[IPsec] PAKE selection: PACE

Dennis Kügler <dennis.kuegler@bsi.bund.de> Wed, 26 May 2010 11:37 UTC

Return-Path: <dennis.kuegler@bsi.bund.de>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 671683A6861 for <ipsec@core3.amsl.com>; Wed, 26 May 2010 04:37:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.348
X-Spam-Level:
X-Spam-Status: No, score=-3.348 tagged_above=-999 required=5 tests=[BAYES_50=0.001, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AMGmPDUNVa0Y for <ipsec@core3.amsl.com>; Wed, 26 May 2010 04:37:44 -0700 (PDT)
Received: from m4-bn.bund.de (m4-bn.bund.de [77.87.228.76]) by core3.amsl.com (Postfix) with ESMTP id 1D1963A68E9 for <ipsec@ietf.org>; Wed, 26 May 2010 04:37:43 -0700 (PDT)
Received: from m4.mfw.bn.ivbb.bund.de (localhost [127.0.0.1]) by m4-bn.bund.de (8.13.8/8.13.8) with ESMTP id o4QBbWt6007556 for <ipsec@ietf.org>; Wed, 26 May 2010 13:37:32 +0200 (CEST)
Received: (from localhost) by m4.mfw.bn.ivbb.bund.de (MSCAN) id 4/m4.mfw.bn.ivbb.bund.de/smtp-gw/mscan; Wed May 26 13:37:31 2010
X-Virus-Scanned: by amavisd-new at bsi.bund.de
From: Dennis Kügler <dennis.kuegler@bsi.bund.de>
Organization: BSI Bonn
To: IPsecme WG <ipsec@ietf.org>
Date: Wed, 26 May 2010 13:37:14 +0200
User-Agent: KMail/1.9.10 (enterprise35 20100401.1112527)
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <201005261337.14090.dennis.kuegler@bsi.bund.de>
X-AntiVirus: checked by Avira MailGate (version: 3.1.2; AVE: 8.2.1.242; VDF: 7.10.7.177; host: sgasmtp2.bsi.de); id=21301-5eQRv7
Subject: [IPsec] PAKE selection: PACE
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 May 2010 11:37:45 -0000

The evaluation of the PACE proposal according to the criteria draft is already 
contained in the draft itself 
(http://www.ietf.org/id/draft-kuegler-ipsecme-pace-ikev2-00.txt); for 
completeness and convenience you'll find a copy below.

PACE was designed to avoid existing patents (and is not patented) and to allow 
for implementations without any cryptographic restrictions other than that 
the primitives have to be secure on their own. A proof of the security of the 
protocol is available.

PACE is currently used and standardized in the context of contactless 
smartcards, especially for electronic passports and ID-cards. The OpenPACE 
project also provides a patch to implement PACE on top of OpenSSL.

Best regards,

Dennis


   SEC1:   PACE is a zero knowledge protocol.
   SEC2:   The protocol supports perfect forward secrecy and is
           resistant to replay attacks.
   SEC3:   The identity protection provided by IKEv2 remains unchanged.
   SEC4:   Any cryptographically secure Diffie-Hellman group can be
           used.
   SEC5:   The protocol is proven secure in the Bellare-Pointcheval-
           Rogaway model.
   SEC6:   Strong session keys are generated.
   SEC7:   A transform of the password can be used instead of the
           password itself.

   IPR1:   The first draft of [TR03110] was published on May 21, 2007.
   IPR2:   BSI has developed PACE aiming to be free of patents. BSI has
           not applied for a patent on PACE.
   IPR3:   The protocol itself is believed to be free of IPR.

   MISC1:  One additional exchange is required.
   MISC2:  The protocol requires the following operations per entity: 
           o  one key derivation from the password,
           o  one symmetric encryption or decryption,
           o  one multi-exponentiation for the mapping,
           o  one exponentiation for the key pair generation,
           o  one exponentiation for the shared secret calculation, and 
           o  two symmetric authentications (generation & verification).
   MISC3:  The performance is independent of the type/size of password.
   MISC4:  Internationalization of character-based passwords is
           supported.
   MISC5:  The protocol uses the same group as negotiated for IKEv2.
   MISC6:  The protocol fits into the request/response nature of IKE.
   MISC7:  The password-based symmetric encryption must be additionally
           negotiated.
   MISC8:  Neither trusted third parties nor clock synchronization are
           required.
   MISC9:  Only general cryptographic primitives are required.
   MISC10: Any secure variant of Diffie-Hellman (e.g. standard or
           Elliptic Curve) can be used.
   MISC11: The protocol can be implemented easily based on existing
           cryptographic primitives.