Internet Engineering Task Force T.Kwon, Sejong University INTERNET-DRAFT H. Yoon, Samsung SDS Intended Status: Standards Track S. Kim, Samsung SDS Expires: November 4, 2013 May 3, 2013 I-PAKE: Identity-Based Password Authenticated Key Exchange draft-kwon-yoon-kim-ipake-01 Abstract Although password authentication is the most widespread user authentication method today, cryptographic protocols for mutual authentication and key agreement, i.e., password authenticated key exchange (PAKE), in particular authenticated key exchange (AKE) based on a password only, are not actively used in the real world. This document introduces a quite novel form of PAKE protocols that employ a particular concept of ID-based encryption (IBE). The resulting cryptographic protocol is the ID-based password authenticated key exchange (I-PAKE) protocol which is a secure and efficient PAKE protocol in both soft- and hard-augmented models. I-PAKE achieves the security goals of AKE, PAKE, and hard-augmented PAKE. I-PAKE also achieves the great efficiency by allowing the whole pre-computation of the ephemeral Diffie-Hellman public keys by both server and client. Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html Expires November 4, 2013 [Page 1] INTERNET DRAFT I-PAKE May 3, 2013 Copyright and License Notice Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.1 Terminology . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 5 2.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . 5 2.2 Abbreviations . . . . . . . . . . . . . . . . . . . . . . . 5 2.3 Underlying Group . . . . . . . . . . . . . . . . . . . . . . 6 2.4 Notations . . . . . . . . . . . . . . . . . . . . . . . . . 6 3 Identity-Based Password Authenticated Key Exchange . . . . . . . 9 3.1 Initialization . . . . . . . . . . . . . . . . . . . . . . . 9 3.1.1 System Initialization . . . . . . . . . . . . . . . . . 9 3.1.2 Registration . . . . . . . . . . . . . . . . . . . . . . 9 3.2 Protocol Execution . . . . . . . . . . . . . . . . . . . . . 9 4 Security Considerations . . . . . . . . . . . . . . . . . . . . 13 4.1 General - Completeness . . . . . . . . . . . . . . . . . . . 13 4.1.1 Mutual Authentication . . . . . . . . . . . . . . . . . 13 4.1.2 Key Agreement . . . . . . . . . . . . . . . . . . . . . 13 4.2 I-PAKE - AKE Security . . . . . . . . . . . . . . . . . . . 13 4.2.1 Passive Attacks . . . . . . . . . . . . . . . . . . . . 13 4.2.2 Active Attacks . . . . . . . . . . . . . . . . . . . . . 14 4.2.3 Forward Secrecy . . . . . . . . . . . . . . . . . . . . 15 4.2.4 Known Session Key . . . . . . . . . . . . . . . . . . . 15 4.2.5 Key Control . . . . . . . . . . . . . . . . . . . . . . 16 4.3 I-PAKE - Dictionary Attack . . . . . . . . . . . . . . . . . 16 4.3.1 On-line Dictionary Attack . . . . . . . . . . . . . . . 16 4.3.2 Off-line Dictionary Attack . . . . . . . . . . . . . . . 17 4.4 I-PAKE - Server Compromise . . . . . . . . . . . . . . . . . 17 4.4.1 Soft-Augmented Model . . . . . . . . . . . . . . . . . . 17 4.4.2 Hard-Augmented Model . . . . . . . . . . . . . . . . . . 18 5 IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 18 Expires November 4, 2013 [Page 2] INTERNET DRAFT I-PAKE May 3, 2013 6 References . . . . . . . . . . . . . . . . . . . . . . . . . . 18 6.1 Normative References . . . . . . . . . . . . . . . . . . . 18 6.2 Informative References . . . . . . . . . . . . . . . . . . 18 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 19 Expires November 4, 2013 [Page 3] INTERNET DRAFT I-PAKE May 3, 2013 1 Introduction The most widespread user authentication method today is obviously password-based authentication; a user memorizes a textual and/or numerical password and makes its direct entry for authentication. There have been various attempts to enhance security of password- based authentication. Password authenticated key exchange (PAKE) is a cryptographic protocol to achieve both mutual authentication and secure key agreement based on a password only, i.e., without requiring a public key certificate [IEEE P1363.2]. That is, PAKE is an authenticated key exchange (AKE) protocol based on the user- memorable low-entropy password, so that both authenticated entities can only agree on a fresh session key. Augmented PAKE protocols allow a server to store a one-way function of password instead of the plain