public inbox for govpn-devel@lists.cypherpunks.ru
From: Watson Ladd <watsonbladd@gmail•com>
To: govpn-devel@lists.cypherpunks.ru
Subject: [Govpn-devel] Security issues in protocol
Date: Sun, 3 May 2015 18:59:13 -0700
Message-ID: <CACsn0cmneZx8pq76dApMvVCmq-zxPB1i8O8rxt9aRcsMjSwBEQ@mail.gmail.com>

Dear all,

It's possible for an attacker to mount an offline-guessing attack
against A-EKE as follows. First, the attacker compiles a list of all
possible DSA keys from a given list of passwords. Secondly, for each
key, the attacker determines if decryption with that key would produce
a valid Curve25519 public key. Only half of all thirty-two byte
strings are valid keys, so on average this removes half the
possibilities each time.

After observing approximately 40 or so exchanges, the attacker has
recovered the key.

This attack can be prevented by using Elligator, or by using
alternative PAKE schemes which are proved to be secure such as SPAKE2.

Sincerely,
Watson Ladd

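The filtering step in the message is easy to reproduce. What follows is an added simulation written for this page, not code from GoVPN or from anyone in this thread. It models A-EKE's password-keyed encryption with deliberate simplifications (all of these are assumptions, not the real wire format): the password-derived key is SHA-256(password); the Curve25519 public key is XORed with SHA-256(key || nonce), the nonce being sent in the clear; and the honest party's public key is stood in for by a random u-coordinate on Curve25519. The attacker's check is the one the message relies on: a 32-byte string is a plausible public key only if u^3 + 486662u^2 + u is a square mod 2^255 - 19, which holds for about half of all strings, so every captured exchange halves the surviving dictionary.

```python
"""Offline dictionary attack on a password-encrypted Curve25519 public key.

Simplifying assumptions (not GoVPN's real construction):
  * key_from_password(): SHA-256(password) stands in for the real KDF
  * encryption: pk XOR SHA-256(key || nonce), nonce sent in the clear
  * "valid public key": the u-coordinate lies on Curve25519 itself
"""
import hashlib
import random

P = 2**255 - 19          # Curve25519 field prime
A = 486662               # Montgomery coefficient: v^2 = u^3 + A u^2 + u


def key_from_password(password: str) -> bytes:
    # Assumption: plain SHA-256. A slow KDF only scales the attacker's
    # cost; it cannot stop an attack that needs no online oracle.
    return hashlib.sha256(password.encode()).digest()


def xor_with_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Assumption: toy stream cipher, 32-byte keystream from key and nonce.
    stream = hashlib.sha256(key + nonce).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def is_curve25519_x(pk: bytes) -> bool:
    """True if pk decodes to a u-coordinate on Curve25519 (not its twist)."""
    u = int.from_bytes(pk, "little") & ((1 << 255) - 1)  # X25519 ignores top bit
    u %= P
    v = (u**3 + A * u * u + u) % P
    return v == 0 or pow(v, (P - 1) // 2, P) == 1         # Euler's criterion


def random_curve25519_x(rng: random.Random) -> bytes:
    # Stand-in for an honest public key: random u-coordinate on the curve.
    while True:
        cand = bytearray(rng.getrandbits(256).to_bytes(32, "little"))
        cand[31] &= 0x7F
        if is_curve25519_x(bytes(cand)):
            return bytes(cand)


def observe_exchanges(password: str, n: int, rng: random.Random):
    """Passively capture n encrypted public keys sent under one password."""
    key = key_from_password(password)
    transcript = []
    for _ in range(n):
        nonce = rng.getrandbits(128).to_bytes(16, "little")
        pk = random_curve25519_x(rng)
        transcript.append((nonce, xor_with_keystream(key, nonce, pk)))
    return transcript


def offline_guess(dictionary, transcript):
    """Return (surviving passwords, number of exchanges consumed)."""
    keys = {pw: key_from_password(pw) for pw in dictionary}  # precompute once
    survivors = list(dictionary)
    used = 0
    for nonce, ct in transcript:
        used += 1
        # Keep only the passwords whose trial decryption is a curve point.
        survivors = [pw for pw in survivors
                     if is_curve25519_x(xor_with_keystream(keys[pw], nonce, ct))]
        if len(survivors) <= 1:
            break
    return survivors, used


def fraction_valid(samples: int, seed: int) -> float:
    """Share of random 32-byte strings that pass the curve check (about 1/2)."""
    rng = random.Random(seed)
    hits = sum(is_curve25519_x(rng.getrandbits(256).to_bytes(32, "little"))
               for _ in range(samples))
    return hits / samples


def demo(seed: int = 2015):
    # Constructed dictionary of 4096 candidates; the real password is among them.
    rng = random.Random(seed)
    dictionary = [f"password{i}" for i in range(4096)]
    secret = "password1337"
    transcript = observe_exchanges(secret, 40, rng)
    return offline_guess(dictionary, transcript)


if __name__ == "__main__":
    survivors, used = demo()
    print(f"recovered {survivors} after {used} observed exchanges")
    print(f"fraction of random strings that look like keys: {fraction_valid(2000, 1):.3f}")
```

Each captured exchange removes about half of the remaining candidates, so a dictionary of N passwords is reduced to one after roughly log2(N) exchanges plus a small margin; for the 4096-entry dictionary above that is around 13 exchanges, and 40 is ample for dictionaries far larger. Elligator defeats the check by encoding the public key as a string indistinguishable from uniform, so trial decryption under a wrong password no longer fails the curve test.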

Thread overview: 3+ messages
2015-05-04  1:59 Watson Ladd [this message]
2015-05-04  7:57 ` [Govpn-devel] Security issues in protocol stargrave
2015-05-04 12:01 ` stargrave