The Security Evaluated Standardized Password Authenticated Key Exchange (SESPAKE) Protocol
draft-smyshlyaev-sespake-14
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 8133.
|
|
|---|---|---|---|
| Authors | Stanislav V. Smyshlyaev , Evgeny Alekseev , Igor Oshkin , Vladimir Popov | ||
| Last updated | 2016-12-21 | ||
| RFC stream | Independent Submission | ||
| Formats | |||
| IETF conflict review | conflict-review-smyshlyaev-sespake, conflict-review-smyshlyaev-sespake, conflict-review-smyshlyaev-sespake, conflict-review-smyshlyaev-sespake, conflict-review-smyshlyaev-sespake, conflict-review-smyshlyaev-sespake | ||
| Additional resources | |||
| Stream | ISE state | Response to Review Needed | |
| Consensus boilerplate | Unknown | ||
| Document shepherd | (None) | ||
| IESG | IESG state | Became RFC 8133 (Informational) | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-smyshlyaev-sespake-14
Network Working Group S. Smyshlyaev, Ed.
Internet-Draft E. Alekseev
Intended status: Informational I. Oshkin
Expires: June 24, 2017 V. Popov
CRYPTO-PRO
December 21, 2016
The Security Evaluated Standardized Password Authenticated Key Exchange
(SESPAKE) Protocol
draft-smyshlyaev-sespake-14
Abstract
This document specifies the Security Evaluated Standardized Password
Authenticated Key Exchange (SESPAKE) protocol. The SESPAKE protocol
provides password authenticated key exchange for usage in the systems
for protection of sensitive information. The security proofs of the
protocol were made for the case of an active adversary in the
channel, including MitM attacks and attacks based on the
impersonation of one of the subjects.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 24, 2017.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
Smyshlyaev, et al. Expires June 24, 2017 [Page 1]
Internet-Draft SESPAKE December 2016
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions used in this document . . . . . . . . . . . . . . 2
3. Notations . . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Protocol description . . . . . . . . . . . . . . . . . . . . 4
4.1. Protocol parameters . . . . . . . . . . . . . . . . . . . 5
4.2. Initial values of the protocol counters . . . . . . . . . 6
4.3. Protocol steps . . . . . . . . . . . . . . . . . . . . . 6
5. Construction of points Q_1,...,Q_N . . . . . . . . . . . . . 11
6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12
7. Security Considerations . . . . . . . . . . . . . . . . . . . 12
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
8.1. Normative References . . . . . . . . . . . . . . . . . . 13
8.2. Informative References . . . . . . . . . . . . . . . . . 14
Appendix A. Test examples for GOST-based protocol implementation 14
A.1. Examples of points . . . . . . . . . . . . . . . . . . . 14
A.2. Test examples . . . . . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 27
1. Introduction
The current document contains the description of the password
authenticated key exchange protocol SESPAKE (security evaluated
standardized password authenticated key exchange) for usage in the
systems for protection of sensitive information. The protocol is
intended to use for establishment of keys that are then used for
organization of secure channel for protection of sensitive
information. The security proofs of the protocol were made for the
case of an active adversary in the channel, including MitM attacks
and attacks based on the impersonation of one of the subjects.
2. Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Smyshlyaev, et al. Expires June 24, 2017 [Page 2]
Internet-Draft SESPAKE December 2016
3. Notations
This document uses the following parameters of elliptic curves in
accordance with [RFC6090]:
E an elliptic curve defined over a finite prime field GF(p),
where p > 3;
p the characteristic of the underlying prime field;
a, b the coefficients of the equation of the elliptic curve in the
canonical form;
m the elliptic curve group order;
q the elliptic curve subgroup order;
P a generator of the subgroup of order q;
X, Y the coordinates of the elliptic curve point in the canonical
form;
O zero point (point of infinity) of the elliptic curve.
This memo uses the following functions:
HASH the underlying hash function;
HMAC the function for calculating a message authentication code,
based on a HASH function in accordance with [RFC2104];
F(PW, salt, n) the value of the function PBKDF2(PW,salt,n,len),
where PBKDF2(PW,salt,n,len) is calculated according to
[RFC2898] The parameter len is considered equal to minimal
integer that is a multiple of 8 and satisfies the following
condition:
len >= floor(log_2(q)).
This document uses the following terms and definitions for the sets
and operations on the elements of these sets
B_n the set of byte strings of size n, n >= 0, for n = 0 the B_n
set consists of a single empty string of size 0; if b is an
element of B_n, then b = (b_1,...,b_n), where b_1,...,b_n are
elements of {0,...,255};
|| concatenation of byte strings A and C, i.e., if A in B_n1, C
in B_n2, A = (a_1,a_2,...,a_n1) and C = (c_1,c_2,...,c_n2),
Smyshlyaev, et al. Expires June 24, 2017 [Page 3]
Internet-Draft SESPAKE December 2016
then A||C = (a_1,a_2,...,a_n1,c_1,c_2,...,c_n2) is an element
of B_(n1+n2);
int(A) for the byte string A= (a_1,...,a_n) in B_n an integer int(A)
= 256^(n-1)a_n +...+ 256^(0)a_1;
bytes_n(X) the byte string A in B_n such that int(A) = X, where X is
integer, 0 <= X < 256^n;
BYTES(Q) for Q in E, the byte string bytes_n(X) || bytes_n(Y), where
X, Y are standard Weierstrass coordinates of point Q and n =
ceil(log_{256}(p)).
4. Protocol description
The main point of the SESPAKE protocol is that parties sharing a weak
key (a password) generate a strong common key. The active adversary
who has an access to a channel is not able to obtain any information
that can be used to find a key in offline mode, i.e. without
interaction with legitimate participants.
The protocol is used by the subjects A (client) and B (server) that
share some secret parameter that was established in an out-of-band
mechanism: a client is a participant who stores a password as a
secret parameter and a server is a participant who stores a password-
based computed point of the elliptic curve.
The SESPAKE protocol consists of two steps: the key agreement step
and the key confirmation step. During the first step (the key
agreement step) the parties exchange keys using Diffie-Hellman with
public components masked by an element that depends on the password -
one of the predefined elliptic curve points multiplied by the
password-based coefficient. This approach provides an implicit key
authentication, which means that after this step one party is assured
that no other party aside from a specifically identified second party
may gain access to the generated secret key. During the second step
(the key confirmation step) the parties exchange strings that
strongly depend on the generated key. After this step the parties
are assured that a legitimate party and no one else actually has
possession of the secret key.
To protect against online guessing attacks the failed connections
counters were introduced in the SESPAKE protocol. There is also a
special way of a small order point processing and a mechanism that
provides a reflection attack protection by using different operations
for different sides.
Smyshlyaev, et al. Expires June 24, 2017 [Page 4]
Internet-Draft SESPAKE December 2016
4.1. Protocol parameters
Various elliptic curves can be used in the protocol. For each
elliptic curve supported by clients the following values MUST be
defined:
o the protocol parameters identifier ID_ALG (which can also define a
HASH function, PRF used in PBKDF2 function, etc.), that is a byte
string of an arbitrary length;
o the point P, that is a generator point of the subgroup of order q
of the curve;
o the set of distinct curve points {Q_1,Q_2,...,Q_N} of order q,
where the total number of points N is defined for protocol
instance.
The method of generation of the points {P,Q_1,Q_2,...,Q_N} is
described in Section 5.
The protocol parameters that are used by subject A are the following:
1. The secret password value PW, which is a byte string that is
uniformly randomly chosen from a subset of cardinality 10^10 or
greater of the set B_k, where k ? 6 is password length.
2. The list of curve identifiers supported by A.
3. Sets of points {Q_1,Q_2,...,Q_N}, corresponding to curves
supported by A.
4. The C_1^A counter, that tracks the total number of unsuccessful
authentication trials in a row, and a value of CLim_1 that stores
the maximum possible number of such events.
5. The C_2^A counter, that tracks the total number of unsuccessful
authentication events during the period of usage of the specific
PW, and a value of CLim_2 that stores the maximum possible number
of such events.
6. The C_3^A counter, that tracks the total number of authentication
events (successful and unsuccessful) during the period of usage
of the specific PW, and a value of CLim_3 that stores the maximum
possible number of such events.
7. The unique identifier ID_A of the subject A (OPTIONAL), which is
a byte string of an arbitrary length.
Smyshlyaev, et al. Expires June 24, 2017 [Page 5]
Internet-Draft SESPAKE December 2016
The protocol parameters that are used by subject B are the following:
1. The values ind and salt, where ind is in {1,...,N}, salt is in
{1,...,2^128-1}.
