IETF Logo Mail Archive

Re: [http-auth] I-D Action: draft-ietf-httpauth-mutual-algo-00.txt

Yutaka OIWA <y.oiwa@aist.go.jp> Fri, 18 July 2014 08:31 UTC

Return-Path: <y.oiwa@aist.go.jp>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A4FD1A00B9 for <http-auth@ietfa.amsl.com>; Fri, 18 Jul 2014 01:31:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.679
X-Spam-Level:
X-Spam-Status: No, score=-3.679 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3cnGv9uZl6BU for <http-auth@ietfa.amsl.com>; Fri, 18 Jul 2014 01:31:30 -0700 (PDT)
Received: from na3sys010aog101.obsmtp.com (na3sys010aog101.obsmtp.com [74.125.245.70]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D8851A00B5 for <http-auth@ietf.org>; Fri, 18 Jul 2014 01:31:30 -0700 (PDT)
Received: from mail-vc0-f170.google.com ([209.85.220.170]) (using TLSv1) by na3sys010aob101.postini.com ([74.125.244.12]) with SMTP ID DSNKU8jbYTlaPBW3Sgf1YXPktAqWrG5+kQNn@postini.com; Fri, 18 Jul 2014 01:31:30 PDT
Received: by mail-vc0-f170.google.com with SMTP id lf12so6786103vcb.15 for <http-auth@ietf.org>; Fri, 18 Jul 2014 01:31:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aist.go.jp; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=VEeh5MKxNq69M2wLShRheCltIqfmnkhpE0OZoVIgSJQ=; b=EgRKrwG/sOAkb81JX241YOPQGJsgp89HRyY3SQc4StZnJuU+sFVWCNtq4qJF6bUaAW n8Do8NZI2+ExwjSB/b/AarfGvrGnIhlpDnMhj6WhOgwdqz+3NfdIz8LoTxjQ2wpeqBM8 nStSOCg2YmSuIlsgS9NzdRyC30R/W6RzvH5Cw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=VEeh5MKxNq69M2wLShRheCltIqfmnkhpE0OZoVIgSJQ=; b=Yx5zScDqSbQIzJgjK7VdfJ6GMHgmoguz0qUpotPtfOdVSjw0ejM7bGKnfqsgGErV1s dUX6yHmYFPovw5ZASpyU08vq2eyhJpBx6E9VE6wrsNlzBb1083HQRgJ9+dmgeCqX8CW6 XNoz0zyaMr9Q1RwWbDVzaF5gLa8G0XziTFnQdooA4KC6HoibKo+wvoW5ZV3wYO8wJcJK eig1YxuBfiTmMhvesbhqF/eP/aYSLPFl30xV14n4+HG4VysKPgZtLaMdABVV7uFLIUib hVRj9vR09H/m182HjxibFauTlA1GweJHdTwVIwj+ySCBzA9MZn37eCkCzIK9zlQhLmvH 0VXw==
X-Gm-Message-State: ALoCoQn2m4LeZasQ6XAal8ZdKBQ1z/Z2g/Qw84AdiHL14Yt+ALDu41Ylo0Nr2p9wZUiUHYrGCIT8/av+j2H8SAclJ+UWWU2QB0T0Of2ZbUIwDn7Dl2F8GupMr55TYOCxjPAp4cPe/xO2
X-Received: by 10.52.157.41 with SMTP id wj9mr2605404vdb.1.1405672289353; Fri, 18 Jul 2014 01:31:29 -0700 (PDT)
X-Received: by 10.52.157.41 with SMTP id wj9mr2605391vdb.1.1405672289239; Fri, 18 Jul 2014 01:31:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.58.154.198 with HTTP; Fri, 18 Jul 2014 01:31:09 -0700 (PDT)
In-Reply-To: <20140705124400.GA3684@LK-Perkele-VII>
References: <20140704220217.30291.17196.idtracker@ietfa.amsl.com> <20140705124400.GA3684@LK-Perkele-VII>
From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Fri, 18 Jul 2014 17:31:09 +0900
Message-ID: <CAMeZVwsM8s+XNPwFQ96XsmnLHgnb9UmsL9cu-1en_xKiBPYs1w@mail.gmail.com>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/OSmGRUGkp5xReg1C59l3WvtLFgc
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] I-D Action: draft-ietf-httpauth-mutual-algo-00.txt
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Jul 2014 08:31:32 -0000

Dear Ilari,

2014-07-05 21:44 GMT+09:00 Ilari Liusvaara <ilari.liusvaara@elisanet.fi>:

> Section 2.2&2.3:
>
> 2.2 has:
>> The value of K_s1 MUST satisfy 1 < K_s1 < q-1.  If this condition
>> is not held, the server MUST retry using another value for S_s1.
>
> And 2.3:
>> The value of K_s1 MUST represent a valid curve point and satisfy
>> [4] * P'(K_s1) <> 0_E. If this condition is not satisfied, the
>> server MUST retry using another value for S_s1.
>
> If K_c1 has certain relationship (extremely unlikely) with
> J(pi), that will fail over and over again (no S_s1 works).
>
> Values of S_s1 that don't work are AFAICT very rare anyway (making
> failures be dominated by all sorts of calculation errors in K_s1).

I've checked and analyzed our current draft and original ISO specification.
Current our specification is exactly corresponding to the
original spec in this aspect.

However, as you have mentioned,

If (J(pi) + [t_1] * K_c1') = 0_E or similar, the K_s1 will always be 0_E,
regardless of the choice of S_s1.
The value t_1 is also derived from K_c1 using a hash function.
If this happens, it causes a denial-of-service condition on server-side.
It depends on how J(pi) is stored in the server-side.

If J(pi) is computed on server-side from the plain-text password pi,
finding S_c1 which causes this problem is pretty hard.
It can be done off-line by clients, but it requires brute-force search on
the whole candidates of S_c1.

However, if J(pi) is provided from client-side, it is easy to cause
the problematic condition, by
 * choose an arbitrary S_c1 randomly,
 * compute J as -([t_1] * K_c1'), and send it to server as J(pi),
 * talk to server with per-determined S_c1.
The similar problem also exists in DL setting.
Verifying whether J is valid (correctly derived from some
plain-text password pi) is impossible.

Could someone double-check my observations above?

The fix is quite easy in one of two ways:
 * check that [4] * (J(pi) + [t_1] * K_c1') <> 0_E upon
    reception of K_c1, or
 * limit number of retries of S_s1 selection (to some small numbers).
In either ways, if the client is not malicious, possibility of
invoking this condition accidentally is cryptographically negligible.
I'll incorporate one of these additional checks into the next revision.

-- 
Yutaka OIWA, Ph.D.                 Leader, System Life-cycle Research Group
                               Research Institute for Secure Systems (RISEC)
     National Institute of Advanced Industrial Science and Technology (AIST)
                       Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]

v2.23.0 | Report a Bug | By Email