IETF Logo Mail Archive

Re: [TLS] Elliptic Curve J-PAKE

Watson Ladd <watsonbladd@gmail.com> Mon, 15 April 2019 15:53 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E637312038F for <tls@ietfa.amsl.com>; Mon, 15 Apr 2019 08:53:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RoOiy8-0OZ0n for <tls@ietfa.amsl.com>; Mon, 15 Apr 2019 08:53:50 -0700 (PDT)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4306812038B for <tls@ietf.org>; Mon, 15 Apr 2019 08:53:50 -0700 (PDT)
Received: by mail-lj1-x22e.google.com with SMTP id t4so7645576ljc.2 for <tls@ietf.org>; Mon, 15 Apr 2019 08:53:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9HYBJjFGxQ887vNRslrxKdWUA7foYJBSLHiyhlxFw2A=; b=h1gM9v6GP9jGgeiQw2rCbNU/mMyNnqmXFaUU4C3bXAaFSPESEkc7FD8EwIK4CYbZ3/ hOUhLPmHLeS2fvUfO61UMNWRFCNF1KSCWXtCJC6voNST0KWjkOupKpb8zwVdLPVtcDAC unNTpj2eisVG7HmxdXC3rjjNimkMI8VTysYTreHHhtnNxKhq2DJu9tfnlzugGpROtVu/ ewm0wNkQVmeOItn8jDl+QMIUd/b4LO/YwQ75Ft8wF/XGOQ2gT1rkhu+de+m1YmOB6g1i gIcCbXPsJXzI74tfswvvK7EnQZ2UwJc9AG6lSvLGZ/NdX5w3GV4jmlp3XH8+utr5chi2 ovAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9HYBJjFGxQ887vNRslrxKdWUA7foYJBSLHiyhlxFw2A=; b=LLI4DUdG/EpmDDerV7SoAFDzQJd/26jUPC0RUCuJ01dduN8rEPhL028keYosng/Rd6 VUj/AqZ9ezn077iQRnXZaniN8dha1iAdAltiXSKL9TezDvKMufUgb3gUwB0cA/095mLc Ir/iusA+vRMTkh8jGpH29HSlfIjrDjqrljUdCOeugD136uIPl5ln+8OJ6mN0DltiQ2YQ X7qi68L5V9oi5wTYc5YbJEvKeRJScWJnKJ55rHLOoRubdbGDCeHUBcWwXjeUlF6LHF0N v2NSzdpSSOlM6KfBka9Gwcb10pRccDWLVpAPUk2W8UnIhsuHACJv67vurbGLCOryzgsB Tj/Q==
X-Gm-Message-State: APjAAAWB92UGC9Aw8jWBKesrvu0CnAQh8XAJZF+eCpdT84IchzlSuRps GnVthhOKUfNI3g24WNElDyW9X6E+abYKuBE0PSM=
X-Google-Smtp-Source: APXvYqycbOHc/OlfPvRV2hhqJMbh6IDfGH4pP0JUZVaJ/FoPM6Nm7E0sZiqtf7q5UcwTvkPlX6a7wvHKblhPbIF5X40=
X-Received: by 2002:a2e:97d3:: with SMTP id m19mr1392259ljj.63.1555343628449; Mon, 15 Apr 2019 08:53:48 -0700 (PDT)
MIME-Version: 1.0
References: <VI1PR0801MB2112CFD46565F1BC8B3697D8FA5F0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CADi0yUP+xwWzej7+uvQCaO5xzvJOdwZ-0c-Ot7WF30R25jRxjQ@mail.gmail.com> <WM!3b68eb47588f67d9aaca229cf8c9e30dd2ddb828af3905daaa86a4172d790fff2ad158c5fb15a70a4484183790470a68!@mailhub-mx4.ncl.ac.uk> <6ADEC907-1273-41AF-A964-68E654103645@ncl.ac.uk> <WM!624962044e5b7753628d65d82a819fc287f20b66b28b7326bc1508f7f7d97f90cbf3d0c6dc796efa81e820d8dab51428!@mailhub-mx4.ncl.ac.uk> <CACsn0ckNiC27tbPr_QOboGuvQjsy+ERi2QuydD4pvW0JefnApQ@mail.gmail.com> <D8C1A660.42B1E%feng.hao@newcastle.ac.uk> <WM!c4e3c9f13abc7000dfbbde9eb12c9144d5d8234a17a0174a6949c158c95ffbaf8a2f24ff15a15f8486836962cd47d319!@mailhub-mx5.ncl.ac.uk> <WM!0582133d51ba80a26ba8d63cfde5c9963d11dc9f58798d78949e0216c82fa7d4d61faccee0685f9c317449bb1f65b1e7!@mailhub-mx1.ncl.ac.uk> <CACsn0cmgST5pCOy-OMVigW-MJvvnjcgO+tay3bhbnVG8YhrL-g@mail.gmail.com> <ED38F419-4251-4775-8F07-6877590EAEF0@live.warwick.ac.uk>
In-Reply-To: <ED38F419-4251-4775-8F07-6877590EAEF0@live.warwick.ac.uk>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 15 Apr 2019 08:53:34 -0700
Message-ID: <CACsn0cnOA11qHbVjC3fphkUTKjzP-0Ts4mOCj8D+vUJ-=MZTbQ@mail.gmail.com>
To: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
Cc: tls@ietf.org
Content-Type: multipart/alternative; boundary="0000000000007a3f62058693a817"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xYLF_B8FECPc-My3JYSoersa4m4>
Subject: Re: [TLS] Elliptic Curve J-PAKE
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2019 15:53:54 -0000

