Efficient Augmented Password-Only Authentication and Key Exchange for IKEv2
RFC 6628
| Document | Type |
RFC - Experimental
(June 2012; No errata)
Was draft-shin-augmented-pake (individual in sec area)
|
|
|---|---|---|---|
| Last updated | 2015-10-14 | ||
| Stream | IETF | ||
| Formats | plain text pdf html bibtex | ||
| Reviews | |||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 6628 (Experimental) | |
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | Sean Turner | ||
| IESG note | Paul Hoffman is the document shepherd (paul.hoffman@vpnc.org). | ||
| Send notices to | paul.hoffman@vpnc.org | ||
Internet Engineering Task Force (IETF) S. Shin
Request for Comments: 6628 K. Kobara
Category: Experimental AIST
ISSN: 2070-1721 June 2012
Efficient Augmented Password-Only Authentication and
Key Exchange for IKEv2
Abstract
This document describes an efficient augmented password-only
authentication and key exchange (AugPAKE) protocol where a user
remembers a low-entropy password and its verifier is registered in
the intended server. In general, the user password is chosen from a
small set of dictionary words that allows an attacker to perform
exhaustive searches (i.e., off-line dictionary attacks). The AugPAKE
protocol described here is secure against passive attacks, active
attacks, and off-line dictionary attacks (on the obtained messages
with passive/active attacks), and also provides resistance to server
compromise (in the context of augmented PAKE security). In addition,
this document describes how the AugPAKE protocol is integrated into
the Internet Key Exchange Protocol version 2 (IKEv2).
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for examination, experimental implementation, and
evaluation.
This document defines an Experimental Protocol for the Internet
community. This document is a product of the Internet Engineering
Task Force (IETF). It represents the consensus of the IETF
community. It has received public review and has been approved for
publication by the Internet Engineering Steering Group (IESG). Not
all documents approved by the IESG are a candidate for any level of
Internet Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6628.
Shin & Kobara Experimental [Page 1]
RFC 6628 Most Efficient Augmented PAKE for IKEv2 June 2012
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................3
1.1. Keywords ...................................................4
2. AugPAKE Specification ...........................................4
2.1. Underlying Group ...........................................4
2.2. Notation ...................................................5
2.2.1. Password Processing .................................6
2.3. Protocol ...................................................7
2.3.1. Initialization ......................................7
2.3.2. Actual Protocol Execution ...........................7
3. Security Considerations .........................................9
3.1. General Assumptions ........................................9
3.2. Security against Passive Attacks ..........................10
3.3. Security against Active Attacks ...........................10
3.3.1. Impersonation Attacks on User U ....................10
3.3.2. Impersonation Attacks on Server S ..................11
3.3.3. Man-in-the-Middle Attacks ..........................11
3.4. Security against Off-line Dictionary Attacks ..............12
3.5. Resistance to Server Compromise ...........................12
4. Implementation Consideration ...................................13
5. AugPAKE for IKEv2 ..............................................13
5.1. Integration into IKEv2 ....................................13
5.2. Payload Formats ...........................................15
5.2.1. Notify Payload .....................................15
5.2.2. Generic Secure Password Method Payload .............16
6. IANA Considerations ............................................16
7. References .....................................................16
7.1. Normative References ......................................16
7.2. Informative References ....................................17
Appendix A. Evaluation by PAKE Selection Criteria.................19
Show full document text