Internet Engineering Task Force T.Kwon, Sejong University
INTERNET-DRAFT H. Yoon, Samsung SDS
Intended Status: Standards Track S. Kim, Samsung SDS
Expires: November 4, 2013 May 3, 2013
I-PAKE: Identity-Based Password Authenticated Key Exchange
draft-kwon-yoon-kim-ipake-01
Abstract
Although password authentication is the most widespread user
authentication method today, cryptographic protocols for mutual
authentication and key agreement, i.e., password authenticated key
exchange (PAKE), in particular authenticated key exchange (AKE) based
on a password only, are not actively used in the real world. This
document introduces a quite novel form of PAKE protocols that employ
a particular concept of ID-based encryption (IBE). The resulting
cryptographic protocol is the ID-based password authenticated key
exchange (I-PAKE) protocol which is a secure and efficient PAKE
protocol in both soft- and hard-augmented models. I-PAKE achieves the
security goals of AKE, PAKE, and hard-augmented PAKE. I-PAKE also
achieves the great efficiency by allowing the whole pre-computation
of the ephemeral Diffie-Hellman public keys by both server and
client.
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Expires November 4, 2013 [Page 1]
INTERNET DRAFT I-PAKE May 3, 2013
Copyright and License Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1 Terminology . . . . . . . . . . . . . . . . . . . . . . . . 5
2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 5
2.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2 Abbreviations . . . . . . . . . . . . . . . . . . . . . . . 5
2.3 Underlying Group . . . . . . . . . . . . . . . . . . . . . . 6
2.4 Notations . . . . . . . . . . . . . . . . . . . . . . . . . 6
3 Identity-Based Password Authenticated Key Exchange . . . . . . . 9
3.1 Initialization . . . . . . . . . . . . . . . . . . . . . . . 9
3.1.1 System Initialization . . . . . . . . . . . . . . . . . 9
3.1.2 Registration . . . . . . . . . . . . . . . . . . . . . . 9
3.2 Protocol Execution . . . . . . . . . . . . . . . . . . . . . 9
4 Security Considerations . . . . . . . . . . . . . . . . . . . . 13
4.1 General - Completeness . . . . . . . . . . . . . . . . . . . 13
4.1.1 Mutual Authentication . . . . . . . . . . . . . . . . . 13
4.1.2 Key Agreement . . . . . . . . . . . . . . . . . . . . . 13
4.2 I-PAKE - AKE Security . . . . . . . . . . . . . . . . . . . 13
4.2.1 Passive Attacks . . . . . . . . . . . . . . . . . . . . 13
4.2.2 Active Attacks . . . . . . . . . . . . . . . . . . . . . 14
4.2.3 Forward Secrecy . . . . . . . . . . . . . . . . . . . . 15
4.2.4 Known Session Key . . . . . . . . . . . . . . . . . . . 15
4.2.5 Key Control . . . . . . . . . . . . . . . . . . . . . . 16
4.3 I-PAKE - Dictionary Attack . . . . . . . . . . . . . . . . . 16
4.3.1 On-line Dictionary Attack . . . . . . . . . . . . . . . 16
4.3.2 Off-line Dictionary Attack . . . . . . . . . . . . . . . 17
4.4 I-PAKE - Server Compromise . . . . . . . . . . . . . . . . . 17
4.4.1 Soft-Augmented Model . . . . . . . . . . . . . . . . . . 17
4.4.2 Hard-Augmented Model . . . . . . . . . . . . . . . . . . 18
5 IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 18
Expires November 4, 2013 [Page 2]
INTERNET DRAFT I-PAKE May 3, 2013
6 References . . . . . . . . . . . . . . . . . . . . . . . . . . 18
6.1 Normative References . . . . . . . . . . . . . . . . . . . 18
6.2 Informative References . . . . . . . . . . . . . . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 19
Expires November 4, 2013 [Page 3]
INTERNET DRAFT I-PAKE May 3, 2013
1 Introduction
The most widespread user authentication method today is obviously
password-based authentication; a user memorizes a textual and/or
numerical password and makes its direct entry for authentication.