2. The point Q_PW, satisfying the following equation:
Q_PW = int (F (PW, salt, 2000))*Q_ind.
It is possible that the point Q_PW is not stored and is
calculated using PW in the beginning of the protocol. In that
case B has to store PW and points Q_1,Q_2,...,Q_N.
3. The ID_ALG identifier.
4. The C_1^B counter, that tracks the total number of unsuccessful
authentication trials in a row, and a value of CLim_1 that stores
the maximum possible number of such events.
5. The C_2^B counter, that tracks the total number of unsuccessful
authentication events during the period of usage of the specific
PW, and a value of CLim_2 that stores the maximum possible number
of such events.
6. The C_3^B counter, that tracks the total number of authentication
events (successful and unsuccessful) during the period of usage
of the specific PW, and a value of CLim_3 that stores the maximum
possible number of such events.
7. The unique identifier ID_B of the subject B (OPTIONAL), which is
a byte string of an arbitrary length.
4.2. Initial values of the protocol counters
After the setup of a new password value PW the values of the counters
MUST be assigned as follows:
o C_1^A = C_1^B = CLim_1, where CLim_1 is in {3,...,5};
o C_2^A = C_2^B = CLim_2, where CLim_2 is in {7,...,20};
o C_3^A = C_3^B = CLim_3, where CLim_3 is in {10^3,10^3+1,...,10^5}.
4.3. Protocol steps
The basic SESPAKE steps are shown in the scheme below:
+-------------------------+-------------+---------------------------+
Smyshlyaev, et al. Expires June 24, 2017 [Page 6]
Internet-Draft SESPAKE December 2016
| A [A_ID, PW] | | B [B_ID, Q_PW , ind, |
| | | salt] |
+-------------------------+-------------+---------------------------+
| if C_1^A or C_2^A or | | |
| C_3^A = 0 ==> QUIT | | |
| | | |
| decrement C_1^A, C_2^A, | A_ID ---> | if C_1^B or C_2^B or |
| C_3^A by 1 | | C_3^B = 0 ==> QUIT |
| | | |
| z_A = 0 | <--- | decrement C_1^B, C_2^B, |
| | ID_ALG, | C_3^B by 1 |
| | B_ID | |
| | (OPTIONAL), | |
| | ind, salt | |
| | | |
| Q_PW^A = int(F(PW, | | |
| salt, 2000)) * Q_ind | | |
| | | |
| choose alpha randomly | | |
| from {1,...,q-1} | | |
| | | |
| u_1 = alpha*P - Q_PW^A | u_1 ---> | if u_1 not in E ==> QUIT |
| | | |
| | | z_B = 0 |
| | | |
| | | Q_B = u_1 + Q_PW |
| | | |
| | | choose betta randomly |
| | | from {1,...,q-1} |
| | | |
| | | if m/q*Q_B = O ==> Q_B = |
| | | betta*P, z_B = 1 |
| | | |
| | | K_B = HASH(BYTES((m/q*bet |
| | | ta*(mod q))*Q_B)) |
| | | |
| if u_2 not in E ==> | <--- u_2 | u_2 = betta*P + Q_PW |
| QUIT | | |
| | | |
| Q_A = u_2 - Q_PW^A | | |
| | | |
| if m/q*Q_A = O ==> Q_A | | |
| = alpha*P, z_A = 1 | | |
| | | |
| K_A = HASH(BYTES((m/q*a | | |
| lpha(mod q))*Q_A)) | | |
| | | |
| | | |
Smyshlyaev, et al. Expires June 24, 2017 [Page 7]
Internet-Draft SESPAKE December 2016
| | | |
| U_1 = BYTES(u_1), U_2 = | | |
| BYTES(u_2) | | |
| | | |
| MAC_A = HMAC(K_A, 0x01 | DATA_A, | U_1 = BYTES(u_1), U_2 = |
| || ID_A || ind || salt | MAC_A ---> | BYTES(u_2) |
| || U_1 || U_2 || ID_ALG | | |
| (OPTIONAL) || DATA_A) | | |
| | | |
| | | if MAC_A != HMAC(K_B, |
| | | 0x01 || ID_A || ind || |
| | | salt || U_1 || U_2 || |
| | | ID_ALG (OPTIONAL) || |
| | | DATA_A) ==> QUIT |
| | | |
| | | if z_B = 1 ==> QUIT |
| | | |
| | | C_1^B = CLim_1, increment |
| | | C_2^B by 1 |
| | | |
| if MAC_B != HMAC(K_A, | <--- | MAC_B = HMAC(K_B, 0x02 || |
| 0x02 || ID_B || ind || | DATA_B, | ID_B || ind || salt || |
| salt || U_1 || U_2 || | MAC_B | U_1 || U_2 || ID_ALG |
| ID_ALG (OPTIONAL) || | | (OPTIONAL) || DATA_A || |
| DATA_A || DATA_B) ==> | | DATA_B) |
| QUIT | | |
| | | |
| if z_A = 1 ==> QUIT | | |
| | | |
| C_1^A = CLim_1, | | |
| increment C_2^A by 1 | | |
+-------------------------+-------------+---------------------------+
Table 1: SESPAKE protocol steps
The full description of the protocol consists of the following steps:
1. If any of the counters C_1^A, C_2^A, C_3^A is equal to 0, A
finishes the protocol with an error that informs of exceeding
the number of trials that is controlled by the corresponding
counter.
2. A decrements each of the counters C_1^A, C_2^A, C_3^A by 1,
requests open authentication information from B and sends the
ID_A identifier.
3. If any of the counters C_1^B, C_2^B, C_3^B is equal to 0, B
finishes the protocol with an error that informs of exceeding
Smyshlyaev, et al. Expires June 24, 2017 [Page 8]
Internet-Draft SESPAKE December 2016
the number of trials that is controlled by the corresponding
counter.
4. B decrements each of the counters C_1^B, C_2^B, C_3^B by 1.
5. B sends the values of ind, salt and the ID_ALG identifier to A.
B also can OPTIONALLY send the ID_B identifier to A. All
following calculations are done by B in the elliptic curve group
defined by the ID_ALG identifier.
6. A sets the curve defined by the received ID_ALG identifier as
the used elliptic curve. All following calculations are done by
A in this elliptic curve group.
7. A calculates the point Q_PW^A = int (F (PW, salt, 2000))*Q_ind.
8. A chooses randomly (according to the uniform distribution) the
value alpha, alpha is in {1,...,q-1}, and assigns z_A = 0.
9. A sends the value u_1 = alpha*P - Q_PW^A to B.
10. After receiving u_1, B checks that u_1 is in E. If it is not, B
finishes with an error, considering the authentication process
unsuccessful.
11. B calculates Q_B = u_1 + Q_PW, assigns z_B = 0 and chooses
randomly (according to the uniform distribution) the value
betta, betta is in {1,...,q-1}.
12. If m/q*Q_B = O, B assigns Q_B = betta*P and z_B = 1.
13. B calculates K_B = HASH (BYTES(( m/q*betta*(mod q))*Q_B )).
14. B sends the value u_2 = betta*P + Q_PW to A.
15. After receiving u_2, A checks that u_2 is in E. If it is not, A
finishes with an error, considering the authentication process
unsuccessful.
16. A calculates Q_A = u_2 - Q_PW^A.
17. If m/q*Q_A = O, then A assigns Q_A = alpha*P and z_A = 1.
18. A calculates K_A = HASH (BYTES(( m/q*alpha(mod q))*Q_A )).
19. A calculates U_1 = BYTES(u_1), U_2 = BYTES(u_2).
Smyshlyaev, et al. Expires June 24, 2017 [Page 9]
Internet-Draft SESPAKE December 2016
20. A calculates MAC_A = HMAC (K_A, 0x01 || ID_A || ind || salt ||
U_1 || U_2 || ID_ALG (OPTIONAL) || DATA_A), where DATA_A is an
OPTIONAL string that is authenticated with MAC_A (if it is not
used, then DATA_A is considered to be of zero length).
21. A sends DATA_A, MAC_A to B.
22. B calculates U_1 = BYTES(u_1), U_2 = BYTES(u_2).
23. B checks that the values MAC_A and HMAC (K_B, 0x01 || ID_A ||
ind || salt || U_1 || U_2 || ID_ALG (OPTIONAL) || DATA_A) are
equal. If they are not, it finishes with an error, considering
the authentication process unsuccessful.
