Hi Dan,

> Hi Dennis,
>
> I have read the PACE submission. I believe claim 1 of the SPEKE patent,
> US 6,792,533, covers this protocol. If you do think otherwise, please
> explain why.
This is very simple. The password is only temporarily used to protect a nonce sent to the other party. The key derivation step is completely independent of the password.

> Also, in PACE you compute CIPH=E(Pwd, s) where E() is the encryption
> function of some block cipher and Pwd is the shared password. You don't
> mention the block cipher but some block ciphers have weak keys and most
> take a fixed-length key.

Pwd is a key derived from the password, so length constraints are no problem. The block cipher is used as a permutation mapping random input to random output. The strength of the password-derived key is not very important as the entropy of the key is at most the entropy of the password - which is rather low.

> For a general specification like this I suggest
> strengthening it by removing any kind of dependencies and also to bind
> the parties to the exchange. I suggest using an "extraction" function with
> the shared password and the identities of the two peers to distill the
> entropy from the password, bind the identities, and derive a key with
> which to do the encryption:
>
> k = Extractor(Pwd | max(ID-A, ID-B) | min(ID-A, ID-B))
> CIPH = E(k, s)
>
> where max(x,y) and min(x,y) output an ordering of their inputs in some
> deterministic fashion, ID-A and ID-B are the identities of the two parties
> to the exchange, and "|" is concatenation.

I don't see the point of binding the key to identities, but I might miss something here.

Best regards,
Dennis

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
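The nonce-encryption step the two messages discuss, with the suggested identity-bound extractor, as an added example in Go (not code from the PACE submission or from either correspondent); it assumes HMAC-SHA256 under a fixed label as the extractor, AES-256 as the block cipher E, and a 16-byte nonce s.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
)

// deriveKey is k = Extractor(Pwd | max(ID-A, ID-B) | min(ID-A, ID-B)), with
// HMAC-SHA256 under a fixed label standing in for the extractor (an assumption).
// Ordering the identities lets both peers compute the same k whichever side they
// are on, and the 32-byte output fits AES-256 whatever the password's length.
func deriveKey(pwd, idA, idB []byte) []byte {
	hi, lo := idA, idB
	if bytes.Compare(hi, lo) < 0 {
		hi, lo = lo, hi // max first, then min
	}
	mac := hmac.New(sha256.New, []byte("PACE-nonce-key")) // constructed label
	mac.Write(pwd)
	mac.Write(hi)
	mac.Write(lo)
	return mac.Sum(nil)
}

func blockCipher(k []byte) cipher.Block {
	blk, err := aes.NewCipher(k) // a 32-byte k selects AES-256
	if err != nil {
		panic(err)
	}
	return blk
}

// encryptNonce is CIPH = E(k, s): one block over the 16-byte nonce s.
func encryptNonce(k, s []byte) []byte {
	out := make([]byte, aes.BlockSize)
	blockCipher(k).Encrypt(out, s[:aes.BlockSize])
	return out
}

// decryptNonce inverts encryptNonce. E is a permutation, so any k yields a
// well-formed nonce: a password guess cannot be checked against CIPH alone.
func decryptNonce(k, ciph []byte) []byte {
	out := make([]byte, aes.BlockSize)
	blockCipher(k).Decrypt(out, ciph[:aes.BlockSize])
	return out
}
```

Decrypting CIPH under a wrong key returns a different but equally well-formed 16-byte value rather than an error, so CIPH on its own gives no way to confirm a password guess; the actual key material comes from what the protocol derives from s afterwards, not from the password.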