text, so as to mitigate the server compromise [RFC2945]. PAKE protocols, however, have not been deployed actively despite of their merits. Instead, for example, Web applications employ the SSL/TLS suite for secure transport of password information at the cost of manipulating and relying on server's public key certificates with regard to long-term security. This is in part due to that the password transport over SSL/TLS is easier for migration of existing password-based systems on the Web and also that PAKE protocols require a large amount of computation for security enhancement, e.g., for encrypting ephemeral Diffie-Hellman public keys under the low- entropy password. There still remains a security concern as for the augmented PAKE protocols. The protocols which said to resist a server compromise are prone to off-line guessing attacks if the server is really compromised. The password information stored in the server's storage for verification purposes can be exploited by adversaries to derive real passwords. Consequently, users are still in great danger. This document raises the fundamental questions as above to the existing form of PAKE protocols and attempts to provide a novel design to resolve these problems. We depart from the previous way of encrypting the ephemeral Diffie-Hellman public keys under the low- entropy password. Instead we map to for authentication. To the protocol, the former pair is the user input derived from the user's memory, while the latter is the server input fetched from the server's storage. We also introduce the hard- augmented model which enhances the previous, soft-augmented model for sever compromise security, based on the hardware security module (HSM). For the purposes, a particular concept of identity-based encryption (IBE) is employed. At the cost of pre-computation of the salt alphabet as for the ID alphabet, we can reduce the amount of computation in real time, i.e., at registration and authentication. Expires November 4, 2013 [Page 4] INTERNET DRAFT I-PAKE May 3, 2013 The resulting cryptographic protocol is the ID-based password authenticated key exchange (IPAKE) protocol which is a secure and efficient PAKE protocol in both soft- and hard-augmented models. IPAKE achieves the security goals of AKE, PAKE, and hard-augmented PAKE. IPAKE also achieves the great efficiency by allowing the whole pre-computation of the ephemeral Diffie-Hellman public keys by both server and client. 1.1 Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. Requirements Notation 2.1 Definitions Identity Based Encryption (IBE): Identity-based encryption (IBE) is a public-key encryption technology that allows a public key to be calculated from an identity and a set of public mathematical parameters and that allows for the corresponding private key to be calculated from an identity, a set of public mathematical parameters, and a domain-wide secret value [RFC5408]. The IBE framework is defined in [RFC5091], [RFC5408], and [RFC5409]. Password Authenticated Key Exchange (PAKE): Password authenticated key exchange (PAKE) is a cryptographic protocol to achieve both mutual authentication and key agreement securely based on a password only, i.e., without requiring a public key certificate. That is, PAKE is a form of authenticated key exchange (AKE) which is in particular based on the password for authentication. The PAKE framework is defined in [IEEE P1363.2], [ISO/IEC 11770-4], and [RFC2945]. 2.2 Abbreviations TDL Trapdoor Discrete Logarithm IBE Identity Based Encryption I-PAKE Identity-Based Password Authenticated Key Exchange AKE Authenticated Key Exchange Expires November 4, 2013 [Page 5] INTERNET DRAFT I-PAKE May 3, 2013 PKG Private Key Generator HSM Hardware Security Module MAC Message Authentication Code SSL/TLS Secure Socket Layer/Transport Layer Security CDH problem Computational Diffie-Hellman problem 2.3 Underlying Group The I-PAKE protocol can be implemented over the following group. Let N =p*q where p and q are sufficiently large B-smooth prime such that p = 3 (mod 4), q = 3 (mod 4), gcd(p - 1, q - 1) = 2. Let G be a multiplicative cyclic subgroup of Z_N^* with a generator g = g_m^2 where g_m is a generator of a maximal cyclic subgroup of Z_N^* of order phi(N)/2. The order of g is phi(N)/4. 