There have been various attempts to enhance security of password-
based authentication. Password authenticated key exchange (PAKE) is a
cryptographic protocol to achieve both mutual authentication and
secure key agreement based on a password only, i.e., without
requiring a public key certificate [IEEE P1363.2]. That is, PAKE is
an authenticated key exchange (AKE) protocol based on the user-
memorable low-entropy password, so that both authenticated entities
can only agree on a fresh session key. Augmented PAKE protocols allow
a server to store a one-way function of password instead of the plain
text, so as to mitigate the server compromise [RFC2945].
PAKE protocols, however, have not been deployed actively despite of
their merits. Instead, for example, Web applications employ the
SSL/TLS suite for secure transport of password information at the
cost of manipulating and relying on server's public key certificates
with regard to long-term security. This is in part due to that the
password transport over SSL/TLS is easier for migration of existing
password-based systems on the Web and also that PAKE protocols
require a large amount of computation for security enhancement, e.g.,
for encrypting ephemeral Diffie-Hellman public keys under the low-
entropy password. There still remains a security concern as for the
augmented PAKE protocols. The protocols which said to resist a server
compromise are prone to off-line guessing attacks if the server is
really compromised. The password information stored in the server's
storage for verification purposes can be exploited by adversaries to
derive real passwords. Consequently, users are still in great
danger.
This document raises the fundamental questions as above to the
existing form of PAKE protocols and attempts to provide a novel
design to resolve these problems. We depart from the previous way of
encrypting the ephemeral Diffie-Hellman public keys under the low-
entropy password. Instead we map <ID, password> to <salt, verifier>
for authentication. To the protocol, the former pair is the user
input derived from the user's memory, while the latter is the server
input fetched from the server's storage. We also introduce the hard-
augmented model which enhances the previous, soft-augmented model for
sever compromise security, based on the hardware security module
(HSM). For the purposes, a particular concept of identity-based
encryption (IBE) is employed. At the cost of pre-computation of the
salt alphabet as for the ID alphabet, we can reduce the amount of
computation in real time, i.e., at registration and authentication.
Expires November 4, 2013 [Page 4]
INTERNET DRAFT I-PAKE May 3, 2013
The resulting cryptographic protocol is the ID-based password
authenticated key exchange (IPAKE) protocol which is a secure and
efficient PAKE protocol in both soft- and hard-augmented models.
IPAKE achieves the security goals of AKE, PAKE, and hard-augmented
PAKE. IPAKE also achieves the great efficiency by allowing the whole
pre-computation of the ephemeral Diffie-Hellman public keys by both
server and client.
1.1 Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. Requirements Notation
2.1 Definitions
Identity Based Encryption (IBE): Identity-based encryption (IBE) is a
public-key encryption technology that allows a public key to be
calculated from an identity and a set of public mathematical
parameters and that allows for the corresponding private key to be
calculated from an identity, a set of public mathematical parameters,
and a domain-wide secret value [RFC5408]. The IBE framework is
defined in [RFC5091], [RFC5408], and [RFC5409].
Password Authenticated Key Exchange (PAKE): Password authenticated
key exchange (PAKE) is a cryptographic protocol to achieve both
mutual authentication and key agreement securely based on a password
only, i.e., without requiring a public key certificate. That is, PAKE
is a form of authenticated key exchange (AKE) which is in particular
based on the password for authentication. The PAKE framework is
defined in [IEEE P1363.2], [ISO/IEC 11770-4], and [RFC2945].
2.2 Abbreviations
TDL Trapdoor Discrete Logarithm
IBE Identity Based Encryption
I-PAKE Identity-Based Password Authenticated Key Exchange
AKE Authenticated Key Exchange
Expires November 4, 2013 [Page 5]
INTERNET DRAFT I-PAKE May 3, 2013
PKG Private Key Generator
HSM Hardware Security Module
MAC Message Authentication Code
SSL/TLS Secure Socket Layer/Transport Layer Security
CDH problem Computational Diffie-Hellman problem
2.3 Underlying Group
The I-PAKE protocol can be implemented over the following group.
Let N =p*q where p and q are sufficiently large B-smooth prime such
that p = 3 (mod 4), q = 3 (mod 4), gcd(p - 1, q - 1) = 2. Let G be a
multiplicative cyclic subgroup of Z_N^* with a generator g = g_m^2
where g_m is a generator of a maximal cyclic subgroup of Z_N^* of
order phi(N)/2. The order of g is phi(N)/4.
2.4 Notations
a||b
A concatenation of a and b.
A
The alphabet of ID. An alphanumeric set is commonly used.
