I went through the PAKE draft on TLS 1.3, and while I certainly appreciate the use of a PAKE within TLS, I would like to highlight one potential security issue that the working group needs to be aware of.
The draft has SPAKE2+ as its sole defined parameter set; SPAKE2+ has a rather interesting property that if the attacker can perform a single discrete log problem, in particular, compute the discrete log of N to the base of M, that is, find k such that kM = N, then the PAKE properties go away. That is, an active attacker can perform a single exchange, and then efficiently run through his dictionary of potential passwords and (as long as the correct password is in the dictionary) recover the password. Let me repeat this: if someone can solve a single discrete log problem (for example, if he has a slow Cryptographically Relevant Quantum Computer), then the attacker can immediately attack any SPAKE2+ implementation using that parameter set, anywhere in the world. If the working group endorses SPAKE2+, then they need to be aware of this, and should highlight it in the security considerations.
TLS mailing list -- tls@ietf.org