Network Working GroupIndependent Submission A. BrusilovskyInternet-DraftRequest for Comments: 5683 I. FaynbergExpires: September 2009Category: Informational Z. Zeltsan ISSN: 2070-1721 Alcatel-Lucent S. Patel Google, Inc.April 2009January 2010 Password-Authenticated Key (PAK) Diffie-Hellman Exchange Abstract This document proposes to add mutual authentication, based on a human-memorizable password, to the basic, unauthenticated Diffie- Hellman key exchange. The proposed algorithm is called the Password-Authenticated Key (PAK)draft-brusilovsky-pak-10.txtexchange. PAK allows two parties to authenticate themselves while performing the Diffie-Hellman exchange. The protocol is secure against all passive and active attacks. In particular, it does not allow either type of attacker to obtain any information that would enable an offline dictionary attack on the password. PAK provides Forward Secrecy. Status ofthisThis Memo ThisInternet-Draftdocument is not an Internet Standards Track specification; it issubmittedpublished for informational purposes. This is a contribution toIETF in full conformance withtheprovisions of BCP 78 and BCP 79. Internet-Drafts are working documentsRFC Series, independently ofthe Internet Engineering Task Force (IETF),any other RFC stream. The RFC Editor has chosen to publish this document at itsareas,discretion and makes no statement about itsworking groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents validvalue for implementation or deployment. Documents approved for publication by the RFC Editor are not amaximumcandidate for any level of Internet Standard; see Section 2 of RFC 5741. Information about the current status ofsix monthsthis document, any errata, and how to provide feedback on it may beupdated, replaced, or obsoleted by other documentsobtained atany time. Ithttp://www.rfc-editor.org/info/rfc5683. IESG Note This RFC isinappropriatenot a candidate for any level of Internet Standard. The IETF disclaims any knowledge of the fitness of this RFC for any purpose and in particular notes that the decision touse Internet-Draftspublish is not based on IETF review for such things asreference materialsecurity, congestion control, orto cite them other than as "work in progress."inappropriate interaction with deployed protocols. Thelist of current Internet-Drafts can be accessedRFC Editor has chosen to publish this document athttp://www.ietf.org/ietf/1id-abstracts.txt. The listits discretion. Readers ofInternet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expirethis document should exercise caution inSeptember, 2009.evaluating its value for implementation and deployment. See RFC 3932 for more information. Copyright Notice Copyright (c)20092010 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http:trustee.ietf.org/license-info) in effect on the date of publication of thisdocument (http://trustee.ietf.org/license-info).document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.AbstractThis documentproposes to add mutual authentication, based on human-memorizable password, to the basic unauthenticated Diffie-Hellman key exchange.may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. Theproposed algorithm is called Password-authenticated Key exchange (PAK). PAK allows two partiesperson(s) controlling the copyright in some of this material may not have granted the IETF Trust the right toauthenticate themselves while performingallow modifications of such material outside theDiffie-Hellman exchange. The protocol is secure against all passiveIETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, andactive attacks. In particular,derivative works of itdoesmay notallow either type of attackersbe created outside the IETF Standards Process, except toobtain any information that would enableformat it for publication as anoff-line dictionary attack on the password. PAK provides Forward Secrecy.RFC or to translate it into languages other than English. Table of Contents 1. Introduction ....................................................3 2. Conventions .....................................................3 3. Password-Authenticated KeyexchangeExchange .............................4 4. Selection ofparameters 4.1Parameters .........................................5 4.1. Generalconsiderations 4.2 OTASPConsiderations .....................................5 4.2. Over-the-Air Service Provisioning (OTASP) andWLANWireless Local Area Network (WLAN) Diffie-HellmanparametersParameters