1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
|
Internet Engineering Task Force (IETF) S. Shin
Request for Comments: 6628 K. Kobara
Category: Experimental AIST
ISSN: 2070-1721 June 2012
Efficient Augmented Password-Only Authentication and
Key Exchange for IKEv2
Abstract
This document describes an efficient augmented password-only
authentication and key exchange (AugPAKE) protocol where a user
remembers a low-entropy password and its verifier is registered in
the intended server. In general, the user password is chosen from a
small set of dictionary words that allows an attacker to perform
exhaustive searches (i.e., off-line dictionary attacks). The AugPAKE
protocol described here is secure against passive attacks, active
attacks, and off-line dictionary attacks (on the obtained messages
with passive/active attacks), and also provides resistance to server
compromise (in the context of augmented PAKE security). In addition,
this document describes how the AugPAKE protocol is integrated into
the Internet Key Exchange Protocol version 2 (IKEv2).
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for examination, experimental implementation, and
evaluation.
This document defines an Experimental Protocol for the Internet
community. This document is a product of the Internet Engineering
Task Force (IETF). It represents the consensus of the IETF
community. It has received public review and has been approved for
publication by the Internet Engineering Steering Group (IESG). Not
all documents approved by the IESG are a candidate for any level of
Internet Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6628.
Shin & Kobara Experimental [Page 1]
^L
RFC 6628 Most Efficient Augmented PAKE for IKEv2 June 2012
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................3
1.1. Keywords ...................................................4
2. AugPAKE Specification ...........................................4
2.1. Underlying Group ...........................................4
2.2. Notation ...................................................5
2.2.1. Password Processing .................................6
2.3. Protocol ...................................................7
2.3.1. Initialization ......................................7
2.3.2. Actual Protocol Execution ...........................7
3. Security Considerations .........................................9
3.1. General Assumptions ........................................9
3.2. Security against Passive Attacks ..........................10
3.3. Security against Active Attacks ...........................10
3.3.1. Impersonation Attacks on User U ....................10
3.3.2. Impersonation Attacks on Server S ..................11
3.3.3. Man-in-the-Middle Attacks ..........................11
3.4. Security against Off-line Dictionary Attacks ..............12
3.5. Resistance to Server Compromise ...........................12
4. Implementation Consideration ...................................13
5. AugPAKE for IKEv2 ..............................................13
5.1. Integration into IKEv2 ....................................13
5.2. Payload Formats ...........................................15
5.2.1. Notify Payload .....................................15
5.2.2. Generic Secure Password Method Payload .............16
6. IANA Considerations ............................................16
7. References .....................................................16
7.1. Normative References ......................................16
7.2. Informative References ....................................17
Appendix A. Evaluation by PAKE Selection Criteria.................19
Shin & Kobara Experimental [Page 2]
^L
RFC 6628 Most Efficient Augmented PAKE for IKEv2 June 2012
1. Introduction
In the real world, many applications, such as Web mail and Internet
banking/shopping/trading, require secure channels between
participating parties. Such secure channels can be established by
using an authentication and key exchange (AKE) protocol, which allows
the involved parties to authenticate each other and to generate a
temporary session key. The temporary session key is used to protect
the subsequent communications between the parties.
Until now, password-only AKE (called PAKE) protocols have attracted
much attention because password-only authentication is very
convenient to the users. However, it is not trivial to design a
secure PAKE protocol due to the existence of off-line dictionary
attacks on passwords. These attacks are possible since passwords are
chosen from a relatively-small dictionary that allows for an attacker
to perform the exhaustive searches. This problem was brought forth
by Bellovin and Merritt [BM92], and many subsequent works have been
conducted in the literature (see some examples in [IEEEP1363.2]). A
PAKE protocol is said to be secure if the best attack an active
attacker can take is restricted to the on-line dictionary attacks,
which allows a guessed password to be checked only by interacting
with the honest party.
An augmented PAKE protocol (e.g., [BM93], [RFC2945], [ISO]) provides
extra protection for server compromise in the sense that an attacker,
who obtains a password verifier from a server, cannot impersonate the
corresponding user without performing off-line dictionary attacks on
the password verifier. This additional security is known as
"resistance to server compromise". The AugPAKE protocol described in
this document is an augmented PAKE, which also achieves measurable
efficiency over some previous works (i.e., SRP [RFC2945] and AMP
[ISO]). We believe the following (see [SKI10] for the formal
security proof): 1) The AugPAKE protocol is secure against passive
attacks, active attacks, and off-line dictionary attacks (on the
obtained messages with passive/active attacks), and 2) It provides
resistance to server compromise. At the same time, the AugPAKE
protocol has similar computational efficiency to the plain Diffie-
Hellman key exchange [DH76] that does not provide authentication by
itself. Specifically, the user and the server need to compute 2 and
2.17 modular exponentiations, respectively, in the AugPAKE protocol.
