| rfc9382xml2.original.xml | rfc9382.xml | |||
|---|---|---|---|---|
| <?xml version="1.0"?> | <?xml version="1.0" encoding="UTF-8"?> | |||
| <!DOCTYPE rfc SYSTEM "rfc2629.dtd" [ | ||||
| <!ENTITY RFC2104 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC | <!DOCTYPE rfc [ | |||
| .2104.xml"> | <!ENTITY nbsp " "> | |||
| <!ENTITY RFC2119 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC | <!ENTITY zwsp "​"> | |||
| .2119.xml"> | <!ENTITY nbhy "‑"> | |||
| <!ENTITY RFC4493 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC | <!ENTITY wj "⁠"> | |||
| .4493.xml"> | ||||
| <!ENTITY RFC5480 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC | ||||
| .5480.xml"> | ||||
| <!ENTITY RFC5869 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC | ||||
| .5869.xml"> | ||||
| <!ENTITY RFC6234 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC | ||||
| .6234.xml"> | ||||
| <!ENTITY RFC7914 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC | ||||
| .7914.xml"> | ||||
| <!ENTITY RFC8032 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC | ||||
| .8032.xml"> | ||||
| <!ENTITY RFC8174 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC | ||||
| .8174.xml"> | ||||
| <!ENTITY RFC8265 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC | ||||
| .8265.xml"> | ||||
| <!ENTITY h2c SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.dr | ||||
| aft-irtf-cfrg-hash-to-curve-05.xml"> | ||||
| <!ENTITY opaque SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D | ||||
| .draft-irtf-cfrg-opaque-06.xml"> | ||||
| ]> | ]> | |||
| <?rfc toc="yes"?> | ||||
| <?rfc tocdepth="1"?> | <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft | |||
| <rfc category="info" ipr="trust200902" docName="draft-irtf-cfrg-spake2-26" submi | -irtf-cfrg-spake2-26" number="9382" submissionType="IRTF" category="info" | |||
| ssionType="IRTF"> | consensus="false" obsoletes="" updates="" xml:lang="en" tocInclude="true" tocDep | |||
| th="2" | ||||
| sortRefs="true" symRefs="true" version="3"> | ||||
| <!-- xml2rfc v2v3 conversion 3.12.1 --> | ||||
| <front> | <front> | |||
| <title>SPAKE2, a PAKE</title> | <title abbrev="SPAKE2">SPAKE2, a Password-Authenticated Key Exchange</title> | |||
| <seriesInfo name="RFC" value="9382"/> | ||||
| <author fullname="Watson Ladd" initials="W." surname="Ladd"> | <author fullname="Watson Ladd" initials="W." surname="Ladd"> | |||
| <organization>Sealance</organization> | ||||
| <address> | ||||
| <email>watsonbladd@gmail.com</email> | ||||
| </address> | ||||
| </author> | ||||
| <author role="editor" initials="B." surname="Kaduk" fullname="Benjamin Kaduk | ||||
| "> | ||||
| <organization abbrev="Akamai">Akamai Technologies</organization> | <organization abbrev="Akamai">Akamai Technologies</organization> | |||
| <address> | <address> | |||
| <email>kaduk@mit.edu</email> | <email>watsonbladd@gmail.com</email> | |||
| </address> | </address> | |||
| </author> | </author> | |||
| <date month="February" year="2022"/> | <date month="September" year="2023"/> | |||
| <workgroup> | <workgroup>Crypto Forum</workgroup> | |||
| Internet Research Task Force | <abstract> | |||
| </workgroup> | <t>This document describes SPAKE2, which is a protocol for two | |||
| <abstract> | ||||
| <t>This document describes SPAKE2 which is a protocol for two | ||||
| parties that share a password to derive a strong shared key | parties that share a password to derive a strong shared key | |||
| without disclosing the password. This method is compatible with | without disclosing the password. This method is compatible with | |||
| any group, is computationally efficient, and SPAKE2 has a | any group, is computationally efficient, and has a | |||
| security proof. This document predated the CFRG PAKE competition | security proof. This document predated the Crypto Forum | |||
| and it was not selected, however, given existing use of variants | Research Group (CFRG) password-authenticated key exchange (PAKE) competiti | |||
| in Kerberos and other applications it was felt publication was | on, | |||
| beneficial. Applications that need a symmetric PAKE (password authenticate | and it was not selected; however, given existing use of variants | |||
| d key exchange) and where hashing onto an elliptic curve | in Kerberos and other applications, it was felt that publication was | |||
| at execution time is not possible can use SPAKE2. This document is a produ | beneficial. | |||
| ct of the Crypto Forum | Applications that need a symmetric PAKE, but are unable to hash onto an | |||
| Research Group (CFRG) in the IRTF.</t> | elliptic curve at execution time, can use SPAKE2. This document is a product | |||
| of the Crypto Forum Research Group in the Internet Research Task Force (IRTF).</ | ||||
| t> | ||||
| </abstract> | </abstract> | |||
| </front> | </front> | |||
| <middle> | <middle> | |||
| <section anchor="intro" title="Introduction"> | <section anchor="intro" numbered="true" toc="default"> | |||
| <t>This document describes SPAKE2, a means for two parties that | <name>Introduction</name> | |||
| <t>This document describes SPAKE2, which is a means for two parties that | ||||
| share a password to derive a strong shared key without | share a password to derive a strong shared key without | |||
| disclosing the password. This password-based key exchange | disclosing the password. This password-based key exchange | |||
| protocol is compatible with any group (requiring only a | protocol is compatible with any group (requiring only a | |||
| scheme to map a random input of fixed length per group to a random | scheme to map a random input of a fixed length per group to a random | |||
| group element), is computationally efficient, and has a security | group element), is computationally efficient, and has a security | |||
| proof. Predetermined parameters for a selection of commonly | proof. Predetermined parameters for a selection of commonly | |||
| used groups are also provided for use by other protocols.</t> | used groups are also provided for use by other protocols.</t> | |||
| <t>SPAKE2 was not selected as the result of the CFRG PAKE selection | <t>SPAKE2 was not selected as the result of the CFRG PAKE selection | |||
| competition. However, given existing use of variants in Kerberos and | competition. However, given existing use of variants in Kerberos and | |||
| other applications it was felt publication was beneficial. This RFC | other applications, it was felt that publication was beneficial. This RFC | |||
| represents the individual opinion(s) of one or more members of | represents the individual opinion(s) of one or more members of | |||
| the Crypto Forum Research Group of the Internet Research Task | the Crypto Forum Research Group of the IRTF.</t> | |||
| Force (IRTF).</t> | ||||
| <t> Many of these applications predated methods to hash to | <t> Many of these applications predated methods to hash to | |||
| elliptic curves being available or predated the publication of | elliptic curves being available or predated the publication of | |||
| the PAKEs that were chosen as an outcome of the PAKE selection | the PAKEs that were chosen as an outcome of the PAKE selection | |||
| competition. In cases where a symmetric PAKE is needed, and | competition. In cases where a symmetric PAKE is needed and | |||
| hashing onto an elliptic curve at protocol execution time is not | hashing onto an elliptic curve at protocol execution time is not | |||
| available, SPAKE2 is useful.</t> | available, SPAKE2 is useful.</t> | |||
| </section> | </section> | |||
| <section anchor="notation" title="Requirements Notation"> | <section anchor="notation" numbered="true" toc="default"> | |||
| <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL | <name>Requirements Notation</name> | |||
| NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", | <t> | |||
| "MAY", and "OPTIONAL" in this document are to be interpreted as | The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQU | |||
| described in BCP 14 <xref target="RFC2119" /> <xref target="RFC8174" /> | IRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL | |||
| when, and only when, they | NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14> | |||
| appear in all capitals, as shown here.</t> | RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", | |||
| "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to | ||||
| be interpreted as | ||||
| described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> | ||||
| when, and only when, they appear in all capitals, as shown here. | ||||
| </t> | ||||
| </section> | </section> | |||
| <section anchor="definition" title="Definition of SPAKE2"> | <section anchor="definition" numbered="true" toc="default"> | |||
| <section title="Protocol Flow" anchor="flow"> | <name>Definition of SPAKE2</name> | |||
| <t>SPAKE2 is a two round protocol, wherein the first round establishes a | <section anchor="flow" numbered="true" toc="default"> | |||
| shared secret | <name>Protocol Flow</name> | |||
| <t>SPAKE2 is a two-round protocol, wherein the first round establishes a | ||||
| shared secret | ||||
| between A and B, and the second round serves as key confirmation. Prio r to invocation, A and B are provisioned with | between A and B, and the second round serves as key confirmation. Prio r to invocation, A and B are provisioned with | |||
| information such as the input password needed to run the protocol. We assume that the roles of A and B | information, such as the input password needed to run the protocol. We assume that the roles of A and B | |||
| are agreed upon by both sides: A goes first and uses M, and B goes seco nd and uses N. If this assignment | are agreed upon by both sides: A goes first and uses M, and B goes seco nd and uses N. If this assignment | |||
| of roles is not possible a symmetric variant MUST be used as described | of roles is not possible, a symmetric variant <bcp14>MUST</bcp14> be us | |||
| later <xref target="variants"/>. For instance A may be the client when | ed, as described later <xref target="variants" format="default"/>. For instance, | |||
