SPAKE2, a PAKE
draft-irtf-cfrg-spake2-04

Document Type Active Internet-Draft (cfrg RG)
Last updated 2017-10-16
Replaces draft-ladd-spake2
Stream IRTF
Intended RFC status Informational
Formats plain text xml pdf html bibtex
Stream IRTF state Active RG Document
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                            W. Ladd
Internet-Draft                                               UC Berkeley
Intended status: Informational                             B. Kaduk, Ed.
Expires: April 19, 2018                                           Akamai
                                                        October 16, 2017

                             SPAKE2, a PAKE
                       draft-irtf-cfrg-spake2-04

Abstract

   This Internet-Draft describes SPAKE2, a secure, efficient password
   based key exchange protocol.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 19, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Ladd & Kaduk             Expires April 19, 2018                 [Page 1]
Internet-Draft               SPAKE2, a PAKE                 October 2017

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Definition of SPAKE2  . . . . . . . . . . . . . . . . . . . .   2
   3.  Table of points for common groups . . . . . . . . . . . . . .   3
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   6.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .   6
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   This document describes a means for two parties that share a password
   to derive a shared key.  This method is compatible with any group, is
   computationally efficient, and has a strong security proof.

2.  Definition of SPAKE2

2.1.  Setup

   Let G be a group in which the Diffie-Hellman problem is hard of order
   ph, with p a big prime and h a cofactor.  We denote the operations in
   the group additively.  Let H be a hash function from arbitrary
   strings to bit strings of a fixed length.  Common choices for H are
   SHA256 or SHA512.  We assume there is a representation of elements of
   G as byte strings: common choices would be SEC1 uncompressed [SEC1]
   for elliptic curve groups or big endian integers of a particular
   length for prime field DH.

   || denotes concatenation of strings.  We also let len(S) denote the
   length of a string in bytes, represented as an eight-byte little-
   endian number.

   We fix two elements M and N as defined in the table in this document
   for common groups, as well as a generator G of the group.  G is
   specified in the document defining the group, and so we do not recall
   it here.

   Let A and B be two parties.  We will assume that A and B are also
   representations of the parties such as MAC addresses or other names
   (hostnames, usernames, etc).  We assume they share an integer w.
   Typically w will be the hash of a user-supplied password, truncated
   and taken mod p.  Protocols using this protocol must define the
   method used to compute w: it may be necessary to carry out
   normalization.  The hashing algorithm SHOULD be designed to slow down
   brute force attackers.

Ladd & Kaduk             Expires April 19, 2018                 [Page 2]
Internet-Draft               SPAKE2, a PAKE                 October 2017

   We present two protocols below.  Note that it is insecure to use the
   same password with both protocols, this MUST NOT be done.
Show full document text