Re: [Cfrg] SESPAKE password-authenticated key exchange protocol

"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Mon, 30 November 2015 08:54 UTC

Date: Mon, 30 Nov 2015 11:54:49 +0300
Message-ID: <CAMr0u6=kC8QvRHwuHqb-9N-MCHA9z65LcyS4oZiL-Tk2jsBbUQ@mail.gmail.com>
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>, Григорий Маршалко <marshalko_gb@tc26.ru>, "matyukhin_dv@gov.ru" <matyukhin_dv@gov.ru>, "alexey.melnikov@isode.com" <alexey.melnikov@isode.com>, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>, "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/6MxqIjBCTAbJ5kO3ptS5QGqACqY>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

Dear colleagues,

To make our contribution to the process with PAKE protocols, we've
published a SESPAKE Internet Draft:
https://tools.ietf.org/html/draft-smyshlyaev-sespake-00.

The original document with SESPAKE is now an official document in the
Russian standardization system: it was approved by the Russian
standardization system (ROSSTANDART) Technical Committee on Cryptography
(TC26) on 26 November 2015.

The current draft is based on the Russian algorithms only, but we are ready
to widen it for multi-algorithm support if it is considered necessary.
The description of the protocol in the current draft is given in text form;
a scheme is presented in my previous message.

We are in the process of translating our security proofs now – we hope to
publish the document with the proofs on ePrint in the middle of December.


Best regards,
Stanislav V. Smyshlyaev, Ph.D.,
Head of Information Security Department,
CryptoPro LLC


2015-11-02 16:55 GMT+03:00 Stanislav V. Smyshlyaev <smyshsv@gmail.com>:

> Dear colleagues,
>
> We would like to take part in the process with PAKE protocols. We would
> like to draw your attention to the protocol that is used (for a few years
> already) in Russian cryptographic products (for the most relevant example
> of a popular product, wireless cryptographic tokens).
>
> It is a processed document (in the editorial stage now) in the Russian
> standardization system; we've got a full security proof of the protocol
> (including the key authentication part).
>
> During the standardization process in Russia the protocol was named SESPAKE
> (security evaluated standardized) – we are planning to continue using this
> abbreviation in our future letters and documents regarding it.
>
> In the current letter we provide a sketch description of the protocol. If
> you do not mind, in a short time we will present a translated English
> version of the security proof and considerations on connections between the
> proposed protocol, the existing PAKE drafts (AugPAKE, SPAKE2, requirements)
> and other PAKE schemes.
>
> We would be grateful for any comments and for taking part in the process
> of considering the SESPAKE protocol in CFRG/IRTF/IETF.
>
>
>
> A stores:                          |         |   B stores:
>  * PW                              |         |    * ind in {1,...,N}
>  * A_ID                            |         |    * salt
>  * {Q_1, ..., Q_N}                 |         |    * QB_PW (or PW and Q_ind)
>
> =================================================================================
>            A                       |         |               B
> =================================================================================
>                                    |  A_ID   |
>                                    |-------->|
>                                    |         |
>                                    |ind,salt |
>                                    |<--------|
>                                    |         |
>  * w = int( F(PW, salt) )          |         |
>  * QA_PW = w * Q_ind               |         |
>  * z_A = 0                         |         |
>  * a = random from {1,...,q-1}     |         |
>  * u_1 = a * P - QA_PW             |         |
>                                    |   u_1   |
>                                    |-------->|
>                                    |         | * if u_1 not on E
>                                    |         |   => FINISH
>                                    |         | * Q_B = u_1 + QB_PW
>                                    |         | * z_B = 0
>                                    |         | * b = random from {1,...,q-1}
>                                    |         | * if (m/q) * Q_B == 0_E
>                                    |         |   => Q_B = P
>                                    |         |   => z_B = 1
>                                    |         | * src = ( (m/q) * b mod q ) * Q_B
>                                    |         | * K_B = H_256(src)
>                                    |         | * u_2 = b * P + QB_PW
>                                    |   u_2   |
>                                    |<--------|
>  * if u_2 not on E                 |         |
>    => FINISH                       |         |
>  * Q_A = u_2 - QA_PW               |         |
>  * if (m/q) * Q_A == 0_E           |         |
>    => Q_A = P                      |         |
>    => z_A = 1                      |         |
>  * src = ( (m/q) * a mod q ) * Q_A |         |
>  * K_A = H_256(src)                |         |
>
> ---------------------------------------------------------------------------------
>  * src_MAC =                       |         |
>    = TA||A_ID||ind||salt||u_1||u_2 |         |
>  * M_A = HMAC_{K_A}( src_MAC )     |         |
>                                    |   M_A   |
>                                    |-------->|
>                                    |         | * srcA_MAC =
>                                    |         |   = TA||A_ID||ind||salt||u_1||u_2
>                                    |         | * M = HMAC_{K_B}( srcA_MAC )
>                                    |         | * if ( M != M_A ) or ( z_B != 0 )
>                                    |         |   => FINISH
>                                    |         | * src_MAC =
>                                    |         |   = TB||A_ID||ind||salt||u_1||u_2
>                                    |         | * M_B = HMAC_{K_B}( src_MAC )
>                                    |   M_B   |
>                                    |<--------|
>  * srcB_MAC =                      |         |
>    = TB||A_ID||ind||salt||u_1||u_2 |         |
>  * M = HMAC_{K_A}( srcB_MAC )      |         |
>  * if ( M != M_B ) or ( z_A != 0 ) |         |
>    => FINISH                       |         |
>                                    |         |
>
>
>
>
> Best regards,
> Stanislav V. Smyshlyaev, Ph.D.,
> Head of Information Security Department,
> CryptoPro LLC
>
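The exchange drawn in the quoted sketch, run end to end by both sides, as an added example that is not part of the original messages, the draft or CryptoPro's code. Everything below the protocol logic is a stand-in: the curve is a toy short-Weierstrass curve over F_1019 picked at start-up so that the group order m has a large prime factor q and a cofactor h = m/q greater than one (the draft uses Russian curves, which this is not); PBKDF2-HMAC-SHA256, SHA-256 and HMAC-SHA256 stand in for F, H_256 and HMAC; and TA, TB, A_ID, ind, salt and the fixed points Q_1, Q_2 are assumed values. The small-subgroup branch of the sketch ("if (m/q) * Q_B == 0_E => Q_B = P, z_B = 1") is exercised by a forged u_1 that steers Q_B into the small-order subgroup; B derives a dummy key, finishes the computation, and rejects at the MAC step because z_B != 0.

```python
"""Toy run of the SESPAKE exchange as drawn in the quoted message (constructed
example; curve, hash, KDF, tags and fixed points are all stand-ins, see comments)."""
import hashlib, hmac, secrets

p, A = 1019, 1      # toy field y^2 = x^3 + A x + B over F_p, p = 3 (mod 4); not a GOST curve
O = None            # point at infinity 0_E

def largest_prime_factor(n):
    f, d = 1, 2
    while d * d <= n:
        while n % d == 0: f, n = d, n // d
        d += 1
    return max(f, n)

def curve_params():
    """Count #E(F_p) by Euler's criterion for B = 1, 2, ... until m = h*q, q prime > 100, h > 1."""
    for B in range(1, p):
        if (4 * A ** 3 + 27 * B * B) % p == 0:
            continue                                         # singular curve, skip
        rhs = [(x ** 3 + A * x + B) % p for x in range(p)]
        m = 1 + sum(1 if r == 0 else 2 * (pow(r, (p - 1) // 2, p) == 1) for r in rhs)
        q = largest_prime_factor(m)
        if m // q > 1 and q > 100:
            return B, m, q, m // q

B, m, q, h = curve_params()    # h = m/q is the cofactor the sketch multiplies by

def on_curve(pt):
    return pt is O or (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % p == 0
def neg(pt): return O if pt is O else (pt[0], -pt[1] % p)

def add(P1, P2):
    if P1 is O: return P2
    if P2 is O: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0: return O
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, p) if P1 == P2
           else (y2 - y1) * pow(x2 - x1, -1, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, pt):
    r = O
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def point_at(x):
    r = (x ** 3 + A * x + B) % p
    y = pow(r, (p + 1) // 4, p)
    return (x, y) if y * y % p == r else None

pts = [pt for pt in map(point_at, range(p)) if pt]
P = next(mul(h, R) for R in pts if mul(h, R) is not O)   # generator of the order-q subgroup
T = next(mul(q, R) for R in pts if mul(q, R) is not O)   # a point of small order dividing h
Q = {1: mul(3, P), 2: mul(5, P)}   # Q_1, Q_2: toy fixed points (real ones have unknown dlog)
TA, TB, SALT = b"\x01", b"\x02", b"constructed-salt"     # assumed tag bytes and salt

def enc(pt): return b"O" if pt is O else f"{pt[0]},{pt[1]}".encode()
def H256(pt): return hashlib.sha256(enc(pt)).digest()    # SHA-256 stand-in for H_256

def F(pw, salt):
    """w = int(F(PW, salt)): PBKDF2-HMAC-SHA256 stand-in, mapped to a nonzero scalar mod q."""
    return 1 + int.from_bytes(hashlib.pbkdf2_hmac("sha256", pw, salt, 1000), "big") % (q - 1)

def run(pw_A, pw_B, a=None, b=None, forge_u1=None):
    """One exchange between A (pw_A) and B (registered with pw_B).
    Returns (A_accepts, B_accepts, z_A, z_B, K_A, K_B)."""
    A_ID, ind = b"token-user", 1
    QB_PW = mul(F(pw_B, SALT), Q[ind])                   # what B stores
    # A, after receiving ind and salt
    QA_PW, z_A = mul(F(pw_A, SALT), Q[ind]), 0
    a = a or 1 + secrets.randbelow(q - 1)
    u_1 = forge_u1(QB_PW) if forge_u1 else add(mul(a, P), neg(QA_PW))
    # B
    if not on_curve(u_1): return (False, False, z_A, None, None, None)
    Q_B, z_B = add(u_1, QB_PW), 0
    b = b or 1 + secrets.randbelow(q - 1)
    if mul(h, Q_B) is O: Q_B, z_B = P, 1                   # degenerate: dummy key now, reject at MAC
    K_B = H256(mul(h * b % q, Q_B))
    u_2 = add(mul(b, P), QB_PW)
    # A
    if not on_curve(u_2): return (False, False, z_A, z_B, None, K_B)
    Q_A = add(u_2, neg(QA_PW))
    if mul(h, Q_A) is O: Q_A, z_A = P, 1
    K_A = H256(mul(h * a % q, Q_A))
    # key confirmation: HMAC over TA||A_ID||ind||salt||u_1||u_2, then the same with TB
    body = A_ID + bytes([ind]) + SALT + enc(u_1) + enc(u_2)
    M_A = hmac.new(K_A, TA + body, "sha256").digest()
    if not (hmac.compare_digest(M_A, hmac.new(K_B, TA + body, "sha256").digest()) and z_B == 0):
        return (False, False, z_A, z_B, K_A, K_B)          # B: FINISH, no M_B is sent
    M_B = hmac.new(K_B, TB + body, "sha256").digest()
    A_ok = hmac.compare_digest(M_B, hmac.new(K_A, TB + body, "sha256").digest()) and z_A == 0
    return (A_ok, True, z_A, z_B, K_A, K_B)

if __name__ == "__main__":
    print("curve B=%d m=%d q=%d h=%d" % (B, m, q, h))
    print("same password :", run(b"correct horse", b"correct horse")[:4])
    print("small-subgroup:", run(b"x", b"x", forge_u1=lambda QB: add(T, neg(QB)))[:4])
```

Two things worth noticing when running it. First, the z flags are what make the small-subgroup case safe: B does not abort when (m/q) * Q_B == 0_E but swaps in P, derives a key, and only rejects at the MAC check, so a forged u_1 costs the peer a full run rather than revealing, through an early abort, that the degenerate case was hit. Second, because the toy q is only a few hundred, a wrong password is still rejected whenever the two password scalars differ and a != b; a real curve makes the chance of an accidental match negligible, which is why the tests below fix a and b and pick a wrong password whose F value really differs.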