public inbox for govpn-devel@lists.cypherpunks.ru
* [Govpn-devel] Security issues in protocol
From: Watson Ladd @ 2015-05-04  1:59 UTC
  To: govpn-devel

Dear all,

It's possible for an attacker to mount an offline-guessing attack
against A-EKE as follows. First, the attacker compiles a list of all
possible DSA keys from a given list of passwords. Secondly, for each
key, the attacker determines if decryption with that key would produce
a valid Curve25519 public key. Only half of all thirty-two byte
strings are valid keys, so on average this removes half the
possibilities each time.

After observing approximately 40 or so exchanges, the attacker has
recovered the key.

This attack can be prevented by using Elligator, or by using
alternative PAKE schemes which are proved to be secure such as SPAKE2.

Sincerely,
Watson Ladd


* Re: [Govpn-devel] Security issues in protocol
From: stargrave @ 2015-05-04  7:57 UTC
  To: govpn-devel


Greetings!

*** Watson Ladd <watsonbladd@gmail•com> [2015-05-04 05:00]:
>It's possible for an attacker to mount an offline-guessing attack
>against A-EKE as follows. First, the attacker compiles a list of all
>possible DSA keys from a given list of passwords. Secondly, for each
>key, the attacker determines if decryption with that key would produce
>a valid Curve25519 public key. Only half of all thirty-two byte
>strings are valid keys, so on average this removes half the
>possibilities each time.

GoVPN's DSA keypairs are generated not directly from the password, but
from PBKDF2 applied to it. And you have to provide a salt (that equals
the client's id). You cannot pre-build possible keys without knowing the
exact salt, which is not sent on the wire in clear.

Maybe I am wrong, but it seems it is only applicable if the salt (the
client's identity) is known.

>This attack can be prevented by using Elligator, or by using
>alternative PAKE schemes which are proved to be secure such as SPAKE2.

Thanks for the suggestion! Currently I will look at Elligator more
closely, because the fact that curve public keys are distinguishable
from random is annoying.

-- 
Happy hacking, Sergey Matveev


* Re: [Govpn-devel] Security issues in protocol
From: stargrave @ 2015-05-04 12:01 UTC
  To: govpn-devel


*** Watson Ladd <watsonbladd@gmail•com> [2015-05-04 05:00]:
>This attack can be prevented by using Elligator, or by using
>alternative PAKE schemes which are proved to be secure such as SPAKE2.

Elligator encoding is applied to the DH public key before its encryption
in the development branch. So, as far as I understand, we cannot
determine successful decryption of the DH public key when guessing
passwords.

Do you mind if I mention you on the Thanks page for your suggestion and
pointing this issue out? If so, should I specify your email address?

-- 
Happy hacking, Sergey Matveev

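The attack from Watson's first message and the Elligator fix from Sergey's second reply, as an added example that is not GoVPN's code. It models one client-to-server message of an EKE-style exchange: the client's Curve25519 public value is encrypted under a PBKDF2-derived password key, and the attacker, who is assumed to know the salt (the client id, the precondition Sergey points out), decrypts each observed message under every candidate password and keeps only the candidates whose plaintext is a valid curve x-coordinate. With the raw x-coordinate on the wire, each exchange halves the candidate set; with an Elligator 2 representative on the wire, every 32-byte string decodes to a curve point and the filter learns nothing. The XOR stream cipher keyed by SHA-256(key || nonce), the salt `b"client-id"`, the candidate password list, and sampling a random on-curve x instead of computing k*G are all stand-ins chosen for the example; `elligator_encode`/`elligator_decode` are a direct x-only implementation of the Curve25519 Elligator 2 map with non-square u = 2.

```python
"""Toy model of the offline guessing attack described in the thread, and the
Elligator 2 fix. Not GoVPN's code: cipher, salt and key sampling are stand-ins."""
import hashlib
import secrets

P = 2**255 - 19
A = 486662                 # Montgomery coefficient of Curve25519
SALT = b"client-id"        # stand-in for the client identity used as PBKDF2 salt
MASK254 = (1 << 254) - 1


def is_square(n):
    """Euler criterion; 0 counts as a square."""
    n %= P
    return n == 0 or pow(n, (P - 1) // 2, P) == 1


def on_curve(x):
    """True iff x is the x-coordinate of a point on Curve25519 (not its twist).
    For a uniformly random 32-byte string this holds about half the time."""
    return is_square((x**3 + A * x * x + x) % P)


def sqrt_mod_p(n):
    """Square root mod p for p = 5 (mod 8); caller guarantees n is a square."""
    r = pow(n, (P + 3) // 8, P)
    if r * r % P != n % P:
        r = r * pow(2, (P - 1) // 4, P) % P   # multiply by sqrt(-1)
    return r


# Elligator 2 for Curve25519 (non-square u = 2), x-coordinate only.
def elligator_encode(x):
    """Representative for x, or None if x is not encodable (about half of all points)."""
    if x == 0 or (x + A) % P == 0:
        return None
    t = (-(x + A) * pow(2 * x, P - 2, P)) % P     # r^2 = -(x+A) / (2x)
    if not is_square(t):
        return None
    r = sqrt_mod_p(t)
    r = min(r, P - r)                             # canonical root, fits in 254 bits
    return r | (secrets.randbits(2) << 254)       # random top bits so the string looks uniform


def elligator_decode(r):
    """Map any 254-bit string to a curve x-coordinate (every input decodes)."""
    r &= MASK254
    v = (-A * pow(1 + 2 * r * r, P - 2, P)) % P
    eps = 1 if is_square((v**3 + A * v * v + v) % P) else -1
    return (eps * v - (1 - eps) * A * pow(2, P - 2, P)) % P


def random_point_x():
    """Random x on the curve by rejection sampling (stand-in for computing k*G)."""
    while True:
        x = secrets.randbelow(P)
        if on_curve(x):
            return x


def kdf(password):
    return hashlib.pbkdf2_hmac("sha256", password, SALT, 1000, 32)


def xor_stream(key, nonce, data):
    """Stand-in stream cipher: XOR with a SHA-256(key || nonce) keystream."""
    ks = hashlib.sha256(key + nonce).digest()
    return bytes(a ^ b for a, b in zip(data, ks))


def client_message(password, use_elligator):
    """One client -> server message: the encrypted DH public value."""
    while True:
        x = random_point_x()
        payload = elligator_encode(x) if use_elligator else x
        if payload is not None:
            break
    nonce = secrets.token_bytes(16)
    return nonce, xor_stream(kdf(password), nonce, payload.to_bytes(32, "little"))


def offline_filter(candidates, messages, use_elligator):
    """Watson's attack: drop every candidate whose decryption is not a valid public value."""
    keys = {pw: kdf(pw) for pw in candidates}
    alive = set(candidates)
    for nonce, ct in messages:
        for pw in list(alive):
            val = int.from_bytes(xor_stream(keys[pw], nonce, ct), "little")
            if use_elligator:
                val = elligator_decode(val)      # always lands on the curve: no filtering
            if not on_curve(val):
                alive.discard(pw)
    return alive


def simulate(n_exchanges, use_elligator, n_candidates=64):
    """Candidates surviving n observed exchanges; the true password always survives."""
    candidates = [b"password%02d" % i for i in range(n_candidates)]   # constructed list
    real = candidates[17]
    messages = [client_message(real, use_elligator) for _ in range(n_exchanges)]
    alive = offline_filter(candidates, messages, use_elligator)
    assert real in alive
    return len(alive)


if __name__ == "__main__":
    print("raw x-coordinate, 40 exchanges:", simulate(40, False))   # 1
    print("Elligator,        40 exchanges:", simulate(40, True))    # 64
```

Two caveats a practitioner should keep in mind. First, the canonical Elligator representative is smaller than 2^254, so a 32-byte encoding with zero top bits would itself be distinguishable from random; the example fills those two bits randomly and masks them off before decoding. Second, only about half of all curve points are encodable, so the honest party must regenerate its ephemeral key until `elligator_encode` succeeds, which is what the loop in `client_message` does.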
