Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Kerberos Preauth
Nathaniel McCallum <npmccallum@redhat.com> Tue, 10 February 2015 12:57 UTC
Return-Path: <npmccallum@redhat.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A5081A01F2 for <cfrg@ietfa.amsl.com>; Tue, 10 Feb 2015 04:57:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.611
X-Spam-Level:
X-Spam-Status: No, score=-2.611 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, J_CHICKENPOX_46=0.6, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aHlz82qZonIa for <cfrg@ietfa.amsl.com>; Tue, 10 Feb 2015 04:57:47 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DE781A019B for <cfrg@irtf.org>; Tue, 10 Feb 2015 04:57:47 -0800 (PST)
Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id t1ACvjfC015677 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Tue, 10 Feb 2015 07:57:45 -0500
Received: from vpn-62-18.rdu2.redhat.com (vpn-62-18.rdu2.redhat.com [10.10.62.18]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t1ACvgA1027361 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NO); Tue, 10 Feb 2015 07:57:44 -0500
Message-ID: <1423573062.7427.11.camel@redhat.com>
From: Nathaniel McCallum <npmccallum@redhat.com>
To: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 10 Feb 2015 13:57:42 +0100
In-Reply-To: <1422468737.26683.110.camel@redhat.com>
References: <1422460388.26683.62.camel@redhat.com> <CACsn0ckv09951WZ3d46ScoKVdSEs-GekQG55cSOmH+BSGx5Diw@mail.gmail.com> <1422468737.26683.110.camel@redhat.com>
Content-Type: multipart/mixed; boundary="=-8GnT5YHHwCbbe2Aq5mho"
Mime-Version: 1.0
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/ZvX3_prFkdkNiIAwMRqS90SlFdA>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Kerberos Preauth
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Feb 2015 12:57:50 -0000
On Wed, 2015-01-28 at 13:12 -0500, Nathaniel McCallum wrote: > On Wed, 2015-01-28 at 08:06 -0800, Watson Ladd wrote: > > On Wed, Jan 28, 2015 at 7:53 AM, Nathaniel McCallum < > > npmccallum@redhat.com> wrote: > > > I've only just now joined the mailing list, so I'm a bit late to > > > the party (though I see my name has been brought up in the > > > previous discussions). > > > > > > I am currently implementing a PAKE preauthentication mechanism > > > for Kerberos. https://github.com/npmccallum/krb5-pake > > > > > > One of the PAKEs we have chosen to use is SPAKE2. The > > > aforementioned program that I am using to generate M and N > > > constants is here: > > > https://github.com/npmccallum/krb5-pake/blob/master/src/pake/spake_constants.c > > > > > > This program uses two seed strings: > > > "OID point generation seed (M)" > > > "OID point generation seed (N)" > > > > > > OID is replaced by the OID of the curve. Since some curves have > > > multiple aliases, the use of OIDs removes any ambiguity to the > > > seed. > > > > > > The method use to generate the constants is fairly similar to > > > that used by Chromium, but differs in several ways: > > > http://src.chromium.org/viewvc/chrome/trunk/src/crypto/p224_spake.cc > > > > > > First, we calculate the length of the encoded value of a single > > > point on the curve. I'll call this $CURVE_SIZE. > > > > > > Second, we determine which is the smallest hash function (of SHA- > > > 1, SHA-2-*) which outputs at least $CURVE_SIZE bytes. So, for > > > instance, given P256, SHA-2-256 will be used. If no hash > > > function is larger than $CURVE_SIZE, we use the largest hash. > > > For example, P521 uses SHA-2-512. > > > > > > Third, we generate the seeds by filling in the OID value. > > > > > > Fourth, we begin a recursive process whereby we hash the seed > > > (or the previous hash of the seed) until the output of the hash > > > yields an X coordinate on the curve. The Y coordinate (+/-) is > > > chosen using the right-most bit of the hash. > > > > I don't think this is what your C code is doing, or if it is, I > > can't figure it out because of the way it uses OpenSSL internals. > > I may try coding that up in SAGE and seeing if it agrees in the > > output. (In particular I think the first byte of the digest might > > get mangled to have the decode function work). > > What internals? > > EC_GROUP *g = EC_GROUP_new_by_curve_name(NID_secp521r1); > EC_POINT *p = EC_POINT_new(); > BIGNUM *x = BN_new(hash(seed)); > int y = seed[-1] & 0x1; // Last bit > EC_POINT_set_compressed_coordinates_GFp(g, p, x, y); > > That seems straightforward to me. Attached is a (slightly different) method implemented in Java using Bouncy Castle. It depends on no system internals and only one hash. It should be sufficiently simple to grok. A description is given in a comment in the top of the file. This method is easily repeatable on every crypto-system I have tried (including both OpenSSL and libnss). Nathaniel
- [Cfrg] Using draft-irtf-cfrg-spake2-00 in Kerbero… Nathaniel McCallum
- Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Ker… Watson Ladd
- Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Ker… Nathaniel McCallum
- Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Ker… Dan Harkins
- Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Ker… Nathaniel McCallum
- Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Ker… Nathaniel McCallum
- Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Ker… Watson Ladd
- Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Ker… Watson Ladd
- Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Ker… Nathaniel McCallum
- Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Ker… Nathaniel McCallum
- Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Ker… Watson Ladd
- Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Ker… Nathaniel McCallum
- Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Ker… Nathaniel McCallum