Re: [Cfrg] SPAKE2+mbDH a PAKE+PKA
"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Fri, 30 September 2016 11:57 UTC
Message-ID: <20160930115742.5926994.13826.7659@gmail.com>
Date: Fri, 30 Sep 2016 14:57:42 +0300
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
In-Reply-To: <D4121C90.A249D%paul@marvell.com>
References: <D411B584.A2445%paul@marvell.com> <CAMr0u6n_OEe772s2b55iND7zYL_CN0F8k6DFaq6K7z-0gH1Mpg@mail.gmail.com> <D4121C90.A249D%paul@marvell.com>
To: Paul Lambert <paul@marvell.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/nHaJ9amLANCD0q8xRW2IItHDGH0>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] SPAKE2+mbDH a PAKE+PKA
From: Paul Lambert Sent: Thursday, 29 September 2016, 11:54 To: Stanislav V. Smyshlyaev Cc: cfrg@irtf.org Subject: Re: [Cfrg] SPAKE2+mbDH a PAKE+PKA
Dear Stanislav,
Thank you for these links – they give a slightly new viewpoint on PAKE applications (I think the most discussed question will be "for which applications will combining public keys and passwords be most useful?").
An editorial comment on the description of the protocol in the slides: it seems that after the second message A should check that "R_B - w*M_B == x_B * P_B", not "R_B == x_B * P_B" as it is shown now. Similarly for B's check.
And a tiny remark: there is a misprint in the plaintext that A encrypts on sk_AB for the third message: "(x_A, P_A)" should be there, not "(m_A, P_A)".
About the protocol itself, I'll try my best to give you our opinion today or tomorrow.
At a glance, it seems useful to add some specific requirements for the "encrypt" functions used, or some concrete cipher modes (e.g. GCM or CTR + HMAC), because of the words "decrypt is successful" (is it real data authentication or just some padding check?). EMVco used to check PIN-blocks just by correctness of ECB decryption of IUN, so we should have more details here.
Kindest regards,
Stanislav
2016-09-29 4:25 GMT+03:00 Paul Lambert <paul@marvell.com>:
The PKEX protocol ( https://tools.ietf.org/html/draft-harkins-pkex-00 )
provides PAKE functionality (with SPAKE2) and adds public key
authentication (PAKE+PKA).
In looking at alternatives to PKEX, combining an existing and evaluated
authenticated public key exchange with a PAKE seems like an interesting
design path. To this end, the SPAKE2 protocol (
https://tools.ietf.org/html/draft-irtf-cfrg-spake2-03 ) combines nicely
with mutually blinded Diffie-Hellman (mbDH). Blinded DH (bDH) is described
in https://www.emvco.com/specifications.aspx?id=285
A brief description of the resulting SPAKE2+mbDH protocol is contained in
slides 13 to 18 of:
https://mentor.ieee.org/802.11/dcn/16/11-16-1142-04-00ai-cryptographic-review-and-pkex.ppt
Comments would be appreciated.
If this protocol seems useful an RFC could be developed.
Paul
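The editorial correction above ("R_B - w*M_B == x_B * P_B" rather than "R_B == x_B * P_B") is easiest to see with the arithmetic written out. The following is an added example, not code from the slides, the SPAKE2 draft or the EMVco specification. It assumes the second message has the shape R_B = x_B*P_B + w*M_B (inferred from the corrected check; the names are the thread's, the structure is an assumption), that P_B is B's long-term public key, x_B a fresh blinding scalar that later reaches A under the session key, M_B a fixed public group element, and w a scalar derived from the password. The group is a toy prime-order subgroup of Z_p^* with "point addition" realised as multiplication mod p, so the code reads in the thread's additive notation.

```python
"""
Toy model of the blinded-DH unblinding check from the thread (constructed
example; group and constants are far too small for real use).
"""
import hashlib
import secrets

# Safe prime p = 2q + 1 (constructed): p = 2039, q = 1019, both prime.
P = 2039
Q = 1019
G = 4   # 4 = 2^2 is a quadratic residue mod p, so it generates the order-q subgroup

def add(a, b):
    """'Point addition' in the toy group (multiplication mod p)."""
    return (a * b) % P

def neg(a):
    """Additive inverse of a 'point' (modular inverse in Z_p^*)."""
    return pow(a, P - 2, P)

def mul(k, a):
    """'Scalar multiplication' k*a (exponentiation mod p)."""
    return pow(a, k % Q, P)

def password_scalar(password: bytes) -> int:
    """w derived from the password; mapped into [1, q-1] so w*M_B is never the identity."""
    h = int.from_bytes(hashlib.sha256(password).digest(), "big")
    return 1 + h % (Q - 1)

# Fixed public group element M_B (constructed; SPAKE2 uses nothing-up-my-sleeve constants).
M_B = mul(7, G)

def b_keys():
    """B's long-term key pair (s_B, P_B); constructed here, normally provisioned."""
    s_B = secrets.randbelow(Q - 1) + 1
    return s_B, mul(s_B, G)

def b_second_message(P_B: int, w: int):
    """B blinds its public key with a fresh scalar x_B and the password term w*M_B (assumed shape)."""
    x_B = secrets.randbelow(Q - 1) + 1
    R_B = add(mul(x_B, P_B), mul(w, M_B))
    return x_B, R_B

def a_check_as_shown(R_B: int, x_B: int, P_B: int) -> bool:
    """The check as the thread says the slides show it: R_B == x_B * P_B."""
    return R_B == mul(x_B, P_B)

def a_check_corrected(R_B: int, x_B: int, P_B: int, w: int) -> bool:
    """The corrected check from the thread: R_B - w*M_B == x_B * P_B."""
    unblinded = add(R_B, neg(mul(w, M_B)))
    return unblinded == mul(x_B, P_B)

def run(password: bytes, a_password: bytes = None):
    """One blinded exchange. Returns (as_shown_ok, corrected_ok).
    a_password lets A hold a different password, to show the corrected check then fails."""
    w_B = password_scalar(password)
    w_A = password_scalar(a_password if a_password is not None else password)
    _, P_B = b_keys()
    x_B, R_B = b_second_message(P_B, w_B)
    # x_B and P_B are assumed to reach A later under the session key (cf. the
    # thread's third message carrying (x_A, P_A) in the other direction).
    return a_check_as_shown(R_B, x_B, P_B), a_check_corrected(R_B, x_B, P_B, w_A)

if __name__ == "__main__":
    print(run(b"correct horse"))            # (False, True): only the corrected check passes
    print(run(b"correct horse", b"wrong"))  # corrected check fails whenever the w values differ
```

The "as shown" check can never pass because the password term w*M_B is still folded into R_B; once it is subtracted, the check binds P_B to the blinded value B committed to, and a party holding a different password (hence a different w) cannot pass it.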
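The second remark in the thread, that "decrypt is successful" must mean real data authentication and not merely a padding check, is illustrated by the following added example (not code from the slides or from any of the drafts). It contrasts a decryptor whose only success criterion is well-formed padding with an encrypt-then-MAC decryptor of the "CTR + HMAC" kind the thread mentions. Because the Python standard library has no AES, the counter-mode keystream is derived from HMAC-SHA256 as a stand-in for AES-CTR (an assumption of this example, not a recommended cipher); keys, nonce and the tampered byte are constructed.

```python
import hashlib
import hmac

BLOCK = 16

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: a stand-in for AES-CTR, not a real cipher mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _pad(pt: bytes) -> bytes:
    n = BLOCK - len(pt) % BLOCK
    return pt + bytes([n]) * n

def _unpad(pt: bytes) -> bytes:
    n = pt[-1] if pt else 0
    if n < 1 or n > BLOCK or pt[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return pt[:-n]

def encrypt_padding_only(enc_key: bytes, nonce: bytes, pt: bytes) -> bytes:
    padded = _pad(pt)
    return _xor(padded, _keystream(enc_key, nonce, len(padded)))

def decrypt_padding_only(enc_key: bytes, nonce: bytes, ct: bytes):
    """'Decrypt is successful' == the padding looks right. Says nothing about tampering."""
    try:
        return _unpad(_xor(ct, _keystream(enc_key, nonce, len(ct))))
    except ValueError:
        return None

def encrypt_etm(enc_key: bytes, mac_key: bytes, nonce: bytes, pt: bytes) -> bytes:
    """Encrypt-then-MAC: HMAC over nonce || ciphertext, appended to the ciphertext."""
    ct = encrypt_padding_only(enc_key, nonce, pt)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt_etm(enc_key: bytes, mac_key: bytes, nonce: bytes, ct_tag: bytes):
    """'Decrypt is successful' == the MAC verified; only then is anything decrypted."""
    ct, tag = ct_tag[:-32], ct_tag[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt_padding_only(enc_key, nonce, ct)

def tamper(ct: bytes) -> bytes:
    """Flip one bit in the first ciphertext byte (constructed; leaves the padding block intact)."""
    return bytes([ct[0] ^ 0x01]) + ct[1:]

def demo():
    """Returns (padding_only_result, etm_result) for the same tampered message."""
    enc_key, mac_key, nonce = b"k" * 32, b"m" * 32, b"n" * 12  # constructed fixed keys
    msg = b"(x_A, P_A)"  # the thread's third-message payload, used as a placeholder plaintext
    padding_only = decrypt_padding_only(enc_key, nonce, tamper(encrypt_padding_only(enc_key, nonce, msg)))
    etm = decrypt_etm(enc_key, mac_key, nonce, tamper(encrypt_etm(enc_key, mac_key, nonce, msg)))
    return padding_only, etm

if __name__ == "__main__":
    print(demo())  # (b')x_A, P_A)', None): padding-only "succeeds" on altered data, EtM rejects it
```

With a counter mode, a flipped ciphertext bit flips exactly one plaintext bit, so the padding-only decryptor reports success on a modified (x_A, P_A) and the protocol would proceed on it; the MAC-checked decryptor rejects the message before any plaintext is produced. This is why the thread asks for a named AEAD or CTR + HMAC construction rather than an unspecified "encrypt".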