<?xmlversion='1.0' encoding='utf-8'?>version="1.0" encoding="utf-8"?> <!-- draft submitted in xml v3 --> <!DOCTYPErfc> <?xml-stylesheet type="text/xsl" href="rfc2629.xslt"?> <?rfc compact="yes"?> <?rfc subcompact="no"?> <?rfc toc="yes"?> <?rfc sortrefs="yes"?> <?rfc symrefs="yes"?> <?rfc rfcedstyle="yes"?> <?rfc autobreaks="yes"?> <?rfc docmapping="yes"?>rfc [ <!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" submissionType="IETF" category="std" docName="draft-ietf-kitten-krb-spake-preauth-13" number="9588" consensus="true" ipr="trust200902" obsoletes="" updates="" tocInclude="true" symRefs="true" sortRefs="true" xml:lang="en" version="3"> <front><title>Kerberos<title abbrev="Kerberos SPAKEPre-Authentication</title> <seriesInfo name="Internet-Draft" value="draft-ietf-kitten-krb-spake-preauth-13"/>Pre-authentication">Kerberos Simple Password-Authenticated Key Exchange (SPAKE) Pre-authentication</title> <seriesInfoname="std" value=""/>name="RFC" value="9588"/> <author fullname="Nathaniel McCallum" initials="N." surname="McCallum"> <organization>Red Hat, Inc.</organization> <address><email>nathaniel@mccallum.life</email></address> </author> <author fullname="Simo Sorce" initials="S." surname="Sorce"> <organization>Red Hat, Inc.</organization> <address><email>ssorce@redhat.com</email></address> </author> <author fullname="Robbie Harwood" initials="R." surname="Harwood"> <organization>Red Hat, Inc.</organization> <address><email>rharwood@pm.me</email></address> </author> <author fullname="Greg Hudson" initials="G." surname="Hudson"> <organization>MIT</organization> <address><email>ghudson@mit.edu</email></address> </author> <dateday="08" month="February" year="2024" /> <area>Security</area> <workgroup>Internet Engineering Task Force</workgroup>month="August" year="2024"/> <area>SEC</area> <workgroup>kitten</workgroup> <keyword>example</keyword> <abstract> <t>This document defines a new pre-authentication mechanism for the Kerberos protocol. The mechanism uses a password-authenticated key exchange (PAKE) to prevent brute-force password attacks, and it mayoptionallyincorporate a second factor. </t> </abstract> </front> <middle> <section><name>Introduction</name> <t>The Kerberos protocol <xref target="RFC4120"/> commonly uses password-derived long-term keys to secure the initial authentication exchange between a Kerberos client and a Key Distribution Center (KDC). As noted inSection 10 of<xreftarget="RFC4120"/>,target="RFC4120" section="10" sectionFormat="of"/>, an attacker can perform an offline dictionary attack against thepassword,password; this is performed either by initiating an authentication exchange to a principal for which the KDC does not requirepre-authentication,pre-authentication or after eavesdropping on a legitimate authentication exchange that uses encrypted timestamp pre-authentication(Section 5.2.7.2 of <xref target="RFC4120"/>).</t>(<xref target="RFC4120" section="5.2.7.2" sectionFormat="of"/>).</t> <t>This document defines a pre-authentication mechanism that authenticates using long-term keys but is resistant to offline dictionary attacks. The mechanism additionally enables the use ofsecond factorsecond-factor authentication without the need for aseparately-establishedseparately established secure channel, by leveraging the trust relationship established by the shared long-term key.</t> <section><name>Properties of PAKE</name><t>Password authenticated<t>Password-authenticated key exchange (PAKE) algorithms <xref target="RFC8125"/> provide several propertieswhichthat defend against offline dictionary attacks and make them ideal for use in a Kerberos pre-authentication mechanism. </t> <ol> <li>Each side of the exchange contributes entropy.</li> <li>Passive attackers cannot determine the shared key.</li> <li>Active attackers cannot perform a machine-in-the-middle attack.</li> </ol> <t>These properties of PAKE allow us to establish high-entropy encryption keys resistant to offlinebrute force attack,brute-force attacks, even when the passwords used are weak(low-entropy).</t>(low entropy).</t> </section> <section><name>PAKE Algorithm Selection</name> <t>The SPAKE algorithm (defined in <xref target="SPAKE"/>) works by encrypting the public keys of a Diffie-Hellman (DH) key exchange with a shared secret. SPAKE is selected for this pre-authentication mechanism for the following properties: </t> <ol><li>Because SPAKE's<li>SPAKE's encryption method ensures that the result is a member of the underlying group, so it can be used with elliptic curve cryptography, which is believed to provide equivalent security levels to finite-field DH key exchange at much smaller key sizes.</li> <li>It can compute the shared key after just one message from each party, minimizing the need for additional round trips and state.</li> <li>It requires a small number of groupoperations, andoperations; therefore, it canthereforebe implemented simply and efficiently.</li> </ol> </section> <section><name>PAKE and Two-Factor Authentication</name> <t>Using PAKE in a pre-authentication mechanism also has another benefit when used as a component of two-factor authentication (2FA). 2FA methods often require the secure transfer of plaintext material to the KDC for verification. This includes one-time passwords, challenge/responsesignaturessignatures, and biometric data. Encrypting this data using the long-term secret results in packets that are vulnerable to offline brute-forceattackattacks on the password, using either an authentication tag or statistical properties of the 2FA credentials to determine whether a password guess is correct.</t> <t>Inthe One-Time"One-Time Passwordpre-authentication(OTP) Pre-Authentication" <xreftarget="RFC6560"/> specification,target="RFC6560"/>, this problem is mitigatedbyusing flexible authentication secure tunneling (FAST)(Section 5.4 of <xref target="RFC6113"/>),(<xref target="RFC6113" section="5.4" sectionFormat="of"/>), which uses a secondary trust relationship to create a secure encryption channel within which pre-authentication data can be sent. However, the requirement for a secondary trust relationship has proven to be cumbersome to deploy and often introduces third parties into the trust chain (such as certification authorities). These requirements make it difficult to enable FAST without manual configuration of client hosts. In contrast, SPAKE pre-authentication,in contrast,can create a secure encryption channel implicitly, using the key exchange to negotiate a high-entropy encryption key. This key can then be used to securely encrypt 2FA plaintext data without the need for a secondary trust relationship. Further, if thesecond factorsecond-factor verifiers are sent at the same time as thefirst factorfirst-factor verifier, and the KDC is careful to prevent timing attacks, then an online brute-force attack cannot be used to attack the factors separately.</t> <t>For these reasons, this document departs from the advice given inSection 1 of<xreftarget="RFC6113">RFC 6113</xref>target="RFC6113" section="1" sectionFormat="of"/>, whichstates thatstates: "Mechanism designers should design FAST factors, instead of new pre-authentication mechanisms outside of FAST." However, the SPAKE pre-authentication mechanism does not intend to replaceFAST,FAST and may be used with it to further conceal the metadata of the Kerberos messages.</t> </section> <section><name>SPAKE Overview</name> <t>The SPAKE algorithm can be broadly described in a series of four steps:</t> <ol> <li>Calculation and exchange of the public key</li> <li>Calculation of the shared secret (K)</li> <li>Derivation of an encryption key (K')</li> <li>Verification of the derived encryption key (K')</li> </ol> <t>In this mechanism, key verification happens implicitly by a successful decryption of the 2FAdata,data or of a placeholder value when no second factor is required. This mechanism uses a tailored method of deriving encryption keys from the calculated shared secret K, for severalreasons: toreasons:</t> <ul> <li>to fit within the framework of <xreftarget="RFC3961"/>, totarget="RFC3961"/>,</li> <li>to ensure negotiation integrity using a transcripthash, tohash,</li> <li>to derive different keys for each use,and toand</li> <li>to bind the KDC-REQ-BODY to the pre-authenticationexchange.</t>exchange.</li> </ul> </section> </section> <sectionanchor="conventions"><name>Documentanchor="conventions"> <name>Document Conventions</name><t>The<t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shownhere.</t>here. </t> <t>This document refers to numerous terms and protocol messages defined in <xref target="RFC4120"/>.</t> <t>The terms "encryption type", "key generation seed length", and "random-to-key" are defined in <xref target="RFC3961"/>.</t> <t>The terms "FAST", "PA-FX-COOKIE", "KDC_ERR_PREAUTH_EXPIRED", "KDC_ERR_MORE_PREAUTH_DATA_REQUIRED", "KDC_ERR_PREAUTH_FAILED", "pre-authentication facility", and "authentication set" are defined in <xref target="RFC6113"/>.</t><t>The <xref<t><xref target="SPAKE"/>paperdefines SPAKE as a family of twokey exchangekey-exchange algorithms differing only in derivation of the final key. This mechanism uses a derivation similar to the second algorithm (SPAKE2). For simplicity, this document refers to the algorithm as "SPAKE".</t> <t>The terms"ASN.1" and "DER""Abstract Syntax Notation One (ASN.1)" and "Distinguished Encoding Rules (DER)" are defined in <xreftarget="CCITT.X680.2002"/>target="ITU-T.X680.2021"/> and <xreftarget="CCITT.X690.2002"/>target="ITU-T.X690.2021"/>, respectively.</t> <t>When discussing operations within algebraic groups, this document uses additive notation (as described inSection 2.2 of<xreftarget="RFC6090"/>).target="RFC6090" section="2.2" sectionFormat="of"/>). Group elements are denoted with uppercase letters, while scalar multiplier values are denoted with lowercase letters.