T
The alphabet of salt. A set of discrete logarithms of the A's
elements in G. This set is maintained privately by the server's
HSM_s.
P
The alphabet of password. An alphanumeric set with special
characters is commonly used.
User
A human user who actually remembers a pair of ID and password for
authentication.
ID
User's identity which is represented ID = ID_1||ID_2|| ... ||
ID_alpha where the ID_i is an element of Set A for all i in {1,2,
..., alpha}.
Client or C
Expires November 4, 2013 [Page 6]
INTERNET DRAFT I-PAKE May 3, 2013
A protocol entity providing a user interface to User for ID and
password entry, and a system interface to a remote server for
running the protocol. Client represents User in the protocol.
Server or S
A protocol entity providing a system interface to Client for
running the protocol, and storing a 3-tuple of ID, salt, and
password-verifier for authentication.
HSM_t and HSM_v
Private hardware attached to Server. HSM_t stores Set T and is
used for deriving salt given ID. HSM_v is only used in the hard-
augmented model for computing a password-verifier.
h
A known random hash function which takes an arbitrary finite bit
string and assigns it to an element of Z_N^*, where Z_N^* is a set
of positive integers modulo N which are not zero divisors. In
practice, a cryptographically secure one-way hash function is
used.
H
It is defined as H(ID) = (h(ID))^2 for an ID. By definition, H
takes an ID and assigns it to an elements of G. That is H(ID) = I
is in G. In fact, ID = ID_1||ID_2|| ... || ID_alpha, H(ID) is
calculated as H(ID_1) * H(ID_2) * ... * H(ID_alpha).
h_i (i = 0, 1, 2, 3, 4, 5, 6)
Known random hash functions. In practice, a cryptographically
secure one-way hash function is used with distinct indices i. Each
h_i takes an arbitrary finite bit string and assigns it to a
finite string. The bit size of output of each h_i can be different
from each other.
t_ID
The secret key of the client whose identity is ID. t_ID is a
discrete logarithm of I = H(ID) based on g. That is, t_ID = log_g
H(ID) = log_g H(ID_1) * H(ID_2) * ... * H(ID_alpha) = log_g
H(ID_1) + log_g H(ID_2) + ... + log_g H(ID_alpha) = t_ID_1 +
t_ID_2 + ... + t_ID_alpha.
pw and PW
"pw" is the password maintained by Client. Importantly, pw can be
a plaintext of password, exactly remembered by User, or a one-way
hash function of it, depending on the protocol and Server
implementation. "PW" is the password maintained by Server.
Importantly, PW can be equal to pw, exactly maintained by Client,
or a one-way hash function of it, or a MAC of it, depending on the
Expires November 4, 2013 [Page 7]
INTERNET DRAFT I-PAKE May 3, 2013
protocol and Server implementation.
V_PW
A password-verifier maintained by Server, such that V_PW =
h(ID,t_ID,PW). This value is derived from PW by hashing in the
soft-augmented model or MAC in the hard-augmented model. That is
PW = h'(pw) or PW = MAC_hk(pw), where h' is a cryptographically
secure one-way hash function, MAC_hk is a message authentication
code that takes an element in P and assigns it to a finite bit
string where hk is a secret key of HSM_v.
X and Y
Ephemeral Diffie-Hellman public keys. X=g^x mod N and Y=g^y mod N,
respectively, for randomly chosen x and y in Z_N^*.
E_K(pw)
Encryption of pw under the ephemeral high-entropy key K. The
encryption function E is a secure symmetric key encryption
function, for example, AES.
C_1 and C_2
Confirmation messages in the protocol.
'
An indicator that discriminates the values computed by the server
from the same values computed by the client. For instance, sk and
sk' might be the same values but computed by respective parties.
Expires November 4, 2013 [Page 8]
INTERNET DRAFT I-PAKE May 3, 2013
3 Identity-Based Password Authenticated Key Exchange
I-PAKE is a two-party protocol where Client and Server authenticate
each other and generate a session key together, based on a human-
memorable password and ID information. For the purpose, the client
and the server exchange messages involving ephemeral keying
information and agree on a fresh session key.
3.1 Initialization
The initialization SHOULD be finished before the I-PAKE protocol
execution.
3.1.1 System Initialization
Server MAY negotiate with PKG or play the role of PKG by itself, so
as to generate system parameters including underlying group
parameters, ID and salt alphabets, and required functions.
