Dear all,
I posted a new I-D version (draft-shin-augmented-pake <http://www.ietf.org/internet-drafts/draft-shin-augmented-pake-02.txt> ) which also includes how to integrate AugPAKE into IKEv2.

The AugPAKE protocol has the following advantages:

1. Simple structure (it is constructed from Diffie-Hellman type key exchange plus a "usual" hash function)
2. Most efficient (it has almost the same computation/communication costs as the plain DH key exchange)
3. Provable security (see SEC5)
4. Royalty-free license (see IPR2/3)
5. No special function (neither a hash-to-group mapping technique nor an ideal cipher is needed)
6. Additional security (PAKE security (against passive/active/off-line dictionary attacks) plus resistance to server-compromise impersonation attacks)

Below is a self-evaluation of the AugPAKE protocol following the selection criteria in http://www.ietf.org/id/draft-harkins-ipsecme-pake-criteria-00.txt.

SEC1: AugPAKE is a zero-knowledge (password) proof. It is secure against passive/active/off-line dictionary attacks. It is also resistant to server-compromise impersonation attacks.
SEC2: AugPAKE provides PFS and is secure against the Denning-Sacco attack.
SEC3: IKEv2 identity protection is preserved.
SEC4: Any cryptographically secure Diffie-Hellman groups can be used.
SEC5: The formal security proof of AugPAKE can be found at Cryptology ePrint Archive: Report 2010/334. http://eprint.iacr.org/2010/334
SEC6: AugPAKE can be easily used with strong credentials.
SEC7: In the case of server compromise, an attacker has to perform off-line dictionary attacks while computing mod. exp. with a password candidate.

IPR1: AugPAKE was publicly disclosed in Oct. 2008.
IPR2: AIST applied for a patent in Japan on July 10, 2008. AIST would provide a royalty-free license of AugPAKE.
IPR3: IPR disclosure (see https://datatracker.ietf.org/ipr/1284/)

MISC1: AugPAKE adds one round trip to IKEv2.
MISC2: The initiator needs to compute only 2 mod. exp. computations while the responder needs to compute 2.17 mod. exp. computations. AugPAKE needs to exchange 2 group elements and 2 hash values. This is almost the same computation/communication cost as the plain DH key exchange. If we use a large (e.g., 2048/3072-bit) parent group, hash size would be relatively small.
MISC3: AugPAKE has the same performance for any type of secrets.
MISC4: Internationalization of character-based passwords can be supported.
MISC5: AugPAKE can be implemented over any ECP, EC2N and MODP groups.
MISC6: AugPAKE has the request/response nature of IKEv2.
MISC7: No additional negotiation is needed.
MISC8: No TTP and clock synchronization.
MISC9: No additional primitive is needed.
MISC10: As above, AugPAKE can be implemented over any ECP/EC2N groups.
MISC11: Easy implementation. We already implemented AugPAKE and have been testing it in AIST.

Any comments are welcome!

Best regards,
Shin
