idnits 2.17.1

draft-ladd-spake2-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack separate sections for Informative/Normative
     References.  All references will be assumed normative when checking for
     downward references.

  ** There is 1 instance of lines with control characters in the document.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The "Author's Address" (or "Authors' Addresses") section title is
     misspelled.

  -- The document date (9 October 2014) is 3485 days in the past.  Is this
     intentional?

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Missing Reference: 'TODO' is mentioned on line 100, but not defined

     Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Internet Draft                                                   W. Ladd
                                                             UC Berkeley
Category: Informational
Expires 9 July 2015                                       9 October 2014

                            SPAKE2, a PAKE

Status of this Memo

   Distribution of this memo is unlimited.

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on 9 July 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Abstract

   This Internet-Draft describes SPAKE2, a secure, efficient
   password-based key exchange.

Table of Contents

   1. Introduction
   2. Definition of SPAKE2
   3. Table of points
   4. Security considerations
   5. IANA actions
   6. References

1. Introduction

   This document describes a means for two parties that share a password
   to derive a shared key.

2. Definition of SPAKE2

   Let G be a group of prime order p, written additively, in which the
   Diffie-Hellman problem is hard.  Let H be a hash function from
   arbitrary strings to bit strings of a fixed length.  Common choices
   for H are SHA256 or SHA512.  We assume there is a representation of
   elements of G as byte strings.

   || denotes concatenation of strings.  We also let len(S) denote the
   length of a string in bytes, represented as an eight-byte big-endian
   number.

   We fix two elements M and N as defined in the table in this document
   for common groups, as well as a generator g of the group.

   Let A and B be two parties.  We will assume that A and B are also
   representations of the parties, such as MAC addresses or other names
   (hostnames, usernames, etc).  We assume they share an element w of
   Zp.  Typically w will be the hash of a user-supplied password,
   truncated and taken mod p.  Protocols using this protocol must
   define w.

   A picks x randomly and uniformly from the integers in [0,p), and
   calculates X=xg and T=wM+X, then transmits T to B.

   B selects y randomly and uniformly from the integers in [0,p), and
   calculates Y=yg and S=wN+Y, then transmits S to A.

   Both A and B calculate a group element K.  A calculates it as
   x(S-wN), while B calculates it as y(T-wM).

   Both A and B can now calculate a shared key as
   H(len(A)||len(B)||len(S)||len(T)||A||B||S||T||K).

3. Table of points

   [TODO]

4. Security Considerations

   A security proof is found in [REF].  Note that the choice of M and N
   is critical: anyone who knows an x such that xN=M, xg=N or xg=M can
   break the scheme above.  The points in the table of points were
   picked in standard ways to eliminate this risk.

   There is no key confirmation, as this is a one-round protocol.  It is
   expected that a protocol using this key exchange mechanism provides
   key confirmation separately if desired.
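   The exchange of Section 2, with the group-membership check of
   Section 4 applied to every received element, as an added worked
   example that is not part of the draft.  It assumes a toy Schnorr
   group (the order-p subgroup of Z_q^* for the safe prime q=2039, far
   too small for real use) in place of the draft's additive notation,
   SHA256 as H, and derives M and N by hashing fixed labels into the
   subgroup, since the draft's table of points is still TODO.

```python
import hashlib
import secrets
# Toy Schnorr group: order-P subgroup of Z_Q^*; Q = 2*1019+1 is a safe prime, NOT a secure size.
Q, P, G = 2039, 1019, 4                # G = 2^2 is a quadratic residue, so it generates the order-P subgroup
ELEM_LEN = (Q.bit_length() + 7) // 8   # fixed-width byte encoding of group elements

def is_valid_element(e: int) -> bool:
    """Section 4 check: element must lie in the prime-order subgroup and not be the identity."""
    return 1 < e < Q and pow(e, P, Q) == 1

def hash_to_element(label: bytes) -> int:
    """Subgroup element whose discrete log to G nobody knows (assumed derivation; draft's table is TODO)."""
    for ctr in range(256):
        h = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % Q
        e = pow(h, (Q - 1) // P, Q)     # cofactor clearing maps h into the order-P subgroup
        if is_valid_element(e):
            return e
    raise RuntimeError("no subgroup element found for label")

M = hash_to_element(b"SPAKE2 point M")  # constructed labels, not from the draft
N = hash_to_element(b"SPAKE2 point N")

def derive_w(password: bytes) -> int:
    """w = hash of the password, taken mod p (Section 2)."""
    return int.from_bytes(hashlib.sha256(password).digest(), "big") % P

def start(w: int, point: int):
    """A: T = wM + X with X = xg; B: S = wN + Y.  Multiplicatively: point^w * G^x.  Returns (x, T)."""
    x = secrets.randbelow(P)
    return x, (pow(point, w, Q) * pow(G, x, Q)) % Q

def finish(w: int, x: int, peer_point: int, received: int) -> int:
    """K = x(received - w*peer_point); refuses any element outside the subgroup (Section 4)."""
    if not is_valid_element(received):
        raise ValueError("peer element failed group membership check")
    return pow((received * pow(pow(peer_point, w, Q), -1, Q)) % Q, x, Q)

def shared_key(a: bytes, b: bytes, s: int, t: int, k: int) -> bytes:
    """H(len(A)||len(B)||len(S)||len(T)||A||B||S||T||K), lengths as 8-byte big-endian."""
    parts = [a, b, s.to_bytes(ELEM_LEN, "big"), t.to_bytes(ELEM_LEN, "big")]
    lens = b"".join(len(p).to_bytes(8, "big") for p in parts)
    return hashlib.sha256(lens + b"".join(parts) + k.to_bytes(ELEM_LEN, "big")).digest()

def run_spake2(pw_a: bytes, pw_b: bytes, a: bytes = b"alice", b: bytes = b"bob"):
    """Full one-round exchange; returns (A's key, B's key), equal only when both passwords match."""
    w_a, w_b = derive_w(pw_a), derive_w(pw_b)
    x, t = start(w_a, M)                 # A -> B: T
    y, s = start(w_b, N)                 # B -> A: S
    return shared_key(a, b, s, t, finish(w_a, x, N, s)), shared_key(a, b, s, t, finish(w_b, y, M, t))
```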
   Elements should be checked for group membership: failure to properly
   validate group elements can lead to attacks.

5. IANA Considerations

   No IANA action is required.

6. References

   [REF]  Abdalla, M. and D. Pointcheval, "Simple Password-Based
          Encrypted Key Exchange Protocols", in A. Menezes (ed.), Topics
          in Cryptology - CT-RSA 2005, Lecture Notes in Computer Science
          vol. 3376, pp. 191-208, San Francisco, CA, USA, Feb. 14-18,
          2005, Springer-Verlag, Berlin, Germany.

Author's Address

   Watson Ladd
   watsonbladd@gmail.com
   Berkeley, CA