Server MUST keep the salt alphabet, T, secure, e.g., in HSM_t, after
the initialization.
In the hard-augmented model, Server MUST initialize HSM_v as well.
3.1.2 Registration
User SHOULD select ID and a memorable password, and register them to
Server through a secure channel. The secure channel at registration
is out of scope in this document.
Client MAY receive the User's input and set the password as pw, so as
to submit ID and pw to Server.
Server MUST fetch the discrete logarithms of H(ID_i) from T for ID,
and set their sum as User's salt, t_ID. Server MAY set the received
pw as PW, so as to compute a password-verifier.
In the hard-augmented model, Server MUST negotiate with HSM_v for
obtaining PW such that PW = MAC_hk(pw). In the soft-augmented model,
Server MAY set PW as a function of pw.
Server SHOULD store ID, t_ID, and V_PW in its storage after computing
the password-verifier such that V_PW = h(ID,t_ID,PW)
User MAY update the memorable password with a new one, and register
it to Server again.
3.2 Protocol Execution
Expires November 4, 2013 [Page 9]
INTERNET DRAFT I-PAKE May 3, 2013
User MUST input ID and password at the user interface provided by
Client. The protocol SHOULD be executed between Server and Client.
+------------+ +-------------+
| | | |
| Client | MESSAGE_1 | Server |
| | -------------> | |
| | MESSAGE_2 | |
| | <------------ | |
| | MESSAGE_3 | |
| | -------------> | | +-------+
| | MESSAGE_4 | | --- | HSM_v |
| | <------------- | | +-------+
| | | |
+------------+ +-------------+
Client ----> Server
Client SHALL choose a random x from Z_N^* and computes its
ephemeral Diffie-Hellman public key X = g^x mod N. It is an
OPTION that this computation MAY be done as pre-computation.
MESSAGE_1 = ID, X
Server ----> Client
If the received value X is 1, 0, or -1, then Server MUST
terminate this protocol execution. Upon receiving MESSAGE_1,
Server SHALL select a random y from Z_N^* and compute Y=g^y mod
N. It is an OPTION that this computation MAY be done as pre-
computation.
MESSAGE_2 = Y
Client ----> Server
If the received value Y is 1, 0, or -1, then Client MUST
terminate this protocol execution. Upon receiving MESSAGE_2,
Client SHALL perform the following:
o Action 1: Calculate I = H(ID).
o Action 2: Calculate e = h_0(ID,C,S,X,Y,I).
o Action 3: Calculate Z = (YI^e)^x mod N.
Expires November 4, 2013 [Page 10]
INTERNET DRAFT I-PAKE May 3, 2013
o Action 4: Calculate the secret key K = h_1(ID,C,S,X,Y,I,Z).
o Action 5: Calculate the session key sk = h_2(ID,C,S,X,Y,I,Z).
o Action 6: Encrypt the password pw using the secret key K,
E_K(pw).
o Action 7: Calculate C_1 = h_3(ID,C,S,X,Y,I,sk).
MESSAGE_3 = E_K(pw), C_1
Server ----> Client
Upon receiving MESSAGE_3, Server SHALL perform the following:
o Action 1: Calculate I = H(ID).
o Action 2: Calculate e = h_0(ID,C,S,X,Y,I).
o Action 3: Calculate Z' = X^(y+t_ID*e) mod N.
o Action 4: Calculate the secret key K' = h_1(ID,C,S,X, Y, I,
Z').
o Action 5: Calculate the session key sk' = h_2(ID,C,S,X, Y, I,
Z').
o Action 6: Decrypt the received E_K(pw) using the secret key
K'.
o Action 7: Calculate the password verifier V_PW =
h(ID,t_ID,PW), where PW is MAC_hk(pw) in the hard-augmented
model or h(pw) in the soft-augmented model.
If the calculated V_PW is not equal to the saved V_PW then
Server MUST terminate this protocol execution. Otherwise, Server
SHALL perform the following:
o Action 8: Calculate C_1' = h_3(ID,C,S,X,Y,I,sk).
If the received C_1 in MESSAGE_3 is not equal to C_1' then
Server MUST terminate this protocol execution. Otherwise, Server
shall perform the following:
o Action 9: Calculate C_2 = h_4(ID,C,S,X,Y,I,sk').