</t> </section> <section><name>Prerequisites</name> <section><name>PA-ETYPE-INFO2</name> <t>This mechanism requires the initial KDC pre-authentication state to contain a singular reply key. Therefore, a KDCwhichthat offers SPAKE pre-authentication as a stand-alone mechanismMUST<bcp14>MUST</bcp14> supply a PA-ETYPE-INFO2 value containing a single ETYPE-INFO2-ENTRY, following the guidance inSection 2.1 of<xreftarget="RFC6113"/>.target="RFC6113" section="2.1" sectionFormat="of"/>. PA-ETYPE-INFO2 is specified inSection 5.2.7.5 of<xreftarget="RFC4120"/>.</t>target="RFC4120" section="5.2.7.5" sectionFormat="of"/>.</t> </section> <section><name>Cookie Support</name> <t>KDCswhichthat implement SPAKE pre-authenticationMUST<bcp14>MUST</bcp14> have some secure mechanism for retaining state betweenAS-REQs.authentication service requests (AS-REQs). For stateless KDC implementations, this method will most commonly be an encrypted PA-FX-COOKIE. Clientswhichthat implement SPAKE pre-authenticationMUST<bcp14>MUST</bcp14> support PA-FX-COOKIE, as described inSection 5.2 of<xreftarget="RFC6113"/>.</t>target="RFC6113" section="5.2" sectionFormat="of"/>.</t> </section> <section><name>MorePre-AuthenticationPre-authentication Data Required</name> <t>Both KDCs and clientswhichthat implement SPAKE pre-authenticationMUST<bcp14>MUST</bcp14> support the use of KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, as described inSection 5.2 of<xreftarget="RFC6113"/>.</t>target="RFC6113" section="5.2" sectionFormat="of"/>.</t> </section> </section> <section><name>SPAKEPre-AuthenticationPre-authentication Message Protocol</name> <t>This mechanism uses the reply key and provides theClient Authenticationclient authentication andStrengthening Reply Keystrengthening reply key pre-authentication facilities(Section 3 of <xref target="RFC6113"/>).(<xref target="RFC6113" section="3" sectionFormat="of"/>). When the mechanism completes successfully, the client will have proved knowledge of the original reply key and possibly a second factor, and the reply key will be strengthened to a more uniform distribution based on the PAKE exchange. This mechanism also ensures the integrity of the KDC-REQ-BODY contents. This mechanism can be used in an authentication set; no pa-hint value is required or defined.</t> <t>This mechanism negotiates a choice of group for the SPAKE algorithm. Groups are defined in theIANA"Kerberos SPAKE Groups" registry created by thisdocument.document (see <xref target="SPAKE-Groups"/>). Each group definition specifies an associated hash function, which will be used for transcript protection and key derivation. Clients and KDCsMUST<bcp14>MUST</bcp14> implement the edwards25519 group, butMAYthey <bcp14>MAY</bcp14> choose not to offer or accept it by default.</t><t>This section<t>The subsections that follow will describe the flow of messages when performing SPAKE pre-authentication. We will begin by explaining the most verbose version of theprotocolprotocol, which all implementationsMUST<bcp14>MUST</bcp14> support.ThenThen, we will describe several optional optimizations to reduceround-trips.</t>round trips.</t> <t>Mechanism messages are communicated using PA-DATA elements within the padata field of KDC-REQ messages or within the METHOD-DATA in the e-data field of KRB-ERROR messages. All PA-DATA elements for this mechanismMUST<bcp14>MUST</bcp14> use the following padata-type: </t> <dl><dt>PA-SPAKE</dt><dd>151</dd></dl> <t> The padata-value for all PA-SPAKE PA-DATA valuesMUST<bcp14>MUST</bcp14> be empty or contain a DER encoding for the ASN.1 type PA-SPAKE.</t> <sourcecode type="asn.1"><![CDATA[ PA-SPAKE ::= CHOICE { support [0] SPAKESupport, challenge [1] SPAKEChallenge, response [2] SPAKEResponse, encdata [3] EncryptedData, ... } ]]></sourcecode> <section><name>First Pass</name> <t>The SPAKE pre-authentication exchange begins when the client sends an initial authentication service request (AS-REQ) without pre-authentication data. Upon receipt of this AS-REQ, a KDCwhichthat requires pre-authentication and supports SPAKESHOULD<bcp14>SHOULD</bcp14> (unless configuration indicates otherwise) reply with a KDC_ERR_PREAUTH_REQUIRED error, with METHOD-DATA containing an empty PA-SPAKE PA-DATA element (possibly in addition to other PA-DATA elements). This message indicates to the client that the KDC supports SPAKE pre-authentication.</t> </section> <section><name>Second Pass</name> <t>Once the client knows that the KDC supports SPAKE pre-authentication and the clientdesireswants to use it, the client will generate a new AS-REQ message containing a PA-SPAKE PA-DATA element using the support choice. This message indicates to the KDC which groups the client prefers for the SPAKE operation. The group numbers are defined in theIANA"Kerberos SPAKE Groups" registrycreated by this document.(see <xref target="SPAKE-Groups"/>). Thegroupsgroup's sequence is ordered from the most preferred group to the least preferred group.</t> <sourcecode type="asn.1"><![CDATA[ SPAKESupport ::= SEQUENCE { groups [0] SEQUENCE (SIZE(1..MAX)) OF Int32, ... } ]]></sourcecode> <t>Upon receipt of the support message, the KDC will select a group. The KDCSHOULD<bcp14>SHOULD</bcp14> choose a group from the groups provided by the support message. However, if the support message does not contain any group that is supported by the KDC, the KDCMAY<bcp14>MAY</bcp14> select another group in hopes that the client might support it. Otherwise, the KDCMUST<bcp14>MUST</bcp14> respond with a KDC_ERR_PREAUTH_FAILED error.</t> <t>The group selection determines the group order, which shall be a large prime p multiplied by a small cofactor h (possibly 1),as well asa generator P of a prime-ordersubgroupsubgroup, and two masking points M and N. The KDC selects a random integer x in the range 0 <= x < h*p, whichMUST<bcp14>MUST</bcp14> be divisible by h. The KDC computes a public key T=x*P+w*M, where w is computed from the initial reply key according to <xref target="spakeparams"/>.</t> <t>The KDC will reply to the client with a KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error containing a PA-SPAKE PA-DATA element using the challenge choice.</t> <sourcecode type="asn.1"><![CDATA[ SPAKEChallenge ::= SEQUENCE { group [0] Int32, pubkey [1] OCTET STRING, factors [2] SEQUENCE (SIZE(1..MAX)) OF SPAKESecondFactor, ... } ]]></sourcecode> <t>The group field indicates the KDC-selected group used for all SPAKE calculations as defined in theIANA"Kerberos SPAKE Groups" registrycreated by this document.</t>(see <xref target="SPAKE-Groups"/>).</t> <t>The pubkey field indicates the KDC's public key T, serialized according to <xref target="spakeparams"/>.</t> <t>The factors field contains an unordered list of secondfactorsfactors, which can be used to complete the authentication. Each second factor is represented by a SPAKESecondFactor.</t> <sourcecode type="asn.1"><![CDATA[ SPAKESecondFactor ::= SEQUENCE { type [0] Int32, data [1] OCTET STRING OPTIONAL } ]]></sourcecode> <t>The type field is a unique integerwhichthat identifies thesecond factorsecond-factor type. The factors field of SPAKEChallengeMUST NOT<bcp14>MUST NOT</bcp14> contain more than one SPAKESecondFactor with the same type value.</t> <t>The data field contains optional challenge data. The contents in this field will depend upon thesecond factorsecond-factor type chosen. Note that this challenge is initially transmitted as unauthenticated plaintext; see <xref target="unauthtext"/>.</t> <t>The client and KDC will each initialize a transcript hash (<xref target="transcript"/>) using the hash function associated with the chosengroup,group and update it with the concatenation of the DER-encoded PA-SPAKE messages sent by the client and the KDC.</t> </section> <section><name>Third Pass</name> <t>Upon receipt of the challenge message, the client observes which group was selected by the KDC and deserializes the KDC's public key T. The client selects a random integer y in the range 0 <= x < h*p, whichMUST<bcp14>MUST</bcp14> be divisible by h. The client computes a public key S=y*P+w*N, where w is computed from the initial reply key according to <xref target="spakeparams"/>. The client computes a shared group element K=y*(T-w*M).</t> <t>The client will then choose one of thesecond factorsecond-factor types listed in the factors field of the challenge message and gather whatever data is required for the chosensecond factorsecond-factor type, possibly using the associated challenge data. Finally, the client will send an AS-REQ containing a PA-SPAKE PA-DATA element using the response choice.</t> <sourcecode type="asn.1"><![CDATA[ SPAKEResponse ::= SEQUENCE { pubkey [0] OCTET STRING, factor [1] EncryptedData, -- SPAKESecondFactor ... } ]]></sourcecode> <t>The client and KDC will update the transcript hash with the pubkeyvalue,value and use the resulting hash for all encryption key derivations.</t> <t>The pubkey field indicates the client's public key S, serialized according to <xref target="spakeparams"/>.</t> <t>The factor field indicates the client's chosensecond factorsecond-factor data. The key for this field is K'[1]as specified(specified in <xreftarget="keyderiv"/>.target="keyderiv"/>). The kvno field of the EncryptedData sequence is omitted. The key usage number for the encryption is KEY_USAGE_SPAKE. Theplain textplaintext inside the EncryptedData is an encoding of the SPAKESecondFactor. Once decoded, the SPAKESecondFactorcontainsprovides the type of the second factor and any optional data used. The contents of the data field will depend on thesecond factorsecond-factor type chosen. The clientMUST NOT<bcp14>MUST NOT</bcp14> send a response containing asecond factorsecond-factor typewhichthat was not listed in the factors field of the challenge message.