2.4 Notations a||b A concatenation of a and b. A The alphabet of ID. An alphanumeric set is commonly used. T The alphabet of salt. A set of discrete logarithms of the A's elements in G. This set is maintained privately by the server's HSM_s. P The alphabet of password. An alphanumeric set with special characters is commonly used. User A human user who actually remembers a pair of ID and password for authentication. ID User's identity which is represented ID = ID_1||ID_2|| ... || ID_alpha where the ID_i is an element of Set A for all i in {1,2, ..., alpha}. Client or C Expires November 4, 2013 [Page 6] INTERNET DRAFT I-PAKE May 3, 2013 A protocol entity providing a user interface to User for ID and password entry, and a system interface to a remote server for running the protocol. Client represents User in the protocol. Server or S A protocol entity providing a system interface to Client for running the protocol, and storing a 3-tuple of ID, salt, and password-verifier for authentication. HSM_t and HSM_v Private hardware attached to Server. HSM_t stores Set T and is used for deriving salt given ID. HSM_v is only used in the hard- augmented model for computing a password-verifier. h A known random hash function which takes an arbitrary finite bit string and assigns it to an element of Z_N^*, where Z_N^* is a set of positive integers modulo N which are not zero divisors. In practice, a cryptographically secure one-way hash function is used. H It is defined as H(ID) = (h(ID))^2 for an ID. By definition, H takes an ID and assigns it to an elements of G. That is H(ID) = I is in G. In fact, ID = ID_1||ID_2|| ... || ID_alpha, H(ID) is calculated as H(ID_1) * H(ID_2) * ... * H(ID_alpha). h_i (i = 0, 1, 2, 3, 4, 5, 6) Known random hash functions. In practice, a cryptographically secure one-way hash function is used with distinct indices i. Each h_i takes an arbitrary finite bit string and assigns it to a finite string. The bit size of output of each h_i can be different from each other. t_ID The secret key of the client whose identity is ID. t_ID is a discrete logarithm of I = H(ID) based on g. That is, t_ID = log_g H(ID) = log_g H(ID_1) * H(ID_2) * ... * H(ID_alpha) = log_g H(ID_1) + log_g H(ID_2) + ... + log_g H(ID_alpha) = t_ID_1 + t_ID_2 + ... + t_ID_alpha. pw and PW "pw" is the password maintained by Client. Importantly, pw can be a plaintext of password, exactly remembered by User, or a one-way hash function of it, depending on the protocol and Server implementation. "PW" is the password maintained by Server. Importantly, PW can be equal to pw, exactly maintained by Client, or a one-way hash function of it, or a MAC of it, depending on the Expires November 4, 2013 [Page 7] INTERNET DRAFT I-PAKE May 3, 2013 protocol and Server implementation. V_PW A password-verifier maintained by Server, such that V_PW = h(ID,t_ID,PW). This value is derived from PW by hashing in the soft-augmented model or MAC in the hard-augmented model. That is PW = h'(pw) or PW = MAC_hk(pw), where h' is a cryptographically secure one-way hash function, MAC_hk is a message authentication code that takes an element in P and assigns it to a finite bit string where hk is a secret key of HSM_v. X and Y Ephemeral Diffie-Hellman public keys. X=g^x mod N and Y=g^y mod N, respectively, for randomly chosen x and y in Z_N^*. E_K(pw) Encryption of pw under the ephemeral high-entropy key K. The encryption function E is a secure symmetric key encryption function, for example, AES. C_1 and C_2 Confirmation messages in the protocol. ' An indicator that discriminates the values computed by the server from the same values computed by the client. For instance, sk and sk' might be the same values but computed by respective parties. Expires November 4, 2013 [Page 8] INTERNET DRAFT I-PAKE May 3, 2013 3 Identity-Based Password Authenticated Key Exchange I-PAKE is a two-party protocol where Client and Server authenticate each other and generate a session key together, based on a human- memorable password and ID information. For the purpose, the client and the server exchange messages involving ephemeral keying information and agree on a fresh session key. 3.1 Initialization The initialization SHOULD be finished before the I-PAKE protocol execution. 