Expires November 4, 2013 [Page 11]
INTERNET DRAFT I-PAKE May 3, 2013
MESSAGE_4 = C_2
Since (YI^e)^x = (g^y * (g^sID)^e)^x = g^xy * g^((s_ID)ex) = X^y
* X^(s_ID * e) = X^(y + s_ID*e), K = K' and sk = sk'. That is,
Server calculates the same secret key with Client and can
decrypt the MESSAGE_3 and obtain the same password pw. Server
can confirm that Client is now operated by authenticated User
and agree on the session key sk to be shared with Client.
Client
Upon receiving MESSAGE_4, Client SHALL perform the following:
o Action 1: Calculate C_2' = h_4(ID,C,S,X,Y,I,sk').
If the received C_2 does not equal to C_2' then Client MUST
terminate this protocol execution. Otherwise, Client can confirm
that Server is authenticated and agree on the session key sk to
be shared with Server.
Expires November 4, 2013 [Page 12]
INTERNET DRAFT I-PAKE May 3, 2013
4 Security Considerations
4.1 General - Completeness
The I-PAKE protocol is a cryptographic protocol that achieves
mutual authentication and key agreement, based on a human-
memorable password and ID information, between two entities.
4.1.1 Mutual Authentication
A user is authenticated by a server through a pair of ID and
memorable password pw in the I-PAKE protocol. For the purpose, a
client of the user should submit the encryption of pw under a
correct fresh encryption key K, along with the user's ID, in the
protocol. Note that pw can be a secure one-way hash function of
real memorable password.
The server is authenticated by the client through the salt, that
is, the user's ID information based on IBE, in the I-PAKE
protocol. For the purpose, the server must show the confirmation
that the same session key has been derived based on the salt.
4.1.2 Key Agreement
A client and a server both exchange ephemeral Diffie-Hellman
public keys, X and Y, and agree on the same key incorporating
the correct Diffie-Hellman key based on them.
4.2 I-PAKE - AKE Security
The I-PAKE protocol is an AKE protocol based on a memorable
password and ID information. Thus, it fulfills the requirements
of AKE security.
4.2.1 Passive Attacks
We say that an AKE protocol is secure against passive attacks if
an adversary who merely observes honest entities carrying out
the protocol, fails to derive a session key, which was
authenticated and agreed by the honest entities.
IPAKE is a secure AKE protocol because the messages, (U, X), (S,
Y), C1, and C2, eavesdropped by a passive attacker, do not
reveal the corresponding session key, sk, due to the CDH problem
and the secure one-way hash function.
More specifically, sk and K are secure one-way hash functions of
Expires November 4, 2013 [Page 13]
INTERNET DRAFT I-PAKE May 3, 2013
protocol messages involving the seed key, zk, denoted as
follows.
zk=Z*Z'^e mod N
Note that Z is a Diffie-Hellman key of X and Y, i.e., Z=g^(xy)
mod N; Z' can be seen as another form of the Diffie-Hellman key
of X and I, i.e., Z=g^(xt) mod N; and e is a secure one-way hash
function of protocol messages involving X, Y, and I, i.e.,
e=h0(U,S,X,Y,I).
The confirmation messages, C1 and C2, are secure one-way hash
functions of protocol messages involving sk.
The I-PAKE protocol is secure against the passive attacks.
4.2.2 Active Attacks
We say that an AKE protocol is secure against active attacks if
an adversary who controls the protocol messages, e.g., by
injection, interception, replay, and/or modification, fails to
subvert the communications of the honest entities.
o Impersonation of client: In order to impersonate a client of a
target user, an adversary should obtain the encryption of pw
under a fresh encryption key K and its confirmation message C1.
(1) Although the adversary can inject a new message X to the
protocol and derive K from x and Y, the probability of
constructing the correct encryption of pw is bounded by the
password space. (2) Although the adversary can replay the old
message X' generated previously by the honest client, the new
encryption key K must be different from the old encryption key
K' due to the server's new ephemeral key Y that is different
from the old ephemeral key Y'. In both cases, the adversary
cannot construct the correct encryption of pw and its
confirmation message C1, and thus fails to impersonate the
client.