andkey expansion functionsKey Expansion Functions ....................................5 5. SecurityconsiderationsConsiderations .........................................7 6.IANA considerations 7.Acknowledgments8..................................................8 7. References8.1......................................................8 7.1. Normativereferences 8.2References .......................................8 7.2. Informativereferences Authors' and contributors' addressesReferences .....................................8 1. Introduction PAK has the following advantages: - It provides asecuresecure, authenticatedkey exchangekey-exchange protocol. - It is secure against offline dictionary attacks when passwords are used. - It ensures Forward Secrecy. - Itis provedhas been proven to be as secure as the Diffie-Hellman solution. The PAK protocol[BMP00],([BMP00], [MP05],[X.1035][X.1035]) has been proven to be as secure as the Diffie-Hellman[RFC2631], [DH76]([RFC2631], [DH76]) in the random oracle model [BR93]. That is, PAK retains its security when used withlow-entropylow- entropy passwords. Therefore, it can be seamlessly integrated into existing applications, requiring secure authentication based on such low-entropy shared secrets. 2. Conventions - A is an identity ofAliceAlice. - B is an identity ofBobBob. - Ra is a secret random exponent selected byAA. - Rb is a secret random exponent selected byBB. - Xab denotes a value (X presumably computed by A) as derived byBB. - Yba denotes a value (Y presumably computed by B) as derived byAA. -aA mod b denotes the least non-negative remainder when a is divided byb;b. - Hi(u) denotes an agreed-on function (e.g., based on SHA-1,SHA-256,SHA- 256, etc.) computed over a string u;Thethe various H() act as independent random functions. H1(u) and H2(u) are the key derivation functions. H3(u), H4(u), and H5(u) are the hash functions. - s|t denotes concatenation of the strings s andt;t. - ^ denotesexponentiation;exponentiation. -multiplication,Multiplication, division, and exponentiation are performed over (Zp)*; in other words: 1) a*b always means a*b (modp)p). 2) a/b always means a * x (mod p), where x is the multiplicative inverse of b modulopp. 3) a^b means a^b (mod p). 3.Password AuthenticatedPassword-Authenticated KeyexchangeExchange Diffie-Hellman key agreement requires that both the sender and recipient of a message create their ownsecretsecret, random numbers and exchange the exponentiation of their respective numbers. PAK has two parties, Alice (A) and Bob (B), sharing a secret password PW that satisfies the following conditions:-H1(A|B|PW) != 0-H2(A|B|PW) !=0.0 The global Diffie-Hellmanpublicly-knownpublicly known constants, a prime p and a generator g, are carefully selected so that: 1. A safe prime p is large enough to make the computation of discrete logarithmsinfeasibleinfeasible, and 2. Powers of g modulo p cover the entire range of p-1 integers from 1 to p-1. (References demonstrate workingexampleexamples of selections). Initially, Alice (A) selects asecretsecret, random exponent Ra and computes g^Ra; Bob (B) selects asecretsecret, random exponent Rb and computes g^Rb. For efficiency purposes, short exponents could be used for Ra andRbRb, provided they have a certain minimum size. Then:-A --> B: {A, X = H1(A|B|PW)*(g^Ra)} (The above precondition on PW ensures that X !=0);0) Bob receives Q (presumably Q = X), verifies that Q != 0 (if Q = 0, Bob aborts the procedure); divides Q by H1(A|B|PW) to get Xab, the recovered value ofg^Ra; -g^Ra B --> A: {Y = H2(A|B|PW)*(g^Rb), S1 = H3(A|B|PW|Xab|g^Rb|(Xab)^Rb)} (The above precondition on PW ensures that Y != 0) Alice verifies that Y != 0; divides Y by H2(A|B|PW) to get Yba, the recovered value ofg^Rbg^Rb, and computes S1' = H3(A|B|PW|g^Ra|Yba|(Yba)^Ra); authenticates Bob by checking whether S1'equals= the received S1; if authenticated, then sets key K = H5(A|B|PW|g^Ra|Yba|(Yba)^Ra)-A --> B: S2 = H4(A|B|PW|g^Ra|Yba|(Yba)^Ra) Bob Computes S2' = H4(A|B|PW|Xab|g^Rb|(Xab)^Rb) and authenticates Alice by checking whether S2'equals= the received S2; ifauthenticatedauthenticated, then sets K = H5(A|B|PW|Xab|g^Rb|(Xab)^Rb) If any of the above verifications fails, the protocol halts; otherwise, both parties have authenticated each other and established the key. 4. Selection ofparametersParameters This section provides guidance on selection of the PAK parameters. First, it addresses general considerations, then