3.1.1 System Initialization Server MAY negotiate with PKG or play the role of PKG by itself, so as to generate system parameters including underlying group parameters, ID and salt alphabets, and required functions. Server MUST keep the salt alphabet, T, secure, e.g., in HSM_t, after the initialization. In the hard-augmented model, Server MUST initialize HSM_v as well. 3.1.2 Registration User SHOULD select ID and a memorable password, and register them to Server through a secure channel. The secure channel at registration is out of scope in this document. Client MAY receive the User's input and set the password as pw, so as to submit ID and pw to Server. Server MUST fetch the discrete logarithms of H(ID_i) from T for ID, and set their sum as User's salt, t_ID. Server MAY set the received pw as PW, so as to compute a password-verifier. In the hard-augmented model, Server MUST negotiate with HSM_v for obtaining PW such that PW = MAC_hk(pw). In the soft-augmented model, Server MAY set PW as a function of pw. Server SHOULD store ID, t_ID, and V_PW in its storage after computing the password-verifier such that V_PW = h(ID,t_ID,PW) User MAY update the memorable password with a new one, and register it to Server again. 3.2 Protocol Execution Expires November 4, 2013 [Page 9] INTERNET DRAFT I-PAKE May 3, 2013 User MUST input ID and password at the user interface provided by Client. The protocol SHOULD be executed between Server and Client. +------------+ +-------------+ | | | | | Client | MESSAGE_1 | Server | | | -------------> | | | | MESSAGE_2 | | | | <------------ | | | | MESSAGE_3 | | | | -------------> | | +-------+ | | MESSAGE_4 | | --- | HSM_v | | | <------------- | | +-------+ | | | | +------------+ +-------------+ Client ----> Server Client SHALL choose a random x from Z_N^* and computes its ephemeral Diffie-Hellman public key X = g^x mod N. It is an OPTION that this computation MAY be done as pre-computation. MESSAGE_1 = ID, X Server ----> Client If the received value X is 1, 0, or -1, then Server MUST terminate this protocol execution. Upon receiving MESSAGE_1, Server SHALL select a random y from Z_N^* and compute Y=g^y mod N. It is an OPTION that this computation MAY be done as pre- computation. MESSAGE_2 = Y Client ----> Server If the received value Y is 1, 0, or -1, then Client MUST terminate this protocol execution. Upon receiving MESSAGE_2, Client SHALL perform the following: o Action 1: Calculate I = H(ID). o Action 2: Calculate e = h_0(ID,C,S,X,Y,I). o Action 3: Calculate Z = (YI^e)^x mod N. Expires November 4, 2013 [Page 10] INTERNET DRAFT I-PAKE May 3, 2013 o Action 4: Calculate the secret key K = h_1(ID,C,S,X,Y,I,Z). o Action 5: Calculate the session key sk = h_2(ID,C,S,X,Y,I,Z). o Action 6: Encrypt the password pw using the secret key K, E_K(pw). o Action 7: Calculate C_1 = h_3(ID,C,S,X,Y,I,sk). MESSAGE_3 = E_K(pw), C_1 Server ----> Client Upon receiving MESSAGE_3, Server SHALL perform the following: o Action 1: Calculate I = H(ID). o Action 2: Calculate e = h_0(ID,C,S,X,Y,I). o Action 3: Calculate Z' = X^(y+t_ID*e) mod N. o Action 4: Calculate the secret key K' = h_1(ID,C,S,X, Y, I, Z'). o Action 5: Calculate the session key sk' = h_2(ID,C,S,X, Y, I, Z'). o Action 6: Decrypt the received E_K(pw) using the secret key K'. o Action 7: Calculate the password verifier V_PW = h(ID,t_ID,PW), where PW is MAC_hk(pw) in the hard-augmented model or h(pw) in the soft-augmented model. If the calculated V_PW is not equal to the saved V_PW then Server MUST terminate this protocol execution. Otherwise, Server SHALL perform the following: o Action 8: Calculate C_1' = h_3(ID,C,S,X,Y,I,sk). If the received C_1 in MESSAGE_3 is not equal to C_1' then Server MUST terminate this protocol execution. Otherwise, Server shall perform the following: o Action 9: Calculate C_2 = h_4(ID,C,S,X,Y,I,sk'). Expires November 4, 2013 [Page 11] INTERNET DRAFT I-PAKE May 3, 2013 MESSAGE_4 = C_2 Since (YI^e)^x = (g^y * (g^sID)^e)^x = g^xy * g^((s_ID)ex) = X^y * X^(s_ID * e) = X^(y + s_ID*e), K = K' and sk = sk'. That is, Server calculates the same secret key with Client and can decrypt the MESSAGE_3 and obtain the same password pw. Server can confirm that Client is now operated by authenticated User and agree on the session key sk to be shared with Client. Client Upon receiving MESSAGE_4, Client SHALL perform the following: o Action 1: Calculate C_2' = h_4(ID,C,S,X,Y,I,sk'). If the received C_2 does not equal to C_2' then Client MUST terminate this protocol execution. Otherwise, Client can confirm that Server is authenticated and agree on the session key sk to be shared with Server. Expires November 4, 2013 [Page 12] INTERNET DRAFT I-PAKE May 3, 2013 4 Security Considerations 4.1 General - Completeness The I-PAKE protocol is a cryptographic protocol that achieves mutual authentication and key agreement, based on a human- memorable password and ID information, between two entities. 