IETF Logo Mail Archive

Re: [kitten] SPAKE Preauth

Nathaniel McCallum <npmccallum@redhat.com> Fri, 01 May 2015 21:19 UTC

Return-Path: <npmccallum@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C5BB1A0069 for <kitten@ietfa.amsl.com>; Fri, 1 May 2015 14:19:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.012
X-Spam-Level:
X-Spam-Status: No, score=-4.012 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 126LCghtZtEF for <kitten@ietfa.amsl.com>; Fri, 1 May 2015 14:19:00 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B41F1A0033 for <kitten@ietf.org>; Fri, 1 May 2015 14:19:00 -0700 (PDT)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by mx1.redhat.com (Postfix) with ESMTPS id 288092BB398; Fri, 1 May 2015 21:19:00 +0000 (UTC)
Received: from vpn-58-124.rdu2.redhat.com (vpn-58-124.rdu2.redhat.com [10.10.58.124]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t41LIwDl006766 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 1 May 2015 17:18:59 -0400
Message-ID: <1430515138.2514.10.camel@redhat.com>
From: Nathaniel McCallum <npmccallum@redhat.com>
To: Nico Williams <nico@cryptonector.com>
Date: Fri, 01 May 2015 17:18:58 -0400
In-Reply-To: <20150501211503.GA10065@localhost>
References: <1430138754.2682.10.camel@redhat.com> <553FA2B3.8030301@mit.edu> <alpine.GSO.1.10.1504281531500.22210@multics.mit.edu> <20150501211503.GA10065@localhost>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/_wxctOF8dC5qvS0c5bwdtgYpUT0>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] SPAKE Preauth
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 May 2015 21:19:02 -0000

On Fri, 2015-05-01 at 16:15 -0500, Nico Williams wrote:
> On Tue, Apr 28, 2015 at 05:53:01PM -0400, Benjamin Kaduk wrote:
> > "can't tell which factor was guessed incorrectly" seems like a 
> > pretty
> > important property (I would be really excited to see a scheme with 
> > this
> > property get deployed!), but it does not seem to be mentioned in 
> > the
> > current section 1.2 text.  (It does talk about avoiding
> > ciphertexts^Wpackets which are vulnerable to offline brute-force 
> > attack,
> > but I don't see anything mentioning the online attack as well.) 
> >  Hmm, this
> > is mentioned in the security considerations, at least.  I think it 
> > should
> > be more prominent earlier in the document.
> > 
> > However, it seems like the text at the end of section 4.3 wherein 
> > "[i]f
> > validation of the second factor requires furthe round-trips, the 
> > KDC MUST
> > reply to the client with KDC_ERR_MORE_PREAUTH_DATA_REQUIRED [...]" 
> > loses
> > the indistinguishability property, as the encrypted 
> > SPAKESecondFactor
> > would not be generated if the long-term key (password) was 
> > incorrect.
> > This seems inherent to second factors which require multiple round 
> > trips
> > to validate, though, so maybe we have to make a choice of the 
> > tradeoff.
> 
> Yes.  And 4.4 makes it worse because continued 2nd factor exchanges 
> use
> EncryptedData, including from the AS to the client (which can then
> confirm that its choice of password guess was incorrect).
> 
> The fix for this is to send AS->client 2nd factor continuations in 
> the
> clear if at all possible.  Which means that in the AS->client 3rd and
> subsequent passes we need a CHOICE of OCTET STRING or EncryptedData, 
> or
> perhaps allow the use of the null enctype in the AS->client 2nd 
> factor
> EncryptedData.
> 
> The AS will know as soon as it tries to decrypt the client's 2nd 
> factor
> (whose EncryptedData functions as a proof of possession) that the 
> client
> doesn't know the password.  In this case the AS should continue and
> process _a_ 2nd factor as much as possible as if the password was 
> right.
> The AS could do this by arranging to have a special user account (so 
> as
> not to lock out the real user) for testing bogus second factors, and
> using a random or constant 2nd factor for this.

I think this is overkill. Most continuations will have already
validated some aspect of the second factor. For instance, in HOTP/TOTP
continuations are used for synchronization of the token after the
validation of the initial token code.

Nathaniel

v2.23.0 | Report a Bug | By Email