it reports on specific implementations.4.14.1. GeneralconsiderationsConsiderations In general implementations, the parameters must be selected to meet algorithm requirements of [BMP00].4.2 OTASP4.2. Over-the-Air Service Provisioning (OTASP) andWLANWireless Local Area Network (WLAN) Diffie-HellmanparametersParameters andkey expansion functionsKey Expansion Functions [OTASP],[TIA 683],[TIA683], and [WLAN] pre-set public parameters p and g to their "published" values. This is necessary to protect against an attacker sending bogus p and gvaluesvalues, tricking the legitimate user to engage in improper Diffie-Hellman exponentiation and leaking some information about the password. According to [OTASP],[TIA 683],[TIA683], and [WLAN], g shall be set to 00001101, and p to the following 1024-bit prime number(Most-significant-bit(most significant bit first): 0xFFFFFFFF 0xFFFFFFFF 0xC90FDAA2 0x2168C234 0xC4C6628B 0x80DC1CD1 0x29024E08 0x8A67CC74 0x020BBEA6 0x3B139B22 0x514A0879 0x8E3404DD 0xEF9519B3 0xCD3A431B 0x302B0A6D 0xF25F1437 0x4FE1356D 0x6D51C245 0xE485B576 0x625E7EC6 0xF44C42E9 0xA637ED6B 0x0BFF5CB6 0xF406B7ED 0xEE386BFB 0x5A899FA5 0xAE9F2411 0x7C4B1FE6 0x49286651 0xECE65381 0xFFFFFFFF 0xFFFFFFFF In addition, if short exponents [MP05] are used for Diffie-Hellman parameters Ra and Rb, then they should have a minimum size of 384 bits. Theindependentindependent, random functions H1 and H2 should each output 1152bitsbits, assuming prime p is 1024 bits long and session keys K are 128 bits long. H3, H4, and H5 each output 128 bits. More information on instantiating random functions using hash functions can be found in [BR93]. We use the FIPS 180 SHA-1 hashing function [FIPS180] below to instantiate the random function as done in[WLAN],[WLAN]; however, SHA-256 can also be used: H1(z): SHA-1(1|1|z) mod 2^128 | SHA-1(1|2|z) mod 2^128|. . .||...| | SHA-1(1|9|z) mod 2^128 H2(z): SHA-1(2|1|z) mod 2^128 | SHA-1(2|2|z) mod 2^128|. . .||...| | SHA-1(2|9|z) mod 2^128 H3(z): SHA-1(3|len(z)|z|z) mod 2^128 H4(z): SHA-1(4|len(z)|z|z) mod 2^128 H5(z): SHA-1(5|len(z)|z|z) mod 2^128 In order to create 1152 output bits for H1 and H2, nine calls to SHA-1 are made and the 128least-significantleast significant bits of each output are used. The input payload of each call to SHA-1 consists of: a) 32 bits of functiontypetype, which for H1 is set to 1 and for H2 is set to 2; b) a32 bit32-bit counter value, which is incremented from 1 to 9 for each call to SHA-1; c) the argument z [for (A|B|PW)]. The functions H3, H4, and H5 require only one call to the SHA-1 hashing function and their respective payloads consist of: a) 32 bits of function type(e.g.(e.g., 3 for H3); b) a32 bit32-bit value for the bit length of the argument z; c) the actual argument repeated twice. Finally, the 128least-significantleast significant bits of the output are used. 5. Security Considerations Security considerationsThoseare as follows: - Identifiers Any protocol that uses PAK must specify a method for producing a single representation of identity strings. - Shared secret PAK involves the use of a shared secret. Protection of the shared values and managing (limiting) their exposure over time isessential,essential anditcan be achieved using well-known security policies and measures. If a single secret is shared among more than two entities (e.g., Alice, Bob, and Mallory), then Mallory can represent himself as Alice to Bob without Bob being any the wiser. - Selection of Diffie-Hellman parameters Theparameters,parameters p andg,g must be carefully selected in order not to compromise the shared secret. Only previouslyagreed uponagreed-upon values for parameters p and g should be used in the PAK protocol. This is necessary to protect against an attacker sending bogus p and g values and thus tricking the other communicating party in an improper Diffie-Hellman exponentiation. Both parties also need to randomly select a new exponent each time thekey agreementkey-agreement protocol is executed. If both parties re-use the same values, then Forward Secrecy property is lost. In addition, if short exponents Ra and Rb areusedused, then they should have a minimum size of 384 bits (assuming that 128-bit session keys are used). Historically, the developers, who strived for 128-bit security (and thus selected 256-bitexponents)exponents), added 128 bits to the exponents to ensure the securityreductionsreduction proofs. This should explain how an "odd" length of 384 has been arrived at. - Protection against attacks a) There is a potential attack, the so-called discrete logarithm attack on the multiplicative group of congruencies modulo p, in which an adversary can construct a table of discrete logarithms to be used as a "dictionary". A sufficiently large prime, p, must be selected to protect against such an attack. A proper 1024-bit value for p and an appropriate value for g are published in [WLAN] and[TIA 683].