4.1.1 Mutual Authentication A user is authenticated by a server through a pair of ID and memorable password pw in the I-PAKE protocol. For the purpose, a client of the user should submit the encryption of pw under a correct fresh encryption key K, along with the user's ID, in the protocol. Note that pw can be a secure one-way hash function of real memorable password. The server is authenticated by the client through the salt, that is, the user's ID information based on IBE, in the I-PAKE protocol. For the purpose, the server must show the confirmation that the same session key has been derived based on the salt. 4.1.2 Key Agreement A client and a server both exchange ephemeral Diffie-Hellman public keys, X and Y, and agree on the same key incorporating the correct Diffie-Hellman key based on them. 4.2 I-PAKE - AKE Security The I-PAKE protocol is an AKE protocol based on a memorable password and ID information. Thus, it fulfills the requirements of AKE security. 4.2.1 Passive Attacks We say that an AKE protocol is secure against passive attacks if an adversary who merely observes honest entities carrying out the protocol, fails to derive a session key, which was authenticated and agreed by the honest entities. IPAKE is a secure AKE protocol because the messages, (U, X), (S, Y), C1, and C2, eavesdropped by a passive attacker, do not reveal the corresponding session key, sk, due to the CDH problem and the secure one-way hash function. More specifically, sk and K are secure one-way hash functions of Expires November 4, 2013 [Page 13] INTERNET DRAFT I-PAKE May 3, 2013 protocol messages involving the seed key, zk, denoted as follows. zk=Z*Z'^e mod N Note that Z is a Diffie-Hellman key of X and Y, i.e., Z=g^(xy) mod N; Z' can be seen as another form of the Diffie-Hellman key of X and I, i.e., Z=g^(xt) mod N; and e is a secure one-way hash function of protocol messages involving X, Y, and I, i.e., e=h0(U,S,X,Y,I). The confirmation messages, C1 and C2, are secure one-way hash functions of protocol messages involving sk. The I-PAKE protocol is secure against the passive attacks. 4.2.2 Active Attacks We say that an AKE protocol is secure against active attacks if an adversary who controls the protocol messages, e.g., by injection, interception, replay, and/or modification, fails to subvert the communications of the honest entities. o Impersonation of client: In order to impersonate a client of a target user, an adversary should obtain the encryption of pw under a fresh encryption key K and its confirmation message C1. (1) Although the adversary can inject a new message X to the protocol and derive K from x and Y, the probability of constructing the correct encryption of pw is bounded by the password space. (2) Although the adversary can replay the old message X' generated previously by the honest client, the new encryption key K must be different from the old encryption key K' due to the server's new ephemeral key Y that is different from the old ephemeral key Y'. In both cases, the adversary cannot construct the correct encryption of pw and its confirmation message C1, and thus fails to impersonate the client. o Impersonation of server: In order to impersonate a server, an adversary should obtain a correct encryption key K and its confirmation message C2. (1) Although the adversary can inject a new message Y to the protocol, the probability of computing K is bounded by the salt space. (2) Although the adversary can replay the old message Y' generated previously by the honest server, the new decryption key K must be different from the old encryption key K' due to the client's new ephemeral key X that is also distinct from the old ephemeral key X'. (3) Although the adversary can modify a new message Y, e.g., Y=g^y*I^(1/e') mod Expires November 4, 2013 [Page 14] INTERNET DRAFT I-PAKE May 3, 2013 N, for the purpose of canceling out