</t> <t>When the KDC receives the response message from the client, it deserializes the client's public key S, and computes the shared group element K=x*(S-w*N). The KDC derives K'[1] and decrypts the factors field. If decryption is successful, the first factor is successfully validated. The KDC then validates the second factor. If either factor fails to validate, the KDCMUST<bcp14>MUST</bcp14> respond with a KDC_ERR_PREAUTH_FAILED error.</t> <t>If validation of the second factor requires furtherround-trips,round trips, the KDCMUST<bcp14>MUST</bcp14> reply to the client with a KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error containing a PA-SPAKE PA-DATA element using the encdata choice. The kvno field of the EncryptedData sequence is omitted. The key for the EncryptedData value is K'[2]as specified(specified in <xreftarget="keyderiv"/>,target="keyderiv"/>), and the key usage number is KEY_USAGE_SPAKE. Theplain textplaintext of this message contains a DER-encoded SPAKESecondFactor message. As before, the type field of this message will contain thesecond factor type,second-factor type and the data fieldwill optionallywill, optionally, containsecond factor typedata specificdata.</t>to the second-factor type.</t> </section> <section><name>Subsequent Passes</name> <t>Any number of additional round trips may occur using the encdata choice. The contents of the plaintexts are specific to thesecond factorsecond-factor type. If a client receives a PA-SPAKE PA-DATA element using the encdata choice from the KDC, itMUST<bcp14>MUST</bcp14> reply with a subsequent AS-REQ with a PA-SPAKE PA-DATA element using the encdatachoice,choice or abort the AS exchange.</t> <t>The key for client-originated encdata messages in subsequent passes is K'[3]as specified(specified in <xreftarget="keyderiv"/>target="keyderiv"/>) for the first subsequent pass, K'[5] for the second, and so on. The key for KDC-originated encdata messages is K'[4] for the first subsequent pass, K'[6] for the second, and so on.</t> </section> <section><name>Reply Key Strengthening</name> <t>When the KDC has successfully validated both factors, the reply key is strengthened and the mechanism is complete.To strengthenThe strengthening of the replykey,key is accomplished by the client and KDCreplacereplacing it with K'[0]as(as specified in <xreftarget="keyderiv"/>.target="keyderiv"/>). The KDC then replies with a KDC-REPmessage,message or continues on to the next mechanism in the authentication set. There is no final PA-SPAKE PA-DATA message from the KDC to the client.</t> <t>Reply key strengthening occurs onlyonceonce: at the end of the exchange. The client and KDCMUST<bcp14>MUST</bcp14> use the initial reply key as the base key for all K'[n] derivations.</t> </section> <section anchor="optimizations"><name>Optimizations</name> <t>The full protocol has two possible optimizations.</t> <t>First, the KDCMAY<bcp14>MAY</bcp14> reply to the initial AS-REQ (containing no pre-authentication data) with a PA-SPAKE PA-DATA element using the challengechoice,choice instead of an empty padata-value. In this case, the KDC optimistically selects a groupwhichthat the client may not support. If the group chosen by the challenge message is supported by the client, the clientMUST<bcp14>MUST</bcp14> skip to the third pass by issuing an AS-REQ with a PA-SPAKE message using the response choice. In thiscasecase, no SPAKESupport message is sent by the client, so the first update to the transcript hash contains only the KDC's optimistic challenge. If the KDC's chosen group is not supported by the client, the clientMUST<bcp14>MUST</bcp14> continue to the second pass. In thiscasecase, both the client and KDCMUST<bcp14>MUST</bcp14> reinitialize the transcript hash for the client's support message. ClientsMUST<bcp14>MUST</bcp14> support this optimization.</t> <t>Second, clientsMAY<bcp14>MAY</bcp14> skip the first pass and send an AS-REQ with a PA-SPAKE PA-DATA element using the support choice. If the KDC accepts the support message and generates a challenge, itMUST<bcp14>MUST</bcp14> include a PA-ETYPE-INFO2 value within the METHOD-DATA of the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error response, as the client may not otherwise be able to compute the initial reply key. If the KDC cannot continue with SPAKE (either because the initial reply key type is incompatible with SPAKE or because it does not support any of the client's groups) but can offer other pre-authentication mechanisms,it MUSTthe KDC <bcp14>MUST</bcp14> respond with a KDC_ERR_PREAUTH_FAILED error containing METHOD-DATA for the available mechanisms. A client supporting this optimizationMUST<bcp14>MUST</bcp14> continue after a KDC_ERR_PREAUTH_FAILED error as described inSection 2 of<xreftarget="RFC6113"/>.target="RFC6113" section="2" sectionFormat="of"/>. KDCsMUST<bcp14>MUST</bcp14> support this optimization.</t> </section> </section> <section anchor="spakeparams"><name>SPAKE Parameters and Conversions</name> <t>Group elements are converted to and from octet strings using the serialization method defined in theIANA"Kerberos SPAKE Groups" registrycreated by this document.</t>(see <xref target="SPAKE-Groups"/>).</t> <t>The SPAKE algorithm requires constants M and N for each group. These constants are defined in theIANA"Kerberos SPAKE Groups" registrycreated by this document.</t>(see <xref target="SPAKE-Groups"/>).</t> <t>The SPAKE algorithm requires a shared secret input w to be used as a scalar multiplier. This valueMUST<bcp14>MUST</bcp14> be produced from the initial reply key as follows: </t> <ol> <li>Determine the length of the multiplier octet string as defined in theIANA"Kerberos SPAKE Groups" registrycreated by this document.</li>(see <xref target="SPAKE-Groups"/>).</li> <li>Compose a pepper string by concatenating the string "SPAKEsecret" and the group number as a big-endian four-byte two's complement binary number.</li> <li>Produce an octet string of the required length using PRF+(K, pepper), where K is the initial reply key and PRF+ is as defined inSection 5.1 of<xreftarget="RFC6113"/>.</li>target="RFC6113" section="5.1" sectionFormat="of"/>.</li> <li>Convert the octet string to a multiplier scalar using the multiplier conversion method defined in theIANA"Kerberos SPAKE Groups" registrycreated by this document.</li>(see <xref target="SPAKE-Groups"/>).</li> </ol> <t>The KDC chooses a secret scalar value x and the client chooses a secret scalar value y. As required by the SPAKE algorithm, these values are chosen randomly and uniformly. The KDC and clientMUST NOT<bcp14>MUST NOT</bcp14> reuse x or y values for authentications involving different initial reply keys (see <xref target="kdcstate"/>).</t> </section> <section anchor="transcript"><name>Transcript Hash</name> <t>The transcript hash is an octet string of length equal to the output length of the hash function associated with the selected group.The initial value consists of allAll bits are set tozero.</t>zero in the initial value.</t> <t>When the transcript hash is updated with an octet string input, the new value is the hash function computed over the concatenation of the old value and the input.</t> <t>In the normal message flow or with the second optimization described in <xref target="optimizations"/>, the transcript hashis first updatedis:</t> <ol><li>updated with the concatenation of the client's support message and the KDC's challenge,and then updatedthen</li> <li>updated a second time with the client's pubkeyvalue. It thereforevalue.</li></ol> <t>Therefore, it incorporates the client's supported groups, the KDC's chosen group, the KDC's initial second-factor messages, and the client and KDC public values. Once the transcript hash is finalized, it is used without change for all key derivations (<xref target="keyderiv"/>). In particular, encrypted second-factor messages are not included in the transcript hash.</t> <t>If the first optimization described in <xref target="optimizations"/> is used successfully, the transcript hash isupdatedfirst updated with the KDC's challengemessage,message and updated a second time with the client's pubkey value.</t> <t>If the first optimization is used unsuccessfully(i.e.(i.e., the client does not accept the KDC's selected group), the transcript hash is computed as in the normal message flow, without including the KDC's optimistic challenge.</t> </section> <section anchor="keyderiv"><name>Key Derivation</name> <t>ImplementationsMUST NOT<bcp14>MUST NOT</bcp14> use the shared group element (denoted by K) directly for any cryptographic operation. Instead, the SPAKE result is used to derive keys K'[n]as defined(defined in thissection.</t>section).</t> <t>First, compute the hash function associated with the selected group over the concatenation of the following values:</t> <ul> <li>The fixed string "SPAKEkey".</li> <li>The group number as a big-endian four-byte two's complement binary number.</li> <li>The encryption type of the initial reply key as a big-endian four-byte two's complement binary number.</li> <li>The PRF+ output used to compute the initial secret input was(as specified in <xreftarget="spakeparams"/>.</li>target="spakeparams"/>).</li> <li>The SPAKE result K, converted to an octet stringas(as specified in <xreftarget="spakeparams"/>.</li>target="spakeparams"/>).</li> <li>The transcript hash.</li> <li>The KDC-REQ-BODY encoding for the request being sent or responded to. Within a FAST channel, the inner KDC-REQ-BODY encodingMUST<bcp14>MUST</bcp14> be used.</li> <li>The value n as abig-endian four-bytebig-endian, four-byte, and unsigned binary number.</li> <li>A single-byte blockcounter,counter with the initial value 0x01.