24. If z_B = 1, B finishes, considering the authentication process
unsuccessful.
25. B sets the value of C_1^B to CLim_1 and increments C_2^B by 1.
26. B calculates MAC_B = HMAC(K_B, 0x02 || ID_B || ind || salt ||
U_1 || U_2 || ID_ALG (OPTIONAL) || DATA_A || DATA_B), where
DATA_B is an OPTIONAL string that is authenticated with MAC_B
(if it is not used, then DATA_B is considered to be of zero
length).
27. B sends DATA_B, MAC_B to A.
28. A checks that the values MAC_B and HMAC (K_A, 0x02 || ID_B ||
ind || salt || U_1 || U_2 || ID_ALG (OPTIONAL) || DATA_A ||
DATA_B) are equal. If they are not, it finishes with an error,
considering the authentication process unsuccessful.
29. If z_A = 1, A finishes, considering the authentication process
unsuccessful.
30. A sets the value of C_1^A to CLim_1 and increments C_2^A by 1.
After the successful finish of the procedure the subjects A and B are
mutually authenticated and each subject has an explicitly
authenticated value of K = K_A = K_B.
N o t e s :
1. In the case when the interaction process can be initiated by any
subject (client or server) the ID_A and ID_B options MUST be used
and the receiver MUST check that the identifier he had received
is not equal to his own, otherwise, it finishes the protocol. If
an OPTIONAL parameter ID_A (or ID_B) is not used in the protocol,
Smyshlyaev, et al. Expires June 24, 2017 [Page 10]
Internet-Draft SESPAKE December 2016
it SHOULD be considered equal to a fixed byte string (zero-length
string is allowed) defined by a specific implementation.
2. The ind, ID_A, ID_B and salt parameters can be agreed in advance.
If some parameter is agreed in advance, it is possible not to
send it during a corresponding step. Nevertheless, all
parameters MUST be used as corresponding inputs to HMAC function
during stages 20, 23, 26 and 28.
3. The ID_ALG parameter can be fixed or agreed in advance.
4. The ID_ALG parameter is RECOMMENDED to be used in HMAC during
stages 20, 23, 26 and 28.
5. Continuation of protocol interaction in case of any of the
counters C_1^A, C_1^B being equal to zero MAY be done without
changing password. In this case these counters can be used for
protection against denial-of-service attacks. For example,
continuation of interaction can be allowed after a certain delay.
6. Continuation of protocol interaction in case of any of the
counters C_2^A, C_3^A, C_2^B, C_3^B being equal to zero MUST be
done only after changing password.
7. It is RECOMMENDED that during the stages 9 and 14 the points u_1
and u_2 are sent in a non-compressed format (BYTES(u_1) and
BYTES(u_2)). However, the point compression MAY be used.
8. The use of several Q points can reinforce the independence of the
data streams in case of working with several applications, when,
for example, two high-level protocols can use two different
points. However, the use of more than one point is OPTIONAL.
5. Construction of points Q_1,...,Q_N
This section provides an example of possible algorithm for generation
of each point Q_i in the set {Q_1,...,Q_N} that corresponds to the
given elliptic curve E.
The algorithm is based on choosing points with coordinates with a
known preimages of a cryptographic hash function H, which is the GOST
R 34.11-2012 hash function (see [RFC6986]) with 256-bit output, if
2^254 < q < 2^256, and the GOST R 34.11-2012 hash function (see
[RFC6986]) with 512-bit output , if 2^508 < q < 2^512.
The algorithm consists of the following steps:
1. Set i = 1, SEED = bytes_s(0), where s = 4 or more.
Smyshlyaev, et al. Expires June 24, 2017 [Page 11]
Internet-Draft SESPAKE December 2016
2. Calculate X = int(HASH(BYTES(P)||SEED)) mod p.
3. Check that the value of X^3 + aX + b is a quadratic residue in
the field F_p. If it is not, set SEED = bytes_s(int(SEED) + 1)
and return to Step 2.
4. Choose the value of Y arbitrarily from the set
{+sqrt(R),-sqrt(R)}, where R = X^3 + aX + b. Here sqrt(R) is an
element of F_p, for which (sqrt(R))^2 = R mod p.
5. Check that for point Q = (X,Y) the following relations hold: Q !=
O and q*Q = O. If they do, go to Step 6, if not, set SEED =
bytes_s(int(SEED) + 1) and return to Step 2.
6. Set Q_i = Q. If i < N, then set i = i+1 and go to Step 2, else
FINISH.
With the defined algorithm for any elliptic curve E point sets
{Q_1,...,Q_N} are constructed. Constructed points in one set MUST
have distinct X-coordinates.
N o t e : The knowledge of a hash function preimage prevents
knowledge of the multiplicity of any point related to generator point
P. It is of primary importance, because such a knowledge could be
used to implement an attack against protocol with exhaustive search
of password.
6. Acknowledgments
We thank Lolita Sonina, Georgiy Borodin, Sergey Agafin and Ekaterina
Smyshlyaeva for their careful readings and useful comments.
7. Security Considerations
Any cryptographic algorithms, particularly HASH function and HMAC
function, that are used in the SESPAKE protocol MUST be carefully
designed and MUST be able to withstand all known types of
cryptanalytic attack.
It is RECOMMENDED that the HASH function satisfies the following
condition:
hashlen <= log_2(q) + 4, where hashlen is the lengths of the HASH
function output.
The output length of hash functions that are used in the SESPAKE
protocol is RECOMMENDED to be greater or equal to 256 bits.
Smyshlyaev, et al. Expires June 24, 2017 [Page 12]
Internet-Draft SESPAKE December 2016
The points Q_1, Q_2,...,Q_N and P MUST be chosen in such a way that
they are provable pseudorandom. As a practical matter, this means
that the algorithm for generation of each point Q_i in the set
{Q_1,...,Q_N} (see Section 5) ensures that multiplicity of any point
under any other point is unknown.
For a certain ID_ALG using N = 1 is RECOMMENDED.
N o t e: The exact adversary models, which have been considered
during the security evaluation, can be found in the paper
[SESPAKE-SECURITY], containing the security proofs.
8. References
8.1. Normative References
[GOST3410-2012]
Federal Agency on Technical Regulating and Metrology (In
Russian), "Information technology. Cryptographic data
security. Signature and verification processes of
[electronic] digital signature", GOST R 34.10-2012, 2012.
[GOST3411-2012]
Federal Agency on Technical Regulating and Metrology (In
Russian), "Information technology. Cryptographic Data
Security. Hashing function", GOST R 34.11-2012, 2012.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104,
DOI 10.17487/RFC2104, February 1997,
<http://www.rfc-editor.org/info/rfc2104>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography
Specification Version 2.0", RFC 2898,
DOI 10.17487/RFC2898, September 2000,
<http://www.rfc-editor.org/info/rfc2898>.
[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic
Curve Cryptography Algorithms", RFC 6090,
DOI 10.17487/RFC6090, February 2011,
<http://www.rfc-editor.org/info/rfc6090>.
Smyshlyaev, et al. Expires June 24, 2017 [Page 13]
Internet-Draft SESPAKE December 2016
[RFC6986] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.11-2012:
Hash Function", RFC 6986, DOI 10.17487/RFC6986, August
2013, <http://www.rfc-editor.org/info/rfc6986>.
[RFC7091] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.10-2012:
Digital Signature Algorithm", RFC 7091,
DOI 10.17487/RFC7091, December 2013,
<http://www.rfc-editor.org/info/rfc7091>.
[RFC7836] Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V.,
Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines
on the Cryptographic Algorithms to Accompany the Usage of
Standards GOST R 34.10-2012 and GOST R 34.11-2012",
RFC 7836, DOI 10.17487/RFC7836, March 2016,
<http://www.rfc-editor.org/info/rfc7836>.
8.2. Informative References
[SESPAKE-SECURITY]
Smyshlyaev, S., Oshkin, I., Alekseev, E., and L.
Ahmetzyanova, "On the Security of One Password
Authenticated Key Exchange Protocol", 2015,
<http://eprint.iacr.org/2015/1237.pdf>.
Appendix A. Test examples for GOST-based protocol implementation
The following test examples are made for the protocol implementation
that is based on the Russian national standards GOST R 34.10-2012
[GOST3410-2012] and GOST R 34.11-2012 [GOST3411-2012]. The English
versions of these standards can be found in [RFC7091] and [RFC6986].