| using TCP or TLS as an underlying protocol and B the server. Most proto | A may be the client when | |||
| cols have such a distinction. | using TCP or TLS as an underlying protocol, and B may be the server. Mo | |||
| st protocols have such a distinction. | ||||
| During the first round, A sends a public value pA to B, and | During the first round, A sends a public value pA to B, and | |||
| B responds with its own public value pB. Both A and B then | B responds with its own public value pB. Both A and B then | |||
| derive a shared secret used to produce encryption and | derive a shared secret used to produce encryption and | |||
| authentication keys. The latter are used during the second | authentication keys. The latter are used during the second | |||
| round for key confirmation. (<xref target="keys"/> details | round for key confirmation. (<xref target="keys" format="default"/> de tails | |||
| the key derivation and confirmation steps.) In particular, A | the key derivation and confirmation steps.) In particular, A | |||
| sends a key confirmation message cA to B, and B responds | sends a key confirmation message cA to B, and B responds | |||
| with its own key confirmation message cB. A MUST NOT | with its own key confirmation message cB. A <bcp14>MUST NOT</bcp14> | |||
| consider the protocol complete until it receives and | consider the protocol complete until it receives and | |||
| verifies cB. Likewise, B MUST NOT consider the protocol | verifies cB. Likewise, B <bcp14>MUST NOT</bcp14> consider the protocol | |||
| complete until it receives and verifies cA.</t> | complete until it receives and verifies cA.</t> | |||
| <t>This sample flow is shown below.</t> | <t>This sample flow is shown below.</t> | |||
| <figure><artwork><![CDATA[ | <artwork name="" type="" align="left" alt=""><![CDATA[ | |||
| A B | A B | |||
| | (setup protocol) | | | | | |||
| | | | | | | |||
| (compute pA) | pA | | (compute pA) | pA | | |||
| |----------------->| | |---------------------->| | |||
| | pB | (compute pB) | | pB | (compute pB) | |||
| |<-----------------| | |<----------------------| | |||
| | | | | | | |||
| | (derive secrets) | | | (derive secrets) | | |||
| | | | | | | |||
| (compute cA) | cA | | (compute cA) | cA | | |||
| |----------------->| | |---------------------->| | |||
| | cB | (compute cB) | | cB | (compute cB) | |||
| | | (check cA) | | | (check cA) | |||
| |<-----------------| | |<----------------------| | |||
| (check cB) | | | (check cB) | | | |||
| ]]></artwork></figure> | ]]></artwork> | |||
| </section> | </section> | |||
| <section title="Setup" anchor="setup"> | <section anchor="setup" numbered="true" toc="default"> | |||
| <name>Setup</name> | ||||
| <t>Let G be a group in which the gap Diffie-Hellman (GDH) | <t>Let G be a group in which the gap Diffie-Hellman (GDH) | |||
| problem is hard. Suppose G has order p*h where p is a large prime; | problem is hard. Suppose G has order p*h, where p is a large prime and | |||
| h will be called the cofactor. Let I be the unit element in | h will be called the cofactor. Let I be the unit element in | |||
| G, e.g., the point at infinity if G is an elliptic curve group. We den ote the | G, e.g., the point at infinity if G is an elliptic curve group. We den ote the | |||
| operations in the group additively. We assume there is a representatio n of | operations in the group additively. We assume there is a representatio n of | |||
| elements of G as byte strings: common choices would be SEC1 <xref targ | elements of G as byte strings: common choices would be SEC1 <xref targ | |||
| et="SEC1"/> | et="SEC1" format="default"/> | |||
| uncompressed or compressed for elliptic curve groups or big | uncompressed or compressed for elliptic curve groups or big-endian int | |||
| endian integers of a fixed (per-group) length for prime field DH. Appl | egers of a fixed (per-group) length for prime field DH. Applications <bcp14>MUST | |||
| ications MUST | </bcp14> | |||
| specify this encoding, typically by referring to the document defining the group. | specify this encoding, typically by referring to the document defining the group. | |||
| We fix two elements M and N in the prime-order subgroup of G as define | We fix two elements, M and N, in | |||
| d | the prime-order subgroup of G, as defined in <xref target="spake2_ciphersuite | |||
| in the table in this document for common groups, as well as a generato | s"/> of this | |||
| r P | document for common groups, as well as generator P of the (large) | |||
| of the (large) prime-order subgroup of G. In the case of a composite o | prime-order subgroup of G. In the case of a composite order group, | |||
| rder group | ||||
| we will work in the quotient group. For common groups used in thi s document, | we will work in the quotient group. For common groups used in thi s document, | |||
| P is specified in the document defining the group, and so we do not re | P is specified in the document defining the group, so we do not repeat i | |||
| peat it here.</t> | t here.</t> | |||
| <t> For elliptic curves other than the ones in this document, the method | ||||
| <t> For elliptic curves other than the ones in this document the metho | s described in | |||
| ds of | <xref target="RFC9380" format="default"/> <bcp14>SHOULD</bcp14> be use | |||
| <xref target="I-D.irtf-cfrg-hash-to-curve"/> SHOULD be used to generat | d to generate M and N, e.g., via | |||
| e M and N, e.g. via | ||||
| M = hash_to_curve("M SPAKE2 seed OID x") and N = hash_to_curve("N SPAK E2 seed OID x"), where | M = hash_to_curve("M SPAKE2 seed OID x") and N = hash_to_curve("N SPAK E2 seed OID x"), where | |||
| x is an OID for the curve. Applications MAY include a DST tag in this | x is an OID for the curve. Applications <bcp14>MAY</bcp14> include a d | |||
| step, as specified | omain separation tag (DST) in this step, as specified | |||
| in <xref target="I-D.irtf-cfrg-hash-to-curve"/>, though this is not re | in <xref target="RFC9380" format="default"/>, though this is not requi | |||
| quired.</t> | red.</t> | |||
| <t>|| denotes concatenation of byte strings. We also let len(S) denote t he | <t>|| denotes concatenation of byte strings. We also let len(S) denote t he | |||
| length of a string in bytes, represented as an eight-byte little- | length of a string in bytes, represented as an eight-byte little-endia | |||
| endian number. Finally, let nil represent an empty string, i.e., | n number. Finally, let nil represent an empty string, i.e., | |||
| len(nil) = 0. Text strings in double quotes are treated as their ASCII encodings | len(nil) = 0. Text strings in double quotes are treated as their ASCII encodings | |||
| throughout this document.</t> | throughout this document.</t> | |||
| <t>KDF(ikm, salt, info, L) is a key-derivation function that | <t>KDF(ikm, salt, info, L) is a key-derivation function that | |||
| takes as input a salt, intermediate keying material (IKM), | takes as input a salt, input keying material (IKM), an | |||
| info string, and derived key length L to derive a | info string, and derived key length L to derive a | |||
| cryptographic key of length L. MAC(key, message) is a Message | cryptographic key of length L. MAC(key, message) is a Message | |||
| Authentication Code algorithm that takes a secret key and | Authentication Code algorithm that takes a secret key and | |||
| message as input to produce an output. Let Hash be a hash | message as input to produce an output. Let Hash be a hash | |||
| function from arbitrary strings to bit strings of a fixed | function from arbitrary strings to bit strings of a fixed | |||
| length, at least 256 bits long. Common choices for Hash are | length that is at least 256 bits long. Common choices for Hash are | |||
| SHA256 or SHA512 <xref target="RFC6234"/>. Let MHF be a | SHA-256 or SHA-512 <xref target="RFC6234" format="default"/>. Let MHF be | |||
| a | ||||
| memory-hard hash function designed to slow down brute-force | memory-hard hash function designed to slow down brute-force | |||
| attackers. Scrypt <xref target="RFC7914"/> is a common example | attackers. Scrypt <xref target="RFC7914" format="default"/> is a common example | |||
| of this function. The output length of MHF matches that of | of this function. The output length of MHF matches that of | |||
| Hash. Parameter selection for MHF is out of scope for this | Hash. Parameter selection for MHF is out of scope for this | |||
| document. <xref target="Ciphersuites"/> specifies variants of | document. <xref target="Ciphersuites" format="default"/> specifies vari | |||
| KDF, MAC, and Hash suitable for use with the protocols | ants of | |||
| KDF, MAC, and Hash that are suitable for use with the protocols | ||||
| contained herein.</t> | contained herein.</t> | |||
| <t>Let A and B be two parties. A and B may also have digital | <t>Let A and B be two parties. A and B may also have digital | |||
| representations of the parties' identities such as Media Access C | representations of the parties' identities, such as Media Access Contr | |||
| ontrol addresses | ol addresses | |||
| or other names (hostnames, usernames, etc). A and B may share Addition | or other names (hostnames, usernames, etc.). A and B may share additio | |||
| al | nal | |||
| Authenticated Data (AAD) of length at most 2^16 - 128 bits that is sep | authenticated data (AAD) of a length that is at most 2<sup>16</sup> - | |||
| arate | 128 bits and separate | |||
| from their identities which they may want to include in the protocol e | from their identities, which they may want to include in the protocol | |||
| xecution. | execution. | |||
| One example of AAD is a list of supported protocol versions if SPAKE2 were | One example of AAD is a list of supported protocol versions if SPAKE2 were | |||
| used in a higher-level protocol which negotiates use of a particular P | used in a higher-level protocol that negotiates use of a particular PA | |||