o Impersonation of server: In order to impersonate a server, an
adversary should obtain a correct encryption key K and its
confirmation message C2. (1) Although the adversary can inject a
new message Y to the protocol, the probability of computing K is
bounded by the salt space. (2) Although the adversary can replay
the old message Y' generated previously by the honest server,
the new decryption key K must be different from the old
encryption key K' due to the client's new ephemeral key X that
is also distinct from the old ephemeral key X'. (3) Although the
adversary can modify a new message Y, e.g., Y=g^y*I^(1/e') mod
Expires November 4, 2013 [Page 14]
INTERNET DRAFT I-PAKE May 3, 2013
N, for the purpose of canceling out I and so the slat s when
computing a fresh key K from X, Y, and the secure one-way hash
function e, the probability of obtaining e' such that e'=e must
be bounded by the collision resistance of the hash function. In
all cases, the adversary cannot obtain a correct encryption key
K and its confirmation message C2, and thus fails to impersonate
the server.
o Man-in-the-middle attack: In order to reside as a middle man
in the protocol, an adversary should enforce a fresh encryption
key K, encryption of pw, and confirmation messages C1 and C2,
according to her own key X' and Y', respectively. Although the
adversary can intercept X and Y, and inject her own key X' and
Y' to replace them, respectively, into the protocol, the
probability of computing K against a client is bounded by the
salt space while that of constructing the encryption of pw
against the server is bounded by the password space. The
adversary fails to reside as a middle man in the protocol.
The I-PAKE protocol is secure against the active attacks.
4.2.3 Forward Secrecy
We say AKE provides forward secrecy when the secrecy of previous
session keys is not affected even if long-term secrets, such as
passwords and salt in the I-PAKE protocol, of one or more
entities are compromised.
If the password is compromised, an adversary should inspect the
protocol messages of the previous sessions that incorporate the
password but only is the encryption of pw from a conventional
block cipher system. Due to the security assumption of the block
cipher, the ephemeral encryption key K is not derivable. Even if
K is also compromised, the previous session key is not derivable
due to the security assumption of one-way hash function.
If the salt is compromised, the adversary should inspect the
protocol messages of the previous sessions that incorporate the
salt but only is the ID information. Due to the hardness
assumption of the Diffie-Hellman problem, the previous session
key is not derivable from X and Y.
The I-PAKE protocol provides the forward secrecy.
4.2.4 Known Session Key
We say AKE is secure against known session key attacks if the
protocol achieves its goal even if an adversary learned some
Expires November 4, 2013 [Page 15]
INTERNET DRAFT I-PAKE May 3, 2013
previous session keys.
If the previous session key sk is compromised, an adversary
should inspect the protocol messages of the previous and/or
future sessions but only is the confirmation message. Due to the
hardness assumption of the Diffie-Hellman problem and the
security assumption of one-way hash function, the old session
keys neither reveal the password and salt information nor
enforce forged key agreement.
The I-PAKE protocol is secure against the known session key
attacks.
4.2.5 Key Control
We say AKE is secure against key control attacks if neither
entity is able to force the session key to be a function of a
pre-selected value, such as either X or Y.
Due to the the hardness assumption of the Diffie-Hellman
problem, neither entity can enforce the key agreement on a pre-
selected value.
The I-PAKE protocol is secure against the key control attacks.
4.3 I-PAKE - Dictionary Attack
The I-PAKE protocol is a PAKE protocol that incorporates IBE.
Thus, it fulfills the requirements of PAKE security against
dictionary attacks.
4.3.1 On-line Dictionary Attack
We say PAKE is secure against on-line dictionary attacks if an
active adversary in the client side is only able to test a
single guess from a password dictionary per on-line attempt
while a server is able to count the number of failed attempts
consistently, and also in the server side cannot test any guess
from the password dictionary per on-line attempt. Note that the
second requirement is very important in practical settings.
In order to test a guessed password on-line in the client side,
the adversary should send the honest server the encryption of
guessed password and its confirmation C1 after exchanging X and
Y. The adversary can verify the guess according to the response
of the server, while the server can also verify it and count its
failure due to the decryption result. If the failure count gets
to the limit, the server can lock the corresponding account.
Expires November 4, 2013 [Page 16]
INTERNET DRAFT I-PAKE May 3, 2013
In order to test a guessed password on-line in the server side,
the adversary should decrypt out the password which was
encrypted by the honest client after exchanging X and Y. The
adversary cannot verify the guess because the corresponding
decryption key K is not derivable.
The I-PAKE protocol is secure against the on-line dictionary
attacks.