</li> </ul> <t> If the hash output is too small for the encryption type's key generation seed length, the block counter value is incremented and the hash functionre-computedis recomputed to produce as many blocks as are required. The result is truncated to the key generation seed length, and the random-to-key function is used to produce an intermediate key with the same encryption type as the initial reply key.</t> <t>The key K'[n] has the same encryption type as the initial reply key, and has the value KRB-FX-CF2(initial-reply-key, intermediate-key, "SPAKE", "keyderiv"), where KRB-FX-CF2 is defined inSection 5.1 of<xreftarget="RFC6113"/>.</t>target="RFC6113" section="5.1" sectionFormat="of"/>.</t> </section><section><name>Second Factor<section><name>Second-Factor Types</name> <t>This document defines onesecond factorsecond-factor type:</t> <dl><dt>SF-NONE</dt><dd>1</dd></dl> <t>Thissecond factorsecond-factor type indicates that no second factor is used. Whenever a SPAKESecondFactor is used with SF-NONE, the data fieldMUST<bcp14>MUST</bcp14> be omitted. The SF-NONE second factor always successfully validates.</t> </section> <section><name>Hint for Authentication Sets</name> <t>If a KDC offers SPAKE pre-authentication as part of an authentication set(Section 5.3 of <xref target="RFC6113"/>),(<xref target="RFC6113" section="5.3" sectionFormat="of"/>), itSHOULD<bcp14>SHOULD</bcp14> provide a pa-hint value containing the DER encoding of the ASN.1 typePA-SPAKE-HINT, to helpPA-SPAKE-HINT. This helps the client determine whether SPAKE pre-authentication is likely to succeed if the authentication set is chosen.</t> <sourcecode type="asn.1"><![CDATA[ PA-SPAKE-HINT ::= SEQUENCE { groups [0] SEQUENCE (SIZE(1..MAX)) OF Int32, factors [1] SEQUENCE (SIZE(1..MAX)) OF SPAKESecondFactor } ]]></sourcecode> <t>The groups field indicates the KDC's supported groups. The factors field indicates the KDC's supported second factors. The KDCMAY<bcp14>MAY</bcp14> omit the data field of values in the factors list.</t> <t>A KDCMUST NOT<bcp14>MUST NOT</bcp14> include a PA-SPAKE-HINT message directly in a pa-value field; hints must only be provided within authentication sets. A KDCSHOULD<bcp14>SHOULD</bcp14> include a hint if SPAKE pre-authentication is offered as the second or later element of an authentication set.</t> <t>The PA-SPAKE-HINT message is not part of the transcript, and it does not replace any part of the SPAKE message flow.</t> </section> <section><name>Security Considerations</name> <section><name>SPAKE Computations</name> <t>The deserialized public keys S and TMUST<bcp14>MUST</bcp14> be verified to be elements of thegroup,group to prevent invalid curve attacks. It is not necessary to verify that they are members of the prime-ordersubgroup, assubgroup; the computation of K by both parties involves a multiplication by the cofactor h.</t> <t>The aforementioned cofactor multiplication is accomplished by choosing private scalars x andyy, which are divisible by the cofactor. If the client or KDC chooses a scalarwhichthat might not be divisible by the cofactor, an attacker might be able to coerce values of Kwhichthat are not members of the prime-ordersubgroup,subgroup and deduce a limited amount of information about w from the order of K.</t> <t>The scalars x and yMUST<bcp14>MUST</bcp14> be chosenuniformly, and must notuniformly. They <bcp14>MUST NOT</bcp14> be reused for different initial reply keys. If an x or y value is reused for pre-authentications involving two different initial reply keys, an attacker who observes both authentications and knows one of the initial reply keys can conduct an offline dictionary attack to recover the other one.</t> <t>The M and N values for a groupMUST NOT<bcp14>MUST NOT</bcp14> have known discrete logs. An attacker who knows the discrete log of M or N can perform an offline dictionary attack on passwords.ItTherefore, it isthereforeimportant to demonstrate that the M and N values for each group were computed without multiplying a known value by the generator P.</t> </section> <section anchor="unauthtext"><name>Unauthenticated Plaintext</name> <t>This mechanism includes unauthenticated plaintext in the support and challenge messages. Beginning with the third pass, the integrity of this plaintext is ensured by incorporating the transcript hash into the derivation of the final reply key andsecond factorsecond-factor encryption keys. Downgrade attacks on support and challenge messages will result in the client and KDC deriving different reply keys and EncryptedData keys. The KDC-REQ-BODY contents are also incorporated into key derivation, ensuring their integrity. The unauthenticated plaintext in the KDC-REP message is not protected by this mechanism.</t> <t>Unless FAST is used, the factors field of a challenge message is notintegrity-protectedintegrity protected until the response is verified.Second factorSecond-factor typesMUST<bcp14>MUST</bcp14> account for this when specifying the semantics of the data field. In particular,second factorsecond-factor data in the challenge should not be included in userprompts, asprompts: it could be modified by an attacker to contain misleading or offensive information.</t> <t>Unless FAST is used, the factors field of a challenge message is visible to an attacker, who can use it to determine whether a second factor is required for the client.</t> <t>Subsequent factor data, including the data in the response, are encrypted in a derivative of the shared secret K. Therefore, it is not possible to exploit the untrustworthiness of the challenge to turn the client into an encryption or signing oracle for thesecond factorsecond-factor credentials, unless the attacker knows the client's long-term key.</t> <t>Unless FAST is used, any PA-SPAKE-HINT messagesincluded when SPAKE is advertised in authentication setsareunauthenticated,unauthenticated and are not protected by the transcripthash.hash if they are included when SPAKE is advertised in authentication sets. Since hints do not replace any part of the message flow, manipulation of hint messages can only affect the client's decision to use or not use an authentication set, which could more easily be accomplished by removing authentication sets entirely.</t> </section> <section><name>Side Channels</name> <t>An implementation of the SPAKE pre-authentication mechanism can have the property of indistinguishability, meaning that an attacker who guesses a long-term key and asecond factorsecond-factor value cannot determine whether one of the factors was correct unless both are correct. Indistinguishability is only maintained if the second factor can be validated solely based on the data in the response; the use of additional round trips will reveal to the attacker whether the long-term key is correct. Indistinguishability also requires that there are no side channels. Whenprocessingthe KDC processes a response message, whether or notthe KDC successfullyit decrypts the factor field, it must reply with the same error fields, take the same amount of time, and make the same observable communications to other servers.</t> <t>Both the size of the EncryptedData and the number of EncryptedData messages used for second-factor data (including the factor field of the SPAKEResponse message and messages using the encdata PA-SPAKE choice) may reveal information about the second factor used in an authentication. Care should be taken to keepsecond factorsecond-factor messages as small and as few as possible.</t> <t>Any side channels in the creation of the shared secret input w, or in the multiplications wM and wN, could allow an attacker to recover the client long-term key. ImplementationsMUST<bcp14>MUST</bcp14> take care to avoid side channels, particularly timing channels. Generation of the secret scalar values x and y need not take constant time, but the amount of time takenMUST NOT<bcp14>MUST NOT</bcp14> provide information about the resulting value.</t> <t>The conversion of the scalar multiplier for the SPAKE w parameter may produce a multiplier that is larger than the order of the group. Some group implementations may be unable to handle such a multiplier. Others may silently accept such amultiplier,multiplier but proceed to perform multiplication that is not constant time. This is only a minor risk in mostcommonly-usedcommonly used groups, but it is a more serious risk for P-521 due to the extra seven high bits in the input octet string. A common solution to this problem is achieved by reducing the multiplier modulo the group order, taking care to ensure constant time operation.</t> </section> <section anchor="kdcstate"><name>KDC State</name> <t>A stateless KDC implementation generally must use a PA-FX-COOKIE value to remember its private scalar value x and the transcript hash. The KDCMUST<bcp14>MUST</bcp14> maintain confidentiality and integrity of the cookie value, perhaps by encrypting it in a key known only to the realm's KDCs. Cookie values may be replayed by attackers, perhaps by splicing them into different SPAKE exchanges. The KDCSHOULD<bcp14>SHOULD</bcp14> limit the time window of replays using a timestamp, andSHOULDit <bcp14>SHOULD</bcp14> prevent cookie values from being applied to other pre-authentication mechanisms or other client principals. Within the validity period of a cookie, an attacker can replay the final message of a pre-authentication exchange to any of the realm's KDCs and make it appear that the client has authenticated.</t> <t>The SPAKE pre-authentication mechanism is not designed to provide forward secrecy. Nevertheless, some measure of forward secrecy may result depending on implementation choices. A passive attacker who determines the client long-term key after the exchange generally will not be able to recover the ticket session key; however, an attacker who also determines the PA-FX-COOKIE encryption key (if the KDC uses an encrypted cookie) will be able to recover the ticket session key. If the KDC or client retains the x or y value for reuse with the same client long-term key, an attacker who recovers the x or y value and the long-term key will be able to recover the ticket session key.