order is sufficient for
    security parameter 2k".  I could not figure out the check to be
    performed.  Maybe I did not spend enough time searching for it ...
    
    
    AuCPace
    
    AuCPAKE requires two elliptic curve operations by each party, one to
    compute an ephemeral public value from the ephemeral random (private)
    value and one to compute the shared secret.
    
    AuCPake requires the pre-establishment of an session identifier (sid).
    Perhaps this is done when the password is established, but the
    requirements are not clear to me.  It also requires a sub-session
    identifier (ssid) that can be a concatenation of the nonces from the
    TLS handshake or computed from them.  Assuming the sid is not bigger
    than an ephemeral public value, the message sizes seem reasonable.
    
    AuCPAKE requires more than one round trip, so it does not easily fits
    into the TLS handshake.
    
    AuCPake requires a check that the "point order is sufficient for
    security parameter 2k".  I could not figure out the check to be
    performed.  Maybe I did not spend enough time searching for it ...
    
    
    OPAQUE
    
    OPAQUE computational cost is determined by OPRF, Diffie-Hellman, and
    authentication.  The OPRF requires two elliptic curve operations for the
    client and one for the server.  The Diffie-Hellman requires two elliptic
    curve operations for each party.  If authentication uses signature, then
    each party will have to generate and verify one signature.
    
    OPAQUE requires two private key operations by each party during
    registration, and then just one private key operation by each party
    to compute the shared secret.
    
    OPAQUE is a one round protocol; it easily fits into the TLS handshake.
    
    If one is willing to employ an extra round trip, OPAQUE can provide
    confidentiality of the user's name by encrypting it in the TLS
    handshake key.  It seems like this could be implemented as TLS-in-TLS.
    
    OPAQUE needs an AEAD that includes "key committing".  AES-GCM mode does
    not provide this property, but I think that AES-KEY-WRAP mode does.  It
    seems straightforward to enhance an AEAD to get this property by adding
    a all-zero block to the plaintext and checking it on decryption.
    
    
    SPAKE2
    
    SPAKE2 computational cost is four elliptic curve operations for each
    party after the pre-provisioning takes place.
    
    SPAKE2 is a two round protocol, but the pre-provisioning will take place
    prior to any handshake, so it easily fits into the TLS handshake.  That
    said, if the point associated with the system-wide elements M and N
    become known, then an offline dictionary attack becomes possible.
    
    I found this part odd:
    
               TT = len(A) || A || len(B) || B || len(S) || S
                 || len(T) || T || len(K) || K || len(w) || w
    
       If an identity is absent, it is omitted from the transcript entirely.
    
    So, if A or B is absent, the inputs quite similar:
    
               TT = len(B) || B || len(S) || S || len(T) || T
                 || len(K) || K || len(w) || w
    
               TT = len(A) || A || len(S) || S || len(T) || T
                 || len(K) || K || len(w) || w
    
    Somehow, using a zero length for the missing identity seems safer:
    
               TT = len(nil)    || len(B) || B || len(S) || S
                 || len(T) || T || len(K) || K || len(w) || w
    
               TT = len(A) || A || len(nil)    || len(S) || S
                 || len(T) || T || len(K) || K || len(w) || w
    
    
    SPEKE
    
    SPEKE computational cost is two elliptic curve operations for each
    party.
    
    SPEKE is a one round protocol, so it easily fits into the TLS
    handshake.  Also, the TLS 1.3 Finished message provides the
    optional key confirmation.  Finally, identity and session-unique
    values are easily accommodated by the client and server Hello
    messages.
    
    
    VTBPEKE
    
    VTBPEKE computational cost is four elliptic curve operations for each
    party.
    
    VTBPEKE is not a one round protocol, cannot be accommodated by the
    TLS 1.3 handshake.
    
    VTBPEKE offers forward secrecy.  However, if the points associated with
    the system-wide element U and V become known, then an offline dictionary
    attack becomes possible.
    
    
    BSPAKE
    
    BSPAKE computational cost is five elliptic curve operations for the
    client and four elliptic curve operations for the server.
    
    BSPAKE requires two-round trips in the protocol, so it cannot be
    accommodated by the TLS 1.3 handshake.
    
    
     
    
    _______________________________________________
    Crypto-panel mailing list
    Crypto-panel@irtf.org
    https://www.irtf.org/mailman/listinfo/crypto-panel

v2.23.0 | Report a Bug | By Email