After excluding pre-computable costs, the user and the server are
required to compute only 1 and 1.17 modular exponentiations,
respectively. Compared with SRP [RFC2945] and AMP [ISO], the AugPAKE
protocol is more efficient 1) than SRP in terms of the user's
computational costs and 2) than AMP in terms of the server's
computational costs.
Shin & Kobara Experimental [Page 3]
^L
RFC 6628 Most Efficient Augmented PAKE for IKEv2 June 2012
This document also describes how the AugPAKE protocol is integrated
into IKEv2 [RFC5996].
1.1. Keywords
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2. AugPAKE Specification
2.1. Underlying Group
The AugPAKE protocol can be implemented over the following group.
o Let p and q be sufficiently large primes such that q is a divisor
of ((p - 1) / 2), and every factor of ((p - 1) / 2) are also
primes comparable to q in size. This p is called a "secure"
prime. By G, we denote a multiplicative subgroup of prime order q
over the field GF(p), the integers modulo p. Let g be a generator
for the subgroup G so that all the subgroup elements are generated
by g. The group operation is denoted multiplicatively (in modulo
p).
By using a secure prime p, the AugPAKE protocol has computational
efficiency gains. Specifically, it does not require the order check
of elements received from the counterpart party. Note that the
groups defined in Discrete Logarithm Cryptography [SP800-56A] and RFC
5114 [RFC5114] are not necessarily the above secure prime groups.
Alternatively, one can implement the AugPAKE protocol over the
following groups.
o Let p and q be sufficiently large primes such that p = (2 * q) +
1. This p is called a "safe" prime. By G, we denote a
multiplicative subgroup of prime order q over the field GF(p), the
integers modulo p. Let g be any element of G other than 1. For
example, g = h^2 mod p where h is a primitive element. The group
operation is denoted multiplicatively (in modulo p).
o Let p and q be sufficiently large primes such that q is a divisor
of ((p - 1) / 2). By G, we denote a multiplicative subgroup of
prime order q over the field GF(p), the integers modulo p. Let g
be a generator for the subgroup G so that all the subgroup
elements are generated by g. The group operation is denoted
multiplicatively (in modulo p). If p is not a "secure" prime, the
AugPAKE protocol MUST perform the order check of received
elements.
Shin & Kobara Experimental [Page 4]
^L
RFC 6628 Most Efficient Augmented PAKE for IKEv2 June 2012
2.2. Notation
The AugPAKE protocol is a two-party protocol where a user and a
server authenticate each other and generate a session key. The
following notation is used in this document:
U
The user's identity (e.g., as defined in [RFC4282]). It is a
string in {0,1}^* where {0,1}^* indicates a set of finite binary
strings.
S
The server's identity (e.g., as defined in [RFC4282]). It is a
string in {0,1}^*.
b = H(a)
A binary string a is given as input to a secure one-way hash
function H (e.g., SHA-2 family [FIPS180-3]), which produces a
fixed-length output b. The hash function H maps {0,1}^* to
{0,1}^k, where {0,1}^k indicates a set of binary strings of length
k and k is a security parameter.
b = H'(a)
A binary string a is given as input to a secure one-way hash
function H', which maps the input a in {0,1}^* to the output b in
Z_q^*, where Z_q^* is a set of positive integers modulo prime q.
a | b
It denotes a concatenation of binary strings a and b in {0,1}^*.
0x
A hexadecimal value is shown preceded by "0x".
X * Y mod p
It indicates a multiplication of X and Y modulo prime p.
X = g^x mod p
The g^x indicates a multiplication computation of g by x times.
The resultant value modulo prime p is assigned to X. The discrete
logarithm problem says that it is computationally hard to compute
the discrete logarithm x from X, g, and p.
w
The password remembered by the user. This password may be used as
an effective password (instead of itself) in the form of H'(0x00 |
U | S | w).
Shin & Kobara Experimental [Page 5]
^L
RFC 6628 Most Efficient Augmented PAKE for IKEv2 June 2012
W
The password verifier registered in the server. This password
verifier is computed as follows: W = g^w mod p where the user's
password w is used itself, or W = g^w' mod p where the effective
password w' = H'(0x00 | U | S | w) is used.
bn2bin(X)
It indicates a conversion of a multiple precision integer X to the
corresponding binary string. If X is an element over GF(p), its
binary representation MUST have the same bit length as the binary
representation of prime p.