On Mon, Apr 15, 2019, 5:50 AM Hao, Feng <Feng.Hao@warwick.ac.uk> wrote:

> Hi Watson,
>
> On 15/04/2019, 00:39, "TLS on behalf of Watson Ladd" <
> tls-bounces@ietf.org on behalf of watsonbladd@gmail.com> wrote:
>
>     On Wed, Mar 27, 2019 at 11:36 PM Feng Hao <feng.hao@newcastle.ac.uk>
> wrote:
>     >
>     > Hi Watson,
>     >
>     > When the attacker knows the relation, besides the active attack,
> there may
>     > be other things he can exploit. This however is not usually analysed
> as by
>     > the assumption of the proof, this should never happen.
>
>     Random self-reducibility seems relevant here, as does the fact an
>     attacker should be able to solve any discrete logarithm problems over
>     a group one is using.
>
> OK, jargons apart - my point was about the assumption. If the relation of
> the two system generators is known, the assumption of the proof is
> violated, and the proof becomes invalid.
>
>     > You¹re correct that J-PAKE uses Shamir-Fiat heuristics, hence the
> proof is
>     > in ROM. The key design principle in J-PAKE is based on understanding
> the
>     > importance of zero-knowledge proof. The use of Shamir-Fiat
> heuristics to
>     > make ZKP non-interactive is a standard technique in cryptography. In
> the
>     > field of secure two/multi-party computation, ZKP is almost
> universally
>     > used in every protocol. However, in the field of PAKE, to my
> knowledge,
>     > J-PAKE is the only protocol that uses ZKP. On the other hand, if you
> think
>     > about PAKE, it¹s fundamentally a two-party secure computation
> problem on
>     > an equality function (with the side benefit that both sides produce a
>     > common session key when the equality holds).
>
>     This paragraph is not responsive to my assertion that ROM=> common
>     random string.
>
>     J-PAKE is an instance of a generic design approach where an honest but
>     curious protocol is transformed into a malicious party secure on
>     through adding proofs of correctness. Each of those proofs and
>     verifications is expensive. Hence J-PAKE is expensive. The security of
>     JPAKE versus SPAKE2 is the same: both are secure in the ROM.
>
> As explained earlier, the difference is the "assumption" in the proof.
> From the engineering perspective, we ought to prepare for the worst. When
> one specific instance of the discrete logarithm is resolved, there is a big
> difference between the class attack and the session attack. This is in no
> way to say the SPAKE2 draft that you're working on is not useful (on the
> contrary, I think it can be useful in some specific applications where the
> effect of a class attack is tolerable), but I just want to point out the
> factual differences between the two.
>

Attackers shouldn't be able to compute any discrete logs, and they cannot
go back and break old SPAKE2 sessions with that information (DH reduction I
should write up).