A.1. Examples of points
There is one point Q_1 for each of the elliptic curves below. This
points were constructed using the method described in Section 5, in
case when N = 1, where the GOST R 34.11-2012 hash function (see
[RFC6986]) with 256-bit output is used if 2^254 < q < 2^256, the GOST
R 34.11-2012 hash function (see [RFC6986]) with 512-bit output is
used if 2^508 < q < 2^512.
Each of the points complies with the GOST R 34.10-2012
[GOST3410-2012] standard and is represented by a pair of (X, Y)
coordinates in the canonical form and by a pair of (U, V) coordinates
in the twisted Edwards form in accordance with the document [RFC7836]
for the curves that have the equivalent representation in this form.
There is a SEED value for each point, by which it was generated.
A.1.1. Curve id-GostR3410-2001-CryptoPro-A-ParamSet
Smyshlyaev, et al. Expires June 24, 2017 [Page 14]
Internet-Draft SESPAKE December 2016
Point Q_1
X = 0x309dbc97423220b250bb9932bfaa84c26a56be4801f11b2b2eb2d6d5656722df
Y = 0xd74935344e2c0698fee963ef7df0205becbf4e2dc9c9fe3047e0721da418cc31
SEED:
00 00 00 00
A.1.2. Curve id-GostR3410-2001-CryptoPro-B-ParamSet
Point Q_1
X = 0x41c1f2635cde577b65e2711e82b1d9bffd91ce913f94ba2618eb2f218765c921
Y = 0x2a0637ce2e808540b80fcf06e496ce4495e2c7ce112990e9f54e9771318c9e01
SEED:
00 00 00 00
A.1.3. Curve id-GostR3410-2001-CryptoPro-C-ParamSet
Point Q_1
X = 0x06eed2bc5de91de8da7728fddfa70659604bb12bf9f111282da313db8fa2cb0c
Y = 0x881f29348d5e1d29b123a0e9d222c9c541dde0f6d9f5958dabc372768b12c5f6
SEED:
04 00 00 00
A.1.4. Curve id-tc26-gost-3410-2012-512-paramSetA
Point Q_1
X = 0x2a17f8833a32795327478871b5c5e88aefb91126c64b4b8327289bea62559425
d18198f133f400874328b220c74497cd240586cb249e158532cb8090776cd61c
Y = 0x8d70f3b58c4b725be316d7ca7052d94b8591f6b16c9d4517daa607c3223b13c5
b98942c8f812150b327a16696a39b3dbe1239dd417823f30780ae0bc9808da02
SEED:
01 00 00 00
A.1.5. Curve id-tc26-gost-3410-2012-512-paramSetB
Point Q_1
X = 0x7e1fae8285e035bec244bef2d0e5ebf436633cf50e55231dea9c9cf21d4c8c33
df85d4305de92971f0a4b4c07e00d87bdbc720eb66e49079285aaf12e0171149
Y = 0x2cc89998b875d4463805ba0d858a196592db20ab161558ff2f4ef7a85725d209
53967ae621afdeae89bb77c83a2528ef6fce02f68bda4679d7f2704947dbc408
SEED:
00 00 00 00
A.1.6. Curve id-tc26-gost-3410-2012-256-paramSetA
Point Q_1
X = 0x79507c89b398d65666110c4a0b1aa72cd1e31e49fc0f8b28623d1376d86c5924
Y = 0x88ff65cb730d2aeeb81f8c2b45afa2a5e3f34558dc7cbc42e7db56e063f18041
U = 0x0bf57df52df22001e604b64b13f1a73691d87ee44ac2f8f31343e32d7569104e
V = 0x7282b17987112925f2b9cad1926b7c7a6efd8a0454cc7e96ff079a6063dabde6
SEED:
15 00 00 00
A.1.7. Curve id-tc26-gost-3410-2012-512-paramSetC
Smyshlyaev, et al. Expires June 24, 2017 [Page 15]
Internet-Draft SESPAKE December 2016
Point Q_1
X = 0x489c91784e02e98f19a803abca319917f37689e5a18965251ce2ff4e8d8b298f
5ba7470f9e0e713487f96f4a8397b3d09a270c9d367eb5e0e6561adeeb51581d
Y = 0x97b1577a5359b150e4c011c93f7ad5c41c427fee4f10e71dfc0078fd72914a24
d3ebb5f2338ed89abd4028d35d5bc05b0b6c625992659f86c38fb5736b1e8eaf
U = 0xc5cb690681694c7b65b058249f026c7a7421766a71b41142fa594cdebde94c83
6265a9ff891815a68eb7d74e7040106690036740c2360d2c34f12c95f2952f3f
V = 0x52d884c8bf0ad6c5f7b3973e32a668daa1f1ed092eff138dae6203b2ccdec561
47464d35fec4b727b2480eb143074712c76550c7a54ff3ea26f70059480dcb50
SEED:
13 00 00 00
A.2. Test examples
This protocol implementation uses the GOST R 34.11-2012 hash function
(see [RFC6986]) with 256-bit output as the H function and the
HMAC_GOSTR3411_2012_512 function defined in [RFC7836] as a PRF
function for the F function. The parameter len is considered equal
to 256, if 2^254 < q < 2^256, and equal to 512, if 2^508 < q < 2^512.
The test examples for the point of each curve in Appendix A.1 are
given below.
A.2.1 Curve id-GostR3410-2001-CryptoPro-A-ParamSet
The input protocol parameters in this example take the following values:
N = 1
ind = 1
ID_A:
00 00 00 00
ID_B:
00 00 00 00
PW:
31 32 33 34 35 36 ('123456')
salt:
29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB
Q_ind:
X = 0x309DBC97423220B250BB9932BFAA84C26A56BE4801F11B2B2EB2D6D5656722DF
Y = 0xD74935344E2C0698FEE963EF7DF0205BECBF4E2DC9C9FE3047E0721DA418CC31
The function F (PW, salt, 2000) takes the following values:
F(PW,salt,2000):
BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71
D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67
The coordinates of the point Q_PW are:
X = 0x2961C9B3E975FDFD31A9A87618BF3E00DFD6F52CA9C3A3AEBAA6F39F445F7356
Y = 0x7458C27A6D161D3ECAC57BCEC9ECBAE9EF14F60DC85AE28F6642429265409864
During the calculation of the message u_1 on the subject A the parameter
alpha, the point alpha*P and the message u_1 take the following values:
alpha=0x1F2538097D5A031FA68BBB43C84D12B3DE47B7061C0D5E24993E0C873CDBA6B3
Smyshlyaev, et al. Expires June 24, 2017 [Page 16]
Internet-Draft SESPAKE December 2016
alpha*P:
X = 0xBBC77CF42DC1E62D06227935379B4AA4D14FEA4F565DDF4CB4FA4D31579F9676
Y = 0x8E16604A4AFDF28246684D4996274781F6CB80ABBBA1414C1513EC988509DABF
u_1:
X = 0x6952DF3333193201A4C946EB6B6D0F85C68222B4AF993B0A7A816C5BD684F979
Y = 0xC15106B7D8CB5A89F813CB6308CDB2A8B848F60C1C9F225E06A7EB4EA5C0D58E
During processing a message u_1, calculation the K_B key and the message
u_2 on the subject B the parameters betta, src, K_B = HASH(src), betta*P
and u_2 take the following values:
betta=0xDC497D9EF6324912FD367840EE509A2032AEDB1C0A890D133B45F596FCCBD45D
src:
2E 01 A3 D8 4F DB 7E 94 7B B8 92 9B E9 36 3D F5
F7 25 D6 40 1A A5 59 D4 1A 67 24 F8 D5 F1 8E 2C
A0 DB A9 31 05 CD DA F4 BF AE A3 90 6F DD 71 9D
BE B2 97 B6 A1 7F 4F BD 96 DC C7 23 EA 34 72 A9
K_B:
1A 62 65 54 92 1D C2 E9 2B 4D D8 D6 7D BE 5A 56
62 E5 62 99 37 3F 06 79 95 35 AD 26 09 4E CA A3
betta*P:
X = 0x6097341C1BE388E83E7CA2DF47FAB86E2271FD942E5B7B2EB2409E49F742BC29