4.3.2 Off-line Dictionary Attack
We say PAKE is secure against off-line dictionary attacks if an
active adversary is only able to remove at most a single guess
from a password dictionary per session, and a passive adversary
cannot remove any guess from the dictionary.
As described in the on-line dictionary attack, the active
adversary can only remove a single guess from the dictionary in
the client side, and no guess in the server side per session.
As described in the passive attack, the passive adversary cannot
derive a decryption key K, and thus cannot remove any guess from
the dictionary per session.
The I-PAKE protocol is secure against the off-line dictionary
attacks.
4.4 I-PAKE - Server Compromise
The I-PAKE protocol is an augmented PAKE protocol that fulfills
the requirements of PAKE security against server compromise, not
only in the previous (soft-) augmented model but also in the new
hard-augmented model.
4.4.1 Soft-Augmented Model
We say PAKE is secure against the server compromise in the soft-
augmented model if an adversary who obtained a password
verification directory stored by the server cannot impersonate
the client of the target user directly, i.e., without launching
the off-line dictionary attack. Note that the off-line
dictionary attack is possible for the server compromise in the
soft-augmented model.
Since the server stores only ID, salt, and verifier in the
password verification directory, the adversary who obtained the
directory cannot construct the encryption of password.
Expires November 4, 2013 [Page 17]
INTERNET DRAFT I-PAKE May 3, 2013
The I-PAKE protocol is secure against the server compromise in
the soft-augmented model.
4.4.2 Hard-Augmented Model
We say PAKE is secure against the server compromise in the hard-
augmented model if an adversary who obtained a password
verification directory stored by the server cannot impersonate
the client of the target user and launch the off-line dictionary
attack. The basic assumption is that the HSM module is never
compromised.
Since the server stores only ID, salt, and verifier in the
password verification directory, the adversary who obtained the
directory cannot construct the encryption of password.
Since the verifier is the MAC of password information under the
MAC key which is only stored in the HSM module, the adversary
who obtained the directory cannot launch the off-line dictionary
attack.
The I-PAKE protocol is secure against the server compromise in
the hard-augmented model.
5 IANA Considerations
This document includes no request to IANA.
6 References
6.1 Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2945] Wu, T., "The SRP Authentication and Key Exchange System",
RFC 2945, September 2000.
6.2 Informative References
[RFC5408] Appenzeller, G., Martin, L., and M. Schertler, "Identity-
Based Encryption Architecture and Supporting Data
Structures", RFC 5408, January 2009.
[RFC5409] Martin, L. and M. Schertler, "Using the Boneh-Franklin and
Expires November 4, 2013 [Page 18]
INTERNET DRAFT I-PAKE May 3, 2013
Boneh-Boyen Identity-Based Encryption Algorithms with the
Cryptographic Message Syntax (CMS)", RFC 5409, January
2009.
[RFC5091] Boyen, X. and L. Martin, "Identity-Based Cryptography
Standard (IBCS) #1: Supersingular Curve Implementations of
the BF and BB1 Cryptosystems", RFC 5091, December 2007.
[IEEE P1363.2]
IEEE P1363.2, "Password-Based Public-Key Cryptography",
Submissions to IEEE P1363.2, <http://grouper.ieee.org/
groups/1363/passwdPK/submissions.html>.
[ISO/IEC 11770-4]
ISO/IEC JTC 1/SC 27 11770-4, "Information technology -
Security techniques - Key management - Part 4: Mechanisms
based on weak secrets", May 2006, <http://
www.iso.org/iso/iso_catalogue/catalogue_tc/
catalogue_detail.htm?csnumber=39723>.
Authors' Addresses
Taekyoung Kwon
Sejong University
98 Kunja-dong, Kwangjin-gu
Seoul 143-747, Korea
EMail: tkwon@sejong.edu
Hyojin Yoon
Samsung SDS
5th Fl., Medison Bldg.,
Daechi-dong, Gangnam-gu,
Seoul 135-280, Korea
EMail: hj1230.yoon@samsung.com
Sangyoub Kim
Samsung SDS
4th Fl., Medison Bldg.,
Daechi-dong, Gangnam-gu,
Seoul 135-280, Korea
Expires November 4, 2013 [Page 19]
INTERNET DRAFT I-PAKE May 3, 2013
EMail: sy9.kim@samsung.com
Expires November 4, 2013 [Page 20]