U -> S: msg
It indicates a message transmission that the user U sends a
message msg to the server S.
U:
It indicates a local computation of user U (without any outgoing
messages).
2.2.1. Password Processing
The input password MUST be processed according to the rules of the
[RFC4013] profile of [RFC3454]. The password SHALL be considered a
"stored string" per [RFC3454], and unassigned code points are
therefore prohibited. The output SHALL be the binary representation
of the processed UTF-8 character string. Prohibited output and
unassigned code points encountered in SASLprep pre-processing SHALL
cause a failure of pre-processing, and the output SHALL NOT be used
with the AugPAKE protocol.
The following table shows examples of how various character data is
transformed by the rules of the [RFC4013] profile.
# Input Output Comments
- ----- ------ --------
1 I<U+00AD>X IX SOFT HYPHEN mapped to nothing
2 user user no transformation
3 USER USER case preserved, will not match #2
4 <U+00AA> a output is NFKC, input in ISO 8859-1
5 <U+2168> IX output is NFKC, will match #1
6 <U+0007> Error - prohibited character
7 <U+0627><U+0031> Error - bidirectional check
Shin & Kobara Experimental [Page 6]
^L
RFC 6628 Most Efficient Augmented PAKE for IKEv2 June 2012
2.3. Protocol
The AugPAKE protocol consists of two phases: initialization and
actual protocol execution. The initialization phase SHOULD be
finished in a secure manner between the user and the server, and it
is performed all at once. Whenever the user and the server need to
establish a secure channel, they can run the actual protocol
execution through an open network (i.e., the Internet) in which an
active attacker exists.
2.3.1. Initialization
U -> S: (U, W)
The user U computes W = g^w' mod p, where w' is the effective
password, and transmits W to the server S. The W is registered in
the server as the password verifier of user U. Of course, user U
just remembers password w only.
If resistance to server compromise is not necessary and a node needs
to act as both initiator and responder, e.g., as a gateway, then the
node can store w' instead of W even when it acts as server S. In
either case, server S SHOULD NOT store any plaintext passwords.
As noted above, this phase SHOULD be performed securely and all at
once.
2.3.2. Actual Protocol Execution
The actual protocol execution of the AugPAKE protocol allows the user
and the server to share an authenticated session key through an open
network (see Figure 1).
Shin & Kobara Experimental [Page 7]
^L
RFC 6628 Most Efficient Augmented PAKE for IKEv2 June 2012
+-----------------+ +------------------+
| User U | | Server S (U,W) |
| | (U, X) | |
| |----------------------------->| |
| | | |
| | (S, Y) | |
| |<-----------------------------| |
| | | |
| | V_U | |
| |----------------------------->| |
| | | |
| | V_S | |
| |<-----------------------------| |
| | | |
+-----------------+ +------------------+
Figure 1: Actual Protocol Execution
U -> S: (U, X)
The user U chooses a random element x from Z_q^* and computes its
Diffie-Hellman public value X = g^x mod p. The user sends the
first message (U, X) to the server S.
S -> U: (S, Y)
If the received X from user U is 0, 1, or -1 (mod p), server S
MUST terminate the protocol execution. Otherwise, the server
chooses a random element y from Z_q^* and computes Y = (X *
(W^r))^y mod p where r = H'(0x01 | U | S | bn2bin(X)). Note that
X^y * g^(w * r * y) mod p can be computed from y and (w * r * y)
efficiently using Shamir's trick [MOV97]. Then, server S sends
the second message (S, Y) to the user U.
U -> S: V_U
If the received Y from server S is 0, 1, or -1 (mod p), user U
MUST terminate the protocol execution. Otherwise, the user
computes K = Y^z mod p where z = 1 / (x + (w * r)) mod q and r =
H'(0x01 | U | S | bn2bin(X)). Also, user U generates an
authenticator V_U = H(0x02 | U | S | bn2bin(X) | bn2bin(Y) |
bn2bin(K)). Then, the user sends the third message V_U to the
server S.
