Greetings! *** Watson Ladd [2015-05-04 05:00]: >It's possible for an attacker to mount an offline-guessing attack >against A-EKE as follows. First, the attacker compiles a list of all >possible DSA keys from a given list of passwords. Secondly, for each >key, the attacker determines if decryption with that key would produce >a valid Curve25519 public key. Only half of all thirty-two byte >strings are valid keys, so on average this removes half the >possibilities each time. GoVPN's DSA keypairs are generated not directly from the password, but from PBKDF2 applied to it. And you have to provide a salt (that equals to client's id). You can not pre-build possible keys without knowing exact salt, that is not sent on the wire in clear. Maybe I am wrong, but seems it is only applicable if salt=client's identity is know. >This attack can be prevented by using Elligator, or by using >alternative PAKE schemes which are proved to be secure such as SPAKE2. Thanks for the suggestion! Currently I will look on Elligator more closely, because the fast that public key curves are distinguishable from the random is annoying. -- Happy hacking, Sergey Matveev