| AKE. Including | KE. Including this list would ensure that both parties agree upon the | |||
| this list would ensure that both parties agree upon the same set of su | same set of supported protocols and therefore prevents downgrade attacks. We a | |||
| pported protocols | lso assume A and B share integer w; | |||
| and therefore prevent downgrade attacks. We also assume A and B share | typically, w = MHF(pw) mod p for a user-supplied password, pw. | |||
| an integer w; | Standards, such as <xref target="NIST.SP.800-56Ar3"/>, suggest taking | |||
| typically w = MHF(pw) mod p, for a user-supplied password pw. | mod p of a | |||
| Standards such as NIST.SP.800-56Ar3 suggest taking mod p of a | ||||
| hash value that is 64 bits longer than that needed to represent p to r emove | hash value that is 64 bits longer than that needed to represent p to r emove | |||
| statistical bias introduced by the modulation. Protocols using this sp ecification MUST define | statistical bias introduced by the modulation. Protocols using this sp ecification <bcp14>MUST</bcp14> define | |||
| the method used to compute w. In some cases, it may be necessary to ca rry out various | the method used to compute w. In some cases, it may be necessary to ca rry out various | |||
| forms of normalization of the password before hashing <xref target="RF | forms of normalization of the password before hashing <xref target="RF | |||
| C8265" />. | C8265" format="default"/>. | |||
| The hashing algorithm SHOULD be a MHF so as to slow down brute-force | The hashing algorithm <bcp14>SHOULD</bcp14> be an MHF so as to slow do | |||
| wn brute-force | ||||
| attackers. </t> | attackers. </t> | |||
| </section> | </section> | |||
| <section anchor="spake2" numbered="true" toc="default"> | ||||
| <section title="SPAKE2" anchor="spake2"> | <name>SPAKE2</name> | |||
| <t>To begin, A picks x randomly and uniformly from the integers in [0,p) | <t>To begin, A picks x randomly and uniformly from the integers in [0,p) | |||
| , | and calculates X=x*P and pA=w*M+X. Then, it transmits pA to B.</t> | |||
| and calculates X=x*P and pA=w*M+X, then transmits pA to B.</t> | <t>B selects y randomly and uniformly from the integers in [0,p) and cal | |||
| culates | ||||
| <t>B selects y randomly and uniformly from the integers in [0,p), and ca | Y=y*P and pB=w*N+Y. Then, it transmits pB to A.</t> | |||
| lculates | <t>Both A and B calculate group element K. A calculates it | |||
| Y=y*P, pB=w*N+Y, then transmits pB to A.</t> | ||||
| <t>Both A and B calculate a group element K. A calculates it | ||||
| as h*x*(pB-w*N), while B calculates it as h*y*(pA-w*M). A knows pB | as h*x*(pB-w*N), while B calculates it as h*y*(pA-w*M). A knows pB | |||
| because it has received it, and likewise B knows pA. The | because it has received it, and likewise B knows pA. The | |||
| multiplication by h prevents small subgroup confinement | multiplication by h prevents small subgroup confinement | |||
| attacks by computing a unique value in the quotient | attacks by computing a unique value in the quotient | |||
| group.</t> | group.</t> | |||
| <t>K is a shared value, though it <bcp14>MUST NOT</bcp14> be used or out | ||||
| <t>K is a shared value, though it MUST NOT be used or output as a shared | put as a shared secret | |||
| secret | ||||
| from the protocol. Both A and B must derive two additional shared secr ets from | from the protocol. Both A and B must derive two additional shared secr ets from | |||
| the protocol transcript, which includes K. | the protocol transcript, which includes K. | |||
| This prevents man-in-the-middle attackers from inserting themselves in | This use of the transcript ensures any manipulation of the messages | |||
| to | sent is reflected in the keys. The transcript TT is encoded as follows:</t> | |||
| the exchange. The transcript TT is encoded as follows:</t> | <artwork name="" type="" align="left" alt=""><![CDATA[ | |||
| <figure><artwork><![CDATA[ | ||||
| TT = len(A) || A | TT = len(A) || A | |||
| || len(B) || B | || len(B) || B | |||
| || len(pA) || pA | || len(pA) || pA | |||
| || len(pB) || pB | || len(pB) || pB | |||
| || len(K) || K | || len(K) || K | |||
| || len(w) || w | || len(w) || w | |||
| ]]></artwork></figure> | ]]></artwork> | |||
| <t> Here, w is encoded as a big-endian number padded to the length of p. | ||||
| <t> Here w is encoded as a big endian number padded to the length of p. | This representation | |||
| This representation | prevents timing attacks that otherwise would reveal the length of w. le | |||
| prevents timing attacks that otherwise would reveal the length of w. len | n(w) is thus a constant for a given group. | |||
| (w) is thus a constant. | ||||
| We include it for consistency.</t> | We include it for consistency.</t> | |||
| <t>If an identity is absent, it is encoded as a zero-length string. | <t>If an identity is absent, it is encoded as a zero-length string. | |||
| This MUST only be done for applications in which identities are implicit | This <bcp14>MUST</bcp14> only be done for applications in which identiti | |||
| . Otherwise, | es are implicit. Otherwise, | |||
| the protocol risks unknown key share attacks, where both sides of a conn | the protocol risks unknown key-share attacks, where both sides of a conn | |||
| ection disagree over who is authenticated.</t> | ection disagree over who is authenticated.</t> | |||
| <t>Upon completion of this protocol, A and B compute shared secrets Ke, | ||||
| <t>Upon completion of this protocol, A and B compute shared secrets Ke, | KcA, and KcB, as | |||
| KcA, and KcB as | specified in <xref target="keys" format="default"/>. A <bcp14>MUST</ | |||
| specified in <xref target="keys"/>. A MUST send B a key confirmation | bcp14> send B a key confirmation message | |||
| message | so that both parties agree upon these shared secrets. The confirmati | |||
| so both parties agree upon these shared secrets. This confirmation m | on message cA | |||
| essage cA | is computed as a MAC over the protocol transcript TT, using KcA as f | |||
| is computed as a MAC over the protocol transcript TT using KcA, as f | ollows: | |||
| ollows: | cA = MAC(KcA, TT). Similarly, B <bcp14>MUST</bcp14> send A a confirm | |||
| cA = MAC(KcA, TT). Similarly, B MUST send A a confirmation message u | ation message using a MAC that is | |||
| sing a MAC | computed equivalently, except with the use of KcB. Key confirmation | |||
| computed equivalently except with the use of KcB. Key confirmation v | verification | |||
| erification | requires computing cA (or cB, respectively) and checking for equalit | |||
| requires computing cB and checking for equality against that which w | y against that which was received.</t> | |||
| as received.</t> | ||||
| </section> | </section> | |||
| </section> | </section> | |||
| <section title="Key Schedule and Key Confirmation" anchor="keys"> | <section anchor="keys" numbered="true" toc="default"> | |||
| <t>The protocol transcript TT, as defined in <xref target="spake2"/>, i | <name>Key Schedule and Key Confirmation</name> | |||
| s unique and secret to A and B. | <t>The protocol transcript TT, as defined in <xref target="spake2" format | |||
| Both parties use TT to derive shared symmetric secrets Ke and Ka as | ="default"/>, is unique and secret to A and B (though it contains some substring | |||
| Ke || Ka = Hash(TT), with |Ke| = |Ka|. | s that are not secret). | |||
| The length of each key is equal to half of the digest output, e.g., | Both parties use TT to derive shared symmetric secrets Ke and Ka as Ke || | |||
| 128 bits for SHA-256. Keys MUST be at least | Ka = Hash(TT), with |Ke| = |Ka|. The length of each key is equal to half of the | |||
| digest output, e.g., 128 bits for SHA-256. Keys <bcp14>MUST</bcp14> be at least | ||||
| 128 bits in length.</t> | 128 bits in length.</t> | |||
| <t>Both endpoints use Ka to derive subsequent MAC keys for key confirmatio | ||||
| <t>Both endpoints use Ka to derive subsequent MAC keys for key confirmat | n messages. | |||
| ion messages. | Specifically, KcA and KcB are the MAC keys used by A and B, respecti | |||
| Specifically, let KcA and KcB be the MAC keys used by A and B, respe | vely. | |||
| ctively. | ||||
| A and B compute them as KcA || KcB = KDF(Ka, nil, "ConfirmationKeys" || AAD, L), where AAD | A and B compute them as KcA || KcB = KDF(Ka, nil, "ConfirmationKeys" || AAD, L), where AAD | |||
| is the associated data each given to each endpoint, or nil if none w as provided. | is the associated data given to each endpoint or AAD is nil if none was provided. | |||
| The length of each of KcA and KcB is equal to half of the underlying hash output length, e.g., | The length of each of KcA and KcB is equal to half of the underlying hash output length, e.g., | |||
| |KcA| = |KcB| = 128 bits for HKDF(SHA256), with L=256 bits. </t> | |KcA| = |KcB| = 128 bits for HKDF(SHA256), with L=256 bits. </t> | |||
| <t>The resulting key schedule for this protocol, given transcript TT | ||||
| <t>The resulting key schedule for this protocol, given transcript TT and | and | |||
| additional associated | AAD, is as follows.</t> | |||
| data AAD, is as follows.</t> | <artwork name="" type="" align="left" alt=""><![CDATA[ | |||
| <figure><artwork><![CDATA[ | ||||
| TT -> Hash(TT) = Ke || Ka | TT -> Hash(TT) = Ke || Ka | |||
| AAD -> KDF(Ka, nil, "ConfirmationKeys" || AAD) = KcA || KcB | AAD -> KDF(Ka, nil, "ConfirmationKeys" || AAD) = KcA || KcB | |||
| ]]></artwork></figure> | ]]></artwork> | |||
| <t>A and B output Ke as the shared secret from the protocol. Ka and its de | ||||
| <t>A and B output Ke as the shared secret from the protocol. Ka and its | rived keys are not | |||
| derived keys are not | ||||
| used for anything except key confirmation.</t> | used for anything except key confirmation.</t> | |||
| </section> | </section> | |||
| <section title="Per-User M and N and M=N" anchor="variants"> | <section anchor="variants" numbered="true" toc="default"> | |||
| <name>Per-User M and N and M=N</name> | ||||
| <t> | <t> | |||