I and so the slat s when computing a fresh key K from X, Y, and the secure one-way hash function e, the probability of obtaining e' such that e'=e must be bounded by the collision resistance of the hash function. In all cases, the adversary cannot obtain a correct encryption key K and its confirmation message C2, and thus fails to impersonate the server. o Man-in-the-middle attack: In order to reside as a middle man in the protocol, an adversary should enforce a fresh encryption key K, encryption of pw, and confirmation messages C1 and C2, according to her own key X' and Y', respectively. Although the adversary can intercept X and Y, and inject her own key X' and Y' to replace them, respectively, into the protocol, the probability of computing K against a client is bounded by the salt space while that of constructing the encryption of pw against the server is bounded by the password space. The adversary fails to reside as a middle man in the protocol. The I-PAKE protocol is secure against the active attacks. 4.2.3 Forward Secrecy We say AKE provides forward secrecy when the secrecy of previous session keys is not affected even if long-term secrets, such as passwords and salt in the I-PAKE protocol, of one or more entities are compromised. If the password is compromised, an adversary should inspect the protocol messages of the previous sessions that incorporate the password but only is the encryption of pw from a conventional block cipher system. Due to the security assumption of the block cipher, the ephemeral encryption key K is not derivable. Even if K is also compromised, the previous session key is not derivable due to the security assumption of one-way hash function. If the salt is compromised, the adversary should inspect the protocol messages of the previous sessions that incorporate the salt but only is the ID information. Due to the hardness assumption of the Diffie-Hellman problem, the previous session key is not derivable from X and Y. The I-PAKE protocol provides the forward secrecy. 4.2.4 Known Session Key We say AKE is secure against known session key attacks if the protocol achieves its goal even if an adversary learned some Expires November 4, 2013 [Page 15] INTERNET DRAFT I-PAKE May 3, 2013 previous session keys. If the previous session key sk is compromised, an adversary should inspect the protocol messages of the previous and/or future sessions but only is the confirmation message. Due to the hardness assumption of the Diffie-Hellman problem and the security assumption of one-way hash function, the old session keys neither reveal the password and salt information nor enforce forged key agreement. The I-PAKE protocol is secure against the known session key attacks. 4.2.5 Key Control We say AKE is secure against key control attacks if neither entity is able to force the session key to be a function of a pre-selected value, such as either X or Y. Due to the the hardness assumption of the Diffie-Hellman problem, neither entity can enforce the key agreement on a pre- selected value. The I-PAKE protocol is secure against the key control attacks. 4.3 I-PAKE - Dictionary Attack The I-PAKE protocol is a PAKE protocol that incorporates IBE. Thus, it fulfills the requirements of PAKE security against dictionary attacks. 4.3.1 On-line Dictionary Attack We say PAKE is secure against on-line dictionary attacks if an active adversary in the client side is only able to test a single guess from a password dictionary per on-line attempt while a server is able to count the number of failed attempts consistently, and also in the server side cannot test any guess from the password dictionary per on-line attempt. Note that the second requirement is very important in practical settings. In order to test a guessed password on-line in the client side, the adversary should send the honest server the encryption of guessed password and its confirmation C1 after exchanging X and Y. The adversary can verify the guess according to the response of the server, while the server can also verify it and count its failure due to the decryption result. If the failure count gets to the limit, the server can lock the corresponding account. Expires November 4, 2013 [Page 16] INTERNET DRAFT I-PAKE May 3, 2013 In order to test a guessed password on-line in the server side, the adversary should decrypt out the password which was encrypted by the honest client after exchanging X and Y. The adversary cannot verify the guess because the corresponding decryption key K is not derivable. The I-PAKE protocol is secure against the on-line dictionary attacks. 