Re: [IPsec] PAKE selection: SPSK

Dennis Kügler <> Wed, 26 May 2010 12:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 80DC33A68F5 for <>; Wed, 26 May 2010 05:19:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.348
X-Spam-Status: No, score=-3.348 tagged_above=-999 required=5 tests=[BAYES_50=0.001, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Bjo5YBJ8gZER for <>; Wed, 26 May 2010 05:19:26 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 240863A68E9 for <>; Wed, 26 May 2010 05:19:25 -0700 (PDT)
Received: from (localhost []) by (8.13.8/8.13.8) with ESMTP id o4QCJEWa013329 for <>; Wed, 26 May 2010 14:19:14 +0200 (CEST)
Received: (from localhost) by (MSCAN) id 4/; Wed May 26 14:19:14 2010
X-Virus-Scanned: by amavisd-new at
From: Dennis Kügler <>
Organization: BSI Bonn
Date: Wed, 26 May 2010 14:18:56 +0200
User-Agent: KMail/1.9.10 (enterprise35 20100401.1112527)
References: <>
In-Reply-To: <>
X-KMail-QuotePrefix: >
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <>
X-AntiVirus: checked by Avira MailGate (version: 3.1.2; AVE:; VDF:; host:; id=21808-265Vwx
Subject: Re: [IPsec] PAKE selection: SPSK
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 26 May 2010 12:19:29 -0000

I finally had some time to have a look at your proposal and the evaluation. 
Please find some initial comments below.

- The design of SPSK is very close to SPEKE. It is based on the computation of 
a (secret) group generator from a shared password. SPEKE is patented and it 
looks like the patent is also applicable to SPSK. If not please indicate why 

- "Dragonfly is secure and has received cryptographic review". Please provide 
a reference to the cryptographically reviewed document. 

- The construction used for computing the group generator is susceptible to 
side channel (timing) attacks and may leak the shared password. I'd therefore 
recommend to replace the randomized search algorithm by a deterministc 

Best regards,


>   Hi,
>   To kick off the PAKE selection discussion I'd like to tout one of
> the candidate protocols. It is based on the dragonfly key exchange
> and is described in draft-harkins-ipsecme-spsk-auth. Variants of
> dragonfly have been proposed for IEEE 802.11 and as an EAP method.
>   The aforementioned draft contains a complete description of how
> to add dragonfly to IKE(v2), including the additional payloads
> needed, their construction and processing, their format, and how they
> fit into IKE(v2). While complete it isn't rigid; things (like the way
> this exchange is indicated) can change without affecting security.
>   I think the best way to start the discussion is to run through the
> enumerated selection criteria from draft-harkins-ipsecme-pake-criteria.
>   SEC1: dragonfly is based on a zero knowledge proof. It is resistant
>     to passive, active, and (off-line) dictionary attack.
>   SEC2: the PFS characteristics of IKE and its resistance to the
>     Denning-Sacco attack are unchanged by inclusion of this authentication
>     method. Dragonfly generates a shared key that has the properties of
>     PFS and it is resistant to the Denning-Sacco attack but the generated
>     key is used only for authentication.
>   SEC3: the dragonfly exchange happens after IKE(v2)'s Diffie-Hellman
>     key exchange and the subsequent payloads, including the ID payloads,
>     are protected by a derivative of the resulting key. ID protection is
>     not affected.
>   SEC4: the protocol does not effect the "crypto agility" of IKE(v2). It
>     uses the same Diffie-Hellman group that IKE(v2) uses, uses the same
>     prf+() construct, and can use the negotiated MAC in HMAC form. No
>     additional primitives (special modes of encryption, for example) are
>     needed.
>   SEC5: dragonfly has received cryptographic review in its other
>     instantiations (IEEE 802.11 and EAP) and is secure. A proof of
>     security in the Random Oracle model is underway but has not been
>     finished.
>   SEC6: the way dragonfly has been added to IKE(v2) is for authentication
>     of the exchange in which it resides only. Since dragonfly is key
>     generating though, it is possible to use it to parlay the weak secret
>     into a long-term credential.
>   SEC7: a secret element, based on the password, in the selected group
>     is used in the exchange. That element can be stored instead of the
>     password to resist exposure of the password in the case of compromise.
>   IPR1: dragonfly was first publicly disclosed in January of 2008.
>   IPR2: dragonfly was invented by me but I did not patent it nor did
>     my employer at the time of invention. It is believed to be patent-free.
>   IPR3: no IPR disclosure to the IETF has been made because one is not
>     needed.
>   MISC1: dragonfly adds one roundtrip to IKEv2 and to IKEv1's Main Mode.
>     It turns IKEv1's Aggressive Mode from a three message exchange to
>     a four message exchange.
>   MISC2: dragonfly requires three "scalar operations", point multiplication
>     for ECC or modular exponentiation for MODP. Basically, a "Diffie-
>     Hellman and a half".
>   MISC3: the nature of the shared secret (password, passphrase, long
>     random octet string) does not affect performance.
>   MISC4: internationalization can be supported as evidenced by the EAP
>     method employing the dragonfly exchange.
>   MISC5: dragonfly can use any of the ECP and MODP groups defined in the
>     IANA registry for IKE(v2). EC2N groups are disallowed because of
>     patent concerns and a desire to make implementation of dragonfly be
>     license free. There is no technical reason, though, why EC2N groups
>     couldn't be used.
>   MISC6: the protocol fits nicely into IKE(v2)'s request/response nature.
>     One single request and response is added and additional information
>     is piggy-backed on the final request and response in IKE(v2) already.
>   MISC7: no additional negotiation is needed: no new groups, no new
>     ciphers, no new cipher modes, no key wrapping.
>   MISC8: dragonfly does not require trusted third parties nor does it
>     require any clock synchronization.
>   MISC9: dragonfly requires use of an HMAC instantiation of a hash
>     algorithm. The current specification uses this as a "random function".
>     Another instantiation of dragonfly uses an HMAC'd hash function in
>     "extractor" and "expander" roles, effectively defining two roles for
>     the single random function. This can easily be done for IKE(v2) too.
>   MISC10: the protocol supports the use of elliptic curve cryptography.
>   MISC11: dragonfly is easily implemented. A reference implementation of
>     the IEEE 802.11 variant is a Source Forge project named "authsae".
>     It requires APIs for ECC and MODP operations found in most modern
>     crypto libraries (e.g. OpenSSL).
>   Dragonfly is easy to implement, license/royalty/patent free, has
> modest overhead, and fits easily into IKE(v2). I believe the current
> manner in which it has been added to IKE(v2) is fine but it can be
> changed if implementation concerns require it. Dragonfly is secure and
> has received cryptographic review. It does not require any additional
> group definitions and, aside from an HMAC'd hash algorithm, does not
> require additional use of any other cryptographic primitives like
> ciphers. It does not require any specific cipher modes (e.g. CBC or ECB)
> nor does it prohibit any (e.g. a stream cipher or a block cipher being
> used as a stream cipher). It is completely "crypto agile". I believe it is
> the best candidate to meet the requirements laid out in the new charter.
>   I solicit comments and questions on this proposal.
>   regards,
>   Dan.
> _______________________________________________
> IPsec mailing list