Shin & Kobara Experimental [Page 8]
^L
RFC 6628 Most Efficient Augmented PAKE for IKEv2 June 2012
S -> U: V_S
If the received V_U from user U is not equal to H(0x02 | U | S |
bn2bin(X) | bn2bin(Y) | bn2bin(K)) where K = g^y mod p, server S
MUST terminate the protocol execution. Otherwise, the server
generates an authenticator V_S = H(0x03 | U | S | bn2bin(X) |
bn2bin(Y) | bn2bin(K)) and a session key SK = H(0x04 | U | S |
bn2bin(X) | bn2bin(Y) | bn2bin(K)). Then, server S sends the
fourth message V_S to the user U.
U:
If the received V_S from server S is not equal to H(0x03 | U | S |
bn2bin(X) | bn2bin(Y) | bn2bin(K)), user U MUST terminate the
protocol execution. Otherwise, the user generates a session key
SK = H(0x04 | U | S | bn2bin(X) | bn2bin(Y) | bn2bin(K)).
In the actual protocol execution, the sequential order of message
exchanges is very important to avoid any possible attacks. For
example, if the server S sends the second message (S, Y) and the
fourth message V_S together, any attacker can easily derive the
correct password w with off-line dictionary attacks.
The session key SK, shared only if the user and the server
authenticate each other successfully, MAY be generated by using a key
derivation function (KDF) [SP800-108]. After generating SK, the user
and the server MUST delete all the internal states (e.g., Diffie-
Hellman exponents x and y) from memory.
For the formal proof [SKI10] of the AugPAKE protocol, we need to
slightly change the computation of Y (in the above S -> U: (S, Y))
and K (in the above S -> U: V_S) as follows: Y = (X * (W^r))^y' and K
= g^y' where y' = H'(0x05 | bn2bin(y)).
3. Security Considerations
This section shows why the AugPAKE protocol (i.e., the actual
protocol execution) is secure against passive attacks, active
attacks, and off-line dictionary attacks, and also provides
resistance to server compromise.
3.1. General Assumptions
o An attacker is computationally bounded.
o Any hash functions used in the AugPAKE protocol are secure in
terms of pre-image resistance (one-wayness), second pre-image
resistance, and collision resistance.
Shin & Kobara Experimental [Page 9]
^L
RFC 6628 Most Efficient Augmented PAKE for IKEv2 June 2012
3.2. Security against Passive Attacks
An augmented PAKE protocol is said to be secure against passive
attacks in the sense that an attacker, who eavesdrops the exchanged
messages, cannot compute an authenticated session key (shared between
the honest parties in the protocol).
In the AugPAKE protocol, an attacker can get the messages (U, X),
(S,Y), V_U, V_S by eavesdropping, and then wants to compute the
session key SK. That is, the attacker's goal is to derive the
correct K from the obtained messages X and Y, because the hash
functions are secure and the only secret in the computation of SK is
K = g^y mod p. Note that
X = g^x mod p and
Y = (X * (W^r))^y = X^y * W^(r * y) = X^y * (g^y)^t = X^y * K^t
hold where t = w' * r mod q. Though t is determined from possible
password candidates and X, the only way for the attacker to extract K
from X and Y is to compute X^y. However, the probability for the
attacker to compute X^y is negligible in the security parameter for
the underlying groups since both x and y are random elements chosen
from Z_q^*. Therefore, the AugPAKE protocol is secure against
passive attacks.
3.3. Security against Active Attacks
An augmented PAKE protocol is said to be secure against active
attacks in the sense that an attacker, who completely controls the
exchanged messages, cannot compute an authenticated session key
(shared with the honest party in the protocol) with the probability
better than that of on-line dictionary attacks. In other words, the
probability for an active attacker to compute the session key is
restricted by the on-line dictionary attacks where it grows linearly
to the number of interactions with the honest party.
In the AugPAKE protocol, the user (respectively, the server) computes
the session key SK only if the received authenticator V_S
(respectively, V_U) is valid. There are three cases to be considered
in the active attacks.
3.3.1. Impersonation Attacks on User U
When an attacker impersonates the user U, the attacker can compute
the same SK (to be shared with the server S) only if the
authenticator V_U is valid. For a valid authenticator V_U, the
attacker has to compute the correct K from X and Y because the hash
Shin & Kobara Experimental [Page 10]
^L
RFC 6628 Most Efficient Augmented PAKE for IKEv2 June 2012
functions are secure. In this impersonation attack, the attacker of
course knows the discrete logarithm x of X and guesses a password w''
from the password dictionary. So, the probability for the attacker
to compute the correct K is bounded by the probability of w = w''.
That is, this impersonation attack is restricted by the on-line
dictionary attacks where the attacker can try a guessed password
communicating with the honest server S. Therefore, the AugPAKE
protocol is secure against impersonation attacks on user U.
