Hello,
Thanks for this, Mike.
“All operations shall be done in constant time” is really referring to all operations in the SSWU algorithm. This includes both the CSEL/CEQ functions that are explicitly noted as operating in constant time and all the mathematical operations.
Then I think the explicit references to CSEL and CEQ operating in constant
time should be deleted, since they are covered by the general statement,
and the explicit references misleadingly imply that maybe some of the
other operations do not in fact operate in constant time.
“If the AP does not advertise support for the Extended RSN Capability SAE hash-to-element or the SAE initiator does not set Status Code to SAE_HASH_TO_ELEMENT in its SAE Commit message”.
Editorials: … does not indicate support for the SAE hash-to-element capability in its Extended RSN Capabilities field …
set the Status Code field …
Thanks,
Mark
--
Mark RISON, Standards Architect, WLAN English/Esperanto/Français
Samsung Cambridge Solution Centre Tel: +44 1223 434600
Innovation Park, Cambridge CB4 0DS Fax: +44 1223 434601
ROYAUME UNI WWW: http://www.samsung.com/uk
From: ***** 802.11 REVm - Revision Maintainance List ***** <STDS-802-11-TGM@xxxxxxxx> On Behalf Of M Montemurro
Sent: 17 September 2019 08:41
To: STDS-802-11-TGM@xxxxxxxxxxxxxxxxx
Subject: [STDS-802-11-TGM] Updates to document 11-19/1173
--- This message came from the IEEE 802.11 Task Group M Technical Reflector ---
I posted r16 of document 11-19/1173 based on the discussion yesterday:
The document updates includes:
1) 12.4.4.2.2 and 12.4.4.3.2: Replace “When a direct form of hashing to discover the PWE is not signaled by the AP, or if the SAE initiator does not signal its use in its SAE Commit message” with “If the AP does not advertise support for the Extended RSN Capability SAE hash-to-element or the SAE initiator does not set Status Code to SAE_HASH_TO_ELEMENT in its SAE Commit message”.
2) 12.4.4.2.3: remove the subscripts in the descriptive paragraph, changing x_1 and x_2 to x1 and x2.
3) 12.4.4.2.3: Fix the type in the sentence: "All operations shall be done in constant time"
With respect to the normative statement quoted in 3), I consulted Jouni and he has the following response:
“All operations shall be done in constant time” is really referring to all operations in the SSWU algorithm. This includes both the CSEL/CEQ functions that are explicitly noted as operating in constant time and all the mathematical operations. For me, “all operations” is pretty clear here, so I’m not sure what else to propose. One need to be careful not to open possibility for someone to interpret a more specific list of operations as something that would imply there are potential exceptions to this rule if something was not seen as being listed. For example, “All mathematical operations” would be confusing since it could leave LSB() out from the operations that shall be in constant time.
As a side note, the importance of all these operations being constant time (and really, constant memory access behavior to avoid the cache attacks) is much less important in H2E case compared to the hunting-and-pecking design since this calculation happens offline and an attacker has no means for inputting different data to it. In other words, it would be very difficult to do attacks similar to ones described in the Dragonblood paper since there would be only one data point that would provide timing or memory access differences based on the password and even if that same operation would be repeated multiple times, it would provide the exact same information since this part does not take in MAC addresses or anything else that can change between iterations. All that said, it would still be appropriate to state that the operations need to be done in constant time."
I'd like to request some agenda time today or tomorrow to discuss this response and I intend to make a motion this week to adopt this proposal.
Cheers,
Mike
To unsubscribe from the STDS-802-11-TGM list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGM&A=1