Y = 0xC81AA48BDB4CA6FA0EF18B9788AE25FE30857AA681B3942217F9FED151BAB7D0
u_2:
X = 0xFE005686A8CA25A91EFAA891EE301F95881A1EBB95A3314445BCC2D46C2F7F76
Y = 0x3B9D486451A663165F7C4534AAE15FA17925DB6AB88B975C4B4FBA4E540E0ED1
During processing a message u_2 and calculation the key on the subject A
the K_A key takes the following value:
K_A:
1A 62 65 54 92 1D C2 E9 2B 4D D8 D6 7D BE 5A 56
62 E5 62 99 37 3F 06 79 95 35 AD 26 09 4E CA A3
The message MAC_A=HMAC (K_A, 0x01 || ID_A || ind || salt || u_1 || u_2)
from the subject A takes the following value:
MAC_A:
AF 49 FE D1 96 9E 09 5E 1B 00 45 D5 E7 48 2D F7
DD 07 7B 3B 13 33 58 31 85 EB F3 51 06 E9 9B 24
The message MAC_B=HMAC (K_B, 0x02 || ID_B || ind || salt || u_1 || u_2)
from the subject B takes the following value:
MAC_B:
17 81 15 B6 C7 5F 77 E1 8D 9A 6F 63 47 45 49 2A
74 D7 29 7A FA 93 98 F5 B7 D5 0A 7E 19 C6 F4 3C
A.2.2 Curve id-GostR3410-2001-CryptoPro-B-ParamSet
The input protocol parameters in this example take the following values:
N = 1
ind = 1
ID_A:
00 00 00 00
ID_B:
00 00 00 00
Smyshlyaev, et al. Expires June 24, 2017 [Page 17]
Internet-Draft SESPAKE December 2016
PW:
31 32 33 34 35 36 ('123456')
salt:
29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB
Q_ind:
X = 0x41C1F2635CDE577B65E2711E82B1D9BFFD91CE913F94BA2618EB2F218765C921
Y = 0x2A0637CE2E808540B80FCF06E496CE4495E2C7CE112990E9F54E9771318C9E01
The function F (PW, salt, 2000) takes the following values:
F(PW,salt,2000):
BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71
D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67
The coordinates of the point Q_PW are:
X = 0x09472603E9B4091241349C7355148D245C2477B7C5027BD7A846600B10C19CE0
Y = 0x20D8BF5708998671E5D40431AED9BCB92D37E0FB74ED15B7265DE8B8620815EF
During the calculation of the message u_1 on the subject A the parameter
alpha, the point alpha*P and the message u_1 take the following values:
alpha=0x499D72B90299CAB0DA1F8BE19D9122F622A13B32B730C46BD0664044F2144FAD
alpha*P:
X = 0x61D6F916DB717222D74877F179F7EBEF7CD4D24D8C1F523C048E34A1DF30F8DD
Y = 0x3EC48863049CFCFE662904082E78503F4973A4E105E2F1B18C69A5E7FB209000
u_1:
X = 0x2375FDFC25F6E8BC73572909CC0535C765A10695B4192DC658EBF548D989243C
Y = 0x755B0C4F57D55443312DFDB2457799A1706B94DF0F52AD6A2BD99B6FA1D6DA0F
During processing a message u_1, calculation the K_B key and the message
u_2 on the subject B the parameters betta, src, K_B = HASH(src), betta*P
and u_2 take the following values:
betta=0x0F69FF614957EF83668EDC2D7ED614BE76F7B253DB23C5CC9C52BF7DF8F4669D
src:
50 14 0A 5D ED 33 43 EF C8 25 7B 79 E6 46 D9 F0
DF 43 82 8C 04 91 9B D4 60 C9 7A D1 4B A3 A8 6B
00 C4 06 B5 74 4D 8E B1 49 DC 8E 7F C8 40 64 D8
53 20 25 3E 57 A9 B6 B1 3D 0D 38 FE A8 EE 5E 0A
K_B:
A6 26 DE 01 B1 68 0F F7 51 30 09 12 2B CE E1 89
68 83 39 4F 96 03 01 72 45 5C 9A E0 60 CC E4 4A
betta*P:
X = 0x33BC6F7E9C0BA10CFB2B72546C327171295508EA97F8C8BA9F890F2478AB4D6C
Y = 0x75D57B396C396F492F057E9222CCC686437A2AAD464E452EF426FC8EEED1A4A6
u_2:
X = 0x2B68ECA785C336DD6DAC136F81BC7DF626629FB5843B51CC613E84B932E89C2A
Y = 0x5E2D3621E6365AFFD90B294E3AB86C68FF51A2F8A730F2861DC67BDC693C407F
During processing a message u_2 and calculation the key on the subject A
the K_A key takes the following value:
K_A:
A6 26 DE 01 B1 68 0F F7 51 30 09 12 2B CE E1 89
68 83 39 4F 96 03 01 72 45 5C 9A E0 60 CC E4 4A
The message MAC_A=HMAC (K_A, 0x01 || ID_A || ind || salt || u_1 || u_2)
from the subject A takes the following value:
Smyshlyaev, et al. Expires June 24, 2017 [Page 18]
Internet-Draft SESPAKE December 2016
MAC_A:
92 78 0B 53 0D 0A CE B8 03 48 75 5E 52 0A 6A 7A
C8 78 B1 EA BF BD BB 2F 3B 4C 55 6E 57 8E 8F 53
The message MAC_B=HMAC (K_B, 0x02 || ID_B || ind || salt || u_1 || u_2)
from the subject B takes the following value:
MAC_B:
0D 53 A2 C3 0B B6 B8 F6 F0 7F 30 FE 83 F9 85 32
2B F7 C2 29 0E 11 93 D5 1B 3F 20 36 D2 10 32 F5
A.2.3 Curve id-GostR3410-2001-CryptoPro-C-ParamSet
The input protocol parameters in this example take the following values:
N = 1
ind = 1
ID_A:
00 00 00 00
ID_B:
00 00 00 00
PW:
31 32 33 34 35 36 ('123456')
salt:
29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB
Q_ind:
X = 0x06EED2BC5DE91DE8DA7728FDDFA70659604BB12BF9F111282DA313DB8FA2CB0C
Y = 0x881F29348D5E1D29B123A0E9D222C9C541DDE0F6D9F5958DABC372768B12C5F6
The function F (PW, salt, 2000) takes the following values:
F(PW,salt,2000):
BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71
D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67
The coordinates of the point Q_PW are:
X = 0x5CA067EC57D7376CF270C808A7E7D37736788E0575CAD74BFDC07AF541421DD3
Y = 0x9B0DCD79979AF5689D85EE9E8304053E5C3EEA6565428156BDDA995FC588C66C
During the calculation of the message u_1 on the subject A the parameter
alpha, the point alpha*P and the message u_1 take the following values:
alpha=0x3A54AC3F19AD9D0B1EAC8ACDCEA70E581F1DAC33D13FEAFD81E762378639C1A8
alpha*P:
X = 0x96B7F09C94D297C257A7DA48364C0076E59E48D221CBA604AE111CA3933B446A
Y = 0x54E4953D86B77ECCEB578500931E822300F7E091F79592CA202A020D762C34A6
u_1:
X = 0x919ACF0D8969A17F2D5CF8D2340237C26C747BD266BFC6CB8A17ABC95872EF26
Y = 0x18A4759F43951D553FCEF2D6C2F1013ED3BFD89243CE323EF5B5D87A68445ACD
During processing a message u_1, calculation the K_B key and the message
u_2 on the subject B the parameters betta, src, K_B = HASH(src), betta*P
and u_2 take the following values:
betta=0x448781782BF7C0E52A1DD9E6758FD3482D90D3CFCCF42232CF357E59A4D49FD4
src:
16 A1 2D 88 54 7E 1C 90 06 BA A0 08 E8 CB EC C9
D1 68 91 ED C8 36 CF B7 5F 8E B9 56 FA 76 11 94
D2 8E 25 DA D3 81 8D 16 3C 49 4B 05 9A 8C 70 A5
Smyshlyaev, et al. Expires June 24, 2017 [Page 19]
Internet-Draft SESPAKE December 2016
A1 B8 8A 7F 80 A2 EE 35 49 30 18 46 54 2C 47 0B