| To avoid concerns that an attacker needs to solve a single ECDH instance t | To avoid concerns that an attacker needs to solve a single Elliptic Curve | |||
| o break the authentication of SPAKE2, it is | Diffie-Hellman (ECDH) instance to break the authentication of SPAKE2, it is | |||
| possible to vary M and N using <xref target="I-D.irtf-cfrg-hash-to-curve"/ | possible to vary M and N using <xref target="RFC9380" format="default"/> a | |||
| > as follows: | s follows: | |||
| <figure><artwork><![CDATA[ | </t> | |||
| <artwork name="" type="" align="left" alt=""><![CDATA[ | ||||
| M = hash_to_curve(Hash("M SPAKE2" || len(A) || A || len(B) || B)) | M = hash_to_curve(Hash("M SPAKE2" || len(A) || A || len(B) || B)) | |||
| N = hash_to_curve(Hash("N SPAKE2" || len(A) || A || len(B) || B)) | N = hash_to_curve(Hash("N SPAKE2" || len(A) || A || len(B) || B)) | |||
| ]]></artwork></figure> | ]]></artwork> | |||
| <t> | ||||
| There is also a symmetric variant where M=N. For this variant we set | There is also a symmetric variant where M=N. For this variant, we set: | |||
| <figure><artwork><![CDATA[ | </t> | |||
| <artwork name="" type="" align="left" alt=""><![CDATA[ | ||||
| M = hash_to_curve(Hash("M AND N SPAKE2")) | M = hash_to_curve(Hash("M AND N SPAKE2")) | |||
| ]]></artwork></figure> | ]]></artwork> | |||
| <t> | ||||
| This variant MUST be used when it is not possible to determine which of A | This variant <bcp14>MUST</bcp14> be used when it is not possible to determine | |||
| and B | whether | |||
| should use M or N, due to asymmetries in the protocol flows or the desire | A or B should use M (or N), due to asymmetries in the protocol | |||
| to use only a single shared secret with | flows or the desire to use only a single shared secret with nil | |||
| nil identities for authentication. The security of these variants is exam | identities for authentication. The security of these variants is examined in | |||
| ined in <xref | <xref target="MNVAR" format="default"/>. The variant with per-user M and N may n | |||
| target="MNVAR"/>. The variant with per-user M and N may not be | ot be | |||
| suitable for protocols that require the initial messages to be | suitable for protocols that require the initial messages to be | |||
| generated by each party at the same time and do not know the | generated by each party at the same time and that do not know the | |||
| exact identity of the parties before the flow begins. | exact identity of the parties before the flow begins. | |||
| </t> | </t> | |||
| </section> | </section> | |||
| <section title="Ciphersuites" anchor="Ciphersuites"> | <section anchor="Ciphersuites" numbered="true" toc="default"> | |||
| <t> | <name>Ciphersuites</name> | |||
| <t> | ||||
| This section documents SPAKE2 ciphersuite | This section documents SPAKE2 ciphersuite | |||
| configurations. A ciphersuite indicates a group, | configurations. A ciphersuite indicates a group, | |||
| cryptographic hash function, and pair of KDF and MAC | cryptographic hash function, and pair of KDF and MAC | |||
| functions, e.g., SPAKE2-P256-SHA256-HKDF-HMAC. This | functions, e.g., SPAKE2-P256-SHA256-HKDF-HMAC. This | |||
| ciphersuite indicates a SPAKE2 protocol instance over | ciphersuite indicates a SPAKE2 protocol instance over | |||
| P-256 that uses SHA256 along with HKDF <xref | P-256 that uses SHA-256, along with HMAC-based Key Derivation Functi | |||
| target="RFC5869"/> and HMAC <xref target="RFC2104"/> for | on (HKDF) <xref target="RFC5869" format="default"/> and Hashed Message Authentic | |||
| G, Hash, KDF, and MAC functions, respectively. For Ed25519 | ation Code (HMAC) <xref target="RFC2104" format="default"/> for | |||
| the compressed encoding is used <xref target="RFC8032"/>, | G, Hash, KDF, and MAC functions, respectively. For Ed25519, | |||
| the compressed encoding is used <xref target="RFC8032" format="defau | ||||
| lt"/>; | ||||
| all others use the uncompressed SEC1 encoding.</t> | all others use the uncompressed SEC1 encoding.</t> | |||
| <table anchor="spake2_ciphersuites" align="center"> | ||||
| <texttable anchor="spake2_ciphersuites" title="SPAKE2 Ciphersuites"> | <name>SPAKE2 Ciphersuites</name> | |||
| <ttcol align='center'>G</ttcol> | <thead> | |||
| <ttcol align='center'>Hash</ttcol> | <tr> | |||
| <ttcol align='center'>KDF</ttcol> | <th align="center">G</th> | |||
| <ttcol align='center'>MAC</ttcol> | <th align="center">Hash</th> | |||
| <th align="center">KDF</th> | ||||
| <!-- P256-SHA256-HKDF-HMAC --> | <th align="center">MAC</th> | |||
| <c>P-256</c> | </tr> | |||
| <c>SHA256 <xref target="RFC6234"/></c> | </thead> | |||
| <c>HKDF <xref target="RFC5869"/></c> | <tbody> | |||
| <c>HMAC <xref target="RFC2104"/></c> | <tr> | |||
| <td align="center">P-256</td> | ||||
| <!-- P256-SHA512-HKDF-HMAC --> | <td align="center">SHA256 <xref target="RFC6234" format="default"/>< | |||
| <c>P-256</c> | /td> | |||
| <c>SHA512 <xref target="RFC6234"/></c> | <td align="center">HKDF <xref target="RFC5869" format="default"/></t | |||
| <c>HKDF <xref target="RFC5869"/></c> | d> | |||
| <c>HMAC <xref target="RFC2104"/></c> | <td align="center">HMAC <xref target="RFC2104" format="default"/></t | |||
| d> | ||||
| <!-- P384-SHA256-HKDF-HMAC --> | </tr> | |||
| <c>P-384</c> | <tr> | |||
| <c>SHA256 <xref target="RFC6234"/></c> | <td align="center">P-256</td> | |||
| <c>HKDF <xref target="RFC5869"/></c> | <td align="center">SHA512 <xref target="RFC6234" format="default"/>< | |||
| <c>HMAC <xref target="RFC2104"/></c> | /td> | |||
| <td align="center">HKDF <xref target="RFC5869" format="default"/></t | ||||
| <!-- P384-SHA512-HKDF-HMAC --> | d> | |||
| <c>P-384</c> | <td align="center">HMAC <xref target="RFC2104" format="default"/></t | |||
| <c>SHA512 <xref target="RFC6234"/></c> | d> | |||
| <c>HKDF <xref target="RFC5869"/></c> | </tr> | |||
| <c>HMAC <xref target="RFC2104"/></c> | <tr> | |||
| <td align="center">P-384</td> | ||||
| <!-- P521-SHA512-HKDF-HMAC --> | <td align="center">SHA256 <xref target="RFC6234" format="default"/>< | |||
| <c>P-521</c> | /td> | |||
| <c>SHA512 <xref target="RFC6234"/></c> | <td align="center">HKDF <xref target="RFC5869" format="default"/></t | |||
| <c>HKDF <xref target="RFC5869"/></c> | d> | |||
| <c>HMAC <xref target="RFC2104"/></c> | <td align="center">HMAC <xref target="RFC2104" format="default"/></t | |||
| d> | ||||
| <!-- edwards25519-SHA256-HKDF-HMAC --> | </tr> | |||
| <c>edwards25519 <xref target="RFC8032"/></c> | <tr> | |||
| <c>SHA256 <xref target="RFC6234"/></c> | <td align="center">P-384</td> | |||
| <c>HKDF <xref target="RFC5869"/></c> | <td align="center">SHA512 <xref target="RFC6234" format="default"/>< | |||
| <c>HMAC <xref target="RFC2104"/></c> | /td> | |||
| <td align="center">HKDF <xref target="RFC5869" format="default"/></t | ||||
| <!-- edwards448-SHA512-HKDF-HMAC --> | d> | |||
| <c>edwards448 <xref target="RFC8032"/></c> | <td align="center">HMAC <xref target="RFC2104" format="default"/></t | |||
| <c>SHA512 <xref target="RFC6234"/></c> | d> | |||
| <c>HKDF <xref target="RFC5869"/></c> | </tr> | |||
| <c>HMAC <xref target="RFC2104"/></c> | <tr> | |||
| <td align="center">P-521</td> | ||||
| <!-- P256-SHA256-HKDF-CMAC --> | <td align="center">SHA512 <xref target="RFC6234" format="default"/>< | |||
| <c>P-256</c> | /td> | |||
| <c>SHA256 <xref target="RFC6234"/></c> | <td align="center">HKDF <xref target="RFC5869" format="default"/></t | |||
| <c>HKDF <xref target="RFC5869"/></c> | d> | |||
| <c>CMAC-AES-128 <xref target="RFC4493"/></c> | <td align="center">HMAC <xref target="RFC2104" format="default"/></t | |||
| d> | ||||
| <!-- P256-SHA512-HKDF-CMAC --> | </tr> | |||
| <c>P-256</c> | <tr> | |||
| <c>SHA512 <xref target="RFC6234"/></c> | <td align="center">edwards25519 <xref target="RFC8032" format="defau | |||
| <c>HKDF <xref target="RFC5869"/></c> | lt"/></td> | |||
| <c>CMAC-AES-128 <xref target="RFC4493"/></c> | <td align="center">SHA256 <xref target="RFC6234" format="default"/>< | |||
| </texttable> | /td> | |||
| <td align="center">HKDF <xref target="RFC5869" format="default"/></t | ||||
| <t>The following points represent permissible point generation seeds | d> | |||
| for the groups listed in the Table <xref target="spake2_ciphersuites | <td align="center">HMAC <xref target="RFC2104" format="default"/></t | |||
| "/>, | d> | |||
| using the algorithm presented in <xref target="pointgen"/>. | </tr> | |||
| These bytestrings are compressed points as in <xref target="SEC1" /> | <tr> | |||
| for curves from <xref target="SEC1" />.</t> | <td align="center">edwards448 <xref target="RFC8032" format="default | |||
| "/></td> | ||||
| <t>For P256:</t> | <td align="center">SHA512 <xref target="RFC6234" format="default"/>< | |||
| /td> | ||||
| <figure><artwork><![CDATA[ | <td align="center">HKDF <xref target="RFC5869" format="default"/></t | |||
| d> | ||||
| <td align="center">HMAC <xref target="RFC2104" format="default"/></t | ||||
| d> | ||||
| </tr> | ||||
| <tr> | ||||
| <td align="center">P-256</td> | ||||
| <td align="center">SHA256 <xref target="RFC6234" format="default"/>< | ||||
| /td> | ||||
| <td align="center">HKDF <xref target="RFC5869" format="default"/></t | ||||
| d> | ||||
| <td align="center">CMAC-AES-128 <xref target="RFC4493" format="defau | ||||
| lt"/></td> | ||||
| </tr> | ||||
| <tr> | ||||
| <td align="center">P-256</td> | ||||
| <td align="center">SHA512 <xref target="RFC6234" format="default"/>< | ||||
| /td> | ||||
| <td align="center">HKDF <xref target="RFC5869" format="default"/></t | ||||
| d> | ||||
| <td align="center">CMAC-AES-128 <xref target="RFC4493" format="defau | ||||
| lt"/></td> | ||||
| </tr> | ||||
| </tbody> | ||||
| </table> | ||||
| <t>The following points represent permissible point generation seeds | ||||
| for the groups listed in <xref target="spake2_ciphersuites" format=" | ||||
| default"/>, | ||||
| using the algorithm presented in <xref target="pointgen" format="def | ||||
| ault"/>. | ||||
| These byte strings are compressed points, as in <xref target="SEC1" | ||||