</t> </section> <section><name>Dictionary Attacks</name> <t>Although the SPAKE pre-authentication mechanism is designed to prevent an offline dictionary attack by an active attacker posing as the KDC, such an attacker can attempt to downgrade the client to the encryptedtimestamp.timestamp pre-authentication mechanism. Client implementationsSHOULD<bcp14>SHOULD</bcp14> provide a configuration option to enable or disable the encrypted timestamp mechanism on a per-realm basis to mitigate this attack.</t> <t>If the user enters the wrong password, the client might fall back to the encrypted timestamp mechanism after receiving a KDC_ERR_PREAUTH_FAILED error from the KDC, if the encrypted timestamp mechanism is offered by the KDC and not disabled by client configuration. This fallback will enable a passive attacker to mount an offline dictionary attack against the incorrect password, which may be similar to the correct password. Client implementationsSHOULD<bcp14>SHOULD</bcp14> assume that the encrypted timestamp and encrypted challenge mechanisms are unlikely to succeed if SPAKE pre-authentication fails in the second pass and SF-NONE was used.</t> <t>Like any other pre-authentication mechanism using the client long-term key, the SPAKE pre-authentication mechanism does not prevent online password guessing attacks. The KDC is made aware of unsuccessfulguesses,guesses and can apply facilities such as rate limiting to mitigate the risk of online attacks.</t> </section><section><name>Brute Force<section><name>Brute-Force Attacks</name> <t>The selected group's resistance to offline brute-force attacks may not correspond to the size of the reply key. For performance reasons, a KDCMAY<bcp14>MAY</bcp14> select a group whose brute-force work factor is less than the reply key length. A passive attacker who solves the group discrete logarithm problem after the exchange will be able to conduct an offline attack against the client long-term key. Although the use of password policies and costly, salted string-to-key functions may increase the cost of such an attack, the resulting cost will likely not be higher than the cost of solving the group discrete logarithm.</t> </section><section><name>Denial of Service<section><name>Denial-of-Service Attacks</name> <t>Elliptic curve group operations are more computationally expensive than secret-key operations. As a result, the use of this mechanism may affect the KDC's performance under normal load and its resistance todenial of servicedenial-of-service attacks.</t> </section> <section><name>Reflection Attacks</name> <t>The encdata choice of PA-SPAKE can be used in eitherdirection, anddirection; the factor-specific plaintext does not necessarily indicate a direction. However, each encdata message is encrypted using a derived key K'[n], with client-originated messages using only odd values of n and KDC-originated messages using only even values.AnTherefore, an attempted reflection attack wouldthereforeresult in a failed decryption.</t> </section><section><name>Reply-Key<section><name>Reply Key Encryption Type</name> <t>This mechanism does not upgrade the encryption type of the initial replykey,key and relies on that encryption type for confidentiality, integrity, andpseudo-randompseudorandom functions. If the client long-term key uses a weak encryption type, an attacker might be able to subvert the exchange, and the replaced reply key will also be of the same weak encryption type.</t> </section> <section><name>KDC Authentication</name> <t>This mechanism does not directly provide the KDC Authentication pre-authenticationfacility,facility because it does not send a key confirmation from the KDC to the client. When used as a stand-alone mechanism, thetraditionalpreexisting KDC authentication provided by the KDC-REP enc-part still applies.</t> </section> </section> <section><name>Assigned Constants</name> <t>The following key usage values are assigned for this mechanism:</t> <dl><dt>KEY_USAGE_SPAKE</dt><dd>65</dd></dl> </section> <section><name>IANA Considerations</name> <t>IANA has assigned the following number for PA-SPAKE in the "Pre-authentication and Typed Data" registry:</t> <table align="center"> <thead> <tr><th>Type</th><th>Value</th><th>Reference</th></tr> </thead> <tbody><tr><td>PA-SPAKE</td><td>151</td><td>[this document]</td></tr><tr><td>PA-SPAKE</td><td>151</td><td>RFC 9588</td></tr> </tbody> </table> <t>This document establishes two registries (see Sections <xref target="Second-Factor" format="counter"/> and <xref target="SPAKE-Groups" format="counter"/>) with the following procedure, in accordance with <xref target="RFC8126"/>:</t> <t>Registry entries are to be evaluated using the Specification Required method. All specifications must bebepublished prior to entry inclusion in the registry. Once published, they can be submitted directly to the krb5-spake-review@ietf.org mailing list, where there will be athree-week longthree-week-long review period byDesignated Experts.</t>designated experts.</t> <t>TheDesignated Expertsdesignated experts ensure that the specification is publicly available.The Designated ExpertsThey may provide additional in-depth reviews, but their approval should not be taken as endorsement of the specification.</t> <t>Prior to the end of the review period, theDesignated Expertsdesignated experts must approve or deny the request. This decision is conveyed to both IANA and the submitter. Since the mailing list archives are not public, it should include both a reasonably detailed explanation in the case of a denial as well as whether the request can be resubmitted.</t> <t>IANA must only accept registry updates from the designated experts and should direct all requests for registration to the review mailing list.</t><section><name>Kerberos Second Factor<section anchor="Second-Factor"><name>Kerberos Second-Factor Types</name> <t>This sectionspeciesspecifies theIANA"KerberosSecond FactorSecond-Factor Types"registry. This registryregistry, which records the number, name, and reference for eachsecond factorsecond-factor protocol.</t> <section><name>Registration Template</name> <dl> <dt>ID Number:</dt> <dd>This is aA value that uniquely identifies this entry. It is a signed integer in the range -2147483648 to 2147483647, inclusive. Positive values must be assigned only for algorithms specified in accordance with these rules for use with Kerberos and related protocols. Negative values should be used for private and experimental algorithms only. Zero is reserved and must not be assigned. Values should be assigned in increasing order. </dd> <dt>Name:</dt><dd>Brief,<dd>A brief, unique, human-readable name for this algorithm.</dd> <dt>Reference:</dt> <dd> A URI or otherwise unique identifier for where the details of this algorithm can be found. It should be as specific as reasonably possible. </dd> </dl> </section> <section><name>Initial Registry Contents</name> <dl spacing="compact"> <dt>ID Number:</dt><dd>0</dd> <dt>Name:</dt><dd>Reserved</dd> <dt>Reference:</dt><dd>RFC 9588</dd> </dl> <dl spacing="compact"> <dt>ID Number:</dt><dd>1</dd> <dt>Name:</dt><dd>SF-NONE</dd><dt>Reference:</dt><dd>[this document]</dd><dt>Reference:</dt><dd>RFC 9588</dd> </dl> </section> </section><section><name>Kerberos<section anchor="SPAKE-Groups"><name>Kerberos SPAKE Groups</name> <t>This section specifies theIANA"Kerberos SPAKE Groups"registry. This registryregistry, which records the number, name, specification, serialization, multiplier length, multiplier conversion, SPAKE M and N constants, and associated hashfunction.</t>function for each SPAKE Group.</t> <section><name>Registration Template</name> <dl> <dt>ID Number:</dt> <dd>This is aA value that uniquely identifies this entry. It is a signed integer in the range -2147483648 to 2147483647, inclusive. Positive values must be assigned only for algorithms specified in accordance with these rules for use with Kerberos and related protocols. Negative values should be used for private and experimental use only. Zero is reserved and must not be assigned. Values should be assigned in increasing order. </dd> <dt>Name:</dt> <dd>Brief,A brief, unique,human readablehuman-readable name for this entry. </dd> <dt>Specification:</dt> <dd>ReferenceA reference to the definition of the group parameters and operations. </dd> <dt>Serialization:</dt> <dd>ReferenceA reference to the definition of the method used to serialize and deserialize group elements. </dd> <dt>Multiplier Length:</dt> <dd> The length of the input octet string to multiplication operations. </dd> <dt>Multiplier Conversion:</dt> <dd>ReferenceA reference to the definition of the method used to convert an octet string to a multiplier scalar. </dd> <dt>SPAKE M Constant:</dt> <dd> The serialized value of the SPAKE M constant in hexadecimal notation. </dd> <dt>SPAKE N Constant:</dt> <dd> The serialized value of the SPAKE N constant in hexadecimal notation. </dd> <dt>Hash Function:</dt> <dd> The group's associated hash function. </dd> </dl> </section> <section><name>Initial Registry Contents</name> <section><name>Edwards 25519</name><dl spacing="compact"> <dt>ID Number:</dt><dd>1</dd> <dt>Name:</dt><dd>edwards25519</dd> <dt>Specification:</dt><dd>Section 4.1 of <xref target="RFC7748"/><dd><xref target="RFC7748" section="4.1" sectionFormat="of"/> (edwards25519)</dd> <dt>Serialization:</dt><dd>Section 3.1 of <xref target="RFC8032"/></dd><dd><xref target="RFC8032" section="3.1" sectionFormat="of"/></dd> <dt>Multiplier Length:</dt><dd>32</dd> <dt>Multiplier Conversion:</dt><dd>Section 3.1 of <xref target="RFC8032"/></dd><dd><xref target="RFC8032" section="3.1" sectionFormat="of"/></dd> <dt>SPAKE M