
Re: [STDS-802-11-TGM] Updates to document 11-19/1173



--- This message came from the IEEE 802.11 Task Group M Technical Reflector ---
Hi Mark,

Thanks for the comments. I posted https://mentor.ieee.org/802.11/dcn/19/11-19-1173-18-000m-pwe-in-constant-time.docx with updates you suggested with respect to the wording of the "If the AP does not advertise...." statements.

As we discussed during the Monday PM1 session, the consensus in TGmd was to leave the CSEL and CEQ operating in constant time statements unchanged. In addition, Jouni has responded with the following comment:

"While the CSEL/CEQ description may look a bit duplicative, I would like to note that these are references to a particular way of comparing and selecting values in a manner that minimizes differences in timing and memory access. They are known with those names and removing “constant time” from the description of the function would increase the likelihood of incorrect interpretation of someone who would design and implement the algorithm. The ‘C’ in those functions is indeed coming from this constant time design that was particularly developed for the purpose of preventing a wide category of side channel attacks. In other words, including “constant time” when defining CSEL/CEQ looks appropriate to me. Since the other operations in this algorithm need to be performed in constant time, there is a need for that more general shall requirement as well. IMHO, this combination is clear and removing “constant time” from the CSEL/CEQ definition or making the general statement about constant time requirement would increase the likelihood of the standard being understood incorrectly for the case where this really matters from the security viewpoint."

Therefore the document was not changed in r18.

Cheers,

Mike



On Tue, Sep 17, 2019 at 3:51 PM Mark Rison <m.rison@xxxxxxxxxxx> wrote:

Hello,

 

Thanks for this, Mike.

 

“All operations shall be done in constant time” is really referring to all operations in the SSWU algorithm. This includes both the CSEL/CEQ functions that are explicitly noted as operating in constant time and all the mathematical operations.

 

Then I think the explicit references to CSEL and CEQ operating in constant time should be deleted, since they are covered by the general statement, and the explicit references misleadingly imply that maybe some of the other operations do not in fact operate in constant time.

“If the AP does not advertise support for the Extended RSN Capability SAE hash-to-element or the SAE initiator does not set Status Code to SAE_HASH_TO_ELEMENT in its SAE Commit message”. 

Editorials: … does not indicate support for the SAE hash-to-element capability in its Extended RSN Capabilities field …

set the Status Code field …

 

Thanks,

 

Mark

 

--

Mark RISON, Standards Architect, WLAN   English/Esperanto/Français

Samsung Cambridge Solution Centre       Tel: +44 1223  434600

Innovation Park, Cambridge CB4 0DS      Fax: +44 1223  434601

ROYAUME UNI                             WWW: http://www.samsung.com/uk

 

From: ***** 802.11 REVm - Revision Maintainance List ***** <STDS-802-11-TGM@xxxxxxxx> On Behalf Of M Montemurro
Sent: 17 September 2019 08:41
To: STDS-802-11-TGM@xxxxxxxxxxxxxxxxx
Subject: [STDS-802-11-TGM] Updates to document 11-19/1173

 


I posted r16 of document 11-19/1173 based on the discussion yesterday:

 

The document updates include:

1) 12.4.4.2.2 and 12.4.4.3.2: Replace “When a direct form of hashing to discover the PWE is not signaled by the AP, or if the SAE initiator does not signal its use in its SAE Commit message” with “If the AP does not advertise support for the Extended RSN Capability SAE hash-to-element or the SAE initiator does not set Status Code to SAE_HASH_TO_ELEMENT in its SAE Commit message”. 

 

2) 12.4.4.2.3: remove the subscripts in the descriptive paragraph, changing x_1 and x_2 to x1 and x2.

 

3) 12.4.4.2.3: Fix the typo in the sentence: "All operations shall be done in constant time"

 

With respect to the normative statement quoted in 3), I consulted Jouni and he has the following response:

“All operations shall be done in constant time” is really referring to all operations in the SSWU algorithm. This includes both the CSEL/CEQ functions that are explicitly noted as operating in constant time and all the mathematical operations. For me, “all operations” is pretty clear here, so I’m not sure what else to propose. One needs to be careful not to open the possibility for someone to interpret a more specific list of operations as something that would imply there are potential exceptions to this rule if something was not seen as being listed. For example, “All mathematical operations” would be confusing since it could leave LSB() out from the operations that shall be in constant time.

 

As a side note, the importance of all these operations being constant time (and really, constant memory access behavior to avoid the cache attacks) is much less important in the H2E case compared to the hunting-and-pecking design since this calculation happens offline and an attacker has no means for inputting different data to it. In other words, it would be very difficult to do attacks similar to ones described in the Dragonblood paper since there would be only one data point that would provide timing or memory access differences based on the password and even if that same operation would be repeated multiple times, it would provide the exact same information since this part does not take in MAC addresses or anything else that can change between iterations. All that said, it would still be appropriate to state that the operations need to be done in constant time."

 

I'd like to request some agenda time today or tomorrow to discuss this response and I intend to make a motion this week to adopt this proposal.

 

Cheers,

 

Mike
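
The CSEL/CEQ behaviour described in Jouni's comments above, as an added C example that is not part of the thread or of the 802.11 text: branch-free equality and selection over fixed-length big-endian buffers, applied to a sign selection modelled on the last step of simplified SWU. The function signatures, the 0xFF/0x00 mask convention, `FE_LEN` and the toy values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FE_LEN 4 /* toy element size in bytes (constructed); real groups use 32 or more */

/* 0xFF if v == 0, else 0x00, with no data-dependent branch. */
static uint8_t mask_if_zero(uint8_t v) { return (uint8_t)(((uint32_t)v - 1u) >> 8); }

/* CEQ: 0xFF if a == b, else 0x00. Every byte is read wherever the first difference is. */
uint8_t ceq(const uint8_t *a, const uint8_t *b, size_t len) {
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return mask_if_zero(diff);
}

/* CSEL: out = y when mask is 0xFF, z when mask is 0x00. Both inputs are always read. */
void csel(uint8_t mask, const uint8_t *y, const uint8_t *z, uint8_t *out, size_t len) {
    for (size_t i = 0; i < len; i++)
        out[i] = (uint8_t)((y[i] & mask) | (z[i] & (uint8_t)~mask));
}

/* LSB of a big-endian integer (0 or 1). */
uint8_t lsb(const uint8_t *x, size_t len) { return x[len - 1] & 1u; }

/* Sign selection (assumed form): keep y if LSB(u) == LSB(y), else take p - y.
 * The caller computes p - y unconditionally; only the mask depends on the data. */
void fix_sign(const uint8_t *u, const uint8_t *y, const uint8_t *p_minus_y, uint8_t *out) {
    uint8_t lu = lsb(u, FE_LEN), ly = lsb(y, FE_LEN);
    csel(ceq(&lu, &ly, 1), y, p_minus_y, out, FE_LEN);
}

/* Constructed toy values: p = 11, y = 3, p - y = 8, u = 5 (odd) and u = 4 (even). */
static const uint8_t Y[FE_LEN] = {0, 0, 0, 3}, P_MINUS_Y[FE_LEN] = {0, 0, 0, 8};
static const uint8_t U_ODD[FE_LEN] = {0, 0, 0, 5}, U_EVEN[FE_LEN] = {0, 0, 0, 4};

/* Low byte of the selected value for a given u, using the toy y and p - y. */
uint8_t fixed_low_byte(const uint8_t *u) {
    uint8_t out[FE_LEN];
    fix_sign(u, Y, P_MINUS_Y, out);
    return out[FE_LEN - 1];
}

int main(void) {
    printf("%u %u\n", fixed_low_byte(U_ODD), fixed_low_byte(U_EVEN));
    return 0;
}
```

A C compiler is free to turn these expressions back into branches, so the generated assembly still has to be checked for the target and optimization level in use.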

 

 