| format="default"/>, | ||||
| for curves from <xref target="SEC1" format="default"/>.</t> | ||||
| <t>For P-256:</t> | ||||
| <artwork name="" type="" align="left" alt=""><![CDATA[ | ||||
| M = | M = | |||
| 02886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa12f | 02886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa12f | |||
| seed: 1.2.840.10045.3.1.7 point generation seed (M) | seed: 1.2.840.10045.3.1.7 point generation seed (M) | |||
| N = | N = | |||
| 03d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4f98baa1292b49 | 03d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4f98baa1292b49 | |||
| seed: 1.2.840.10045.3.1.7 point generation seed (N) | seed: 1.2.840.10045.3.1.7 point generation seed (N) | |||
| ]]></artwork></figure> | ]]></artwork> | |||
| <t>For P-384:</t> | ||||
| <t>For P384:</t> | <artwork name="" type="" align="left" alt=""><![CDATA[ | |||
| <figure><artwork><![CDATA[ | ||||
| M = | M = | |||
| 030ff0895ae5ebf6187080a82d82b42e2765e3b2f8749c7e05eba366434b363d3dc | 030ff0895ae5ebf6187080a82d82b42e2765e3b2f8749c7e05eba366434b363d3dc | |||
| 36f15314739074d2eb8613fceec2853 | 36f15314739074d2eb8613fceec2853 | |||
| seed: 1.3.132.0.34 point generation seed (M) | seed: 1.3.132.0.34 point generation seed (M) | |||
| N = | N = | |||
| 02c72cf2e390853a1c1c4ad816a62fd15824f56078918f43f922ca21518f9c543bb | 02c72cf2e390853a1c1c4ad816a62fd15824f56078918f43f922ca21518f9c543bb | |||
| 252c5490214cf9aa3f0baab4b665c10 | 252c5490214cf9aa3f0baab4b665c10 | |||
| seed: 1.3.132.0.34 point generation seed (N) | seed: 1.3.132.0.34 point generation seed (N) | |||
| ]]></artwork></figure> | ]]></artwork> | |||
| <t>For P-521:</t> | ||||
| <t>For P521:</t> | <artwork name="" type="" align="left" alt=""><![CDATA[ | |||
| <figure><artwork><![CDATA[ | ||||
| M = | M = | |||
| 02003f06f38131b2ba2600791e82488e8d20ab889af753a41806c5db18d37d85608 | 02003f06f38131b2ba2600791e82488e8d20ab889af753a41806c5db18d37d85608 | |||
| cfae06b82e4a72cd744c719193562a653ea1f119eef9356907edc9b56979962d7aa | cfae06b82e4a72cd744c719193562a653ea1f119eef9356907edc9b56979962d7aa | |||
| seed: 1.3.132.0.35 point generation seed (M) | seed: 1.3.132.0.35 point generation seed (M) | |||
| N = | N = | |||
| 0200c7924b9ec017f3094562894336a53c50167ba8c5963876880542bc669e494b25 | 0200c7924b9ec017f3094562894336a53c50167ba8c5963876880542bc669e494b25 | |||
| 32d76c5b53dfb349fdf69154b9e0048c58a42e8ed04cef052a3bc349d95575cd25 | 32d76c5b53dfb349fdf69154b9e0048c58a42e8ed04cef052a3bc349d95575cd25 | |||
| seed: 1.3.132.0.35 point generation seed (N) | seed: 1.3.132.0.35 point generation seed (N) | |||
| ]]></artwork></figure> | ]]></artwork> | |||
| <t>For edwards25519:</t> | <t>For edwards25519:</t> | |||
| <figure><artwork><![CDATA[ | <artwork name="" type="" align="left" alt=""><![CDATA[ | |||
| M = | M = | |||
| d048032c6ea0b6d697ddc2e86bda85a33adac920f1bf18e1b0c6d166a5cecdaf | d048032c6ea0b6d697ddc2e86bda85a33adac920f1bf18e1b0c6d166a5cecdaf | |||
| seed: edwards25519 point generation seed (M) | seed: edwards25519 point generation seed (M) | |||
| N = | N = | |||
| d3bfb518f44f3430f29d0c92af503865a1ed3281dc69b35dd868ba85f886c4ab | d3bfb518f44f3430f29d0c92af503865a1ed3281dc69b35dd868ba85f886c4ab | |||
| seed: edwards25519 point generation seed (N) | seed: edwards25519 point generation seed (N) | |||
| ]]></artwork></figure> | ]]></artwork> | |||
| <t>For edwards448:</t> | <t>For edwards448:</t> | |||
| <figure><artwork><![CDATA[ | <artwork name="" type="" align="left" alt=""><![CDATA[ | |||
| M = | M = | |||
| b6221038a775ecd007a4e4dde39fd76ae91d3cf0cc92be8f0c2fa6d6b66f9a12 | b6221038a775ecd007a4e4dde39fd76ae91d3cf0cc92be8f0c2fa6d6b66f9a12 | |||
| 942f5a92646109152292464f3e63d354701c7848d9fc3b8880 | 942f5a92646109152292464f3e63d354701c7848d9fc3b8880 | |||
| seed: edwards448 point generation seed (M) | seed: edwards448 point generation seed (M) | |||
| N = | N = | |||
| 6034c65b66e4cd7a49b0edec3e3c9ccc4588afd8cf324e29f0a84a072531c4db | 6034c65b66e4cd7a49b0edec3e3c9ccc4588afd8cf324e29f0a84a072531c4db | |||
| f97ff9af195ed714a689251f08f8e06e2d1f24a0ffc0146600 | f97ff9af195ed714a689251f08f8e06e2d1f24a0ffc0146600 | |||
| seed: edwards448 point generation seed (N) | seed: edwards448 point generation seed (N) | |||
| ]]></artwork></figure> | ]]></artwork> | |||
| </section> | </section> | |||
| <section title="Security Considerations"> | <section numbered="true" toc="default"> | |||
| <name>Security Considerations</name> | ||||
| <t>A security proof of SPAKE2 for prime order groups is found in | <t>A security proof of SPAKE2 for prime order groups is found in | |||
| <xref target="REF" />, reducing the security of SPAKE2 to the | <xref target="REF" format="default"/>, reducing the security of SPAKE2 to | |||
| gap Diffie-Hellman assumption. Note that the choice of M and N | the | |||
| GDH assumption. Note that the choice of M and N | ||||
| is critical for the security proof. The generation methods | is critical for the security proof. The generation methods | |||
| specified in this document are designed to eliminate concerns | specified in this document are designed to eliminate concerns | |||
| related to knowing discrete logs of M and N.</t> | related to knowing discrete logs of M and N.</t> | |||
| <t>Elements received from a peer <bcp14>MUST</bcp14> be checked for group | ||||
| <t>Elements received from a peer MUST be checked for group | membership. Failure to properly deserialize and validate group | |||
| membership: failure to properly deserialize and validate group | elements can lead to attacks. An endpoint <bcp14>MUST</bcp14> abort the pr | |||
| elements can lead to attacks. An endpoint MUST abort the protocol | otocol | |||
| if any received public value is not a member of G.</t> | if any received public value is not a member of G.</t> | |||
| <t>The choices of random numbers <bcp14>MUST</bcp14> be uniform. Randomly | ||||
| <t>The choices of random numbers MUST BE uniform. Randomly | generated values, e.g., x and y, <bcp14>MUST NOT</bcp14> be reused; such r | |||
| generated values, e.g., x and y, MUST NOT be reused; such reuse | euse | |||
| violates the security assumptions of the protocol and results in significa nt insecurity. | violates the security assumptions of the protocol and results in significa nt insecurity. | |||
| It is RECOMMENDED | It is <bcp14>RECOMMENDED</bcp14> | |||
| to generate these uniform numbers using rejection sampling.</t> | to generate these uniform numbers using rejection sampling.</t> | |||
| <t>Some implementations of elliptic curve multiplication may | <t>Some implementations of elliptic curve multiplication may | |||
| leak information about the length of the scalar. These MUST NOT | leak information about the length of the scalar. These <bcp14>MUST NOT</bc p14> | |||
| be used. All operations on elliptic curve points must take time | be used. All operations on elliptic curve points must take time | |||
| independent of the inputs. Hashing of the transcript may take | independent of the inputs. Hashing of the transcript may take | |||
| time depending only on the length of the transcript, but not the | time depending only on the length of the transcript but not the | |||
| contents.</t> | contents.</t> | |||
| <t>SPAKE2 does not support augmentation. As a result, the server | <t>SPAKE2 does not support augmentation. As a result, the server | |||
| has to store a password equivalent. This is considered a | has to store a password equivalent. This is considered a | |||
| significant drawback in some use cases. Applications that need | significant drawback in some use cases. Applications that need | |||
| augmented PAKEs should use <xref target="I-D.irtf-cfrg-opaque"/>.</t> | augmented PAKEs should use <xref target="I-D.irtf-cfrg-opaque" format="def | |||
| ault"/>.</t> | ||||
| <t>The HMAC keys in this document are shorter than recommended | <t>The HMAC keys in this document are shorter than recommended | |||
| in <xref target="RFC8032" />. This is appropriate as the | in <xref target="RFC8032" format="default"/>. | |||
| This is appropriate, as the | ||||
| difficulty of the discrete logarithm problem is comparable with | difficulty of the discrete logarithm problem is comparable with | |||
| the difficulty of brute forcing the keys.</t> | the difficulty of brute forcing the keys.</t> | |||
| </section> | ||||
| <section title="IANA Considerations"> | ||||
| <t>No IANA action is required.</t> | ||||
| </section> | </section> | |||
| <section title="Acknowledgments"> | <section numbered="true" toc="default"> | |||
| <t>Special thanks to Nathaniel McCallum and Greg Hudson for | <name>IANA Considerations</name> | |||
| generation of M and N, and Chris Wood for test vectors. Thanks | <t>This document has no IANA actions.</t> | |||
| to Mike Hamburg for advice on how to deal with cofactors. Greg | ||||
| Hudson also suggested the addition of warnings on the reuse of x | ||||
| and y. Thanks to Fedor Brunner, Adam Langley, Liliya | ||||
| Akhmetzyanova, and the members of the CFRG for comments and | ||||
| advice. Thanks to Scott Fluhrer and those Crypto Panel experts | ||||
| involved in the PAKE selection process | ||||
| (https://github.com/cfrg/pake-selection) who have provided | ||||
| valuable comments. Chris Wood contributed substantial text and | ||||
| reformatting to address the excellent review comments from Kenny | ||||
| Paterson. </t> | ||||
| </section> | </section> | |||
| </middle> | </middle> | |||
| <back> | <back> | |||
| <references title="Normative References"> | ||||
| &h2c; | ||||
| &RFC2104; | ||||
| &RFC2119; | ||||
| &RFC4493; | ||||
| &RFC5480; | ||||
| &RFC5869; | ||||
| &RFC6234; | ||||
| &RFC7914; | ||||
| &RFC8032; | ||||
| &RFC8174; | ||||
| </references> | ||||
| <references title="Informative References"> | ||||
| <reference anchor="SEC1"> | ||||
| <front> | ||||
| <title>SEC 1: Elliptic Curve Cryptography</title> | ||||
| <author> | ||||
| <organization> Standards for Efficient Cryptography Group</organizati | ||||
| on> | ||||
| </author> | ||||