3.3.2. Impersonation Attacks on Server S
When an attacker impersonates the server S, the attacker can compute
the same SK (to be shared with the user U) only if the authenticator
V_S is valid. For a valid authenticator V_S, the attacker has to
compute the correct K from X and Y because the hash functions are
secure. In this impersonation attack, the attacker chooses a random
element y and guesses a password w'' from the password dictionary so
that
Y = (X * (W'^r))^y = X^y * W'^(r * y) = X^y * (g^y)^t'
where t' = w'' * r mod q. The probability for the attacker to
compute the correct K is bounded by the probability of w = w''.
Also, the attacker knows whether the guessed password is equal to w
or not by seeing the received authenticator V_U. However, when w is
not equal to w'', the probability for the attacker to compute the
correct K is negligible in the security parameter for the underlying
groups since the attacker has to guess the discrete logarithm x
(chosen by user U) as well. That is, this impersonation attack is
restricted by the on-line dictionary attacks where the attacker can
try a guessed password communicating with the honest user U.
Therefore, the AugPAKE protocol is secure against impersonation
attacks on server S.
3.3.3. Man-in-the-Middle Attacks
When an attacker performs the man-in-the-middle attack, the attacker
can compute the same SK (to be shared with the user U or the server
S) only if one of the authenticators V_U, V_S is valid. Note that if
the attacker relays the exchanged messages honestly, it corresponds
to the passive attacks. In order to generate a valid authenticator
V_U or V_S, the attacker has to compute the correct K from X and Y
because the hash functions are secure. So, the attacker is in the
same situation as discussed above. Though the attacker can test two
passwords (one with user U and the other with server S), it does not
change the fact that this attack is restricted by the on-line
dictionary attacks where the attacker can try a guessed password
Shin & Kobara Experimental [Page 11]
^L
RFC 6628 Most Efficient Augmented PAKE for IKEv2 June 2012
communicating with the honest party. Therefore, the AugPAKE protocol
is also secure against man-in-the-middle attacks.
3.4. Security against Off-line Dictionary Attacks
An augmented PAKE protocol is said to be secure against off-line
dictionary attacks in the sense that an attacker, who completely
controls the exchanged messages, cannot reduce the possible password
candidates better than on-line dictionary attacks. Note that in the
on-line dictionary attacks, an attacker can test one guessed password
by running the protocol execution (i.e., communicating with the
honest party).
As discussed in Section 3.2, an attacker in the passive attacks does
not compute X^y (and the correct K = g^y mod p) from the obtained
messages X, Y. This security analysis also indicates that, even if
the attacker can guess a password, the K is derived independently
from the guessed password. Next, we consider an active attacker
whose main goal is to perform the off-line dictionary attacks in the
AugPAKE protocol. As in Section 3.3, the attacker can 1) test one
guessed password by impersonating the user U or the server S, or 2)
test two guessed passwords by impersonating the server S (to the
honest user U) and impersonating the user U (to the honest server S)
in the man-in-the-middle attacks. Whenever the honest party receives
an invalid authenticator, the party terminates the actual protocol
execution without sending any message. In fact, this is important to
prevent an attacker from testing more than one password in the active
attacks. Since passive attacks and active attacks cannot remove the
possible password candidates more efficiently than on-line dictionary
attacks, the AugPAKE protocol is secure against off-line dictionary
attacks.
3.5. Resistance to Server Compromise
We consider an attacker who has obtained a (user's) password verifier
from a server. In the (augmented) PAKE protocols, there are two
limitations [BJKMRSW00]: 1) the attacker can find out the correct
password from the password verifier with the off-line dictionary
attacks because the verifier has the same entropy as the password;
and 2) if the attacker impersonates the server with the password
verifier, this attack is always possible because the attacker has
enough information to simulate the server. An augmented PAKE
protocol is said to provide resistance to server compromise in the
sense that the attacker cannot impersonate the user without
performing off-line dictionary attacks on the password verifier.