K_B:
BE 7E 7E 47 B4 11 16 F2 C7 7E 3B 8F CE 40 30 72
CA 82 45 0D 65 DE FC 71 A9 56 49 E4 DE EA EC EE
betta*P:
X = 0x4B9C0AB55A938121F282F48A2CC4396EB16E7E0068B495B0C1DD4667786A3EB7
Y = 0x223460AA8E09383E9DF9844C5A0F2766484738E5B30128A171B69A77D9509B96
u_2:
X = 0x8F306F662D05C8B1E41828D8AA9C9E2B12F16D7FAF7D04C7FE92243EBB708C15
Y = 0x05783E1516FC20E93D69070D0199EA1C65DACE6375174B11D99216FD5EE53A23
During processing a message u_2 and calculation the key on the subject A
the K_A key takes the following value:
K_A:
BE 7E 7E 47 B4 11 16 F2 C7 7E 3B 8F CE 40 30 72
CA 82 45 0D 65 DE FC 71 A9 56 49 E4 DE EA EC EE
The message MAC_A=HMAC (K_A, 0x01 || ID_A || ind || salt || u_1 || u_2)
from the subject A takes the following value:
MAC_A:
94 6E A7 88 94 59 39 D0 67 8A CA 21 8C DB 3C 71
F4 8A C3 2D 4F 96 AE C9 E6 D1 58 EF 77 7E 5F A3
The message MAC_B=HMAC (K_B, 0x02 || ID_B || ind || salt || u_1 || u_2)
from the subject B takes the following value:
MAC_B:
31 CD DB F2 D0 1C 6E 96 59 CE 68 B7 A7 51 E5 ED
D5 88 8D 1E 02 61 AA 2D F4 70 2F 47 64 E7 66 A7
A.2.4 Curve id-tc26-gost-3410-2012-512-paramSetA
The input protocol parameters in this example take the following values:
N = 1
ind = 1
ID_A:
00 00 00 00
ID_B:
00 00 00 00
PW:
31 32 33 34 35 36 ('123456')
salt:
29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB
Q_ind:
X = 0x2A17F8833A32795327478871B5C5E88AEFB91126C64B4B8327289BEA62559425
D18198F133F400874328B220C74497CD240586CB249E158532CB8090776CD61C
Y = 0x8D70F3B58C4B725BE316D7CA7052D94B8591F6B16C9D4517DAA607C3223B13C5
B98942C8F812150B327A16696A39B3DBE1239DD417823F30780AE0BC9808DA02
The function F (PW, salt, 2000) takes the following values:
F(PW,salt,2000):
BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71
D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67
1C 62 13 E3 93 0E FD DA 26 45 17 92 C6 20 81 22
Smyshlyaev, et al. Expires June 24, 2017 [Page 20]
Internet-Draft SESPAKE December 2016
EE 60 D2 00 52 0D 69 5D FD 9F 5F 0F D5 AB A7 02
The coordinates of the point Q_PW are:
X = 0x0C0AB53D0E0A9C607CAD758F558915A0A7DC5DC87B45E9A58FDDF30EC3385960
283E030CD322D9E46B070637785FD49D2CD711F46807A24C40AF9A42C8E2D740
Y = 0x206C57FED4792C5C2B075B2B7825EA038C614CE4DF4C4F17373FCD5507F8D39C
C83082A4BFB8E61A4BBF83BE265CDE95F735963D8EB7B16128D47555AD1D723C
During the calculation of the message u_1 on the subject A the parameter
alpha, the point alpha*P and the message u_1 take the following values:
alpha=0x3CE54325DB52FE798824AEAD11BB16FA766857D04A4AF7D468672F16D90E7396
046A46F815693E85B1CE5464DA9270181F82333B0715057BBE8D61D400505F0E
alpha*P:
X = 0xB93093EB0FCC463239B7DF276E09E592FCFC9B635504EA4531655D76A0A3078E
2B4E51CFE2FA400CC5DE9FBE369DB204B3E8ED7EDD85EE5CCA654C1AED70E396
Y = 0x809770B8D910EA30BD2FA89736E91DC31815D2D9B31128077EEDC371E9F69466
F497DC64DD5B1FADC587F860EE256109138C4A9CD96B628E65A8F590520FC882
u_1:
X = 0x81D5279D82647E0C294FF8D812E034D7B5260EB906279EB17A61A17A3B9B0FBC
E40DEA14329CE2DF5F89F74E833BFD023A5B8CD88AB8B4AC9B74572D5D33C58B
Y = 0x06648C66E449DF2F2FD59C07B60DAC6787A212FD7033F76D6A447403A10F91E2
B50F64C2E769DFC56B126546DA5CFD43E41E47A30A69C437996A3E9D5E5922D2
During processing a message u_1, calculation the K_B key and the message
u_2 on the subject B the parameters betta, src, K_B = HASH(src), betta*P
and u_2 take the following values:
betta=0xB5C286A79AA8E97EC0E19BC1959A1D15F12F8C97870BA9D68CC12811A56A3BB1
1440610825796A49D468CDC9C2D02D76598A27973D5960C5F50BCE28D8D345F4
src:
84 59 C2 0C B5 C5 32 41 6D B9 28 EB 50 C0 52 0F
B2 1B 9C D3 9A 4E 76 06 B2 21 BE 15 CA 1D 02 DA
08 15 DE C4 49 79 C0 8C 7D 23 07 AF 24 7D DA 1F
89 EC 81 20 69 F5 D9 CD E3 06 AF F0 BC 3F D2 6E
D2 01 B9 53 52 A2 56 06 B6 43 E8 88 30 2E FC 8D
3E 95 1E 3E B4 68 4A DB 5C 05 7B 8F 8C 89 B6 CC
0D EE D1 00 06 5B 51 8A 1C 71 7F 76 82 FF 61 2B
BC 79 8E C7 B2 49 0F B7 00 3F 94 33 87 37 1C 1D
K_B:
53 24 DE F8 48 B6 63 CC 26 42 2F 5E 45 EE C3 4C
51 D2 43 61 B1 65 60 CA 58 A3 D3 28 45 86 CB 7A
betta*P:
X = 0x238B38644E440452A99FA6B93D9FD7DA0CB83C32D3C1E3CFE5DF5C3EB0F9DB91
E588DAEDC849EA2FB867AE855A21B4077353C0794716A6480995113D8C20C7AF
Y = 0xB2273D5734C1897F8D15A7008B862938C8C74CA7E877423D95243EB7EBD02FD2
C456CF9FC956F078A59AA86F19DD1075E5167E4ED35208718EA93161C530ED14
u_2:
X = 0xDB665DF5A55A855A807445BD816398AFD810A1FF9328D39C2E7C92B350592EB9
15188922C58CD82DCD09480F8C6C9E714683F759CFB0C69314ACFE4814C482B4
Y = 0x1280DB5628E13CD177B06D5F4745104B09260BEAF4089917B96EC61953A42EDF
DC24852CA32C8DEA84D6F1B745EABF23E3042AFAE32FD6A25E652128B83C2B00
During processing a message u_2 and calculation the key on the subject A
Smyshlyaev, et al. Expires June 24, 2017 [Page 21]
Internet-Draft SESPAKE December 2016
the K_A key takes the following value:
K_A:
53 24 DE F8 48 B6 63 CC 26 42 2F 5E 45 EE C3 4C
51 D2 43 61 B1 65 60 CA 58 A3 D3 28 45 86 CB 7A
The message MAC_A=HMAC (K_A, 0x01 || ID_A || ind || salt || u_1 || u_2)
from the subject A takes the following value:
MAC_A:
D6 8B 7B A4 3B E5 38 DB 16 3B 91 0B 62 FF 9B 06
C1 89 1C F4 E9 5E DE CB 92 26 21 89 F2 3D 28 D6
The message MAC_B=HMAC (K_B, 0x02 || ID_B || ind || salt || u_1 || u_2)
from the subject B takes the following value:
MAC_B:
02 B1 AA 10 48 AF 93 7B C8 78 D0 7C 3C 83 D2 A6
63 FC 1E A3 4F 97 BA 0A 37 03 AA CC C9 96 2D A8
A.2.5 Curve id-tc26-gost-3410-2012-512-paramSetB
The input protocol parameters in this example take the following values:
N = 1
ind = 1
ID_A:
00 00 00 00
ID_B:
00 00 00 00
PW:
31 32 33 34 35 36 ('123456')
salt:
29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB
Q_ind:
X = 0x7E1FAE8285E035BEC244BEF2D0E5EBF436633CF50E55231DEA9C9CF21D4C8C33
DF85D4305DE92971F0A4B4C07E00D87BDBC720EB66E49079285AAF12E0171149
Y = 0x2CC89998B875D4463805BA0D858A196592DB20AB161558FF2F4EF7A85725D209
