[Crypto-panel] Stage 5 of PAKE selection process
Russ Housley <housley@vigilsec.com> Thu, 24 October 2019 17:00 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: crypto-panel@ietfa.amsl.com
Delivered-To: crypto-panel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 545DB120013 for <crypto-panel@ietfa.amsl.com>; Thu, 24 Oct 2019 10:00:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qWU8y-3YGvMP for <crypto-panel@ietfa.amsl.com>; Thu, 24 Oct 2019 10:00:33 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A9C01200B2 for <crypto-panel@irtf.org>; Thu, 24 Oct 2019 10:00:33 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id DBFF7300B24 for <crypto-panel@irtf.org>; Thu, 24 Oct 2019 13:00:31 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Edsv2N7HD3EI for <crypto-panel@irtf.org>; Thu, 24 Oct 2019 13:00:28 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (unknown [138.88.156.37]) by mail.smeinc.net (Postfix) with ESMTPSA id E90913002AD; Thu, 24 Oct 2019 13:00:27 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <CAMr0u6kNUPCMTm2Y37Q0y4pt-PPneKJYb07dxuiF9g33Qj3f_Q@mail.gmail.com>
Date: Thu, 24 Oct 2019 13:00:28 -0400
Cc: crypto-panel@irtf.org, Yaron Sheffer <yaronf.ietf@gmail.com>, Bjoern Tackmann <bjoern.tackmann@ieee.org>, Scott Fluhrer <sfluhrer@cisco.com>, Tibor Jager <tibor.jager@upb.de>, "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Content-Transfer-Encoding: 7bit
Message-Id: <CEB3C6D3-7B2E-4BA0-90BC-D0BE237B2628@vigilsec.com>
References: <CAMr0u6kNUPCMTm2Y37Q0y4pt-PPneKJYb07dxuiF9g33Qj3f_Q@mail.gmail.com>
To: cfrg-chairs@ietf.org
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/kJ1IA8EVbuaDqgnmyCwGXdBH4NQ>
Subject: [Crypto-panel] Stage 5 of PAKE selection process
X-BeenThere: crypto-panel@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <crypto-panel.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/crypto-panel/>
List-Post: <mailto:crypto-panel@irtf.org>
List-Help: <mailto:crypto-panel-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Oct 2019 17:00:36 -0000
Reviewer: Russ Housley
Review Date: 24 October 2019
CFRG is looking for a PAKE to support TLS 1.3 and IKEv2. TLS 1.3 has
a very rigid handshake in terms of the number of messages that are
exchanged. IKEv2 has mechanisms to accomodate the exchange os many
messages as part of authentication. As a result, I focus on TLS 1.3.
Any PAKE that will work with TLS 1.3 will also work with IKEv2.
RECOMMENDATION: OPAQUE
Observations about each of the candidates follow.
J-PAKE
J-PAKE requires significant computation, even when elliptic curve is
used.
J-PAKE has big messages, even when elliptic curve is used.
J-PAKE is a two round (or three round) protocol, so it does not easily
fit into the TLS handshake.
CPace
CPAKE requires two elliptic curve operations by each party, one to
compute an ephemeral public value from the ephemeral random (private)
value and one to compute the shared secret.
CPake requires the pre-establishment of an session identifier (sid).
Perhaps this is done when the password is established, but the
requirements are not clear to me. The sid is sent by both the initiator
and the responder. Assuming the sid is not bigger than an ephemeral
public value, the message sizes seem reasonable.
CPAKE is a one round protocol, so it easily fits into the TLS handshake.
CPake requires a check that the "point order is sufficient for
security parameter 2k". I could not figure out the check to be
performed. Maybe I did not spend enough time searching for it ...
AuCPace
AuCPAKE requires two elliptic curve operations by each party, one to
compute an ephemeral public value from the ephemeral random (private)
value and one to compute the shared secret.
AuCPake requires the pre-establishment of an session identifier (sid).
Perhaps this is done when the password is established, but the
requirements are not clear to me. It also requires a sub-session
identifier (ssid) that can be a concatenation of the nonces from the
TLS handshake or computed from them. Assuming the sid is not bigger
than an ephemeral public value, the message sizes seem reasonable.