Constant:</dt> <dd>d048032c6ea0b6d697ddc2e86bda85a33adac920f1bf18e1b0c6d166a5cecdaf</dd> <dt>SPAKE N Constant:</dt> <dd>d3bfb518f44f3430f29d0c92af503865a1ed3281dc69b35dd868ba85f886c4ab</dd> <dt>Hash function:</dt><dd>SHA-256(<xref target="RFC6234"/>)</dd><xref target="RFC6234"/></dd> </dl></section> <section><name>P-256</name><dl spacing="compact"> <dt>ID Number:</dt><dd>2</dd> <dt>Name:</dt><dd>P-256</dd> <dt>Specification:</dt> <dd>Section 2.4.2 of <xref target="SEC2"/></dd> <dt>Serialization:</dt> <dd>Section 2.3.3 of <xref target="SEC1"/> (compressed format)</dd> <dt>Multiplier Length:</dt><dd>32</dd> <dt>Multiplier Conversion:</dt> <dd>Section 2.3.8 of <xref target="SEC1"/></dd> <dt>SPAKE M Constant:</dt> <dd>02886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa12f</dd> <dt>SPAKE N Constant:</dt> <dd>03d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4f98baa1292b49</dd> <dt>Hash function:</dt><dd>SHA-256(<xref target="RFC6234"/>)</dd><xref target="RFC6234"/></dd> </dl></section> <section><name>P-384</name><dl spacing="compact"> <dt>ID Number:</dt><dd>3</dd> <dt>Name:</dt><dd>P-384</dd> <dt>Specification:</dt> <dd>Section 2.5.1 of <xref target="SEC2"/></dd> <dt>Serialization:</dt> <dd>Section 2.3.3 of <xref target="SEC1"/> (compressed format)</dd> <dt>Multiplier Length:</dt><dd>48</dd> <dt>Multiplier Conversion:</dt> <dd>Section 2.3.8 of <xref target="SEC1"/></dd> <dt>SPAKE M Constant:</dt> <dd>030ff0895ae5ebf6187080a82d82b42e2765e3b2f8749c7e05eba366434b363d3dc36f15314739074d2eb8613fceec2853</dd> <dt>SPAKE N Constant:</dt> <dd>02c72cf2e390853a1c1c4ad816a62fd15824f56078918f43f922ca21518f9c543bb252c5490214cf9aa3f0baab4b665c10</dd> <dt>Hash function:</dt><dd>SHA-384(<xref target="RFC6234"/>)</dd><xref target="RFC6234"/></dd> </dl></section> <section><name>P-521</name><dl spacing="compact"> <dt>ID Number:</dt><dd>4</dd> <dt>Name:</dt><dd>P-521</dd> <dt>Specification:</dt> <dd>Section 2.6.1 of <xref target="SEC2"/></dd> <dt>Serialization:</dt> <dd>Section 2.3.3 of <xref target="SEC1"/> (compressed format)</dd> <dt>Multiplier Length:</dt><dd>48</dd> <dt>Multiplier Conversion:</dt> <dd>Section 2.3.8 of <xref target="SEC1"/></dd> <dt>SPAKE M Constant:</dt> <dd>02003f06f38131b2ba2600791e82488e8d20ab889af753a41806c5db18d37d85608cfae06b82e4a72cd744c719193562a653ea1f119eef9356907edc9b56979962d7aa</dd> <dt>SPAKE N Constant:</dt> <dd>0200c7924b9ec017f3094562894336a53c50167ba8c5963876880542bc669e494b2532d76c5b53dfb349fdf69154b9e0048c58a42e8ed04cef052a3bc349d95575cd25</dd> <dt>Hash function:</dt><dd>SHA-512(<xref target="RFC6234"/>)</dd><xref target="RFC6234"/></dd> </dl></section> </section> </section> </section> </middle> <back><references><name>Normative<references> <name>References</name> <references> <name>Normative References</name> <xi:includehref='https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml'/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:includehref='https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3961.xml'/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3961.xml"/> <xi:includehref='https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4120.xml'/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4120.xml"/> <xi:includehref='https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6113.xml'/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6113.xml"/> <xi:includehref='https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6234.xml'/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6234.xml"/> <xi:includehref='https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7748.xml'/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7748.xml"/> <xi:includehref='https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8032.xml'/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8032.xml"/> <xi:includehref='https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml'/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml"/> <xi:includehref='https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml'/> <xi:include href='https://xml2rfc.ietf.org/public/rfc/bibxml2/reference.CCITT.X680.2002.xml'/> <xi:include href='https://xml2rfc.ietf.org/public/rfc/bibxml2/reference.CCITT.X690.2002.xml'/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <reference anchor='ITU-T.X680.2021'> <front> <title>Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation</title> <author> <organization>ITU-T</organization> </author> <date month="February" year="2021"/> </front> <seriesInfo name="ITU-T Recommendation" value="X.680"/> <seriesInfo name="ISO/IEC" value="8824-1:2021"/> </reference> <reference anchor='ITU-T.X690.2021'> <front> <title>Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)</title> <author> <organization>ITU-T</organization> </author> <date month="February" year="2021"/> </front> <seriesInfo name="ITU-T Recommendation" value="X.690"/> <seriesInfo name="ISO/IEC" value="8825-1:2021"/> </reference> <reference anchor='SEC1'> <front> <title>SEC 1: Elliptic Curve Cryptography</title><author><organization>Standards<author> <organization>Standards for Efficient CryptographyGroup</organization></author>Group</organization> </author> <date month="May" year="2009" /> </front> </reference> <reference anchor='SEC2'> <front> <title>SEC 2: Recommended Elliptic Curve Domain Parameters</title><author><organization>Standards<author> <organization>Standards for Efficient CryptographyGroup</organization></author>Group</organization> </author> <date month="January" year="2010" /> </front> </reference> </references><references><name>Informative<references> <name>Informative References</name> <xi:includehref='https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6090.xml'/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6090.xml"/> <xi:includehref='https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6560.xml'/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6560.xml"/> <xi:includehref='https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8125.xml'/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8125.xml"/> <reference anchor="SPAKE"> <front> <title>Simple Password-Based Encrypted Key Exchange Protocols</title> <author surname="Abdalla"initials="M." />initials="M."/> <author surname="Pointcheval"initials="D. " />initials="D."/> <date month="February"year="2005" />year="2005"/> </front><refcontent>Cryptography-CT-RSA<refcontent>CT-RSA 2005, Lecture Notes in Computer Science, Volume 3376, pages 191-208, Springer</refcontent> <seriesInfo name="DOI" value="10.1007/978-3-540-30574-3_14"/> </reference> </references> </references> <section><name>ASN.1 Module</name> <sourcecode type="asn.1"><![CDATA[ KerberosV5SPAKE { iso(1) identified-organization(3) dod(6) internet(1) security(5) kerberosV5(2) modules(4) spake(8) } DEFINITIONS EXPLICIT TAGS ::= BEGIN IMPORTS EncryptedData, Int32 FROM KerberosV5Spec2 { iso(1) identified-organization(3) dod(6) internet(1) security(5) kerberosV5(2) modules(4) krb5spec2(2) }; -- as defined in RFC 4120. SPAKESupport ::= SEQUENCE { groups [0] SEQUENCE (SIZE(1..MAX)) OF Int32, ... } SPAKEChallenge ::= SEQUENCE { group [0] Int32, pubkey [1] OCTET STRING, factors [2] SEQUENCE (SIZE(1..MAX)) OF SPAKESecondFactor, ... } SPAKESecondFactor ::= SEQUENCE { type [0] Int32, data [1] OCTET STRING OPTIONAL } SPAKEResponse ::= SEQUENCE { pubkey [0] OCTET STRING, factor [1] EncryptedData, -- SPAKESecondFactor ... } PA-SPAKE ::= CHOICE { support [0] SPAKESupport, challenge [1] SPAKEChallenge, response [2] SPAKEResponse, encdata [3] EncryptedData, ... } PA-SPAKE-HINT ::= SEQUENCE { groups [0] SEQUENCE (SIZE(1..MAX)) OF Int32, factors [1] SEQUENCE (SIZE(1..MAX)) OF SPAKESecondFactor } END ]]></sourcecode> </section> <section><name>SPAKE M and N Value Selection</name> <t>The M and N values for the initial contents of the SPAKE group registry were generated using the following Python snippet, which assumes an elliptic curve implementation following the interface of Edwards25519Point.stdbase() and Edwards448Point.stdbase() inAppendix A of<xreftarget="RFC8032"/>:</t>target="RFC8032" sectionFormat="of" section="A"/>:</t> <sourcecode type="python"><![CDATA[ def iterhash(seed, n): h = seed for i in range(n): h = hashlib.sha256(h).digest() return h def bighash(seed, start, sz): n = -(-sz // 32) hashes = [iterhash(seed, i) for i in range(start, start + n)] return b''.join(hashes)[:sz] def canon_pointstr(ecname, s): if ecname == 'edwards25519': return s elif ecname == 'edwards448': return s[:-1] + bytes([s[-1] & 0x80]) else: return bytes([(s[0] & 1) | 2]) + s[1:] def gen_point(seed, ecname, ec): for i in range(1, 1000): hval = bighash(seed, i, len(ec.encode())) pointstr = canon_pointstr(ecname, hval) try: p = ec.decode(pointstr) if p != ec.zero_elem() and p * p.l() == ec.zero_elem(): return pointstr, i except Exception: pass ]]></sourcecode> <t>Theseedinitial seed stringsare:</t>are as follows:</t> <ul> <li>For group 1 M: edwards25519 point generation seed (M)</li> <li>For group 1 N: edwards25519 point generation seed (N)</li> <li>For group 2 M: 1.2.840.10045.3.1.7 point generation seed (M)</li> <li>For group 2 N: 1.2.840.10045.3.1.7 point generation seed (N)</li> <li>For group 3 M: 1.3.132.0.34 point generation seed (M)</li> <li>For group 3 N: 1.3.132.0.34 point generation seed (N)</li> <li>For group 4 M: 1.3.132.0.35 point generation seed (M)</li> <li>For group 4 N: 1.3.132.0.35 point generation seed (N)</li> </ul> </section> <section><name>Test Vectors</name> <t>For the following text vectors:</t> <ul> <li>The key is the string-to-key of "password" with the salt "ATHENA.MIT.EDUraeburn" for the designated initial reply key encryption type.</li> <li>x and y were chosen randomly within the order of the designated group, then multiplied by thecofactor..</li>cofactor.</li> <li>The SPAKESupport message contains only the designated group's number.