53967AE621AFDEAE89BB77C83A2528EF6FCE02F68BDA4679D7F2704947DBC408
The function F (PW, salt, 2000) takes the following values:
F(PW,salt,2000):
BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71
D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67
1C 62 13 E3 93 0E FD DA 26 45 17 92 C6 20 81 22
EE 60 D2 00 52 0D 69 5D FD 9F 5F 0F D5 AB A7 02
The coordinates of the point Q_PW are:
X = 0x7D03E65B8050D1E12CBB601A17B9273B0E728F5021CD47C8A4DD822E4627BA5F
9C696286A2CDDA9A065509866B4DEDEDC4A118409604AD549F87A60AFA621161
Y = 0x16037DAD45421EC50B00D50BDC6AC3B85348BC1D3A2F85DB27C3373580FEF87C
2C743B7ED30F22BE22958044E716F93A61CA3213A361A2797A16A3AE62957377
During the calculation of the message u_1 on the subject A the parameter
alpha, the point alpha*P and the message u_1 take the following values:
alpha=0x715E893FA639BF341296E0623E6D29DADF26B163C278767A7982A989462A3863
FE12AEF8BD403D59C4DC4720570D4163DB0805C7C10C4E818F9CB785B04B9997
alpha*P:
Smyshlyaev, et al. Expires June 24, 2017 [Page 22]
Internet-Draft SESPAKE December 2016
X = 0x10C479EA1C04D3C2C02B0576A9C42D96226FF033C1191436777F66916030D87D
02FB93738ED7669D07619FFCE7C1F3C4DB5E5DF49E2186D6FA1E2EB5767602B9
Y = 0x039F6044191404E707F26D59D979136A831CCE43E1C5F0600D1DDF8F39D0CA3D
52FBD943BF04DDCED1AA2CE8F5EBD7487ACDEF239C07D015084D796784F35436
u_1:
X = 0x45C05CCE8290762F2470B719B4306D62B2911CEB144F7F72EF11D10498C7E921
FF163FE72044B4E7332AD8CBEC3C12117820F53A60762315BCEB5BC6DA5CF1E0
Y = 0x5BE483E382D0F5F0748C4F6A5045D99E62755B5ACC9554EC4A5B2093E121A2DD
5C6066BC9EDE39373BA19899208BB419E38B39BBDEDEB0B09A5CAAEAA984D02E
During processing a message u_1, calculation the K_B key and the message
u_2 on the subject B the parameters betta, src, K_B = HASH(src), betta*P
and u_2 take the following values:
betta=0x30FA8C2B4146C2DBBE82BED04D7378877E8C06753BD0A0FF71EBF2BEFE8DA8F3
DC0836468E2CE7C5C961281B6505140F8407413F03C2CB1D201EA1286CE30E6D
src:
3F 04 02 E4 0A 9D 59 63 20 5B CD F4 FD 89 77 91
9B BA F4 80 F8 E4 FB D1 25 5A EC E6 ED 57 26 4B
D0 A2 87 98 4F 59 D1 02 04 B5 F4 5E 4D 77 F3 CF
8A 63 B3 1B EB 2D F5 9F 8A F7 3C 20 9C CA 8B 50
B4 18 D8 01 E4 90 AE 13 3F 04 F4 F3 F4 D8 FE 8E
19 64 6A 1B AF 44 D2 36 FC C2 1B 7F 4D 8F C6 A1
E2 9D 6B 69 AC CE ED 4E 62 AB B2 0D AD 78 AC F4
FE B0 ED 83 8E D9 1E 92 12 AB A3 89 71 4E 56 0C
K_B:
D5 90 E0 5E F5 AE CE 8B 7C FB FC 71 BE 45 5F 29
A5 CC 66 6F 85 CD B1 7E 7C C7 16 C5 9F F1 70 E9
betta*P:
X = 0x34C0149E7BB91AE377B02573FCC48AF7BFB7B16DEB8F9CE870F384688E3241A3
A868588CC0EF4364CCA67D17E3260CD82485C202ADC76F895D5DF673B1788E67
Y = 0x608E944929BD643569ED5189DB871453F13333A1EAF82B2FE1BE8100E775F13D
D9925BD317B63BFAF05024D4A738852332B64501195C1B2EF789E34F23DDAFC5
u_2:
X = 0x0535F95463444C4594B5A2E14B35760491C670925060B4BEBC97DE3A3076D1A5
81F89026E04282B040925D9250201024ACA4B2713569B6C3916A6F3344B840AD
Y = 0x40E6C2E55AEC31E7BCB6EA0242857FC6DFB5409803EDF4CA20141F72CC3C7988
706E076765F4F004340E5294A7F8E53BA59CB67502F0044558C854A7D63FE900
During processing a message u_2 and calculation the key on the subject A
the K_A key takes the following value:
K_A:
D5 90 E0 5E F5 AE CE 8B 7C FB FC 71 BE 45 5F 29
A5 CC 66 6F 85 CD B1 7E 7C C7 16 C5 9F F1 70 E9
The message MAC_A=HMAC (K_A, 0x01 || ID_A || ind || salt || u_1 || u_2)
from the subject A takes the following value:
MAC_A:
DE 46 BB 4C 8C E0 8A 6E F3 B8 DF AC CC 1A 39 B0
8D 8C 27 B6 CB 0F CF 59 23 86 A6 48 F4 E5 BD 8C
The message MAC_B=HMAC (K_B, 0x02 || ID_B || ind || salt || u_1 || u_2)
from the subject B takes the following value:
Smyshlyaev, et al. Expires June 24, 2017 [Page 23]
Internet-Draft SESPAKE December 2016
MAC_B:
EC B1 1D E2 06 1C 55 F1 D1 14 59 CB 51 CE 31 40
99 99 99 2F CA A1 22 2F B1 4F CE AB 96 EE 7A AC
A.2.6 Curve id-tc26-gost-3410-2012-256-paramSetA
The input protocol parameters in this example take the following values:
N = 1
ind = 1
ID_A:
00 00 00 00
ID_B:
00 00 00 00
PW:
31 32 33 34 35 36 ('123456')
salt:
29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB
Q_ind:
X = 0x79507C89B398D65666110C4A0B1AA72CD1E31E49FC0F8B28623D1376D86C5924
Y = 0x88FF65CB730D2AEEB81F8C2B45AFA2A5E3F34558DC7CBC42E7DB56E063F18041
The function F (PW, salt, 2000) takes the following values:
F(PW,salt,2000):
BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71
D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67
The coordinates of the point Q_PW are:
X = 0x310C046307536414C193126268A2F28B969D262B318A45F3765DD1E31C06D4DE
Y = 0x156F7711D121329F7FA5AB0708A694BF1DE799CFC467EAAB83707521B1DDD652
During the calculation of the message u_1 on the subject A the parameter
alpha, the point alpha*P and the message u_1 take the following values:
alpha=0x147B72F6684FB8FD1B418A899F7DBECAF5FCE60B13685BAA95328654A7F0707F
alpha*P:
X = 0x33FBAC14EAE538275A769417829C431BD9FA622B6F02427EF55BD60EE6BC2888
Y = 0x22F2EBCF960A82E6CDB4042D3DDDA511B2FBA925383C2273D952EA2D406EAE46
u_1:
X = 0x88736306F23710439D24AD67EA89CEF401856C4DC1D717DFBB781FD29B1A7353
Y = 0x067EFCB7A00E752C92EDF694B7D3D04948A1B457793495A466078F776F3E951F
During processing a message u_1, calculation the K_B key and the message
u_2 on the subject B the parameters betta, src, K_B = HASH(src), betta*P
and u_2 take the following values:
betta=0x30D5CFADAA0E31B405E6734C03EC4C5DF0F02F4BA25C9A3B320EE6453567B4CB
src:
A3 39 A0 B8 9C EF 1A 6F FD 4C A1 28 04 9E 06 84
DF 4A 97 75 B6 89 A3 37 84 1B F7 D7 91 20 7F 35
11 86 28 F7 28 8E AA 0F 7E C8 1D A2 0A 24 FF 1E
69 93 C6 3D 9D D2 6A 90 B7 4D D1 A2 66 28 06 63
K_B:
7D F7 1A C3 27 ED 51 7D 0D E4 03 E8 17 C6 20 4B
C1 91 65 B9 D1 00 2B 9F 10 88 A6 CD A6 EA CF 27
betta*P:
Smyshlyaev, et al. Expires June 24, 2017 [Page 24]
Internet-Draft SESPAKE December 2016
X = 0x2B2D89FAB735433970564F2F28CFA1B57D640CB902BC6334A538F44155022CB2
