1) 12.4.4.2.2 and 12.4.4.3.2: Replace “When a direct form of hashing to discover the PWE is not signaled by the AP, or if the SAE initiator does not signal its use in its SAE Commit message” with “If the AP does not advertise support for the Extended RSN Capability SAE hash-to-element or the SAE initiator does not set Status Code to SAE_HASH_TO_ELEMENT in its SAE Commit message”.
“All operations shall be done in constant time” is really referring to all operations in the SSWU algorithm. This includes both the CSEL/CEQ functions that are explicitly noted as operating in constant time and all the mathematical operations. For me, “all operations” is pretty clear here, so I’m not sure what else to propose. One needs to be careful not to open the possibility for someone to interpret a more specific list of operations as something that would imply there are potential exceptions to this rule if something was not seen as being listed. For example, “All mathematical operations” would be confusing since it could leave LSB() out from the operations that shall be in constant time.
As a side note, the importance of all these operations being constant time (and really, constant memory access behavior to avoid the cache attacks) is much less important in H2E case compared to the hunting-and-pecking design since this calculation happens offline and an attacker has no means for inputting different data to it. In other words, it would be very difficult to do attacks similar to ones described in the Dragonblood paper since there would be only one data point that would provide timing or memory access differences based on the password and even if that same operation would be repeated multiple times, it would provide the exact same information since this part does not take in MAC addresses or anything else that can change between iterations. All that said, it would still be appropriate to state that the operations need to be done in constant time."
I'd like to request some agenda time today or tomorrow to discuss this response and I intend to make a motion this week to adopt this proposal.
Cheers,
Mike
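The CSEL, CEQ and LSB primitives the quoted response refers to, written branch-free in C as an added illustration (not code from this thread or from the 802.11 draft). The final sign-fixing routine is my assumed rendering of the last SSWU step (keep y when LSB(y) equals LSB(u), else use p - y); the limb count and the sample values are constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Field elements as little-endian 64-bit limbs; 4 limbs covers a 256-bit
 * prime such as the one used by SAE group 19 (P-256). Constructed layout. */
#define LIMBS 4
typedef uint64_t fe[LIMBS];

/* Expand the low bit of cond into an all-ones (cond=1) or all-zeros mask. */
static uint64_t ct_mask(uint64_t cond) { return (uint64_t)0 - (cond & 1); }

/* CEQ(a, b): 1 if a == b, else 0. OR-accumulates every limb difference so
 * the running time does not depend on where (or whether) the values differ. */
uint64_t ceq(const fe a, const fe b) {
    uint64_t diff = 0;
    for (size_t i = 0; i < LIMBS; i++) diff |= a[i] ^ b[i];
    /* diff == 0 iff the top bit of (diff | -diff) is clear */
    return 1 ^ ((diff | (0 - diff)) >> 63);
}

/* CSEL(cond, x, y): out = x when cond == 1, y when cond == 0, via masking. */
void csel(uint64_t cond, const fe x, const fe y, fe out) {
    uint64_t m = ct_mask(cond);
    for (size_t i = 0; i < LIMBS; i++) out[i] = (x[i] & m) | (y[i] & ~m);
}

/* LSB(v): least significant bit of the integer v. */
uint64_t lsb(const fe v) { return v[0] & 1; }

/* neg = p - v with an explicit borrow chain (assumes 0 < v < p); no branch
 * on the data, only arithmetic and comparisons folded into the borrow. */
static void fe_sub_from_p(const fe p, const fe v, fe neg) {
    uint64_t borrow = 0;
    for (size_t i = 0; i < LIMBS; i++) {
        uint64_t t = p[i] - v[i];
        uint64_t b1 = p[i] < v[i];
        uint64_t r = t - borrow;
        uint64_t b2 = t < borrow;
        neg[i] = r;
        borrow = b1 | b2;
    }
}

/* Assumed SSWU sign-fixing step: keep y if LSB(y) == LSB(u), else p - y.
 * Both candidates are always computed and CSEL picks one, so no branch
 * depends on the secret-derived values u or y. */
void sswu_fix_sign(const fe p, const fe u, const fe y, fe y_out) {
    fe neg; fe_sub_from_p(p, y, neg);
    fe l_u = {lsb(u)}, l_y = {lsb(y)};
    csel(ceq(l_u, l_y), y, neg, y_out);
}
```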
To unsubscribe from the STDS-802-11-TGM list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGM&A=1