</li> <li>The SPAKEChallenge message offers only the SF-NONEsecond factorsecond-factor type.</li> <li>The KDC-REQ-BODY messagecontains nodoes not contain KDC options, but does contain the client principal name "raeburn@ATHENA.MIT.EDU", the server principal name "krbtgt/ATHENA.MIT.EDU", the realm "ATHENA.MIT.EDU", the till field "19700101000000Z", the nonce zero, and an etype list containing only the designated encryption type.</li> </ul><artwork><![CDATA[<sourcecode type="test-vector"><![CDATA[ des3-cbc-sha1 edwards25519 key: 850bb51358548cd05e86768c313e3bfef7511937dcf72c3e w (PRF+ output): 686d84730cb8679ae95416c6567c6a63 f2c9cef124f7a3371ae81e11cad42a37 w (reduced multiplier): a1f1a25cbd8e3092667e2fddba8ecd24 f2c9cef124f7a3371ae81e11cad42a07 x: 201012d07bfd48ddfa33c4aac4fb1e229fb0d043cfe65ebfb14399091c71a723 y: 500b294797b8b042aca1bedc0f5931a4f52c537b3608b2d05cc8a2372f439f25 X: ec274df1920dc0f690c8741b794127233745444161016ef950ad75c51db58c3e Y: d90974f1c42dac1cd4454561ac2d49af762f2ac87bf02436d461e7b661b43028 T: 18f511e750c97b592acd30db7d9e5fca660389102e6bf610c1bfbed4616c8362 S: 5d10705e0d1e43d5dbf30240ccfbde4a0230c70d4c79147ab0b317edad2f8ae7 K: 25bde0d875f0feb5755f45ba5e857889d916ecf7476f116aa31dc3e037ec4292 SPAKESupport: a0093007a0053003020101 SPAKEChallenge: a1363034a003020101a122042018f511e750c97b592acd30 db7d9e5fca660389102e6bf610c1bfbed4616c8362a20930 073005a003020101 Transcript hash after challenge: 22bb2271e34d329d52073c70b1d11879 73181f0bc7614266bb79ee80d3335175 Final transcript hash after pubkey: eaaa08807d0616026ff51c849efbf35b a0ce3c5300e7d486da46351b13d4605b KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009 1b077261656275726ea2101b0e415448454e412e4d49542e 454455a3233021a003020102a11a30181b066b7262746774 1b0e415448454e412e4d49542e454455a511180f31393730 303130313030303030305aa703020100a8053003020110 K'[0]: baf12fae7cd958cbf1a29bfbc71f89ce49e03e295d89dafd K'[1]: 64f73dd9c41908206bcec1f719026b574f9d13463d7a2520 K'[2]: 0454520b086b152c455829e6baeff78a61dfe9e3d04a895d K'[3]: 4a92260b25e3ef94c125d5c24c3e5bced5b37976e67f25c4 rc4-hmac edwards25519 key: 8846f7eaee8fb117ad06bdd830b7586c w (PRF+ output): 7c86659d29cf2b2ea93bfe79c3cefb88 50e82215b3ea6fcd896561d48048f49c w (reduced multiplier): 2713c1583c53861520b849bfef0525cd 4fe82215b3ea6fcd896561d48048f40c x: c8a62e7b626f44cad807b2d695450697e020d230a738c5cd5691cc781dce8754 y: 18fe7c1512708c7fd06db270361f04593775bc634ceaf45347e5c11c38aae017 X: b0bcbbdd25aa031f4608d0442dd4924be7731d49c089a8301859d77343ffb567 Y: 7d1ab8aeda1a2b1f9eab8d11c0fda60b616005d0f37d1224c5f12b8649f579a5 T: 7db465f1c08c64983a19f560bce966fe5306c4b447f70a5bca14612a92da1d63 S: 38f8d4568090148ebc9fd17c241b4cc2769505a7ca6f3f7104417b72b5b5cf54 K: 03e75edd2cd7e7677642dd68736e91700953ac55dc650e3c2a1b3b4acdb800f8 SPAKESupport: a0093007a0053003020101 SPAKEChallenge: a1363034a003020101a12204207db465f1c08c64983a19f5 60bce966fe5306c4b447f70a5bca14612a92da1d63a20930 073005a003020101 Transcript hash after challenge: 3cde9ed9b562a09d816885b6c225f733 6d9e2674bb4df903dfc894d963a2af42 Final transcript hash after pubkey: f4b208458017de6ef7f6a307d47d87db 6c2af1d291b726860f68bc08bfef440a KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009 1b077261656275726ea2101b0e415448454e412e4d49542e 454455a3233021a003020102a11a30181b066b7262746774 1b0e415448454e412e4d49542e454455a511180f31393730 303130313030303030305aa703020100a8053003020117 K'[0]: 770b720c82384cbb693e85411eedecba K'[1]: 621deec88e2865837c4d3462bb50a1d5 K'[2]: 1cc8f6333b9fa3b42662fd9914fbd5bb K'[3]: edb4032b7fc3806d5211a534dcbc390c aes128-cts-hmac-sha1-96 edwards25519 key: fca822951813fb252154c883f5ee1cf4 w (PRF+ output): 0d591b197b667e083c2f5f98ac891d3c 9f99e710e464e62f1fb7c9b67936f3eb w (reduced multiplier): 17c2a9030afb7c37839bd4ae7fdfeb17 9e99e710e464e62f1fb7c9b67936f30b x: 50be049a5a570fa1459fb9f666e6fd80602e4e87790a0e567f12438a2c96c138 y: b877afe8612b406d96be85bd9f19d423e95be96c0e1e0b5824127195c3ed5917 X: e73a443c678913eb4a0cad5cbd3086cf82f65a5a91b611e01e949f5c52efd6dd Y: 473c5b44ed2be9cb50afe1762b535b3930530489816ea6bd962622cccf39f6e8 T: 9e9311d985c1355e022d7c3c694ad8d6f7ad6d647b68a90b0fe46992818002da S: fbe08f7f96cd5d4139e7c9eccb95e79b8ace41e270a60198c007df18525b628e K: c2f7f99997c585e6b686ceb62db42f17cc70932def3bb4cf009e36f22ea5473d SPAKESupport: a0093007a0053003020101 SPAKEChallenge: a1363034a003020101a12204209e9311d985c1355e022d7c 3c694ad8d6f7ad6d647b68a90b0fe46992818002daa20930 073005a003020101 Transcript hash after challenge: 4512310282c01b39dd9aebd0cc2a5e53 2ed077a6c11d4c973c4593d525078797 Final transcript hash after pubkey: 951285f107c87f0169b9c918a1f51f60 cb1a75b9f8bb799a99f53d03add94b5f KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009 1b077261656275726ea2101b0e415448454e412e4d49542e 454455a3233021a003020102a11a30181b066b7262746774 1b0e415448454e412e4d49542e454455a511180f31393730 303130313030303030305aa703020100a8053003020111 K'[0]: 548022d58a7c47eae8c49dccf6baa407 K'[1]: b2c9ba0e13fc8ab3a9d96b51b601cf4a K'[2]: 69f0ee5fdb6c237e7fcd38d9f87df1bd K'[3]: 78f91e2240b5ee528a5cc8d7cbebfba5 aes256-cts-hmac-sha1-96 edwards25519 key: 01b897121d933ab44b47eb5494db15e50eb74530dbdae9b634d65020ff5d88c1 w (PRF+ output): e902341590a1b4bb4d606a1c643cccb3 f2108f1b6aa97b381012b9400c9e3f4e w (reduced multiplier): 35b35ca126156b5bf4ec8b90e9545060 f2108f1b6aa97b381012b9400c9e3f0e x: 88c6c0a4f0241ef217c9788f02c32d00b72e4310748cd8fb5f94717607e6417d y: 88b859df58ef5c69bacdfe681c582754eaab09a74dc29cff50b328613c232f55 X: 23c48eaff2721051946313840723b38f563c59b92043d6ffd752f95781af0327 Y: 3d51486ec1d9be69bc45386bb675c013db87fd0488f6a9cacf6b43e8c81a0641 T: 6f301aacae1220e91be42868c163c5009aeea1e9d9e28afcfc339cda5e7105b5 S: 9e2cc32908fc46273279ec75354b4aeafa70c3d99a4d507175ed70d80b255dda K: cf57f58f6e60169d2ecc8f20bb923a8e4c16e5bc95b9e64b5dc870da7026321b SPAKESupport: a0093007a0053003020101 SPAKEChallenge: a1363034a003020101a12204206f301aacae1220e91be428 68c163c5009aeea1e9d9e28afcfc339cda5e7105b5a20930 073005a003020101 Transcript hash after challenge: 23a5e72eb4dedd1ca860f43736c458f0 775c3bb1370a26af8a9374d521d70ec9 Final transcript hash after pubkey: 1c605649d4658b58cbe79a5faf227acc 16c355c58b7dade022f90c158fe5ed8e KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009 1b077261656275726ea2101b0e415448454e412e4d49542e 454455a3233021a003020102a11a30181b066b7262746774 1b0e415448454e412e4d49542e454455a511180f31393730 303130313030303030305aa703020100a8053003020112 K'[0]: a9bfa71c95c575756f922871524b6528 8b3f695573ccc0633e87449568210c23 K'[1]: 1865a9ee1ef0640ec28ac007391cac62 4c42639c714767a974e99aa10003015f K'[2]: e57781513fefdb978e374e156b0da0c1 a08148f5eb26b8e157ac3c077e28bf49 K'[3]: 008e6487293c3cc9fabbbcdd8b392d6d cb88222317fd7fe52d12fbc44fa047f1 aes256-cts-hmac-sha1-96 P-256 key: 01b897121d933ab44b47eb5494db15e50eb74530dbdae9b634d65020ff5d88c1 w (PRF+ output): eb2984af18703f94dd5288b8596cd369 88d0d4e83bfb2b44de14d0e95e2090bd w (reduced multiplier): eb2984af18703f94dd5288b8596cd369 88d0d4e83bfb2b44de14d0e95e2090bd x: 935ddd725129fb7c6288e1a5cc45782198a6416d1775336d71eacd0549a3e80e y: e07405eb215663abc1f254b8adc0da7a16febaa011af923d79fdef7c42930b33 X: 03bc802165aea7dbd98cc155056249fe0a37a9c203a7c0f7e872d5bf687bd105e2 Y: 0340b8d91ce3852d0a12ae1f3e82c791fc86df6b346006431e968a1b869af7c735 T: 024f62078ceb53840d02612195494d0d0d88de21feeb81187c71cbf3d01e71788d S: 021d07dc31266fc7cfd904ce2632111a169b7ec730e5f74a7e79700f86638e13c8 K: 0268489d7a9983f2fde69c6e6a1307e9d252259264f5f2dfc32f58cca19671e79b SPAKESupport: a0093007a0053003020102 SPAKEChallenge: a1373035a003020102a1230421024f62078ceb53840d0261 2195494d0d0d88de21feeb81187c71cbf3d01e71788da209 30073005a003020101 Transcript hash after challenge: 0a142afca77c2e92b066572a90389eac 40a6b1f1ed8b534d342591c0e7727e00 Final transcript hash after pubkey: 20ad3c1a9a90fc037d1963a1c4bfb15a b4484d7b6cf07b12d24984f14652de60 KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009 1b077261656275726ea2101b0e415448454e412e4d49542e 454455a3233021a003020102a11a30181b066b7262746774 1b0e415448454e412e4d49542e454455a511180f31393730 303130313030303030305aa703020100a8053003020112 K'[0]: 7d3b906f7be49932db22cd3463f032d0 6c9c078be4b1d076d201fc6e61ef531e K'[1]: 17d74e36f8993841fbb7feb12fa4f011 243d3ae4d2ace55b39379294bbc4db2c K'[2]: d192c9044081a2aa6a97a6c69e2724e8 e5671c2c9ce073dd439cdbaf96d7dab0 K'[3]: 41e5bad6b67f12c53ce0e2720dd6a988 7f877bf9463c2d5209c74c36f8d776b7 aes256-cts-hmac-sha1-96 P-384 key: 01b897121d933ab44b47eb5494db15e50eb74530dbdae9b634d65020ff5d88c1 w (PRF+ output): 0304cfc55151c6bbe889653db96dbfe0ba4acafc024c1e88 40cb3a486f6d80c16e1b8974016aa4b7fa43042a9b3825b1 w (reduced multiplier): 0304cfc55151c6bbe889653db96dbfe0 ba4acafc024c1e8840cb3a486f6d80c1 6e1b8974016aa4b7fa43042a9b3825b1 x: f323ca74d344749096fd35d0adf20806e521460637176e84d977e9933c49d76f cfc6e62585940927468ff53d864a7a50 y: 5b7c709acb175a5afb82860deabca8d0b341facdff0ac0f1a425799aa905d750 7e1ea9c573581a81467437419466e472 X: 0211e3334f117b76635dd802d4022f601680a1fd066a56606b7f246493a10351 7797b81789b225bd5bb1d9ae1da2962250 Y: 0383dfa413496e5e7599fc8c6430f8d6910d37cf326d81421bc92c0939b555c4 ca2ef6a993f6d3db8cb7407655ef60866e T: 02a1524603ef14f184696f854229d3397507a66c63f841ba748451056be07879 ac298912387b1c5cdff6381c264701be57 S: 020d5adfdb92bc377041cf5837412574c5d13e0f4739208a4f0c859a0a302bc6 a533440a245b9d97a0d34af5016a20053d K: 0264aa8c61da9600dfb0beb5e46550d63740e4ef29e73f1a30d543eb43c25499 037ad16538586552761b093cf0e37c703a SPAKESupport: a0093007a0053003020103 SPAKEChallenge: a1473045a003020103a133043102a1524603ef14f184696f 854229d3397507a66c63f841ba748451056be07879ac2989 12387b1c5cdff6381c264701be57a20930073005a0030201 01 Transcript hash after challenge: 4d4095d9f94552e15015881a3f2cf458 1be83217cf7ad830d2f051dba3ec8caa 6e354eaa85738d7035317ac557f8c294 Final transcript hash after pubkey: 5ac0d99ef9e5a73998797fe64f074673 e3952dec4c7d1aacce8b75f64d2b0276 