Dragonfly Key Exchange
RFC 7664

Document Type RFC - Informational (November 2015; No errata)
Last updated 2015-11-11
Stream IRTF
IETF conflict review conflict-review-irtf-cfrg-dragonfly
Stream IRTF state Published RFC
Consensus Boilerplate No
IESG IESG state RFC 7664 (Informational)
IANA IANA review state IANA OK - No Actions Needed
IANA action state No IC
Internet Research Task Force (IRTF)                      D. Harkins, Ed.
Request for Comments: 7664                                Aruba Networks
Category: Informational                                    November 2015
ISSN: 2070-1721

                         Dragonfly Key Exchange

Abstract

   This document specifies a key exchange using discrete logarithm
   cryptography that is authenticated using a password or passphrase.
   It is resistant to active attack, passive attack, and offline
   dictionary attack.  This document is a product of the Crypto Forum
   Research Group (CFRG).

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Research Task Force
   (IRTF).  The IRTF publishes the results of Internet-related research
   and development activities.  These results might not be suitable for
   deployment.  This RFC represents the individual opinion(s) of one or
   more members of the Crypto Forum Research Group of the Internet
   Research Task Force (IRTF).  Documents approved for publication by
   the IRSG are not a candidate for any level of Internet Standard; see
   Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7664.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Harkins                       Informational                     [Page 1]
RFC 7664                        Dragonfly                  November 2015

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   2
     1.2.  Definitions . . . . . . . . . . . . . . . . . . . . . . .   3
       1.2.1.  Notations . . . . . . . . . . . . . . . . . . . . . .   3
       1.2.2.  Resistance to Dictionary Attack . . . . . . . . . . .   3
   2.  Discrete Logarithm Cryptography . . . . . . . . . . . . . . .   4
     2.1.  Elliptic Curve Cryptography . . . . . . . . . . . . . . .   4
     2.2.  Finite Field Cryptography . . . . . . . . . . . . . . . .   5
   3.  The Dragonfly Key Exchange  . . . . . . . . . . . . . . . . .   6
     3.1.  Assumptions . . . . . . . . . . . . . . . . . . . . . . .   7
     3.2.  Derivation of the Password Element  . . . . . . . . . . .   8
       3.2.1.  Hunting and Pecking with ECC Groups . . . . . . . . .  10
       3.2.2.  Hunting and Pecking with MODP Groups  . . . . . . . .  12
     3.3.  The Commit Exchange . . . . . . . . . . . . . . . . . . .  13
     3.4.  The Confirm Exchange  . . . . . . . . . . . . . . . . . .  14
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .  15
   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  16
     5.1.  Normative References  . . . . . . . . . . . . . . . . . .  16
     5.2.  Informative References  . . . . . . . . . . . . . . . . .  16
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  18
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  18

1.  Introduction

   Passwords and passphrases are the predominant way of doing
   authentication in the Internet today.  Many protocols that use
   passwords and passphrases for authentication exchange password-
   derived data as a proof-of-knowledge of the password (for example,
   [RFC7296] and [RFC5433]).  This opens the exchange up to an offline
   dictionary attack where the attacker gleans enough knowledge from
   either an active or passive attack on the protocol to run through a
   pool of potential passwords and compute verifiers until it is able to
   match the password-derived data.

   This protocol employs discrete logarithm cryptography to perform an
   efficient exchange that mutually authenticates the two parties using
   a password, in a way that is provably resistant to an offline
   dictionary attack.  Consensus of the CFRG for this document was rough.
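   The two paragraphs above describe the problem (password-derived data
   in the transcript lets an attacker test guesses offline) and the
   shape of the fix (a discrete-log exchange in which the transcript
   alone does not verify a guess, so each guess costs one online
   exchange).  The following is an added example, not code from RFC 7664
   or from any implementation of it.  It mirrors the three stages the
   RFC uses (password element, commit exchange, confirm exchange) over a
   MODP group, but the specifics are this example's own simplifying
   assumptions: a 64-bit safe prime found at import time stands in for a
   real group, the password element comes from a simplified
   hunting-and-pecking loop, and keys and confirm tags are derived with
   HMAC-SHA256.  Class and function names (`Party`,
   `password_element`, `run_exchange`) are likewise this example's.

```python
"""Toy Dragonfly-style PAKE over a tiny MODP group (illustrative only).

Added example; not RFC 7664's code.  Group size, password-element derivation
and key/confirm derivation are simplifications chosen for readability.
"""
import hashlib
import hmac
import secrets

# ---- group setup: p = 2q + 1 with q prime, so the subgroup exponent (p-1)/q is 2 ----

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24 (covers 64-bit)."""
    if n < 2:
        return False
    for sp in _MR_BASES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _find_safe_prime(start: int) -> int:
    """First safe prime p >= start, i.e. p and (p-1)/2 both prime."""
    p = start | 1
    while not (_is_prime(p) and _is_prime((p - 1) // 2)):
        p += 2
    return p

P = _find_safe_prime(1 << 63)   # constructed toy modulus; far too small for real use
Q = (P - 1) // 2                # prime order of the subgroup holding the password element
PLEN = (P.bit_length() + 7) // 8

def _i2b(x: int) -> bytes:
    return x.to_bytes(PLEN, "big")

def password_element(password: bytes, max_counter: int = 40) -> int:
    """Simplified hunting-and-pecking: hash password||counter into the field, raise to
    (P-1)/Q so the result lies in the order-Q subgroup, keep the first value != 1.
    (The RFC additionally mixes identities in and runs a fixed number of rounds.)"""
    for counter in range(1, max_counter + 1):
        seed = hashlib.sha256(password + bytes([counter])).digest()
        base = int.from_bytes(seed, "big") % (P - 1) + 1      # in [1, P-1]
        pe = pow(base, (P - 1) // Q, P)
        if pe != 1:
            return pe
    raise ValueError("no password element found")             # astronomically unlikely

class Party:
    """One side of the exchange; holds the secrets it must never reveal (rand, mask, PE)."""

    def __init__(self, password: bytes):
        self.pe = password_element(password)
        while True:
            self.rand = secrets.randbelow(Q - 2) + 2           # 1 < rand < Q
            self.mask = secrets.randbelow(Q - 2) + 2           # 1 < mask < Q
            self.scalar = (self.rand + self.mask) % Q
            if self.scalar > 1:
                break
        # Element = PE^(-mask); PE has order Q, so -mask is Q - mask in the exponent.
        # mask is uniform, so the Element alone says nothing about which PE produced it.
        self.element = pow(self.pe, Q - self.mask, P)

    def commit(self):
        return self.scalar, self.element

    def process_commit(self, peer_scalar: int, peer_element: int) -> None:
        """Sanity-check the peer's commit, then derive the shared secret and keys."""
        if not 1 < peer_scalar < Q:
            raise ValueError("peer scalar out of range")
        if not 1 < peer_element < P or pow(peer_element, Q, P) != 1:
            raise ValueError("peer element not in the order-Q subgroup")
        if (peer_scalar, peer_element) == (self.scalar, self.element):
            raise ValueError("peer echoed our own commit (reflection)")
        # ss = (PE^peer_scalar * peer_element)^rand = PE^(rand * peer_rand); the
        # peer reaches the same value only if it used the same PE, i.e. the same password.
        ss = pow(pow(self.pe, peer_scalar, P) * peer_element % P, self.rand, P)
        self.peer_scalar, self.peer_element = peer_scalar, peer_element
        keyseed = hashlib.sha256(_i2b(ss)).digest()
        self.kck = hmac.new(keyseed, b"kck", hashlib.sha256).digest()  # confirm key
        self.mk = hmac.new(keyseed, b"mk", hashlib.sha256).digest()    # session key

    def _tag(self, s1: int, s2: int, e1: int, e2: int) -> bytes:
        return hmac.new(self.kck, _i2b(s1) + _i2b(s2) + _i2b(e1) + _i2b(e2), hashlib.sha256).digest()

    def confirm(self) -> bytes:
        return self._tag(self.scalar, self.peer_scalar, self.element, self.peer_element)

    def verify(self, peer_confirm: bytes) -> bool:
        expected = self._tag(self.peer_scalar, self.scalar, self.peer_element, self.element)
        return hmac.compare_digest(expected, peer_confirm)

def run_exchange(pw_a: bytes, pw_b: bytes):
    """Run one full exchange; returns (A accepts B, B accepts A, session keys match)."""
    a, b = Party(pw_a), Party(pw_b)
    b.process_commit(*a.commit())
    a.process_commit(*b.commit())
    return a.verify(b.confirm()), b.verify(a.confirm()), a.mk == b.mk

if __name__ == "__main__":
    print(run_exchange(b"correct horse", b"correct horse"))    # matching passwords
    print(run_exchange(b"correct horse", b"battery staple"))   # one guess, one failed exchange
```

   The second call shows the property the introduction is after: a wrong
   password does not abort the protocol early and yields no verifier
   for later offline checking; the only signal is a failed confirm, so
   every guess costs a full online exchange that the other side can
   count and rate-limit.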

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].