In order to show resistance to server compromise in the AugPAKE
protocol, we consider an attacker who has obtained the password
Shin & Kobara Experimental [Page 12]
^L
RFC 6628 Most Efficient Augmented PAKE for IKEv2 June 2012
verifier W and then tries to impersonate the user U without off-line
dictionary attacks on W. As a general attack, the attacker chooses
two random elements c and d from Z_q^*, and computes
X = (g^c) * (W^d) mod p
and sends the first message (U, X) to the server S. In order to
impersonate user U successfully, the attacker has to compute the
correct K = g^y mod p where y is randomly chosen by server S. After
receiving Y from the server, the attacker's goal is to find out a
value e satisfying Y^e = K mod p. That is,
log_g (Y^e) = log_g K mod q
(c + (w' * d) + (w' * r)) * y * e = y mod q
(c + w' * (d + r)) * e = 1 mod q
where log_g K indicates the logarithm of K to the base g. Since
there is no off-line dictionary attacks on W, the above solution is
that e = 1 / c mod q and d = -r mod q. However, the latter is not
possible since r is determined by X (i.e., r = H'(0x01 | U | S |
bn2bin(X))) and H' is a secure hash function. Therefore, the AugPAKE
protocol provides resistance to server compromise.
4. Implementation Consideration
As discussed in Section 3, the AugPAKE protocol is secure against
passive attacks, active attacks, and off-line dictionary attacks, and
provides resistance to server compromise. However, an attacker in
the on-line dictionary attacks can check whether one password
(guessed from the password dictionary) is correct or not by
interacting with the honest party. Let N be the number of possible
passwords within a dictionary. Certainly, the attacker's success
probability grows with the probability of (I / N) where I is the
number of interactions with the honest party. In order to provide a
reasonable security margin, implementation SHOULD take a
countermeasure to the on-line dictionary attacks. For example, it
would take about 90 years to test 2^(25.5) passwords with a one
minute lock-out for 3 failed password guesses (see Appendix A in
[SP800-63]).
5. AugPAKE for IKEv2
5.1. Integration into IKEv2
IKE is a primary component of IPsec in order to provide mutual
authentication and establish security associations between two peers.
Shin & Kobara Experimental [Page 13]
^L
RFC 6628 Most Efficient Augmented PAKE for IKEv2 June 2012
The AugPAKE protocol, described in Section 2, can be easily
integrated into IKEv2 [RFC5996] as a "weak" pre-shared key
authentication method (see Figure 2). This integrated protocol
preserves the IKEv2 structure and security guarantees (e.g., identity
protection). Note that the AugPAKE protocol can be used in three
scenarios for IKEv2: "Security Gateway to Security Gateway Tunnel",
"Endpoint-to-Endpoint Transport", and "Endpoint to Security Gateway
Tunnel".
Initiator Responder
----------- -----------
IKE_SA_INIT:
HDR, SAi1, KEi, Ni,
N(SECURE_PASSWORD_METHODS) -->
<-- HDR, SAr1, KEr, Nr,
N(SECURE_PASSWORD_METHODS)
IKE_AUTH:
HDR, SK {IDi, GSPM(PVi), [IDr,]
SAi2, TSi, TSr} -->
<-- HDR, SK {IDr, GSPM(PVr)}
HDR, SK {AUTHi} -->
<-- HDR, SK {AUTHr, SAr2, TSi, TSr}
Figure 2: AugPAKE into IKEv2
The changes from IKEv2 are summarized as follows:
o In addition to IKEv2, one round trip is added.
o The initiator (respectively, the responder) sends an
N(SECURE_PASSWORD_METHODS) notification to indicate its
willingness to use AugPAKE in the IKE_SA_INIT exchange.
o The added values GSPM(PVi) and GSPM(PVr) in the IKE_AUTH exchange
correspond to X and Y of the AugPAKE protocol in Section 2,
respectively.
o From K (represented as an octet string) derived in Section 2, the
AUTH values in the IKE_AUTH exchange are computed as
AUTHi = prf( prf(K, "AugPAKE for IKEv2"),
<InitiatorSignedOctets> | GSPM(PVi) | GSPM(PVr) | IDi | IDr)
Shin & Kobara Experimental [Page 14]
^L
RFC 6628 Most Efficient Augmented PAKE for IKEv2 June 2012
AUTHr = prf( prf(K, "AugPAKE for IKEv2"),
<ResponderSignedOctets> | GSPM(PVr) | GSPM(PVi) | IDr | IDi)
5.2. Payload Formats
5.2.1. Notify Payload
The Notify Payload N(SECURE_PASSWORD_METHODS) [RFC6467], indicating a
willingness to use AugPAKE in the IKE_SA_INIT exchange, is defined as
follows:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Next Payload !C! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Protocol ID ! SPI Size ! Notify Message Type !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! !
~ Security Parameter Index (SPI) ~
! !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! !
~ Notification Data ~
! !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
As in [RFC5996], the Protocol ID and SPI Size SHALL be set to zero
and, therefore, the SPI field SHALL be empty. The Notify Message
Type will be 16424 [RFC6467].