| <date month="May" year="2009"/> | ||||
| </front> | ||||
| </reference> | ||||
| <reference anchor="MNVAR"> | ||||
| <front> | ||||
| <title> Universally Composable Relaxed Password Authentication</title> | ||||
| <author initials="M." surname="Abdalla"/> | ||||
| <author initials="M." surname="Barbosa"/> | ||||
| <author initials="T." surname="Bradley"/> | ||||
| <author initials="S." surname="Jarecki"/> | ||||
| <author initials="J." surname="Katz"/> | ||||
| <author initials="J." surname="Xu"/> | ||||
| <date month="August" year="2020"/> | ||||
| </front> | ||||
| <annotation> Appears in Micciancio D., Ristenpart T. (eds) | ||||
| Advances in Cryptology -CRYPTO 2020. Crypto 2020. Lecture | ||||
| notes in Computer Science volume 12170. Springer.</annotation> | ||||
| </reference> | ||||
| <reference anchor="REF"> | ||||
| <front> | ||||
| <title>Simple Password-Based Encrypted Key Exchange Protocols.</title> | ||||
| <author initials="M." surname="Abdalla" /> | ||||
| <author initials="D." surname="Pointcheval" /> | ||||
| <date month="Feb" year="2005" /> | ||||
| </front> | ||||
| <annotation>Appears in A. Menezes, editor. Topics in | ||||
| Cryptography-CT-RSA 2005, Volume 3376 of Lecture Notes in Computer | ||||
| Science, pages 191-208, San Francisco, CA, US. Springer-Verlag, | ||||
| Berlin, Germany. | ||||
| </annotation> | ||||
| </reference> | ||||
| <reference anchor="TDH"> | ||||
| <front> | ||||
| <title>The Twin-Diffie Hellman Problem and Applications</title> | ||||
| <author initials="D." surname="Cash" /> | ||||
| <author initials="E." surname="Kiltz" /> | ||||
| <author initials="V." surname="Shoup" /> | ||||
| <date year="2008" /> | ||||
| </front> | ||||
| <annotation>EUROCRYPT 2008. Volume 4965 of Lecture notes in Computer | ||||
| Science, pages 127-145. Springer-Verlag, Berlin, Germany. | ||||
| </annotation> | ||||
| </reference> | ||||
| &RFC8265; | ||||
| &opaque; | ||||
| </references> | ||||
| <section anchor="pointgen" title="Algorithm used for Point Generation"> | ||||
| <t>This section describes the algorithm that was used to generate | ||||
| the points M and N in the table in <xref target="Ciphersuites"/>.</t> | ||||
| <t>For each curve in the table below, we construct a string | <displayreference target="I-D.irtf-cfrg-opaque" to="CFRG-OPAQUE"/> | |||
| using the curve OID from <xref target="RFC5480" /> (as an ASCII | ||||
| <references> | ||||
| <name>References</name> | ||||
| <references> | ||||
| <name>Normative References</name> | ||||
| <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2 | ||||
| 104.xml"/> | ||||
| <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2 | ||||
| 119.xml"/> | ||||
| <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4 | ||||
| 493.xml"/> | ||||
| <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5 | ||||
| 480.xml"/> | ||||
| <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5 | ||||
| 869.xml"/> | ||||
| <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6 | ||||
| 234.xml"/> | ||||
| <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7 | ||||
| 914.xml"/> | ||||
| <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8 | ||||
| 032.xml"/> | ||||
| <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8 | ||||
| 174.xml"/> | ||||
| <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9 | ||||
| 380.xml"/> | ||||
| </references> | ||||
| <references> | ||||
| <name>Informative References</name> | ||||
| <reference anchor="SEC1"> | ||||
| <front> | ||||
| <title>SEC 1: Elliptic Curve Cryptography</title> | ||||
| <author> | ||||
| <organization>Standards for Efficient Cryptography Group</organiza | ||||
| tion> | ||||
| </author> | ||||
| <date month="May" year="2009"/> | ||||
| </front> | ||||
| </reference> | ||||
| <reference anchor="MNVAR"> | ||||
| <front> | ||||
| <title>Universally Composable Relaxed Password Authenticated Key Exc | ||||
| hange</title> | ||||
| <author initials="M." surname="Abdalla"/> | ||||
| <author initials="M." surname="Barbosa"/> | ||||
| <author initials="T." surname="Bradley"/> | ||||
| <author initials="S." surname="Jarecki"/> | ||||
| <author initials="J." surname="Katz"/> | ||||
| <author initials="J." surname="Xu"/> | ||||
| <date month="August" year="2020"/> | ||||
| </front> | ||||
| <refcontent>in | ||||
| Advances in Cryptology - CRYPTO 2020, Lecture | ||||
| Notes in Computer Science, Volume 12170, Springer</refcontent> | ||||
| <seriesInfo name="DOI" value="10.1007/978-3-030-56784-2_10"/> | ||||
| </reference> | ||||
| <reference anchor="REF"> | ||||
| <front> | ||||
| <title>Simple Password-Based Encrypted Key Exchange Protocols</title | ||||
| > | ||||
| <author initials="M." surname="Abdalla"/> | ||||
| <author initials="D." surname="Pointcheval"/> | ||||
| <date month="February" year="2005"/> | ||||
| </front> | ||||
| <refcontent> | ||||
| Cryptography-CT-RSA 2005, Lecture Notes in Computer | ||||
| Science, Volume 3376, pages 191-208, Springer | ||||
| </refcontent> | ||||
| <seriesInfo name="DOI" value="10.1007/978-3-540-30574-3_14"/> | ||||
| </reference> | ||||
| <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8 | ||||
| 265.xml"/> | ||||
| <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.irtf-cfr | ||||
| g-opaque.xml"/> | ||||
| <reference anchor="NIST.SP.800-56Ar3"> | ||||
| <front> | ||||
| <title>Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete | ||||
| Logarithm Cryptography</title> | ||||
| <author> | ||||
| <organization>National Institute of Standards and Technology</organization | ||||
| > | ||||
| </author> | ||||
| <date month="April" year="2018"/> | ||||
| </front> | ||||
| <refcontent>Revision 3</refcontent> | ||||
| <seriesInfo name="NIST Special Publication" value="800-56A"/> | ||||
| <seriesInfo name="DOI" value="10.6028/NIST.SP.800-56Ar3"/> | ||||
| </reference> | ||||
| </references> | ||||
| </references> | ||||
| <section anchor="pointgen" numbered="true" toc="default"> | ||||
| <name>Algorithm Used for Point Generation</name> | ||||
| <t> This section describes the algorithm that was used to generate | ||||
| points M and N in <xref target="spake2_ciphersuites"/>.</t> | ||||
| <t>For each curve in <xref target="spake2_ciphersuites"/>, we construct a | ||||
| string | ||||
| using the curve OID from <xref target="RFC5480" format="default"/> (as an | ||||
| ASCII | ||||
| string) or its name, | string) or its name, | |||
| combined with the needed constant, e.g., "1.3.132.0.35 | combined with the needed constant, e.g., "1.3.132.0.35 | |||
| point generation seed (M)" for P-521. This string is turned | point generation seed (M)" for P-521. This string is turned | |||
| into a series of blocks by hashing with SHA256, and hashing that | into a series of blocks by hashing with SHA-256 and hashing that | |||
| output again to generate the next 32 bytes, and so on. This | output again to generate the next 32 bytes and so on. This | |||
| pattern is repeated for each group and value, with the string | pattern is repeated for each group and value, with the string | |||
| modified appropriately.</t> | modified appropriately.</t> | |||
| <t>A byte string of a length equal to that of an encoded group | ||||
| <t>A byte string of length equal to that of an encoded group | ||||
| element is constructed by concatenating as many blocks as are | element is constructed by concatenating as many blocks as are | |||
| required, starting from the first block, and truncating to the | required, starting from the first block and truncating to the | |||
| desired length. The byte string is then formatted as required | desired length. The byte string is then formatted as required | |||
| for the group. In the case of Weierstrass curves, we take the | for the group. In the case of Weierstrass curves, we take the | |||
| desired length as the length for representing a compressed point | desired length as the length for representing a compressed point | |||
| (section 2.3.4 of <xref target="SEC1" />), | (Section 2.3.4 of <xref target="SEC1" format="default"/>) | |||
| and use the low-order bit of the first byte as the sign bit. | and use the low-order bit of the first byte as the sign bit. | |||
| In order to obtain the correct format, the value of the first | In order to obtain the correct format, the value of the first | |||
| byte is set to 0x02 or 0x03 (clearing the first six bits | byte is set to 0x02 or 0x03 (clearing the first six bits | |||
| and setting the seventh bit), leaving the sign bit as it was | and setting the seventh bit), leaving the sign bit as it was | |||
| in the byte string constructed by concatenating hash blocks. | in the byte string constructed by concatenating hash blocks. | |||
| For the <xref target="RFC8032" /> curves a different procedure is used. | For the curves in <xref target="RFC8032" format="default"/>, a different | |||
| For edwards448 the 57-byte input has the least-significant 7 bits of the | procedure is used. | |||
| last byte set to zero, and for edwards25519 the 32-byte input is | For edwards448, the 57-byte input has the least-significant 7 bits of the | |||
| not modified. For both the <xref target="RFC8032" /> curves the | last byte set to zero, and for edwards25519, the 32-byte input is | |||
| (modified) input is then interpreted | not modified. For both the curves in <xref target="RFC8032" format="defau | |||
| lt"/>, | ||||
| the (modified) input is then interpreted | ||||
| as the representation of the group element. | as the representation of the group element. | |||
| If this interpretation yields a valid group element with the | If this interpretation yields a valid group element with the | |||
| correct order (p), the (modified) byte string is the output. Otherwise, | correct order (p), the (modified) byte string is the output. Otherwise, | |||
| the initial hash block is discarded and a new byte string constructed | the initial hash block is discarded and a new byte string is constructed | |||
| from the remaining hash blocks. The procedure of constructing a | from the remaining hash blocks. The procedure of constructing a | |||
