SPAKE2+, an Augmented PAKE
draft-bar-cfrg-spake2plus-01

Document Type Active Internet-Draft (individual)
Last updated 2020-06-09
Stream (None)
Intended RFC status (None)
Formats plain text html xml pdf htmlized (tools) htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                         T. Taubert
Internet-Draft                                                Apple Inc.
Intended status: Informational                                 C.A. Wood
Expires: 11 December 2020                                    9 June 2020

                       SPAKE2+, an Augmented PAKE
                      draft-bar-cfrg-spake2plus-01

Abstract

   This document describes SPAKE2+, a Password Authenticated Key
   Exchange (PAKE) protocol run between two parties for deriving a
   strong shared key with no risk of disclosing the password.  SPAKE2+
   is an augmented PAKE protocol, as only one party has knowledge of the
   password.  This method is simple to implement, compatible with any
   prime order group and is computationally efficient.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Source for this draft and an issue tracker can be found at
   https://github.com/chris-wood/draft-bar-cfrg-spake2plus
   (https://github.com/chris-wood/draft-bar-cfrg-spake2plus).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 11 December 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Taubert & Wood          Expires 11 December 2020                [Page 1]
Internet-Draft                 spake2plus                      June 2020

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Notation . . . . . . . . . . . . . . . . . . . .   3
   3.  Definition of SPAKE2+ . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Offline Initialization  . . . . . . . . . . . . . . . . .   3
     3.2.  Protocol Flow . . . . . . . . . . . . . . . . . . . . . .   4
     3.3.  SPAKE2+ . . . . . . . . . . . . . . . . . . . . . . . . .   5
   4.  Key Schedule and Key Confirmation . . . . . . . . . . . . . .   7
   5.  Ciphersuites  . . . . . . . . . . . . . . . . . . . . . . . .   7
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   9
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   9
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  10
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  10
     9.2.  Informative References  . . . . . . . . . . . . . . . . .  11
   Appendix A.  Algorithm used for Point Generation  . . . . . . . .  11
   Appendix B.  Test Vectors . . . . . . . . . . . . . . . . . . . .  13
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  17

1.  Introduction

   This document describes SPAKE2+, a Password Authenticated Key
   Exchange (PAKE) protocol run between two parties for deriving a
   strong shared key with no risk of disclosing the password.  SPAKE2+
   is an augmented PAKE protocol, as only one party makes direct use of
   the password during the execution of the protocol.  The other party
   only needs a verification value at the time of the protocol execution
   instead of the password.  The verification value can be computed
   once, during an offline initialization phase.  The party using the
   password directly would typically be a client, and acts as a prover,
   while the other party would be a server, and acts as verifier.

   The protocol is augmented in the sense that it provides some
   resilience to the compromise or extraction of the verification value.
   The design of the protocol forces the adversary to recover the
   password from the verification value to successfully execute the
   protocol.  Hence this protocol can be advantageously combined with a
   salted Password Hashing Function to increase the cost of the recovery
Show full document text