[TIA683]. For the moment, this is what has been implemented; however, a larger prime (i.e., one that is2048-bit long2048 bits long, or even larger) will definitely provide better protection. It is important to note that once this is done, the generator must bechanged,changed too, so this task must be approached with extreme care. b) Anon-lineonline password attack can be launched by an attacker by repeatedly guessing the password and attempting to authenticate. The implementers of PAK should consider employing mechanisms (such as lockouts) for preventing such attacks. - Recommendations on H() functions Theindependentindependent, random functions H1 and H2 should output 1152 bits each, assuming prime p is 1024 bits long and session keys K are 128 bits long. The random functions H3, H4, and H5 should output 128 bits. An example of secure implementation of PAK is provided in[Plan 9].[Plan9]. 6.IANA considerations No IANA considerations at this time 7.Acknowledgments The authors are grateful for the thoughtful comments received from Shehryar Qutub,Yaron Sheffer, andRayPerlner.Perlner, and Yaron Sheffer. Special thanks go to Alfred Hoenes, Tim Polk, and Jim Schaad forthetheir careful reviews and invaluable help in preparing the final version of this document.8.7. References8.17.1. NormativereferencesReferences [X.1035]ITU-T Recommendation X.1035 (2007), Password-authenticatedITU-T, "Password-authenticated key exchange (PAK)protocol [TIA 683] Over-the-Airprotocol", ITU-T Recommendation X.1035, 2007. [TIA683] TIA, "Over-the-Air Service Provisioning of Mobile Stations in Spread SpectrumSystems, TIA TIA-683-D 8.2Systems", TIA-683-D, May 2006. 7.2. Informativereferences [Plan 9] PlanReferences [Plan9] Alcatel-Lucent, "Plan 9? An open source operating system, which implements PAK http://netlib.bell-labs.com/plan9dist/from Bell Labs", http://netlib.bell-labs.com/plan9/. [BMP00]V.Boyko,P.V., MacKenzie, P., and S. Patel,Provably"Provably secure password authentication and key exchange usingDiffie-Hellman, Proc.Diffie- Hellman", Proceedings of Eurocrypt 2000. [BR93] Bellare, M.Bellareand P. Rogaway,Random"Random Oracles are Practical: A Paradigm for Designing EfficientProtocols, Proc. Of the fifth annual conferenceProtocols", Proceedings of the 5th Annual ACM Conference oncomputerComputer andcommunications security, 1993.Communications Security, 1998. [DH76] Diffie, W.Diffieand M.E. Hellman,New"New directions incryptography,cryptography", IEEE Transactions on Information Theory 22 (1976), 644-654. [FIPS180] NIST Federal Information Processing Standards, Publication FIPS 180-3,2008 [IEEE1363] IEEE P1363.2, April 24, 2002, The PAK suite: Protocols for Password-Authentication Key Exchange, P. MacKenzie"Secure Hash Standard", 2008. [MP05]P.MacKenzie, P. and S. Patel,Hard"Hard Bits of the Discrete Log with Applications to PasswordAuthentication,Authentication", CT-RSA 2005. [OTASP]Over-the-Air3GPP2, "Over-the-Air Service Provisioning of Mobile Stations in Spread SpectrumSystems,Systems", 3GPP2 C.S0016-C v. 1.0 5,3GPP2, 10/2004.October 2004. [RFC2631]IETF RFC 2631, E.Rescorla,Diffie-HellmanE., "Diffie-Hellman Key AgreementMethod, Standards track,1999Method", RFC 2631, June 1999. [WLAN]Wireless3GPP2, "Wireless Local Area Network (WLAN)Interworking,Interworking", 3GPP2 X.S0028-0, v.1.0,3GPP2, 4/2005April 2005. Authors'and Contributors'Addresses Alec Brusilovsky Alcatel-Lucent Room 9B-226, 1960 Lucent Lane Naperville, IL 60566-7217U SUSA Tel: +1 630 979 5490Email:EMail: abrusilovsky@alcatel-lucent.com Igor Faynberg Alcatel-Lucent Room 2D-144, 600 Mountain Avenue Murray Hill, NJ 07974 USA Tel: +1 908 582 2626Email:EMail: faynberg@alcatel-lucent.com Sarvar Patel Google, Inc. 76 Ninth Avenue New York, NY 10011 USA Tel: +1 212 565 5907Email:EMail: sarvar@google.com Zachary Zeltsan Alcatel-Lucent Room 2D-150, 600 Mountain Avenue Murray Hill, NJ 07974 USA Tel: +1 908 582 2359Email:EMail: zeltsan@alcatel-lucent.comIntellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.