| byte string of the appropriate length, formatting it as | byte string of the appropriate length, formatting it as | |||
| required for the curve, and checking if it is a valid point of the correct | required for the curve, and checking if it is a valid point of the correct | |||
| order, is repeated | order is repeated until a valid element is found.</t> | |||
| until a valid element is found.</t> | <t>The following Python snippet generates the above points, | |||
| assuming an elliptic curve implementation follows the | ||||
| <t>The following python snippet generates the above points, | ||||
| assuming an elliptic curve implementation following the | ||||
| interface of Edwards25519Point.stdbase() and | interface of Edwards25519Point.stdbase() and | |||
| Edwards448Point.stdbase() in Appendix A of <xref target="RFC8032" />:</t> | Edwards448Point.stdbase() in <xref target="RFC8032" format="default" secti | |||
| onFormat="of" section="A"/>:</t> | ||||
| <figure><artwork><![CDATA[ | <sourcecode type="python"><![CDATA[ | |||
| def iterated_hash(seed, n): | def iterated_hash(seed, n): | |||
| h = seed | h = seed | |||
| for i in range(n): | for i in range(n): | |||
| h = hashlib.sha256(h).digest() | h = hashlib.sha256(h).digest() | |||
| return h | return h | |||
| def bighash(seed, start, sz): | def bighash(seed, start, sz): | |||
| n = -(-sz // 32) | n = -(-sz // 32) | |||
| hashes = [iterated_hash(seed, i) for i in range(start, start + n)] | hashes = [iterated_hash(seed, i) | |||
| for i in range(start, start + n)] | ||||
| return b''.join(hashes)[:sz] | return b''.join(hashes)[:sz] | |||
| def canon_pointstr(ecname, s): | def canon_pointstr(ecname, s): | |||
| if ecname == 'edwards25519': | if ecname == 'edwards25519': | |||
| return s | return s | |||
| elif ecname == 'edwards448': | elif ecname == 'edwards448': | |||
| return s[:-1] + bytes([s[-1] & 0x80]) | return s[:-1] + bytes([s[-1] & 0x80]) | |||
| else: | else: | |||
| return bytes([(s[0] & 1) | 2]) + s[1:] | return bytes([(s[0] & 1) | 2]) + s[1:] | |||
| def gen_point(seed, ecname, ec): | def gen_point(seed, ecname, ec): | |||
| for i in range(1, 1000): | for i in range(1, 1000): | |||
| hval = bighash(seed, i, len(ec.encode())) | hval = bighash(seed, i, len(ec.encode())) | |||
| pointstr = canon_pointstr(ecname, hval) | pointstr = canon_pointstr(ecname, hval) | |||
| try: | try: | |||
| p = ec.decode(pointstr) | p = ec.decode(pointstr) | |||
| if p != ec.zero_elem() and p * p.l() == ec.zero_elem(): | if p != ec.zero_elem() and p * p.l() == ec.zero_elem(): | |||
| return pointstr, i | return pointstr, i | |||
| except Exception: | except Exception: | |||
| pass | pass | |||
| ]]></artwork></figure> | ]]></sourcecode> | |||
| </section> | </section> | |||
| <section anchor="testvectors" numbered="true" toc="default"> | ||||
| <section anchor="testvectors" title="Test Vectors"> | <name>SPAKE2 Test Vectors</name> | |||
| <t>This section contains test vectors for SPAKE2 using | <t>This section contains test vectors for SPAKE2, using | |||
| the P256-SHA256-HKDF-HMAC ciphersuite. (Choice of MHF is omitted | the P256-SHA256-HKDF-HMAC ciphersuite. (The choice of MHF is omitted, | |||
| and values for w, x, and y are provided directly.) All points are | and the values for w, x, and y are provided directly.) All points are | |||
| encoded using the uncompressed format, i.e., with a 0x04 octet | encoded using the uncompressed format, i.e., with a 0x04 octet | |||
| prefix, specified in <xref target="SEC1"/> A and B identity strings | prefix, specified in <xref target="SEC1" format="default"/>. A and B ide ntity strings | |||
| are provided in the protocol invocation. | are provided in the protocol invocation. | |||
| </t> | </t> | |||
| <t>Line breaks have been added due to line-length limitations.</t> | ||||
| <section title="SPAKE2 Test Vectors"> | <artwork name="" type="" align="left" alt=""><![CDATA[ | |||
| <figure><artwork><![CDATA[ | ||||
| spake2: A='server', B='client' | spake2: A='server', B='client' | |||
| w = 0x2ee57912099d31560b3a44b1184b9b4866e904c49d12ac5042c97dca461b1a5f | w = 0x2ee57912099d31560b3a44b1184b9b4866e904c49d12ac5042c97dca461b1a5f | |||
| x = 0x43dd0fd7215bdcb482879fca3220c6a968e66d70b1356cac18bb26c84a78d729 | x = 0x43dd0fd7215bdcb482879fca3220c6a968e66d70b1356cac18bb26c84a78d729 | |||
| pA = 0x04a56fa807caaa53a4d28dbb9853b9815c61a411118a6fe516a8798434751470 | pA = 0x04a56fa807caaa53a4d28dbb9853b9815c61a411118a6fe516a8798434751470 | |||
| f9010153ac33d0d5f2047ffdb1a3e42c9b4e6be662766e1eeb4116988ede5f912c | f9010153ac33d0d5f2047ffdb1a3e42c9b4e6be662766e1eeb4116988ede5f912c | |||
| y = 0xdcb60106f276b02606d8ef0a328c02e4b629f84f89786af5befb0bc75b6e66be | y = 0xdcb60106f276b02606d8ef0a328c02e4b629f84f89786af5befb0bc75b6e66be | |||
| pB = 0x0406557e482bd03097ad0cbaa5df82115460d951e3451962f1eaf4367a420676 | pB = 0x0406557e482bd03097ad0cbaa5df82115460d951e3451962f1eaf4367a420676 | |||
| d09857ccbc522686c83d1852abfa8ed6e4a1155cf8f1543ceca528afb591a1e0b7 | d09857ccbc522686c83d1852abfa8ed6e4a1155cf8f1543ceca528afb591a1e0b7 | |||
| K = 0x0412af7e89717850671913e6b469ace67bd90a4df8ce45c2af19010175e37eed | K = 0x0412af7e89717850671913e6b469ace67bd90a4df8ce45c2af19010175e37eed | |||
| 69f75897996d539356e2fa6a406d528501f907e04d97515fbe83db277b715d3325 | 69f75897996d539356e2fa6a406d528501f907e04d97515fbe83db277b715d3325 | |||
| TT = 0x06000000000000007365727665720600000000000000636c69656e744100000 | TT = 0x06000000000000007365727665720600000000000000636c69656e744100000 | |||
| 00000000004a56fa807caaa53a4d28dbb9853b9815c61a411118a6fe516a8798434751 | 00000000004a56fa807caaa53a4d28dbb9853b9815c61a411118a6fe516a8798434751 | |||
| 470f9010153ac33d0d5f2047ffdb1a3e42c9b4e6be662766e1eeb4116988ede5f912c4 | 470f9010153ac33d0d5f2047ffdb1a3e42c9b4e6be662766e1eeb4116988ede5f912c4 | |||
| 1000000000000000406557e482bd03097ad0cbaa5df82115460d951e3451962f1eaf43 | 1000000000000000406557e482bd03097ad0cbaa5df82115460d951e3451962f1eaf43 | |||
| 67a420676d09857ccbc522686c83d1852abfa8ed6e4a1155cf8f1543ceca528afb591a | 67a420676d09857ccbc522686c83d1852abfa8ed6e4a1155cf8f1543ceca528afb591a | |||
| 1e0b741000000000000000412af7e89717850671913e6b469ace67bd90a4df8ce45c2a | 1e0b741000000000000000412af7e89717850671913e6b469ace67bd90a4df8ce45c2a | |||
| f19010175e37eed69f75897996d539356e2fa6a406d528501f907e04d97515fbe83db2 | f19010175e37eed69f75897996d539356e2fa6a406d528501f907e04d97515fbe83db2 | |||
| 77b715d332520000000000000002ee57912099d31560b3a44b1184b9b4866e904c49d1 | 77b715d332520000000000000002ee57912099d31560b3a44b1184b9b4866e904c49d1 | |||
| 2ac5042c97dca461b1a5f | 2ac5042c97dca461b1a5f | |||
| Hash(TT) = 0x0e0672dc86f8e45565d338b0540abe6915bdf72e2b35b5c9e5663168e960a91b | HASH(TT) = 0x0e0672dc86f8e45565d338b0540abe6915bdf72e2b35b5c9e5663168e9 | |||
| 60a91b | ||||
| Ke = 0x0e0672dc86f8e45565d338b0540abe69 | Ke = 0x0e0672dc86f8e45565d338b0540abe69 | |||
| Ka = 0x15bdf72e2b35b5c9e5663168e960a91b | Ka = 0x15bdf72e2b35b5c9e5663168e960a91b | |||
| KcA = 0x00c12546835755c86d8c0db7851ae86f | KcA = 0x00c12546835755c86d8c0db7851ae86f | |||
| KcB = 0xa9fa3406c3b781b93d804485430ca27a | KcB = 0xa9fa3406c3b781b93d804485430ca27a | |||
| A conf = 0x58ad4aa88e0b60d5061eb6b5dd93e80d9c4f00d127c65b3b35b1b5281fee38f0 | A conf = 0x58ad4aa88e0b60d5061eb6b5dd93e80d9c4f00d127c65b3b35b1b5281f | |||
| B conf = 0xd3e2e547f1ae04f2dbdbf0fc4b79f8ecff2dff314b5d32fe9fcef2fb26dc459b | ee38f0 | |||
| B conf = 0xd3e2e547f1ae04f2dbdbf0fc4b79f8ecff2dff314b5d32fe9fcef2fb26 | ||||
| dc459b | ||||
| ]]></artwork> | ||||
| <artwork><![CDATA[ | ||||
| spake2: A='', B='client' | spake2: A='', B='client' | |||
| w = 0x0548d8729f730589e579b0475a582c1608138ddf7054b73b5381c7e883e2efae | w = 0x0548d8729f730589e579b0475a582c1608138ddf7054b73b5381c7e883e2efae | |||
| x = 0x403abbe3b1b4b9ba17e3032849759d723939a27a27b9d921c500edde18ed654b | x = 0x403abbe3b1b4b9ba17e3032849759d723939a27a27b9d921c500edde18ed654b | |||
| pA = 0x04a897b769e681c62ac1c2357319a3d363f610839c4477720d24cbe32f5fd85f | pA = 0x04a897b769e681c62ac1c2357319a3d363f610839c4477720d24cbe32f5fd8 | |||
| 44fb92ba966578c1b712be6962498834078262caa5b441ecfa9d4a9485720e918a | 5f44fb92ba966578c1b712be6962498834078262caa5b441ecfa9d4a9485720e918a | |||
| y = 0x903023b6598908936ea7c929bd761af6039577a9c3f9581064187c3049d87065 | y = 0x903023b6598908936ea7c929bd761af6039577a9c3f9581064187c3049d87065 | |||
| pB = 0x04e0f816fd1c35e22065d5556215c097e799390d16661c386e0ecc84593974a6 | pB = 0x04e0f816fd1c35e22065d5556215c097e799390d16661c386e0ecc84593974 | |||
| 1b881a8c82327687d0501862970c64565560cb5671f696048050ca66ca5f8cc7fc | a61b881a8c82327687d0501862970c64565560cb5671f696048050ca66ca5f8cc7fc | |||
| K = 0x048f83ec9f6e4f87cc6f9dc740bdc2769725f923364f01c84148c049a39a735e | K = 0x048f83ec9f6e4f87cc6f9dc740bdc2769725f923364f01c84148c049a39a735e | |||
| bda82eac03e00112fd6a5710682767cff5361f7e819e53d8d3c3a2922e0d837aa6 | bda82eac03e00112fd6a5710682767cff5361f7e819e53d8d3c3a2922e0d837aa6 | |||
| TT = 0x00000000000000000600000000000000636c69656e74410000000000000004a | TT = 0x00000000000000000600000000000000636c69656e74410000000000000004a | |||
| 897b769e681c62ac1c2357319a3d363f610839c4477720d24cbe32f5fd85f44fb92ba9 | 897b769e681c62ac1c2357319a3d363f610839c4477720d24cbe32f5fd85f44fb92ba9 | |||
| 66578c1b712be6962498834078262caa5b441ecfa9d4a9485720e918a4100000000000 | 66578c1b712be6962498834078262caa5b441ecfa9d4a9485720e918a4100000000000 | |||
| 00004e0f816fd1c35e22065d5556215c097e799390d16661c386e0ecc84593974a61b8 | 00004e0f816fd1c35e22065d5556215c097e799390d16661c386e0ecc84593974a61b8 | |||
| 81a8c82327687d0501862970c64565560cb5671f696048050ca66ca5f8cc7fc4100000 | 81a8c82327687d0501862970c64565560cb5671f696048050ca66ca5f8cc7fc4100000 | |||
| 000000000048f83ec9f6e4f87cc6f9dc740bdc2769725f923364f01c84148c049a39a7 | 000000000048f83ec9f6e4f87cc6f9dc740bdc2769725f923364f01c84148c049a39a7 | |||
| 35ebda82eac03e00112fd6a5710682767cff5361f7e819e53d8d3c3a2922e0d837aa62 | 35ebda82eac03e00112fd6a5710682767cff5361f7e819e53d8d3c3a2922e0d837aa62 | |||
