[IPsec] PAKE selection: PACE
Dennis Kügler <dennis.kuegler@bsi.bund.de> Wed, 26 May 2010 11:37 UTC
Return-Path: <dennis.kuegler@bsi.bund.de>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 671683A6861 for <ipsec@core3.amsl.com>; Wed, 26 May 2010 04:37:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.348
X-Spam-Level:
X-Spam-Status: No, score=-3.348 tagged_above=-999 required=5 tests=[BAYES_50=0.001, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AMGmPDUNVa0Y for <ipsec@core3.amsl.com>; Wed, 26 May 2010 04:37:44 -0700 (PDT)
Received: from m4-bn.bund.de (m4-bn.bund.de [77.87.228.76]) by core3.amsl.com (Postfix) with ESMTP id 1D1963A68E9 for <ipsec@ietf.org>; Wed, 26 May 2010 04:37:43 -0700 (PDT)
Received: from m4.mfw.bn.ivbb.bund.de (localhost [127.0.0.1]) by m4-bn.bund.de (8.13.8/8.13.8) with ESMTP id o4QBbWt6007556 for <ipsec@ietf.org>; Wed, 26 May 2010 13:37:32 +0200 (CEST)
Received: (from localhost) by m4.mfw.bn.ivbb.bund.de (MSCAN) id 4/m4.mfw.bn.ivbb.bund.de/smtp-gw/mscan; Wed May 26 13:37:31 2010
X-Virus-Scanned: by amavisd-new at bsi.bund.de
From: Dennis Kügler <dennis.kuegler@bsi.bund.de>
Organization: BSI Bonn
To: IPsecme WG <ipsec@ietf.org>
Date: Wed, 26 May 2010 13:37:14 +0200
User-Agent: KMail/1.9.10 (enterprise35 20100401.1112527)
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <201005261337.14090.dennis.kuegler@bsi.bund.de>
X-AntiVirus: checked by Avira MailGate (version: 3.1.2; AVE: 8.2.1.242; VDF: 7.10.7.177; host: sgasmtp2.bsi.de); id=21301-5eQRv7
Subject: [IPsec] PAKE selection: PACE
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 May 2010 11:37:45 -0000
The evaluation of the PACE proposal according to the criteria draft is already contained in the draft itself (http://www.ietf.org/id/draft-kuegler-ipsecme-pace-ikev2-00.txt) for completeness and for convenience you'll find a copy below. PACE was designed to avoid existing patents (and is not patented) and to allow for implementations without any cryptographic restrictions other than that the primitives have to be secure on their own. A proof of the security of the protocol is available. PACE is currently used and standardized in the context of contactless smartcards, especially for electronic passports and ID-cards. The OpenPACE project also provides a patch to implement PACE on top of OpenSSL. Best regards, Dennis SEC1: PACE is a zero knowledge protocol. SEC2: The protocol supports perfect forward secrecy and is resistant to replay attacks. SEC3: The identity protection provided by IKEv2 remains unchanged. SEC4: Any cryptographically secure Diffie-Hellman group can be used. SEC5: The protocol is proven secure in the Bellare-Pointcheval- Rogaway model. SEC6: Strong session keys are generated. SEC7: A transform of the password can be used instead of the password itself. IPR1: The first draft of [TR03110] was published on May 21, 2007. IPR2: BSI has developed PACE aiming to be free of patents. BSI has not applied for a patent on PACE. IPR3: The protocol itself is believed to be free of IPR. MISC1: One additional exchange is required. MISC2: The protocol requires the following operations per entity: o one key derivation from the password, o one symmetric encryption or decryption, o one multi-exponentiation for the mapping, o one exponentiation for the key pair generation, o one exponentiation for the shared secret calculation, and o two symmetric authentications (generation & verification). MISC3: The performance is independent of the type/size of password. MISC4: Internationalization of character-based passwords is supported. MISC5: The protocol uses the same group as negotiated for IKEv2. MISC6: The protocol fits into the request/response nature of IKE. MISC7: The password-based symmetric encryption must be additionally negotiated. MISC8: Neither trusted third parties nor clock synchronization are required. MISC9: Only general cryptographic primitives are required. MISC10: Any secure variant of Diffie Hellman (e.g. standard or Elliptic Curve) can be used. MISC11: The protocol can be implemented easily based on existing cryptographic primitives.
- [IPsec] PAKE selection: PACE Dennis Kügler
- Re: [IPsec] PAKE selection: PACE Dan Harkins
- Re: [IPsec] PAKE selection: PACE Dennis Kügler
- Re: [IPsec] PAKE selection: PACE Dan Harkins
- Re: [IPsec] PAKE selection: PACE Dan Harkins