The Notification Data contains the list of the 16-bit secure password
method numbers:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Secure Password Method #1 ! Secure Password Method #2 !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Secure Password Method #3 ! ... !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The response Notify Payload contains exactly one 16-bit secure
password method number (i.e., for AugPAKE here) inside the
Notification Data field.
Shin & Kobara Experimental [Page 15]
^L
RFC 6628 Most Efficient Augmented PAKE for IKEv2 June 2012
5.2.2. Generic Secure Password Method Payload
The Generic Secure Password Method (GSPM) Payload, denoted GSPM(PV)
in Section 5.1, is defined as follows:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Next Payload !C! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! !
~ ~
! Data Specific to the Secure Password Method !
~ ~
! !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The GSPM Payload Type will be 49 [RFC6467].
Since the GSPM(PV) value is a group element, the encoded octet string
is actually used in the "Data Specific to the Secure Password Method"
field.
6. IANA Considerations
IANA has assigned value 2 to the method name "AugPAKE" from the
"IKEv2 Secure Password Methods" registry in [IKEV2-IANA].
7. References
7.1. Normative References
[FIPS180-3] Information Technology Laboratory, "Secure Hash
Standard (SHS)", NIST FIPS Publication 180-3, October
2008, <http://csrc.nist.gov/publications/fips/
fips180-3/fips180-3_final.pdf>.
[IKEV2-IANA] IANA, "Internet Key Exchange Version 2 (IKEv2)
Parameters",
<http://www.iana.org/assignments/ikev2-parameters>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3454] Hoffman, P. and M. Blanchet, "Preparation of
Internationalized Strings ("stringprep")", RFC 3454,
December 2002.
Shin & Kobara Experimental [Page 16]
^L
RFC 6628 Most Efficient Augmented PAKE for IKEv2 June 2012
[RFC4013] Zeilenga, K., "SASLprep: Stringprep Profile for User
Names and Passwords", RFC 4013, February 2005.
[RFC4282] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The
Network Access Identifier", RFC 4282, December 2005.
[RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
"Internet Key Exchange Protocol Version 2 (IKEv2)", RFC
5996, September 2010.
[SP800-108] Chen, L., "Recommendation for Key Derivation Using
Pseudorandom Functions (Revised)", NIST Special
Publication 800-108, October 2009,
<http://csrc.nist.gov/publications/
nistpubs/800-108/sp800-108.pdf>.
7.2. Informative References
[BJKMRSW00] Bellare, M., Jablon, D., Krawczyk, H., MacKenzie, P.,
Rogaway, P., Swaminathan, R., and T. Wu, "Proposal for
P1363 Study Group on Password-Based
Authenticated-Key-Exchange Methods", IEEE P1363.2:
Password-Based Public-Key Cryptography, Submissions to
IEEE P1363.2 , February 2000, <http://grouper.ieee.org/
groups/1363/passwdPK/contributions/p1363-pw.pdf>.
[BM92] Bellovin, S. and M. Merritt, "Encrypted Key Exchange:
Password-based Protocols Secure against Dictionary
Attacks", Proceedings of the IEEE Symposium on Security
and Privacy, IEEE Computer Society, 1992.
[BM93] Bellovin, S. and M. Merritt, "Augmented Encrypted Key
Exchange: A Password-based Protocol Secure against
Dictionary Attacks and Password File Compromise",
Proceedings of the 1st ACM Conference on Computer and
Communication Security, ACM Press, 1993.
[DH76] Diffie, W. and M. Hellman, "New Directions in
Cryptography", IEEE Transactions on Information Theory
Volume IT-22, Number 6, 1976.
Shin & Kobara Experimental [Page 17]
^L
RFC 6628 Most Efficient Augmented PAKE for IKEv2 June 2012
[H10] Harkins, D., "Password-Based Authentication in IKEv2:
Selection Criteria and Considerations", Work in
Progress, October 2010.
[IEEEP1363.2] IEEE P1363.2, "Password-Based Public-Key Cryptography",
Submissions to IEEE P1363.2 , <http://grouper.ieee.org/
groups/1363/passwdPK/submissions.html>.
[ISO] ISO/IEC JTC 1/SC 27 11770-4, "Information technology --
Security techniques -- Key management -- Part 4:
Mechanisms based on weak secrets", April 2006,
<http://www.iso.org/iso/iso_catalogue/catalogue_tc/
catalogue_detail.htm?csnumber=39723>.
[MOV97] Menezes, A., Oorschot, P., and S. Vanstone,
"Simultaneous Multiple Exponentiation", in Handbook of
Applied Cryptography, CRC Press, 1997.