| 0000000000000000548d8729f730589e579b0475a582c1608138ddf7054b73b5381c7e | 0000000000000000548d8729f730589e579b0475a582c1608138ddf7054b73b5381c7e | |||
| 883e2efae | 883e2efae | |||
| Hash(TT) = 0x642f05c473c2cd79909f9a841e2f30a70bf89b18180af97353ba198789c2b963 | Hash(TT) = 0x642f05c473c2cd79909f9a841e2f30a70bf89b18180af97353ba198789 | |||
| c2b963 | ||||
| Ke = 0x642f05c473c2cd79909f9a841e2f30a7 | Ke = 0x642f05c473c2cd79909f9a841e2f30a7 | |||
| Ka = 0x0bf89b18180af97353ba198789c2b963 | Ka = 0x0bf89b18180af97353ba198789c2b963 | |||
| KcA = 0xc6be376fc7cd1301fd0a13adf3e7bffd | KcA = 0xc6be376fc7cd1301fd0a13adf3e7bffd | |||
| KcB = 0xb7243f4ae60440a49b3f8cab3c1fba07 | KcB = 0xb7243f4ae60440a49b3f8cab3c1fba07 | |||
| A conf = 0x47d29e6666af1b7dd450d571233085d7a9866e4d49d2645e2df975489521232b | A conf = 0x47d29e6666af1b7dd450d571233085d7a9866e4d49d2645e2df9754895 | |||
| B conf = 0x3313c5cefc361d27fb16847a91c2a73b766ffa90a4839122a9b70a2f6bd1d6df | 21232b | |||
| B conf = 0x3313c5cefc361d27fb16847a91c2a73b766ffa90a4839122a9b70a2f6b | ||||
| d1d6df | ||||
| ]]></artwork> | ||||
| <artwork><![CDATA[ | ||||
| spake2: A='server', B='' | spake2: A='server', B='' | |||
| w = 0x626e0cdc7b14c9db3e52a0b1b3a768c98e37852d5db30febe0497b14eae8c254 | w = 0x626e0cdc7b14c9db3e52a0b1b3a768c98e37852d5db30febe0497b14eae8c254 | |||
| x = 0x07adb3db6bc623d3399726bfdbfd3d15a58ea776ab8a308b00392621291f9633 | x = 0x07adb3db6bc623d3399726bfdbfd3d15a58ea776ab8a308b00392621291f9633 | |||
| pA = 0x04f88fb71c99bfffaea370966b7eb99cd4be0ff1a7d335caac4211c4afd855e2 | pA = 0x04f88fb71c99bfffaea370966b7eb99cd4be0ff1a7d335caac4211c4afd855e2 | |||
| e15a873b298503ad8ba1d9cbb9a392d2ba309b48bfd7879aefd0f2cea6009763b0 | e15a873b298503ad8ba1d9cbb9a392d2ba309b48bfd7879aefd0f2cea6009763b0 | |||
| y = 0xb6a4fc8dbb629d4ba51d6f91ed1532cf87adec98f25dd153a75accafafedec16 | y = 0xb6a4fc8dbb629d4ba51d6f91ed1532cf87adec98f25dd153a75accafafedec16 | |||
| pB = 0x040c269d6be017dccb15182ac6bfcd9e2a14de019dd587eaf4bdfd353f031101 | pB = 0x040c269d6be017dccb15182ac6bfcd9e2a14de019dd587eaf4bdfd353f031101 | |||
| e7cca177f8eb362a6e83e7d5e729c0732e1b528879c086f39ba0f31a9661bd34db | e7cca177f8eb362a6e83e7d5e729c0732e1b528879c086f39ba0f31a9661bd34db | |||
| K = 0x0445ee233b8ecb51ebd6e7da3f307e88a1616bae2166121221fdc0dadb986afa | K = 0x0445ee233b8ecb51ebd6e7da3f307e88a1616bae2166121221fdc0dadb986afa | |||
| f3ec8a988dc9c626fa3b99f58a7ca7c9b844bb3e8dd9554aafc5b53813504c1cbe | f3ec8a988dc9c626fa3b99f58a7ca7c9b844bb3e8dd9554aafc5b53813504c1cbe | |||
| TT = 0x06000000000000007365727665720000000000000000410000000000000004f | TT = 0x06000000000000007365727665720000000000000000410000000000000004f | |||
| 88fb71c99bfffaea370966b7eb99cd4be0ff1a7d335caac4211c4afd855e2e15a873b2 | 88fb71c99bfffaea370966b7eb99cd4be0ff1a7d335caac4211c4afd855e2e15a873b2 | |||
| 98503ad8ba1d9cbb9a392d2ba309b48bfd7879aefd0f2cea6009763b04100000000000 | 98503ad8ba1d9cbb9a392d2ba309b48bfd7879aefd0f2cea6009763b04100000000000 | |||
| 000040c269d6be017dccb15182ac6bfcd9e2a14de019dd587eaf4bdfd353f031101e7c | 000040c269d6be017dccb15182ac6bfcd9e2a14de019dd587eaf4bdfd353f031101e7c | |||
| ca177f8eb362a6e83e7d5e729c0732e1b528879c086f39ba0f31a9661bd34db4100000 | ca177f8eb362a6e83e7d5e729c0732e1b528879c086f39ba0f31a9661bd34db4100000 | |||
| 0000000000445ee233b8ecb51ebd6e7da3f307e88a1616bae2166121221fdc0dadb986 | 0000000000445ee233b8ecb51ebd6e7da3f307e88a1616bae2166121221fdc0dadb986 | |||
| afaf3ec8a988dc9c626fa3b99f58a7ca7c9b844bb3e8dd9554aafc5b53813504c1cbe2 | afaf3ec8a988dc9c626fa3b99f58a7ca7c9b844bb3e8dd9554aafc5b53813504c1cbe2 | |||
| 000000000000000626e0cdc7b14c9db3e52a0b1b3a768c98e37852d5db30febe0497b1 | 000000000000000626e0cdc7b14c9db3e52a0b1b3a768c98e37852d5db30febe0497b1 | |||
| 4eae8c254 | 4eae8c254 | |||
| Hash(TT) = 0x005184ff460da2ce59062c87733c299c3521297d736598fc0a1127600efa1afb | Hash(TT) = 0x005184ff460da2ce59062c87733c299c3521297d736598fc0a1127600e | |||
| fa1afb | ||||
| Ke = 0x005184ff460da2ce59062c87733c299c | Ke = 0x005184ff460da2ce59062c87733c299c | |||
| Ka = 0x3521297d736598fc0a1127600efa1afb | Ka = 0x3521297d736598fc0a1127600efa1afb | |||
| KcA = 0xf3da53604f0aeecea5a33be7bddf6edf | KcA = 0xf3da53604f0aeecea5a33be7bddf6edf | |||
| KcB = 0x9e3f86848736f159bd92b6e107ec6799 | KcB = 0x9e3f86848736f159bd92b6e107ec6799 | |||
| A conf = 0xbc9f9bbe99f26d0b2260e6456e05a86196a3307ec6663a18bf6ac825736533b2 | A conf = 0xbc9f9bbe99f26d0b2260e6456e05a86196a3307ec6663a18bf6ac8257365 | |||
| B conf = 0xc2370e1bf813b086dff0d834e74425a06e6390f48f5411900276dcccc5a297ec | 33b2 | |||
| B conf = 0xc2370e1bf813b086dff0d834e74425a06e6390f48f5411900276dcccc5a2 | ||||
| 97ec | ||||
| ]]></artwork> | ||||
| <artwork><![CDATA[ | ||||
| spake2: A='', B='' | spake2: A='', B='' | |||
| w = 0x7bf46c454b4c1b25799527d896508afd5fc62ef4ec59db1efb49113063d70cca | w = 0x7bf46c454b4c1b25799527d896508afd5fc62ef4ec59db1efb49113063d70cca | |||
| x = 0x8cef65df64bb2d0f83540c53632de911b5b24b3eab6cc74a97609fd659e95473 | x = 0x8cef65df64bb2d0f83540c53632de911b5b24b3eab6cc74a97609fd659e95473 | |||
| pA = 0x04a65b367a3f613cf9f0654b1b28a1e3a8a40387956c8ba6063e8658563890f4 | pA = 0x04a65b367a3f613cf9f0654b1b28a1e3a8a40387956c8ba6063e8658563890f4 | |||
| 6ca1ef6a676598889fc28de2950ab8120b79a5ef1ea4c9f44bc98f585634b46d66 | 6ca1ef6a676598889fc28de2950ab8120b79a5ef1ea4c9f44bc98f585634b46d66 | |||
| y = 0xd7a66f64074a84652d8d623a92e20c9675c61cb5b4f6a0063e4648a2fdc02d53 | y = 0xd7a66f64074a84652d8d623a92e20c9675c61cb5b4f6a0063e4648a2fdc02d53 | |||
| pB = 0x04589f13218822710d98d8b2123a079041052d9941b9cf88c6617ddb2fcc0494 | pB = 0x04589f13218822710d98d8b2123a079041052d9941b9cf88c6617ddb2fcc0494 | |||
| 662eea8ba6b64692dc318250030c6af045cb738bc81ba35b043c3dcb46adf6f58d | 662eea8ba6b64692dc318250030c6af045cb738bc81ba35b043c3dcb46adf6f58d | |||
| K = 0x041a3c03d51b452537ca2a1fea6110353c6d5ed483c4f0f86f4492ca3f378d40 | K = 0x041a3c03d51b452537ca2a1fea6110353c6d5ed483c4f0f86f4492ca3f378d40 | |||
| a994b4477f93c64d928edbbcd3e85a7c709b7ea73ee97986ce3d1438e135543772 | a994b4477f93c64d928edbbcd3e85a7c709b7ea73ee97986ce3d1438e135543772 | |||
| TT = 0x00000000000000000000000000000000410000000000000004a65b367a3f613 | TT = 0x00000000000000000000000000000000410000000000000004a65b367a3f613 | |||
| cf9f0654b1b28a1e3a8a40387956c8ba6063e8658563890f46ca1ef6a676598889fc28 | cf9f0654b1b28a1e3a8a40387956c8ba6063e8658563890f46ca1ef6a676598889fc28 | |||
| de2950ab8120b79a5ef1ea4c9f44bc98f585634b46d66410000000000000004589f132 | de2950ab8120b79a5ef1ea4c9f44bc98f585634b46d66410000000000000004589f132 | |||
| 18822710d98d8b2123a079041052d9941b9cf88c6617ddb2fcc0494662eea8ba6b6469 | 18822710d98d8b2123a079041052d9941b9cf88c6617ddb2fcc0494662eea8ba6b6469 | |||
| 2dc318250030c6af045cb738bc81ba35b043c3dcb46adf6f58d4100000000000000041 | 2dc318250030c6af045cb738bc81ba35b043c3dcb46adf6f58d4100000000000000041 | |||
| a3c03d51b452537ca2a1fea6110353c6d5ed483c4f0f86f4492ca3f378d40a994b4477 | a3c03d51b452537ca2a1fea6110353c6d5ed483c4f0f86f4492ca3f378d40a994b4477 | |||
| f93c64d928edbbcd3e85a7c709b7ea73ee97986ce3d1438e1355437722000000000000 | f93c64d928edbbcd3e85a7c709b7ea73ee97986ce3d1438e1355437722000000000000 | |||
| 0007bf46c454b4c1b25799527d896508afd5fc62ef4ec59db1efb49113063d70cca | 0007bf46c454b4c1b25799527d896508afd5fc62ef4ec59db1efb49113063d70cca | |||
| Hash(TT) = 0xfc6374762ba5cf11f4b2caa08b2cd1b9907ae0e26e8d6234318d91583cd74c86 | Hash(TT) = 0xfc6374762ba5cf11f4b2caa08b2cd1b9907ae0e26e8d6234318d91583c | |||
| d74c86 | ||||
| Ke = 0xfc6374762ba5cf11f4b2caa08b2cd1b9 | Ke = 0xfc6374762ba5cf11f4b2caa08b2cd1b9 | |||
| Ka = 0x907ae0e26e8d6234318d91583cd74c86 | Ka = 0x907ae0e26e8d6234318d91583cd74c86 | |||
| KcA = 0x5dbd2f477166b7fb6d61febbd77a5563 | KcA = 0x5dbd2f477166b7fb6d61febbd77a5563 | |||
| KcB = 0x7689b4654407a5faeffdc8f18359d8a3 | KcB = 0x7689b4654407a5faeffdc8f18359d8a3 | |||
| A conf = 0xdfb4db8d48ae5a675963ea5e6c19d98d4ea028d8e898dad96ea19a80ade95dca | A conf = 0xdfb4db8d48ae5a675963ea5e6c19d98d4ea028d8e898dad96ea19a80ade9 | |||
| B conf = 0xd0f0609d1613138d354f7e95f19fb556bf52d751947241e8c7118df5ef0ae175 | 5dca | |||
| B conf = 0xd0f0609d1613138d354f7e95f19fb556bf52d751947241e8c7118df5ef0a | ||||
| ]]></artwork></figure> | e175 | |||
| ]]></artwork> | ||||
| </section> | </section> | |||
| <section numbered="false" toc="default"> | ||||
| <name>Acknowledgements</name> | ||||
| <t>Special thanks to <contact fullname="Nathaniel McCallum"/> and | ||||
| <contact fullname="Greg Hudson"/> for | ||||
| generating M and N and <contact fullname="Chris Wood"/> for generating tes | ||||
| t vectors. Thanks | ||||
| to <contact fullname="Mike Hamburg"/> for advice on how to deal with cofac | ||||
| tors. | ||||
| <contact fullname="Greg | ||||
| Hudson"/> also suggested the addition of warnings on the reuse of x | ||||
| and y. Thanks to <contact fullname="Fedor Brunner"/>, | ||||
| <contact fullname="Adam Langley"/>, <contact fullname="Liliya | ||||
| Akhmetzyanova"/>, and the members of the CFRG for comments and | ||||
| advice. Thanks to <contact fullname="Scott Fluhrer"/> and those Crypto Pan | ||||
| el experts | ||||
| involved in the PAKE selection process | ||||
| (<eref target="https://github.com/cfrg/pake-selection"/>) who have provide | ||||
| d | ||||
| valuable comments. <contact fullname="Chris Wood"/> contributed substantia | ||||
| l text and | ||||
| reformatting to address the excellent review comments from <contact fullna | ||||
| me="Kenny | ||||
| Paterson"/>. </t> | ||||
| </section> | ||||
| <section numbered="false" toc="default"> | ||||
| <name>Contributors</name> | ||||
| <author initials="B." surname="Kaduk" fullname="Benjamin Kaduk"> | ||||
| <organization abbrev="Akamai">Akamai Technologies</organization> | ||||
| <address> | ||||
| <email>kaduk@mit.edu</email> | ||||
| </address> | ||||
| </author> | ||||
| </section> | </section> | |||
| </back> | </back> | |||
| </rfc> | </rfc> | |||
| End of changes. 109 change blocks. | ||||
| 496 lines changed or deleted | 570 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||