IETF Logo Mail Archive

Re: [kitten] SPAKE Preauth

Nico Williams <nico@cryptonector.com> Fri, 01 May 2015 21:15 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA1881A009B for <kitten@ietfa.amsl.com>; Fri, 1 May 2015 14:15:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.233
X-Spam-Level:
X-Spam-Status: No, score=0.233 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TJ_rHgAup7Vn for <kitten@ietfa.amsl.com>; Fri, 1 May 2015 14:15:05 -0700 (PDT)
Received: from homiemail-a31.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id CE7D51A0033 for <kitten@ietf.org>; Fri, 1 May 2015 14:15:05 -0700 (PDT)
Received: from homiemail-a31.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a31.g.dreamhost.com (Postfix) with ESMTP id 8AD3D202038; Fri, 1 May 2015 14:15:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=HWqXo3eeqjBPCm 0fqu1cIDm2fKI=; b=hvTDBSfeVtQbOfdOw32CaThjvg0NRZo7gsrGKUqSDnWHer /ksCuLX7w1xB8o6S1QZ5VEeF0nlRpWXiTC5EgsWAYOOoqrwEiJQMHJXElZjFqB+c FuktldiJF0hVK8eyUILexgY7QsJ71JPPXplooVoJsnqw7++dZebwI4HXirhpQ=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a31.g.dreamhost.com (Postfix) with ESMTPA id 28729202022; Fri, 1 May 2015 14:15:05 -0700 (PDT)
Date: Fri, 01 May 2015 16:15:04 -0500
From: Nico Williams <nico@cryptonector.com>
To: Benjamin Kaduk <kaduk@MIT.EDU>
Message-ID: <20150501211503.GA10065@localhost>
References: <1430138754.2682.10.camel@redhat.com> <553FA2B3.8030301@mit.edu> <alpine.GSO.1.10.1504281531500.22210@multics.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.GSO.1.10.1504281531500.22210@multics.mit.edu>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/4zlNw14mL9jYe8ugYW71O0tupmA>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] SPAKE Preauth
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 May 2015 21:15:06 -0000

On Tue, Apr 28, 2015 at 05:53:01PM -0400, Benjamin Kaduk wrote:
> "can't tell which factor was guessed incorrectly" seems like a pretty
> important property (I would be really excited to see a scheme with this
> property get deployed!), but it does not seem to be mentioned in the
> current section 1.2 text.  (It does talk about avoiding
> ciphertexts^Wpackets which are vulnerable to offline brute-force attack,
> but I don't see anything mentioning the online attack as well.)  Hmm, this
> is mentioned in the security considerations, at least.  I think it should
> be more prominent earlier in the document.
> 
> However, it seems like the text at the end of section 4.3 wherein "[i]f
> validation of the second factor requires furthe round-trips, the KDC MUST
> reply to the client with KDC_ERR_MORE_PREAUTH_DATA_REQUIRED [...]" loses
> the indistinguishability property, as the encrypted SPAKESecondFactor
> would not be generated if the long-term key (password) was incorrect.
> This seems inherent to second factors which require multiple round trips
> to validate, though, so maybe we have to make a choice of the tradeoff.

Yes.  And 4.4 makes it worse because continued 2nd factor exchanges use
EncryptedData, including from the AS to the client (which can then
confirm that its choice of password guess was incorrect).

The fix for this is to send AS->client 2nd factor continuations in the
clear if at all possible.  Which means that in the AS->client 3rd and
subsequent passes we need a CHOICE of OCTET STRING or EncryptedData, or
perhaps allow the use of the null enctype in the AS->client 2nd factor
EncryptedData.

The AS will know as soon as it tries to decrypt the client's 2nd factor
(whose EncryptedData functions as a proof of possession) that the client
doesn't know the password.  In this case the AS should continue and
process _a_ 2nd factor as much as possible as if the password was right.
The AS could do this by arranging to have a special user account (so as
not to lock out the real user) for testing bogus second factors, and
using a random or constant 2nd factor for this.

Nico
--

v2.23.0 | Report a Bug | By Email