Re: [IPsec] PAKE selection: SPSK

[Dennis Kügler <dennis.kuegler@bsi.bund.de>]

Hi Dan,

Let's have a closer look at the patent.

>   You don't mention any specific claim from the SPEKE patent so let me
> address the first independent claim (there are many claims dependent on
> that one). The patent I'm referring to is US 6,792,533 dated Sept 14, 2004.
> The claim says:
>
>   "A cryptographic method for providing authentication, comprising:

What's claimed is a method comprising four parts. All of them are contained in 
SPSK.


>      providing a password-based value to a first party and a second party;

A value derived from the password is given to (calculated by) both parties. 
This is clearly the case in SPSK as psk is derived from the password.


>      selecting a parameter based on said password-based value, said
>         parameter defining one of a plurality of unauthenticated key
>         distribution techniques;

SPSK selects a parameter, SKE, from the password-based value psk. SKE is then 
used as the generator for a (masked) Diffie-Hellman key agreement. Due to the 
group generator SKE, a pluralty of key distribution techniques is defined - 
one for each possible (and secret) value of SKE.


>      generating by said first party, in cooperation with said second party,
>         a cryptographic key based on said one of the plurality of
>         unauthenticated key distribution techniques, wherein said second
>         party cooperates in generating said cryptographic key by using
>         said one of the plurality of unauthenticated key distribution
>         techniques defined by said first value; and

The derived shared secret ss is a cryptographic key derived from a masked 
Diffie-Hellman key agreement based on the secret group generator SKE.

>      providing authentication of said first party to said second party
>         based on said cryptographic key."

This is the calculation of the Tag using the cryptographic key ss.

>
>   Now first of all, that is very broadly worded. Every password-based
> protocol provides a password to the first party and second party. But
> there's more to this claim so SPEKE doesn't cover every single protocol
> that distributes and uses passwords.

Actually, in contrast to other patents this one is rather clear. It describes 
exactly a key distribution mechanism based on a parameter derived from a 
password. This is what SPSK does similarly.

>
>   The next part talks about selecting a parameter based on the password
> value and dragonfly certainly does that but the important part of this
> portion of the claim, and the following part of the claim, is the
> "plurality of unauthenticated key distribution techniques". What is that?

See above. By selecting an alternative group generator (SKE instead of g) and 
using an anonymous (and masked) Diffie-Hellman key exchange a plurality of 
unauthenticated key distribution techniques is defined.

>
>   There are different kinds of public key distribution systems where there
> is a "private key" and a "public key" which is based on the "private
> key". Earlier in the descriptive portion of the patent (which is not
> part of a claim but can be used to interpret a claim) it says "SPEKE can
> also use other unauthenticated public-key distribution systems, such as
> the Modified Diffie-Hellman" and goes on to show an example of that. I
> don't believe that the Modified D-H alone comprises a "plurality of
> unauthenticated key distribution techniques." I would also imagine that
> a static-ephemeral D-H or a static-static D-H that used a password-derived
> parameter to perform that particular type of unauthenticated key
> distribution technique would probably be covered.

I don't get your point. This is probably to make clear that e.g. a masked 
Diffie-Hellman is also covered by the patent???

>
>   What is common on all these unauthenticated key distribution
> techniques is how a public key based on the private key is distributed
> to the other party. The private key is communicated in an obfuscated
> form based on the discrete logarithm problem-- e.g. pub = g^priv mod p.
> That is not done in dragonfly.

There are two general approaches: The first approach is to "scramble" the 
public key (EKE) and to keep the private key unaltered and the other approach 
is to send the public key in clear but to indirectly alter the private by 
modifying the parameters.

>
>   In dragonfly the private key is obfuscated by adding it to a random
> number modulus the order of the group. The random number is unmasked
> in a fashion that gives the private key to the second party in a form
> that does not let it know the private key. Such a technique is new and
> novel and not part of any known "plurality of unauthenticated key
> distribution techniques".

The obfuscation is cryptographically not sound. As you transmit both Scalar = 
(private + mask) and Element = SKE^(-mask) simultaneously anyone can compute 
the public key SKE^private = Element*SKE^Scalar (in which case we're back to 
SPEKE). This construction however unnecessarily risks to leak the private 
key, as any bias in the random number generation will reveal information on 
the private key. Especially when computing random numbers modulo a prime 
preventing a bias is not trivial.


>
>   So it is my contention that for this claim to apply then both a
> password-based parameter must be used AND that password-based parameter
> must be used with a known technique of unauthenticated key distribution.
> It is not and this claim does not apply to dragonfly.

I disagree. It does very well apply to SPSK/dragonfly.

>
>   If it was not claim 1 that you were referring to above then please
> say exactly what claim in the SPEKE patent you are talking about.
>
> > - "Dragonfly is secure and has received cryptographic review". Please
> > provide
> > a reference to the cryptographically reviewed document.
>
>   Both the IEEE 802.11 TGs Draft and the EAP-pwd variant have been
> reviewed.

So nothing has been published and has been reviewed by the cryptographic 
community?

>
> > - The construction used for computing the group generator is susceptible
> > to
> > side channel (timing) attacks and may leak the shared password. I'd
> > therefore
> > recommend to replace the randomized search algorithm by a deterministc
> > algorithm.
>
>   I had a discussion about that. The IEEE 802.11 TGs Draft had a password
> element created based on the password before the exchange started
> (it was computed a configuration time when a particular group was
> selected). Then, when the exchange started the identities of the two
> parties were run through the random function and used in the "scalar-op"
> to derive a pair-wise unique element with which to do dragonfly. This
> would foil the side channel attack. But I was convinced that this was not
> so important and eliminated the extra step to provide ease of analysis.
> If you think this is important the SPSK draft could certainly introduce
> this technique to get around a side channel attack.

I think that should be addressed.

>
>   I'm not so sure how important that is though (basically I was convinced
> it's not so important). If you know I can find a solution to the curve the
> first time you can eliminate some passwords from the pool of potential
> passwords but you don't know which ones unless you have run them all
> through the algorithm beforehand. And even if you have run all possible
> password through the algorithm it certainly doesn't leak the shared
> password, it just allows the attacker to eliminate some passwords from
> the pool of potential passwords. And to do so this attack has to be
> mounted and that is not a trivial attack.

If the attacker can eleminate only a few passwords every time you execute the 
protocol he's done with the attack quickly.

Best regards,

Dennis