4.3.2 Off-line Dictionary Attack We say PAKE is secure against off-line dictionary attacks if an active adversary is only able to remove at most a single guess from a password dictionary per session, and a passive adversary cannot remove any guess from the dictionary. As described in the on-line dictionary attack, the active adversary can only remove a single guess from the dictionary in the client side, and no guess in the server side per session. As described in the passive attack, the passive adversary cannot derive a decryption key K, and thus cannot remove any guess from the dictionary per session. The I-PAKE protocol is secure against the off-line dictionary attacks. 4.4 I-PAKE - Server Compromise The I-PAKE protocol is an augmented PAKE protocol that fulfills the requirements of PAKE security against server compromise, not only in the previous (soft-) augmented model but also in the new hard-augmented model. 4.4.1 Soft-Augmented Model We say PAKE is secure against the server compromise in the soft- augmented model if an adversary who obtained a password verification directory stored by the server cannot impersonate the client of the target user directly, i.e., without launching the off-line dictionary attack. Note that the off-line dictionary attack is possible for the server compromise in the soft-augmented model. Since the server stores only ID, salt, and verifier in the password verification directory, the adversary who obtained the directory cannot construct the encryption of password. Expires November 4, 2013 [Page 17] INTERNET DRAFT I-PAKE May 3, 2013 The I-PAKE protocol is secure against the server compromise in the soft-augmented model. 4.4.2 Hard-Augmented Model We say PAKE is secure against the server compromise in the hard- augmented model if an adversary who obtained a password verification directory stored by the server cannot impersonate the client of the target user and launch the off-line dictionary attack. The basic assumption is that the HSM module is never compromised. Since the server stores only ID, salt, and verifier in the password verification directory, the adversary who obtained the directory cannot construct the encryption of password. Since the verifier is the MAC of password information under the MAC key which is only stored in the HSM module, the adversary who obtained the directory cannot launch the off-line dictionary attack. The I-PAKE protocol is secure against the server compromise in the hard-augmented model. 5 IANA Considerations This document includes no request to IANA. 6 References 6.1 Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2945] Wu, T., "The SRP Authentication and Key Exchange System", RFC 2945, September 2000. 6.2 Informative References [RFC5408] Appenzeller, G., Martin, L., and M. Schertler, "Identity- Based Encryption Architecture and Supporting Data Structures", RFC 5408, January 2009. [RFC5409] Martin, L. and M. Schertler, "Using the Boneh-Franklin and Expires November 4, 2013 [Page 18] INTERNET DRAFT I-PAKE May 3, 2013 Boneh-Boyen Identity-Based Encryption Algorithms with the Cryptographic Message Syntax (CMS)", RFC 5409, January 2009. [RFC5091] Boyen, X. and L. Martin, "Identity-Based Cryptography Standard (IBCS) #1: Supersingular Curve Implementations of the BF and BB1 Cryptosystems", RFC 5091, December 2007. [IEEE P1363.2] IEEE P1363.2, "Password-Based Public-Key Cryptography", Submissions to IEEE P1363.2, . [ISO/IEC 11770-4] ISO/IEC JTC 1/SC 27 11770-4, "Information technology - Security techniques - Key management - Part 4: Mechanisms based on weak secrets", May 2006, . Authors' Addresses Taekyoung Kwon Sejong University 98 Kunja-dong, Kwangjin-gu Seoul 143-747, Korea EMail: tkwon@sejong.edu Hyojin Yoon Samsung SDS 5th Fl., Medison Bldg., Daechi-dong, Gangnam-gu, Seoul 135-280, Korea EMail: hj1230.yoon@samsung.com Sangyoub Kim Samsung SDS 4th Fl., Medison Bldg., Daechi-dong, Gangnam-gu, Seoul 135-280, Korea Expires November 4, 2013 [Page 19] INTERNET DRAFT I-PAKE May 3, 2013 EMail: sy9.kim@samsung.com Expires November 4, 2013 [Page 20]