>     >
>     > Cheers,
>     > Feng
>     >
>     > On 27/03/2019, 20:08, "Watson Ladd" <watsonbladd@gmail.com> wrote:
>     >
>     > >On Wed, Mar 27, 2019 at 7:56 PM Feng Hao <feng.hao@newcastle.ac.uk>
> wrote:
>     > >>
>     > >> Hi Hugo,
>     > >>
>     > >>
>     > >>
>     > >> Thanks for your comments.
>     > >>
>     > >>
>     > >> Just to clarify the difference between SPAKE2 and J-PAKE - The
> proof of
>     > >>SPAKE2 depends on the assumption of a trusted setup: the discrete
>     > >>logarithm between the two group generators must be unknown by
> anyone.
>     > >
>     > >The above is not true: we rely on the common random string model,
> not
>     > >the common reference model. This matters for below.
>     > >
>     > >>If a powerful adversary (3 letter agency) gathers sufficient
> resources
>     > >>and time (say 1 year) to break one instance of discrete logarithm,
> it
>     > >>will be a class attack, breaking all >instances of SPAKE2 without
> anyone
>     > >>knowing it. By contrast, they can only break one session in J-PAKE,
>     > >>since by design the randomness is refreshed in every session
> >rather
>     > >>than being built into a static setup. This explain why J-PAKE
> requires
>     > >>more computation than SPAKE2. Hope it clarifies.
>     > >
>     > >I don't know of a JPAKE proof that doesn't rely on Shamir-Fiat
>     > >heuristic, which implies common random string. Your proof is in the
>     > >ROM no? Also I do not see how one recovers the password from past
>     > >sessions or recovers the negotiated key in this case: certainly an
>     > >active attack is possible knowing a relation!
>     > >
>     > >>
>     > >>
>     > >> Regards,
>     > >>
>     > >> Feng
>     > >>
>     > >>
>     > >>
>     > >> From: TLS <tls-bounces@ietf.org> on behalf of Hugo Krawczyk
>     > >><hugo@ee.technion.ac.il>
>     > >> Date: Wednesday, 27 March 2019 at 02:49
>     > >> To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
>     > >> Cc: "tls@ietf.org" <tls@ietf.org>
>     > >> Subject: Re: [TLS] Elliptic Curve J-PAKE
>     > >>
>     > >>
>     > >>
>     > >> Hi Hannes,
>     > >>
>     > >>
>     > >>
>     > >> J-PAKE is a symmetric PAKE. Both parties store the same password.
> It is
>     > >>not suitable for most client-server scenarios where using J-PAKE
> would
>     > >>mean that an attacker that breaks into the server simply steals all
>     > >>plaintext passwords. OPAQUE is an asymmetric (or augmented) PAKE
> where
>     > >>user remembers a password (and nothing else, including no public
> key of
>     > >>the server) while the server stores a one-way image of the
> password.
>     > >>Security requires that if the server is compromised, the attacker
> needs
>     > >>to run an offline dictionary attack for each user in the database
> to
>     > >>find the password.
>     > >>
>     > >>
>     > >>
>     > >> If what you need is a symmetric PAKE then there are better
> candidates
>     > >>than J-PAKE such as SPAKE2 described in draft-irtf-cfrg-spake2-08.
>     > >>SPAKE2 is *much* more efficient than J-PAKE and while both J-PAKE
> and
>     > >>SPAKE2 have proofs of security, SPAKE2 is proven in a stronger
> security
>     > >>model relative to J-PAKE.
>     > >>
>     > >>
>     > >>
>     > >> I am not aware of any advantage of J-PAKE over SPAKE2 - but I may
> be
>     > >>missing something. Maybe the PAKE presentation in cfrg will clarify
>     > >>these issues further.
>     > >>
>     > >>
>     > >>
>     > >> Hugo
>     > >>
>     > >>
>     > >>
>     > >>
>     > >>
>     > >>
>     > >>
>     > >> On Tue, Mar 26, 2019 at 1:03 PM Hannes Tschofenig
>     > >><Hannes.Tschofenig@arm.com> wrote:
>     > >>
>     > >> Hi all,
>     > >>
>     > >> in context of the OPAQUE talk by Nick today at the TLS WG meeting
> I
>     > >>mentioned that the Thread Group has used the Elliptic Curve J-PAKE
> for
>     > >>IoT device onboarding.
>     > >> Here is the draft written for TLS 1.2:
>     > >> https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01
>     > >>
>     > >> The mechanism is described in https://tools.ietf.org/html/rfc8236
>     > >>
>     > >> @Nick & Richard: Have a look at it and see whether it fits your
> needs.
>     > >>
>     > >> Ciao
>     > >> Hannes
>     > >>
>     > >> IMPORTANT NOTICE: The contents of this email and any attachments
> are
>     > >>confidential and may also be privileged. If you are not the
> intended
>     > >>recipient, please notify the sender immediately and do not
> disclose the
>     > >>contents to any other person, use it for any purpose, or store or
> copy
>     > >>the information in any medium. Thank you.
>     > >>
>     > >> _______________________________________________
>     > >> TLS mailing list
>     > >> TLS@ietf.org
>     > >> https://www.ietf.org/mailman/listinfo/tls
>     > >>
>     > >> _______________________________________________
>     > >> TLS mailing list
>     > >> TLS@ietf.org
>     > >> https://www.ietf.org/mailman/listinfo/tls
>     > >
>     > >
>     > >
>     > >--
>     > >"Man is born free, but everywhere he is in chains".
>     > >--Rousseau.
>     >
>
>
>     --
>     "Man is born free, but everywhere he is in chains".
>     --Rousseau.
>
>     _______________________________________________
>     TLS mailing list
>     TLS@ietf.org
>     https://www.ietf.org/mailman/listinfo/tls
>
>
>

v2.23.0 | Report a Bug | By Email