From: stargrave@stargrave.org
To: govpn-devel@lists.cypherpunks.ru
Date: Mon, 4 May 2015 10:57:57 +0300
Message-ID: <20150504075757.GA79157@stargrave.org>
Subject: Re: [Govpn-devel] Security issues in protocol
Organization: cypherpunks.ru
OpenPGP: id=E49857EF; url=http://www.stargrave.org/pubkey.txt

Greetings!

*** Watson Ladd [2015-05-04 05:00]:
> It's possible for an attacker to mount an offline-guessing attack
> against A-EKE as follows. First, the attacker compiles a list of all
> possible DSA keys from a given list of passwords. Secondly, for each
> key, the attacker determines if decryption with that key would produce
> a valid Curve25519 public key. Only half of all thirty-two byte
> strings are valid keys, so on average this removes half the
> possibilities each time.

GoVPN's DSA keypairs are generated not directly from the password, but
from PBKDF2 applied to it. And you have to provide a salt (that equals
the client's id). You cannot pre-build possible keys without knowing the
exact salt, which is not sent on the wire in the clear. Maybe I am wrong,
but it seems it is only applicable if salt=client's identity is known.

> This attack can be prevented by using Elligator, or by using
> alternative PAKE schemes which are proved to be secure such as SPAKE2.

Thanks for the suggestion! Currently I will look at Elligator more
closely, because the fact that public key curves are distinguishable
from random is annoying.

-- 
Happy hacking,
Sergey Matveev
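The two facts the thread turns on, as an added example that is neither GoVPN's code nor anything posted in the thread: the quoted claim that only about half of all 32-byte strings decode to a valid Curve25519 x-coordinate (which is why raw public keys are distinguishable from random and why Elligator is being considered), and the reply's point that a PBKDF2 output is bound to its salt. The field and curve constants are Curve25519's; the iteration count, hash function, password and client identifiers are constructed for illustration and are not GoVPN's actual parameters.

```python
"""Added example, not GoVPN's own code: quantify the distinguishability of
Curve25519 x-coordinates from random 32-byte strings, and show that a
PBKDF2-derived secret depends on its salt. Constants P and A are Curve25519's;
everything else (iteration count, hash, sample identifiers) is constructed."""
import hashlib
import random

P = 2**255 - 19   # Curve25519 field prime
A = 486662        # Montgomery coefficient: y^2 = x^3 + A*x^2 + x


def is_square(n: int) -> bool:
    """Euler's criterion: n is a quadratic residue mod P (0 counts as a square)."""
    n %= P
    return n == 0 or pow(n, (P - 1) // 2, P) == 1


def is_curve25519_x(blob: bytes) -> bool:
    """True if the 32-byte little-endian value is an x-coordinate on Curve25519
    itself (rather than on its quadratic twist). X25519 ignores the top bit of
    the last byte, so it is cleared before reduction, as implementations do."""
    if len(blob) != 32:
        raise ValueError("expected 32 bytes")
    x = (int.from_bytes(blob, "little") & ((1 << 255) - 1)) % P
    rhs = (x * x * x + A * x * x + x) % P
    return is_square(rhs)


def fraction_on_curve(samples: int, seed: int = 1234) -> float:
    """Fraction of pseudo-random 32-byte strings that pass is_curve25519_x.
    A fixed seed keeps the measurement reproducible; the value sits near 0.5,
    which is the bias the quoted message describes."""
    rng = random.Random(seed)
    hits = sum(
        is_curve25519_x(rng.getrandbits(256).to_bytes(32, "little"))
        for _ in range(samples)
    )
    return hits / samples


def derive_key_seed(password: bytes, client_id: bytes,
                    iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA512 with the client identifier as salt (constructed
    parameters, not GoVPN's). The output depends on both inputs, so candidate
    keys computed from passwords alone do not match without the right salt."""
    return hashlib.pbkdf2_hmac("sha512", password, client_id, iterations, dklen=32)


if __name__ == "__main__":
    print("x = 9 (base point) on curve:", is_curve25519_x((9).to_bytes(32, "little")))
    print("fraction of random strings on curve:", fraction_on_curve(4000))
    same_pw_a = derive_key_seed(b"correct horse", b"alice", 1000)
    same_pw_b = derive_key_seed(b"correct horse", b"bob", 1000)
    print("same password, different client id, same seed:", same_pw_a == same_pw_b)
```

Points on the twist are not an error in X25519 (the function works on any x), so the test is a pure distinguisher check; an Elligator-style encoding makes every 32-byte string decode to a valid point, which is what removes the bias.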