AuCPAKE requires more than one round trip, so it does not easily fits
into the TLS handshake.
AuCPake requires a check that the "point order is sufficient for
security parameter 2k". I could not figure out the check to be
performed. Maybe I did not spend enough time searching for it ...
OPAQUE
OPAQUE computational cost is determined by OPRF, Diffie-Hellman, and
authentication. The OPRF requires two elliptic curve operations for the
client and one for the server. The Diffie-Hellman requires two elliptic
curve operations for each party. If authentication uses signature, then
each party will have to generate and verify one signature.
OPAQUE requires two private key operations by each party during
registration, and then just one private key operation by each party
to compute the shared secret.
OPAQUE is a one round protocol; it easily fits into the TLS handshake.
If one is willing to employ an extra round trip, OPAQUE can provide
confidentiality of the user's name by encrypting it in the TLS
handshake key. It seems like this could be implemented as TLS-in-TLS.
OPAQUE needs an AEAD that includes "key committing". AES-GCM mode does
not provide this property, but I think that AES-KEY-WRAP mode does. It
seems straightforward to enhance an AEAD to get this property by adding
a all-zero block to the plaintext and checking it on decryption.
SPAKE2
SPAKE2 computational cost is four elliptic curve operations for each
party after the pre-provisioning takes place.
SPAKE2 is a two round protocol, but the pre-provisioning will take place
prior to any handshake, so it easily fits into the TLS handshake. That
said, if the point associated with the system-wide elements M and N
become known, then an offline dictionary attack becomes possible.
I found this part odd:
TT = len(A) || A || len(B) || B || len(S) || S
|| len(T) || T || len(K) || K || len(w) || w
If an identity is absent, it is omitted from the transcript entirely.
So, if A or B is absent, the inputs quite similar:
TT = len(B) || B || len(S) || S || len(T) || T
|| len(K) || K || len(w) || w
TT = len(A) || A || len(S) || S || len(T) || T
|| len(K) || K || len(w) || w
Somehow, using a zero length for the missing identity seems safer:
TT = len(nil) || len(B) || B || len(S) || S
|| len(T) || T || len(K) || K || len(w) || w
TT = len(A) || A || len(nil) || len(S) || S
|| len(T) || T || len(K) || K || len(w) || w
SPEKE
SPEKE computational cost is two elliptic curve operations for each
party.
SPEKE is a one round protocol, so it easily fits into the TLS
handshake. Also, the TLS 1.3 Finished message provides the
optional key confirmation. Finally, identity and session-unique
values are easily accommodated by the client and server Hello
messages.
VTBPEKE
VTBPEKE computational cost is four elliptic curve operations for each
party.
VTBPEKE is not a one round protocol, cannot be accommodated by the
TLS 1.3 handshake.
VTBPEKE offers forward secrecy. However, if the points associated with
the system-wide element U and V become known, then an offline dictionary
attack becomes possible.
BSPAKE
BSPAKE computational cost is five elliptic curve operations for the
client and four elliptic curve operations for the server.
BSPAKE requires two-round trips in the protocol, so it cannot be
accommodated by the TLS 1.3 handshake.
- [Crypto-panel] Stage 5 of PAKE selection process Stanislav V. Smyshlyaev
- Re: [Crypto-panel] Stage 5 of PAKE selection proc… Russ Housley
- Re: [Crypto-panel] Stage 5 of PAKE selection proc… Yaron Sheffer
- Re: [Crypto-panel] Stage 5 of PAKE selection proc… Stanislav V. Smyshlyaev
- Re: [Crypto-panel] Stage 5 of PAKE selection proc… Stanislav V. Smyshlyaev
- Re: [Crypto-panel] Stage 5 of PAKE selection proc… Stanislav V. Smyshlyaev
- [Crypto-panel] Stage 5 of PAKE selection process Russ Housley
- Re: [Crypto-panel] Stage 5 of PAKE selection proc… Yaron Sheffer