[RFC2945] Wu, T., "The SRP Authentication and Key Exchange
System", RFC 2945, September 2000.
[RFC5114] Lepinski, M. and S. Kent, "Additional Diffie-Hellman
Groups for Use with IETF Standards", RFC 5114, January
2008.
[RFC6467] Kivinen, T., "Secure Password Framework for Internet
Key Exchange Version 2 (IKEv2)", RFC 6467, December
2011.
[SKI10] Shin, S., Kobara, K., and H. Imai, "Security Proof of
AugPAKE", Cryptology ePrint Archive: Report 2010/334,
June 2010, <http://eprint.iacr.org/2010/334>.
[SP800-56A] Barker, E., Johnson, D., and M. Smid, "Recommendation
for Pair-Wise Key Establishment Schemes Using Discrete
Logarithm Cryptography (Revised)", NIST Special
Publication 800-56A, March 2007, <http://csrc.nist.gov/
publications/nistpubs/800-56A/
SP800-56A_Revision1_Mar08-2007.pdf>.
[SP800-63] Burr, W., Dodson, D., and W. Polk, "Electronic
Authentication Guideline", NIST Special Publication
800-63 Version 1.0.2, April 2006,
<http://csrc.nist.gov/publications/
nistpubs/800-63/SP800-63V1_0_2.pdf>.
Shin & Kobara Experimental [Page 18]
^L
RFC 6628 Most Efficient Augmented PAKE for IKEv2 June 2012
Appendix A. Evaluation by PAKE Selection Criteria
Below is a self-evaluation of the AugPAKE protocol following PAKE
selection criteria [H10].
SEC1: AugPAKE is zero knowledge (password) proof. It is secure
against passive/active/off-line dictionary attacks. It is also
resistant to server-compromise impersonation attacks.
SEC2: AugPAKE provides Perfect Forward Secrecy (PFS) and is secure
against Denning-Sacco attack.
SEC3: IKEv2 identity protection is preserved.
SEC4: Any cryptographically secure Diffie-Hellman groups can be used.
SEC5: The formal security proof of AugPAKE can be found at [SKI10].
SEC6: AugPAKE can be easily used with strong credentials.
SEC7: In the case of server compromise, an attacker has to perform
off-line dictionary attacks while computing modular
exponentiation with a password candidate.
SEC8: AugPAKE is secure regardless of the transform negotiated by
IKEv2.
IPR1: AugPAKE was publicly disclosed on Oct. 2008.
IPR2: AIST applied for a patent in Japan on July 10, 2008. AIST
would provide royal-free license of AugPAKE.
IPR3: IPR disclosure (see https://datatracker.ietf.org/ipr/1284/)
MISC1: AugPAKE adds one round trip to IKEv2.
MISC2: The initiator needs to compute only 2 modular exponentiation
computations while the responder needs to compute 2.17
modular exponentiation computations. AugPAKE needs to
exchange 2 group elements and 2 hash values. This is almost
the same computation/communication costs as the plain Diffie-
Hellman (DH) key exchange. If we use a large (e.g.,
2048/3072-bits) parent group, the hash size would be
relatively small.
MISC3: AugPAKE has the same performance for any type of secret.
Shin & Kobara Experimental [Page 19]
^L
RFC 6628 Most Efficient Augmented PAKE for IKEv2 June 2012
MISC4: Internationalization of character-based passwords can be
supported.
MISC5: AugPAKE can be implemented over any ECP (Elliptic Curve Group
over GF[P]), EC2N (Elliptic Curve Group over GF[2^N]), and
MODP (Modular Exponentiation Group) groups.
MISC6: AugPAKE has request/response nature of IKEv2.
MISC7: No additional negotiation is needed.
MISC8: No Trusted Third Party (TTP) and clock synchronization
MISC9: No additional primitive (e.g., Full Domain Hashing (FDH)
and/or ideal cipher) is needed.
MISC10: As above, AugPAKE can be implemented over any ECP/EC2N
groups.
MISC11: Easy implementation. We already implemented AugPAKE and have
been testing in AIST.
Authors' Addresses
SeongHan Shin
AIST
Central 2, 1-1-1, Umezono
Tsukuba, Ibaraki 305-8568
JP
Phone: +81 29-861-2670
EMail: seonghan.shin@aist.go.jp
Kazukuni Kobara
AIST
EMail: kobara_conf@m.aist.go.jp
Shin & Kobara Experimental [Page 20]
^L
|