IETF Logo Mail Archive

Re: [kitten] SPAKE Preauth

Nathaniel McCallum <npmccallum@redhat.com> Fri, 01 May 2015 21:27 UTC

Return-Path: <npmccallum@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB5D11A005D for <kitten@ietfa.amsl.com>; Fri, 1 May 2015 14:27:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.911
X-Spam-Level:
X-Spam-Status: No, score=-5.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cvJh2ZMyPlQE for <kitten@ietfa.amsl.com>; Fri, 1 May 2015 14:27:06 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D938F1A0066 for <kitten@ietf.org>; Fri, 1 May 2015 14:27:05 -0700 (PDT)
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id t41LR4MB011736 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Fri, 1 May 2015 17:27:04 -0400
Received: from vpn-58-124.rdu2.redhat.com (vpn-58-124.rdu2.redhat.com [10.10.58.124]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t41LR3GG004843 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 1 May 2015 17:27:04 -0400
Message-ID: <1430515623.2514.16.camel@redhat.com>
From: Nathaniel McCallum <npmccallum@redhat.com>
To: Nico Williams <nico@cryptonector.com>
Date: Fri, 01 May 2015 17:27:03 -0400
In-Reply-To: <20150501212321.GC10065@localhost>
References: <1430138754.2682.10.camel@redhat.com> <553FA2B3.8030301@mit.edu> <alpine.GSO.1.10.1504281531500.22210@multics.mit.edu> <20150501211503.GA10065@localhost> <1430515138.2514.10.camel@redhat.com> <20150501212321.GC10065@localhost>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/U8NMtCx-9ilkzDsAoUKJ9RqHTkI>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] SPAKE Preauth
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 May 2015 21:27:07 -0000

On Fri, 2015-05-01 at 16:23 -0500, Nico Williams wrote:
> On Fri, May 01, 2015 at 05:18:58PM -0400, Nathaniel McCallum wrote:
> > On Fri, 2015-05-01 at 16:15 -0500, Nico Williams wrote:
> > > Yes.  And 4.4 makes it worse because continued 2nd factor 
> > > exchanges
> > > use EncryptedData, including from the AS to the client (which can
> > > then confirm that its choice of password guess was incorrect).
> > > 
> > > The fix for this is to send AS->client 2nd factor continuations 
> > > in
> > > the clear if at all possible.  Which means that in the AS->client
> > > 3rd and subsequent passes we need a CHOICE of OCTET STRING or
> > > EncryptedData, or perhaps allow the use of the null enctype in 
> > > the
> > > AS->client 2nd factor EncryptedData.
> > > 
> > > The AS will know as soon as it tries to decrypt the client's 2nd
> > > factor (whose EncryptedData functions as a proof of possession) 
> > > that
> > > the client doesn't know the password.  In this case the AS should
> > > continue and process _a_ 2nd factor as much as possible as if the
> > > password was right.  The AS could do this by arranging to have a
> > > special user account (so as not to lock out the real user) for
> > > testing bogus second factors, and using a random or constant 2nd
> > > factor for this.
> > 
> > I think this is overkill. Most continuations will have already
> > validated some aspect of the second factor. For instance, in 
> > HOTP/TOTP
> > continuations are used for synchronization of the token after the
> > validation of the initial token code.
> 
> It doesn't seem like overkill to me.  Unless the property that an
> attacker can't distinguish which factor was wrong is not that 
> important.
> 
> Note that AS implementations could just always send continuations as
> EncryptedData, leaking that way.  What I want is for it to be 
> possible
> to implement an AS that doesn't leak.

I don't think that is possible. The cost for sending data in the clear
to avoid leaking EncryptedData is the loss of integrity protection.

Nathaniel

v2.23.0 | Report a Bug | By Email