IETF Logo Mail Archive

Re: [TLS] draft on new TLS key exchange

Rene Struik <rstruik.ext@gmail.com> Fri, 07 October 2011 18:37 UTC

Return-Path: <rstruik.ext@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4B4921F8509 for <tls@ietfa.amsl.com>; Fri, 7 Oct 2011 11:37:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.421
X-Spam-Level:
X-Spam-Status: No, score=-2.421 tagged_above=-999 required=5 tests=[AWL=1.177, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nNzd0GMZOZUo for <tls@ietfa.amsl.com>; Fri, 7 Oct 2011 11:37:20 -0700 (PDT)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id 5836E21F8507 for <tls@ietf.org>; Fri, 7 Oct 2011 11:37:20 -0700 (PDT)
Received: by ggnk3 with SMTP id k3so3682067ggn.31 for <tls@ietf.org>; Fri, 07 Oct 2011 11:40:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:content-type; bh=C1P/BZQkUKEF7SLLrZThqkwnxKrqttQBJWHjHd1wwG8=; b=lTXVPocf3AArJkDJ+YaxS/LS2S4jmw8FP0xLzmJ0yGvW6khZAsDrgo7Emykxq1LDga HVYPAbmXTn62SPDsqx8CE1z8cSIbmkBjsreQc+CDyi3k+3jRHu0rtLkxsr9qjk+vR/eJ LnfdVx5xD8zfcG1y8nCDrNqOG6oTSz7RBj59E=
Received: by 10.101.193.17 with SMTP id v17mr1789292anp.75.1318012834330; Fri, 07 Oct 2011 11:40:34 -0700 (PDT)
Received: from [192.168.1.103] (CPE0013100e2c51-CM001cea35caa6.cpe.net.cable.rogers.com. [99.231.117.243]) by mx.google.com with ESMTPS id r12sm26909453anm.13.2011.10.07.11.40.32 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 07 Oct 2011 11:40:33 -0700 (PDT)
Message-ID: <4E8F4797.9000008@gmail.com>
Date: Fri, 07 Oct 2011 14:40:23 -0400
From: Rene Struik <rstruik.ext@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: mrex@sap.com
References: <201110071758.p97HwniX022621@fs4113.wdf.sap.corp>
In-Reply-To: <201110071758.p97HwniX022621@fs4113.wdf.sap.corp>
X-Enigmail-Version: 1.3.2
Content-Type: multipart/alternative; boundary="------------070807050900070700010805"
Cc: dhalasz@intwineenergy.com, tls@ietf.org
Subject: Re: [TLS] draft on new TLS key exchange
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Oct 2011 18:37:22 -0000

Dear colleagues:

The discussion re draft-harkins-tls-pwd-00 seems to focus on two
elements, viz.:
1) use case of password-based key agreement schemes and differentiation
w.r.t. other IETF work products (EKE, etc.);
2) the mapping from passwords to elliptic curve points.

As to #2, indeed, the procedure in Section 4.1.1 for mapping a password
to a point on the curve ("hunting and pecking") has indeed a
non-deterministic running time, due to "trial-and-error" approach and
may, therefore, by vulnerable to a side channel attack. Note, however,
that there are also deterministic methods for mapping a a value to a
curve as introduced, e.g., in the Crypto 2010 paper by Icart, Coron, et
al (cf. also IACR ePrint 2009-340) and the CRYPTO 2009 paper by Icart et
al. The CRYPTO 2009 paper discusses the probabilistic method Dan Harkins
describes (cf. Section 1.1 - Try and Increment Method; Section 5 -
Practical Implementations). Table 1 of Section 6 (Try and Increment v3)
provides results for an implementation that supposedly prevents
potential leakage of information from determining whether x^3 + a x + b
is a quadratic residue in GFp via the Legendre symbol computations.
Thus, that paper suggests that side channel resistance can be dealt
with, at the expense of time latency. The paper also illustrates that
the deterministic method for "hashing to a curve" has better performance
(again, refer to Table 1 of Section 6 of the CRYPTO 2009 paper).

I hope this helps.

Best regards, Rene


On 07/10/2011 1:58 PM, Martin Rex wrote:
> Dan Harkins wrote:
>> The relation-- yours is "faster" than the unknown one-- means nothing.
>> That knowledge doesn't help. Knowing how many iterations the hunting-
>> and-pecking loop went through to find PE for an unknown password might
>> but the relationship between two means nothing.  In fact, since both
>> sides are contributing randomness into the hunting-and-pecking loop
>> yours might be "faster" one time and considerably slower the next time.
>> That knowledge doesn't really help.
> The number of iterations for the hunting and pecking is visible in the
> timing unless a reliable response time blending is employed (which would
> have to account for an attacker running multiple requests in parallel to
> slow down server-side processing).
>
> Although both sides contribute randomness into the process, the only
> unknown in the low-entropy password, everything else is revealed.
> Since it is revealed, the attacker can use the timing "distance"
> between processing his own password and processing guessed passwords
> with the EXACT same parameters to sort out unlikely candidates.
>
> -Martin
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls


-- 
email: rstruik.ext@gmail.com
Skype: rstruik
cell: +1 (647) 867-5658
USA Google voice: +1 (415) 690-7363

v2.23.0 | Report a Bug | By Email