a901cb8539b4e8ed69e4db0ce805b47b KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009 1b077261656275726ea2101b0e415448454e412e4d49542e 454455a3233021a003020102a11a30181b066b7262746774 1b0e415448454e412e4d49542e454455a511180f31393730 303130313030303030305aa703020100a8053003020112 K'[0]: b917d37c16dd1d8567fbe379f64e1ee3 6ca3fd127aa4e60f97e4afa3d9e56d91 K'[1]: 93d40079dab229b9c79366829f4e7e72 82e6a4b943ac7bac69922d516673f49a K'[2]: bfc4f16f12f683e71589f9a888e23287 5ef293ac9793db6c919567cd7b94bcd4 K'[3]: 3630e2b5b99938e7506733141e8ec344 166f6407e5fc2ef107c156e764d1bc20 aes256-cts-hmac-sha1-96 P-521 key: 01b897121d933ab44b47eb5494db15e50eb74530dbdae9b634d65020ff5d88c1 w (PRF+ output): de3a095a2b2386eff3eb15b735398da1caf95bc8425665d8 2370aff58b0471f34a57bccddf1ebf0a2965b58a93ee5b45 e85d1a5435d1c8c83662999722d542831f9a w (reduced multiplier): 003a095a2b2386eff3eb15b735398da1 caf95bc8425665d82370aff58b0471f3 4cce63791cfed967f0c94c16054b3e17 03133681bece1e05219f5426bc944b0f bfb3 x: 017c38701a14b490b6081dfc83524562be7fbb42e0b20426465e3e37952d30bc ab0ed857010255d44936a1515607964a870c7c879b741d878f9f9cdf5a865306 f3f5 y: 003e2e2950656fa231e959acdd984d125e7fa59cec98126cbc8f3888447911eb cd49428a1c22d5fdb76a19fbeb1d9edfa3da6cf55b158b53031d05d51433ade9 b2b4 X: 03003e95272223b210b48cfd908b956a36add04a7ff443511432f94ddd87e064 1d680ba3b3d532c21fa6046192f6bfae7af81c4b803aa154e12459d1428f8f2f 56e9f2 Y: 030064916687960df496557ecab08298bf075429eca268c6dabbae24e258d568 c62841664dc8ecf545369f573ea84548faa22f118128c0a87e1d47315afabb77 3bb082 T: 02017d3de19a3ec53d0174905665ef37947d142535102cd9809c0dfbd0dfe007 353d54cf406ce2a59950f2bb540df6fbe75f8bbbef811c9ba06cc275adbd9675 6696ec S: 02004d142d87477841f6ba053c8f651f3395ad264b7405ca5911fb9a55abd454 fef658a5f9ed97d1efac68764e9092fa15b9e0050880d78e95fd03abf5931791 6822b5 K: 03007c303f62f09282cc849490805bd4457a6793a832cbeb55df427db6a31e99 b055d5dc99756d24d47b70ad8b6015b0fb8742a718462ed423b90fa3fe631ac1 3fa916 SPAKESupport: a0093007a0053003020104 SPAKEChallenge: a1593057a003020104a145044302017d3de19a3ec53d0174 905665ef37947d142535102cd9809c0dfbd0dfe007353d54 cf406ce2a59950f2bb540df6fbe75f8bbbef811c9ba06cc2 75adbd96756696eca20930073005a003020101 Transcript hash after challenge: 554405860f8a80944228f1fa2466411d cf236162aa385e1289131b39e1fd59f2 5e58b4c281ff059c28dc20f5803b87c6 7571ce64cea01b39a21819d1ef1cdc7f Final transcript hash after pubkey: 8d6a89ae4d80cc4e47b6f4e48ea3e579 19cc69598d0d3dc7c8bd49b6f1db1409 ca0312944cd964e213aba98537041102 237cff5b331e5347a0673869b412302e KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009 1b077261656275726ea2101b0e415448454e412e4d49542e 454455a3233021a003020102a11a30181b066b7262746774 1b0e415448454e412e4d49542e454455a511180f31393730 303130313030303030305aa703020100a8053003020112 K'[0]: 1eb3d10bee8fab483adcd3eb38f3ebf1 f4feb8db96ecc035f563cf2e1115d276 K'[1]: 482b92781ce57f49176e4c94153cc622 fe247a7dbe931d1478315f856f085890 K'[2]: a2c215126dd3df280aab5a27e1e0fb7e 594192cbff8d6d8e1b6f1818d9bb8fac K'[3]: cc06603de984324013a01f888de6d43b 410a4da2dea53509f30e433c352fb668 aes256-cts-hmac-sha1-96 edwards25519, accepted optimistic challenge key: 01b897121d933ab44b47eb5494db15e50eb74530dbdae9b634d65020ff5d88c1 w (PRF+ output): e902341590a1b4bb4d606a1c643cccb3 f2108f1b6aa97b381012b9400c9e3f4e w (reduced multiplier): 35b35ca126156b5bf4ec8b90e9545060 f2108f1b6aa97b381012b9400c9e3f0e x: 70937207344cafbc53c8a55070e399c584cbafce00b836980dd4e7e74fad2a64 y: 785d6801a2490df028903ac6449b105f2ff0db895b252953cdc2076649526103 X: 13841224ea50438c1d9457159d05f2b7cd9d05daf154888eeed223e79008b47c Y: d01fc81d5ce20d6ea0939a6bb3e40ccd049f821baaf95e323a3657309ef75d61 T: 83523b35f1565006cbfc4f159885467c2fb9bc6fe23d36cb1da43d199f1a3118 S: 2a8f70f46cee9030700037b77f22cec7970dcc238e3e066d9d726baf183992c6 K: d3c5e4266aa6d1b2873a97ce8af91c7e4d7a7ac456acced7908d34c561ad8fa6 SPAKEChallenge: a1363034a003020101a122042083523b35f1565006cbfc4f 159885467c2fb9bc6fe23d36cb1da43d199f1a3118a20930 073005a003020101 Transcript hash after challenge: 0332da8ba3095ccd127c51740cb905ba c76e90725e769570b9d8338e6d62a7f2 Final transcript hash after pubkey: 26f07f9f8965307434d11ea855461d41 e0cbabcc0a1bab48ecee0c6c1a4292b7 KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009 1b077261656275726ea2101b0e415448454e412e4d49542e 454455a3233021a003020102a11a30181b066b7262746774 1b0e415448454e412e4d49542e454455a511180f31393730 303130313030303030305aa703020100a8053003020112 K'[0]: 4569ec08b5de5c3cc19d941725913ace 8d74524b521a341dc746acd5c3784d92 K'[1]: 0d96ce1a4ac0f2e280a0cfc31742b064 61d83d04ae45433db2d80478dd882a4c K'[2]: 58018c19315a1ba5d5bb9813b58029f0 aec18a6f9ca59e0847de1c60bc25945c K'[3]: ed7e9bffd68c54d86fb19cd3c03f317f 88a71ad9a5e94c28581d93fc4ec72b6a aes256-cts-hmac-sha1-96 P-521, rejected edwards25519 challenge key: 01b897121d933ab44b47eb5494db15e50eb74530dbdae9b634d65020ff5d88c1 w (PRF+ output): de3a095a2b2386eff3eb15b735398da1caf95bc8425665d8 2370aff58b0471f34a57bccddf1ebf0a2965b58a93ee5b45 e85d1a5435d1c8c83662999722d542831f9a w (reduced multiplier): 003a095a2b2386eff3eb15b735398da1 caf95bc8425665d82370aff58b0471f3 4cce63791cfed967f0c94c16054b3e17 03133681bece1e05219f5426bc944b0f bfb3 x: 01687b59051bf40048d7c31d5a973d792fa12284b7a447e7f5938b5885ca0bb2 c3f0bd30291a55fea08e143e2e04bdd7d19b753c7c99032f06cab0d9c2aa8f83 7ef7 y: 01ded675ebf74fe30c9a53710f577e9cf84f09f6048fe245a4600004884cc167 733f9a9e43108fb83babe8754cd37cbd7025e28bc9ff870f084c7244f536285e 25b4 X: 03001bed88af987101ef52db5b8876f6287eb49a72163876c2cf99deb94f4c74 9bfd118f0f400833cc8daad81971fe40498e6075d8ba0a2acfac35eb9ec8530e e0edd5 Y: 02007bd3bf214200795ea449852976f241c9f50f445f78ff2714fffe42983f25 cd9c9094ba3f9d7adadd6c251e9dc0991fc8210547e7769336a0ac406878fb94 be2f1f T: 02014cb2e5b592ece5990f0ef30d308c061de1598bc4272b4a6599bed466fd15 21693642abcf4dbe36ce1a2d13967de45f6c4f8d0fa8e14428bf03fb96ef5f1e d3e645 S: 02016c64995e804416f748fd5fa3aa678cbc7cbb596a4f523132dc8af7ce84e5 41f484a2c74808c6b21dcf7775baefa6753398425becc7b838b210ac5daa0cb0 b710e2 K: 0200997f4848ae2e7a98c23d14ac662030743ab37fccc2a45f1c721114f40bcc 80fe6ec6aba49868f8aea1aa994d50e81b86d3e4d3c1130c8695b68907c673d9 e5886a Optimistic SPAKEChallenge: a1363034a003020102a122042047ca8c 24c3a4a70b6eca228322529dadcfa85c f58faceecf5d5c02907b9e2deba20930 073005a003020101 SPAKESupport: a0093007a0053003020104 SPAKEChallenge: a1593057a003020104a145044302014cb2e5b592ece5990f 0ef30d308c061de1598bc4272b4a6599bed466fd15216936 42abcf4dbe36ce1a2d13967de45f6c4f8d0fa8e14428bf03 fb96ef5f1ed3e645a20930073005a003020101 Transcript hash after challenge: cb925b8baeae5e2867ab5b10ae1c941c 4ff4b58a4812c1f7bd1c862ad480a8e1 c6fcd5e88d846a2045e385841c91a75a d2035f0ff692717608e2a5a90842eff2 Final transcript hash after pubkey: d0efed5e3e2c39c26034756d92a66fec 3082ad793d0197f3f89ad36026f146a3 996e548aa3fc49e2e82f8cac5d132c50 5aa475b39e7be79cded22c26c41aa777 KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009 1b077261656275726ea2101b0e415448454e412e4d49542e 454455a3233021a003020102a11a30181b066b7262746774 1b0e415448454e412e4d49542e454455a511180f31393730 303130313030303030305aa703020100a8053003020112 K'[0]: 631fcc8596e7f40e59045950d72aa0b7 bac2810a07b767050e983841cf3a2d4c K'[1]: 881464920117074dbc67155a8f3341d1 121ef65f78ea0380bfa81a134c1c47b1 K'[2]: 377b72ac3af2caad582d73ae4682fd56 b531ee56706200dd6c38c42b8219837a K'[3]: 35ad8e4d580ed3f0d15ad928329773c0 81bd19f9a56363f3a5f77c7e66108c26]]></artwork>]]></sourcecode> <t>There are currently no encryption types with a seed size large enough to require multiple hash blocks during key derivation with any of the assigned hash functions. To exercise this possibility, the following test vector illustrates what keys would be derived if there were a copy of the edwards25519 group with group number -1 and associated hash function SHA-1:</t><artwork><![CDATA[<sourcecode type="test-vector"><![CDATA[ AES256 edwards25519 SHA-1 group number -1 key: 01b897121d933ab44b47eb5494db15e50eb74530dbdae9b634d65020ff5d88c1 w (PRF+ output): 26da6b118cee6fa5ea795ed32d61490d 82b2f11102312f3f2fc04fb01c93df91 w (reduced multiplier): d166c7cc9e72ca8c61f6a9185a987251 81b2f11102312f3f2fc04fb01c93df01 x: 606c1b668008ed78fe2eee942e8f08007f3f1dcbef66d37fd69033525bda2030 y: 10fc4e0bb1a902e58f632a1ea0bceb366360ac985f46996d956a02572bfcf050 X: 389621509665abad35eaab26eab3a0f593c7b4380562aa5513c1140fd78ce048 Y: de3ed05986eeac518958b566f9bad065b321402025cd188f3d198dc55c6d6b8d T: 2289a4f3c613e6e1df95e94aaa3c127dc062b9fceec3f9b62378dc729d61d0e3 S: f9a7fa352930dedb422d567700bfcd39ba221e7f9ac3e6b36f2b63b68b88642c K: 6f61d6b18323b6c3ddaac7c56712845335384f095d3e116f69feb926a04f1340 SPAKESupport: a0093007a00530030201ff SPAKEChallenge: a1363034a0030201ffa12204202289a4f3c613e6e1df95e9 4aaa3c127dc062b9fceec3f9b62378dc729d61d0e3a20930 073005a003020101 Transcript hash after challenge: f5c051eb75290f92142c bbe80557ec2c85902c94 Final transcript hash after pubkey: 9e26a3b148400c8f9cb8 545331e4e7dcab399cc0 KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009 1b077261656275726ea2101b0e415448454e412e4d49542e 454455a3233021a003020102a11a30181b066b7262746774 1b0e415448454e412e4d49542e454455a511180f31393730 303130313030303030305aa703020100a8053003020112 K'[0]: 40bceb51bba474fd29ae65950022b704 17b80d973fa8d8d6cd39833ff89964ad K'[1]: c29a7315453dc1cce938fa12a9e5c0db 2894b2194da14c9cd4f7bc3a6a37223d K'[2]: f261984dba3c230fad99d324f871514e 5aad670e44f00daef3264870b0851c25 K'[3]: d24b2b46bab7c4d1790017d9116a7eeb ca88b0562a5ad8989c826cb7dab715c7]]></artwork>]]></sourcecode> </section><section><name>Acknowledgements</name> <artwork><![CDATA[ Nico Williams (Cryptonector) Taylor Yu (MIT) ]]></artwork><section numbered="false"><name>Acknowledgements</name> <t><contact fullname="Nico Williams"/> (Cryptonector)</t> <t><contact fullname="Taylor Yu"/> (MIT)</t> </section> </back> </rfc>