From 03485c932cd333fccbdee21fae07768566d306b6 Mon Sep 17 00:00:00 2001 From: Kevin Lewi Date: Mon, 27 May 2024 17:43:13 -0700 Subject: [PATCH] Adding note on handling online guessing attacks --- draft-irtf-cfrg-opaque.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/draft-irtf-cfrg-opaque.md b/draft-irtf-cfrg-opaque.md index b2ce9136..72bc2e75 100644 --- a/draft-irtf-cfrg-opaque.md +++ b/draft-irtf-cfrg-opaque.md @@ -1893,7 +1893,9 @@ password as input to the OPRF. Furthermore, it is RECOMMENDED to incorporate additions provide domain separation for clients and servers; see {{security-analysis}}. -Finally, note that online guessing attacks (against any aPAKE) can be done from +## Handling Online Guessing Attacks + +Online guessing attacks (against any aPAKE) can be done from both the client side and the server side. In particular, a malicious server can attempt to simulate honest responses to learn the client's password. While this constitutes an exhaustive online attack, hence as expensive as an @@ -1903,6 +1905,14 @@ In such cases, these online attacks are limited to clients and the authenticated itself. Moreover, such a channel provides privacy of user information, including identity and envelope values. +Additionally, note that a client participating in the online login stage +will learn whether or not authentication is successful after receiving the +`KE2` message. This means that the server should treat any client which fails to +send a subsequent `KE3` message as an authentication failure. This can be handled +in applications that wish to track authentication failures by, for example, +assuming by default that any client authentication attempt is a failure unless a `KE3` +message is received by the server and passes `ServerFinish` without error. + ## Error Considerations Some functions included in this specification are fallible. For example, the
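Review bot: In the first hunk (@@ -1893,7 +1893,9 @@), the new "## Handling Online Guessing Attacks" heading sits at the same level as "## Error Considerations", so this text leaves the section it used to close and becomes a sibling section. The paragraph kept under the heading describes the attack from the client and server side and the effect of an authenticated channel, but not any handling. Consider a sentence after the heading saying that the section covers both the exposure and how applications should account for it. The first line is also short now that "Finally, note that" is gone, so rewrapping the paragraph would keep the source consistent with the lines around it.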
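Review bot: In the second hunk (@@ -1903,6 +1905,14 @@), "the server should treat any client which fails to send a subsequent `KE3` message as an authentication failure" uses lowercase "should", while the context in the first hunk uses the capitalized keyword "RECOMMENDED". Please decide whether this is a normative SHOULD or advisory text and word it accordingly. The paragraph would also be clearer if it said why the rule exists: the client learns the outcome after `KE2`, so a client that stops there has tested a password guess without the server seeing a failed `KE3`. Since no point is given at which a missing `KE3` counts as "fails to send", it would help to say that the failure is recorded when `KE2` is sent and cleared only once `ServerFinish` succeeds, which is what the "assuming by default" sentence implies.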