Y = 0x10EF6A82EEF1E70F942AA81D6B4CE5DEC0DDB9447512962874870E6F2849A96F
u_2:
X = 0xA7D1F51754416E65D3DEAEF33E93FB72572AA954392D306F15DC28922A73A4CC
Y = 0x5F8CE8692B52EE616BE3554A42983E9B6C22CF14521F625FE9A9A0D4B35C7408
During processing a message u_2 and calculation the key on the subject A
the K_A key takes the following value:
K_A:
7D F7 1A C3 27 ED 51 7D 0D E4 03 E8 17 C6 20 4B
C1 91 65 B9 D1 00 2B 9F 10 88 A6 CD A6 EA CF 27
The message MAC_A=HMAC (K_A, 0x01 || ID_A || ind || salt || u_1 || u_2)
from the subject A takes the following value:
MAC_A:
9C 39 A4 4F B4 B0 41 4B 3C 7E 0D 93 7E 5D 18 86
90 15 66 88 74 24 92 6C 22 B3 F8 93 F2 F8 13 98
The message MAC_B=HMAC (K_B, 0x02 || ID_B || ind || salt || u_1 || u_2)
from the subject B takes the following value:
MAC_B:
4C CB 94 EB 2E 29 E5 4E 47 15 61 F3 B9 19 F3 3F
47 6D DD 10 28 56 59 8C 59 78 9B 86 FC 2B 47 BB
A.2.7 Curve id-tc26-gost-3410-2012-512-paramSetC
The input protocol parameters in this example take the following values:
N = 1
ind = 1
ID_A:
00 00 00 00
ID_B:
00 00 00 00
PW:
31 32 33 34 35 36 ('123456')
salt:
29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB
Q_ind:
X = 0x489C91784E02E98F19A803ABCA319917F37689E5A18965251CE2FF4E8D8B298F
5BA7470F9E0E713487F96F4A8397B3D09A270C9D367EB5E0E6561ADEEB51581D
Y = 0x97B1577A5359B150E4C011C93F7AD5C41C427FEE4F10E71DFC0078FD72914A24
D3EBB5F2338ED89ABD4028D35D5BC05B0B6C625992659F86C38FB5736B1E8EAF
The function F (PW, salt, 2000) takes the following values:
F(PW,salt,2000):
BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71
D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67
1C 62 13 E3 93 0E FD DA 26 45 17 92 C6 20 81 22
EE 60 D2 00 52 0D 69 5D FD 9F 5F 0F D5 AB A7 02
The coordinates of the point Q_PW are:
X = 0x0185AE6271A81BB7F236A955F7CAA26FB63849813C0287D96C83A15AE6B6A864
67AB13B6D88CE8CD7DC2E5B97FF5F28FAC2C108F2A3CF3DB5515C9E6D7D210E8
Y = 0x12FDDF06D1088E58E39B133886792483FC2C84C1D54C17C0CD31A1F8B589D13F
Smyshlyaev, et al. Expires June 24, 2017 [Page 25]
Internet-Draft SESPAKE December 2016
7DAC361DEFD478ACD99ED8A3B4E2E92D87632543A7530208CE7218F549B0F40F
During the calculation of the message u_1 on the subject A the parameter
alpha, the point alpha*P and the message u_1 take the following values:
alpha=0x332F930421D14CFE260042159F18E49FD5A54167E94108AD80B1DE60B13DE799
9A34D611E63F3F870E5110247DF8EC7466E648ACF385E52CCB889ABF491EDFF0
alpha*P:
X = 0x561655966D52952E805574F4281F1ED3A2D498932B00CBA9DECB42837F09835B
FFBFE2D84D6B6B242FE7B57F92E1A6F2413E12DDD6383E4437E13D72693469AD
Y = 0xF6B18328B2715BD7F4178615273A36135BC0BF62F7D8BB9F080164AD36470AD0
3660F51806C64C6691BADEF30F793720F8E3FEAED631D6A54A4C372DCBF80E82
u_1:
X = 0xC20633FEA34B846489F627BBB1835E436FAA3DBA002C9C47921F28A976384962
A159C3E7F3F85797E1BAA86F17B290DD9DA86D829241422D37AB144D2C088BB4
Y = 0x31D6F6B1639D175C285316459B08713D69033166D854EEB1C72B27CBAA6916C4
606830B58F231CAC380797F81492EDE7558C21FEC01088A5C562BCD4D6E50F6C
During processing a message u_1, calculation the K_B key and the message
u_2 on the subject B the parameters betta, src, K_B = HASH(src), betta*P
and u_2 take the following values:
betta=0x38481771E7D054F96212686B613881880BD8A6C89DDBC656178F014D2C093432
A033EE10415F13A160D44C2AD61E6E2E05A7F7EC286BCEA3EA4D4D53F8634FA2
src:
4F 4D 64 B5 D0 70 08 E9 E6 85 87 4F 88 2C 3E 1E
60 A6 67 5E ED 42 1F C2 34 16 3F DE B4 4C 69 18
B7 BC CE AB 88 A0 F3 FB 78 8D A8 DB 10 18 51 FF
1A 41 68 22 BA 37 C3 53 CE C4 C5 A5 23 95 B7 72
AC 93 C0 54 E3 F4 05 5C ED 6F F0 BE E4 A6 A2 4E
D6 8B 86 FE FA 70 DE 4A 2B 16 08 51 42 A4 DF F0
5D 32 EC 7D DF E3 04 F5 C7 04 FD FA 06 0F 64 E9
E8 32 14 00 25 F3 92 E5 03 50 77 0E 3F B6 2C AC
K_B:
A0 83 84 A6 2F 4B E1 AE 48 98 FC A3 6D AA 3F AA
45 1B 3E C5 B5 9C E3 75 F8 9E 92 9F 4B 13 25 8C
betta*P:
X = 0xB7C5818687083433BC1AFF61CB5CA79E38232025E0C1F123B8651E62173CE687
3F3E6FFE7281C2E45F4F524F66B0C263616ED08FD210AC4355CA3292B51D71C3
Y = 0x497F14205DBDC89BDDAF50520ED3B1429AD30777310186BE5E68070F016A44E0
C766DB08E8AC23FBDFDE6D675AA4DF591EB18BA0D348DF7AA40973A2F1DCFA55
u_2:
X = 0x5C371E68D05C2919FE0B82B74E0B44F267F9A76EC8FE4DCD0B0D60C16D497BFE
5B741FDB98BBE0C254BE39F81FE53B907F07947723C92784F9724DF014F07346
Y = 0xF55086C0B4737A566F0CD27EF24905E686F168C3F07E294DBCD21ECF01FAF82A
56925311046B8029098232FA61DA9A1B756FE5CFCCCC23101766C113E1226B42
During processing a message u_2 and calculation the key on the subject A
the K_A key takes the following value:
K_A:
A0 83 84 A6 2F 4B E1 AE 48 98 FC A3 6D AA 3F AA
45 1B 3E C5 B5 9C E3 75 F8 9E 92 9F 4B 13 25 8C
The message MAC_A=HMAC (K_A, 0x01 || ID_A || ind || salt || u_1 || u_2)
Smyshlyaev, et al. Expires June 24, 2017 [Page 26]
Internet-Draft SESPAKE December 2016
from the subject A takes the following value:
MAC_A:
A5 74 AD 15 AC FD 81 A1 46 DC E9 0B 15 79 96 DD
23 EA 33 43 D8 2A 06 A1 95 36 B8 84 59 23 F9 5A
The message MAC_B=HMAC (K_B, 0x02 || ID_B || ind || salt || u_1 || u_2)
from the subject B takes the following value:
MAC_B:
04 12 AA 7E B2 8D AE 3A 98 5C 32 C2 72 C9 8F 81
62 8D 39 E7 A3 FA 36 C4 AB C5 4F 87 57 6E F8 A9
Authors' Addresses
Stanislav Smyshlyaev (editor)
CRYPTO-PRO
18, Suschevsky val
Moscow 127018
Russian Federation
Phone: +7 (495) 995-48-20
Email: svs@cryptopro.ru
Evgeny Alekseev
CRYPTO-PRO
18, Suschevsky val
Moscow 127018
Russian Federation
Phone: +7 (495) 995-48-20
Email: alekseev@cryptopro.ru
Igor Oshkin
CRYPTO-PRO
18, Suschevsky val
Moscow 127018
Russian Federation
Phone: +7 (495) 995-48-20
Email: oshkin@cryptopro.ru
Smyshlyaev, et al. Expires June 24, 2017 [Page 27]
Internet-Draft SESPAKE December 2016
Vladimir Popov
CRYPTO-PRO
18, Suschevsky val
Moscow 127018
Russian Federation
Phone: +7 (495) 995-48-20
Email: vpopov@cryptopro.ru
Smyshlyaev, et al. Expires June 24, 2017 [Page 28]