Re: [IPsec] PAKE selection: PACE

Dennis Kügler <dennis.kuegler@bsi.bund.de> Tue, 01 June 2010 13:20 UTC

From: Dennis Kügler <dennis.kuegler@bsi.bund.de>
Organization: BSI Bonn
To: Dan Harkins <dharkins@lounge.org>
Date: Tue, 01 Jun 2010 15:19:36 +0200
References: <201005261337.14090.dennis.kuegler@bsi.bund.de> <8a7891f3e8674b766ae45a2c51ed1578.squirrel@www.trepanning.net>
In-Reply-To: <8a7891f3e8674b766ae45a2c51ed1578.squirrel@www.trepanning.net>
Message-Id: <201006011519.36069.dennis.kuegler@bsi.bund.de>
Cc: ipsec@ietf.org
Subject: Re: [IPsec] PAKE selection: PACE

Hi Dan,
>   Hi Dennis,
>
>   I have read the PACE submission. I believe claim 1 of the SPEKE patent,
> US 6,792,533, covers this protocol. If you do think otherwise, please
> explain why.

This is very simple. The password is only temporarily used to protect a nonce 
sent to the other party. The key derivation step is completely independent of 
the password.

>
>   Also, in PACE you compute CIPH=E(Pwd, s) where E() is the encryption
> function of some block cipher and Pwd is the shared password. You don't
> mention the block cipher but some block ciphers have weak keys and most
> take a fixed-length key. 

Pwd is a key derived from the password, so length constraints are no problem. 
The block cipher is used as a permutation mapping random input to random 
output. The strength of the password-derived key is not very important as the 
entropy of the key is at most the entropy of the password - which is rather 
low.

> For a general specification like this I suggest 
> strengthening it by removing any kind of dependencies and also to bind
> the parties to the exchange. I suggest using an "extraction" function with
> the shared password and the identities of the two peers to distill the
> entropy from the password, bind the identities, and derive a key with
> which to do the encryption:
>
>    k = Extractor(Pwd | max(ID-A, ID-B) | min(ID-A, ID-B))
>    CIPH = E(k, s)
>
> where max(x,y) and min(x,y) output an ordering of their inputs in some
> deterministic fashion, ID-A and ID-B are the identities of the two parties
> to the exchange, and "|" is concatenation.

I don't see the point of binding the key to identities, but I might miss 
something here.

Best regards,

Dennis
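A toy run of the exchange Dennis describes above (the password only encrypts a fresh nonce, and the session key is then derived from a Diffie-Hellman result that does not involve the password), added here as a worked example; it is not code from the PACE submission or from either author. It follows the generic-mapping variant, written multiplicatively as G' = G^s * H where H is the result of an ephemeral DH. The 64-bit safe-prime group, the HMAC-based Feistel network standing in for the block cipher E(Pwd, s), and the SHA-256 key derivation are assumptions of this example, not the PACE specification.

```python
import hashlib
import hmac
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, only used to pick toy group parameters."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits: int = 64):
    """Toy DH group (assumption, far too small for real use): safe prime p = 2q + 1
    and g = 4, a quadratic residue and hence a generator of the order-q subgroup."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4


def password_key(password: str) -> bytes:
    """K_pi: a fixed-length key derived from the password, so the cipher's key-length
    constraint is irrelevant. Its entropy is still no more than the password's."""
    return hashlib.sha256(b"PACE-K_pi|" + password.encode("utf-8")).digest()


def _round(k_pi: bytes, i: int, half: bytes, n: int) -> bytes:
    return hmac.new(k_pi, bytes([i]) + half, hashlib.sha256).digest()[:n]


def encrypt_nonce(k_pi: bytes, s: int, nbytes: int) -> bytes:
    """Stand-in for E(K_pi, s): a 4-round Feistel network keyed by K_pi, i.e. a keyed
    permutation on nbytes-long blocks (real PACE uses a block cipher such as AES)."""
    block = s.to_bytes(nbytes, "big")
    half = nbytes // 2
    l, r = block[:half], block[half:]
    for i in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(k_pi, i, r, half)))
    return l + r


def decrypt_nonce(k_pi: bytes, z: bytes) -> int:
    """Inverse of encrypt_nonce. Any key, right or wrong, yields *some* nonce."""
    half = len(z) // 2
    l, r = z[:half], z[half:]
    for i in reversed(range(4)):
        l, r = bytes(a ^ b for a, b in zip(r, _round(k_pi, i, l, half))), l
    return int.from_bytes(l + r, "big")


def derive_session_keys(k_shared: int, pbytes: int):
    """KDF over the DH result only; the password plays no part in this step."""
    kb = k_shared.to_bytes(pbytes, "big")
    return (hashlib.sha256(b"\x00\x00\x00\x01" + kb).digest(),   # K_enc
            hashlib.sha256(b"\x00\x00\x00\x02" + kb).digest())   # K_mac


def run_pace(group, password_chip: str, password_reader: str):
    """One PACE session between a chip holding password_chip and a reader that was
    given password_reader. Returns (mutually_authenticated, K_enc_chip, K_enc_reader)."""
    p, q, g = group
    nbytes = 2 * ((q.bit_length() + 15) // 16)      # even block length for the Feistel
    pbytes = (p.bit_length() + 7) // 8
    # Step 1: the only use of the password. Chip encrypts a fresh nonce s.
    s = secrets.randbelow(q)
    z = encrypt_nonce(password_key(password_chip), s, nbytes)
    s_reader = decrypt_nonce(password_key(password_reader), z) % q
    # Step 2 (generic mapping): anonymous DH gives h = g^(x_c * x_r); g' = g^s * h.
    x_c, x_r = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
    X_c, X_r = pow(g, x_c, p), pow(g, x_r, p)
    g_c = pow(g, s, p) * pow(X_r, x_c, p) % p
    g_r = pow(g, s_reader, p) * pow(X_c, x_r, p) % p
    # Step 3: DH on the mapped generator; from here on nothing depends on the password.
    y_c, y_r = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
    Y_c, Y_r = pow(g_c, y_c, p), pow(g_r, y_r, p)
    K_c, K_r = pow(Y_r, y_c, p), pow(Y_c, y_r, p)
    # Step 4: derive keys from K and exchange MACs over the peer's ephemeral value.
    enc_c, mac_c = derive_session_keys(K_c, pbytes)
    enc_r, mac_r = derive_session_keys(K_r, pbytes)
    yc, yr = Y_c.to_bytes(pbytes, "big"), Y_r.to_bytes(pbytes, "big")
    T_c = hmac.new(mac_c, yr, hashlib.sha256).digest()   # chip -> reader
    T_r = hmac.new(mac_r, yc, hashlib.sha256).digest()   # reader -> chip
    reader_ok = hmac.compare_digest(T_c, hmac.new(mac_r, yr, hashlib.sha256).digest())
    chip_ok = hmac.compare_digest(T_r, hmac.new(mac_c, yc, hashlib.sha256).digest())
    return reader_ok and chip_ok, enc_c, enc_r


if __name__ == "__main__":
    grp = make_group()
    print("same password:", run_pace(grp, "123456", "123456")[0])
    print("wrong password:", run_pace(grp, "123456", "123457")[0])
```

A wrong password does not fail at step 1: decryption still produces a nonce, so an eavesdropper who guesses passwords offline gets a candidate s' for every guess but, without the ephemeral exponents behind h, cannot compute g' to test it. The mismatch only surfaces in step 4, where the MAC under the other side's key fails, which is why the transcript gives the attacker one online guess per session rather than an offline dictionary attack.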