Independent Submission                                    A. Brusilovsky
Request for Comments: 5683                                   I. Faynberg
Category: Informational                                       Z. Zeltsan
ISSN: 2070-1721                                           Alcatel-Lucent
                                                                S. Patel
                                                            Google, Inc.
                                                           February 2010
        
Independent Submission                                    A. Brusilovsky
Request for Comments: 5683                                   I. Faynberg
Category: Informational                                       Z. Zeltsan
ISSN: 2070-1721                                           Alcatel-Lucent
                                                                S. Patel
                                                            Google, Inc.
                                                           February 2010
        

Password-Authenticated Key (PAK) Diffie-Hellman Exchange

密码验证密钥(PAK)Diffie-Hellman交换

Abstract

摘要

This document proposes to add mutual authentication, based on a human-memorizable password, to the basic, unauthenticated Diffie-Hellman key exchange. The proposed algorithm is called the Password-Authenticated Key (PAK) exchange. PAK allows two parties to authenticate themselves while performing the Diffie-Hellman exchange.

本文件建议在未经验证的基本Diffie-Hellman密钥交换中添加基于人类可记忆密码的相互认证。所提出的算法称为口令认证密钥(PAK)交换。PAK允许双方在执行Diffie-Hellman交换时对自己进行身份验证。

The protocol is secure against all passive and active attacks. In particular, it does not allow either type of attacker to obtain any information that would enable an offline dictionary attack on the password. PAK provides Forward Secrecy.

该协议对所有被动和主动攻击都是安全的。特别是,它不允许任何一种类型的攻击者获取任何可能导致对密码进行脱机字典攻击的信息。巴基斯坦提供前沿保密。

Status of This Memo

关于下段备忘

This document is not an Internet Standards Track specification; it is published for informational purposes.

本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。

This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

这是对RFC系列的贡献,独立于任何其他RFC流。RFC编辑器已选择自行发布此文档,并且未声明其对实现或部署的价值。RFC编辑批准发布的文件不适用于任何级别的互联网标准;见RFC 5741第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5683.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc5683.

Copyright Notice

版权公告

Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2010 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http:trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

本文件受BCP 78和IETF信托有关IETF文件的法律规定(http:truster.IETF.org/license info)的约束,这些法律规定在本文件出版之日生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。

Table of Contents

目录

   1. Introduction ....................................................3
   2. Conventions .....................................................3
   3. Password-Authenticated Key Exchange .............................4
   4. Selection of Parameters .........................................5
      4.1. General Considerations .....................................5
      4.2. Over-the-Air Service Provisioning (OTASP) and Wireless
           Local Area Network (WLAN) Diffie-Hellman Parameters and
           Key Expansion Functions ....................................5
   5. Security Considerations .........................................7
   6. Acknowledgments .................................................8
   7. References ......................................................8
      7.1. Normative References .......................................8
      7.2. Informative References .....................................8
        
   1. Introduction ....................................................3
   2. Conventions .....................................................3
   3. Password-Authenticated Key Exchange .............................4
   4. Selection of Parameters .........................................5
      4.1. General Considerations .....................................5
      4.2. Over-the-Air Service Provisioning (OTASP) and Wireless
           Local Area Network (WLAN) Diffie-Hellman Parameters and
           Key Expansion Functions ....................................5
   5. Security Considerations .........................................7
   6. Acknowledgments .................................................8
   7. References ......................................................8
      7.1. Normative References .......................................8
      7.2. Informative References .....................................8
        
1. Introduction
1. 介绍

PAK has the following advantages:

PAK具有以下优势:

- It provides a secure, authenticated key-exchange protocol. - It is secure against offline dictionary attacks when passwords are used. - It ensures Forward Secrecy. - It has been proven to be as secure as the Diffie-Hellman solution.

- 它提供了一个安全、经过身份验证的密钥交换协议。-当使用密码时,它可以防止脱机字典攻击。-它确保了前向保密它已被证明与Diffie Hellman解决方案一样安全。

The PAK protocol ([BMP00], [MP05], [X.1035]) has been proven to be as secure as the Diffie-Hellman ([RFC2631], [DH76]) in the random oracle model [BR93]. That is, PAK retains its security when used with low-entropy passwords. Therefore, it can be seamlessly integrated into existing applications, requiring secure authentication based on such low-entropy shared secrets.

PAK协议([BMP00]、[MP05]、[X.1035])已被证明与随机oracle模型[BR93]中的Diffie-Hellman([RFC2631]、[DH76])一样安全。也就是说,PAK在与低熵密码一起使用时保持其安全性。因此,它可以无缝地集成到现有的应用程序中,需要基于这种低熵共享秘密的安全身份验证。

2. Conventions
2. 习俗

- A is an identity of Alice.

- A是爱丽丝的身份。

- B is an identity of Bob.

- B是鲍勃的身份。

- Ra is a secret random exponent selected by A.

- Ra是由a选择的秘密随机指数。

- Rb is a secret random exponent selected by B.

- Rb是由B选择的秘密随机指数。

- Xab denotes a value (X presumably computed by A) as derived by B.

- Xab表示由B导出的值(X可能由a计算)。

- Yba denotes a value (Y presumably computed by B) as derived by A.

- Yba表示由a导出的值(Y可能由B计算)。

- A mod b denotes the least non-negative remainder when a is divided by b.

- 当A除以b时,模b表示最小的非负余数。

- Hi(u) denotes an agreed-on function (e.g., based on SHA-1, SHA-256, etc.) computed over a string u; the various H() act as independent random functions. H1(u) and H2(u) are the key derivation functions. H3(u), H4(u), and H5(u) are the hash functions.

- Hi(u)表示通过字符串u计算的约定函数(例如,基于SHA-1、SHA-256等);各种H()函数充当独立的随机函数。H1(u)和H2(u)是关键的派生函数。H3(u)、H4(u)和H5(u)是散列函数。

- s|t denotes concatenation of the strings s and t.

- s | t表示字符串s和t的串联。

- ^ denotes exponentiation.

- ^表示指数化。

- Multiplication, division, and exponentiation are performed over (Zp)*; in other words:

- 在(Zp)*上执行乘法、除法和幂运算;换言之:

1) a*b always means a*b (mod p).

1) a*b始终表示a*b(mod p)。

2) a/b always means a * x (mod p), where x is the multiplicative inverse of b modulo p.

2) a/b始终表示a*x(mod p),其中x是b模p的乘法逆。

3) a^b means a^b (mod p).

3) a^b表示a^b(mod p)。

3. Password-Authenticated Key Exchange
3. 密码认证密钥交换

Diffie-Hellman key agreement requires that both the sender and recipient of a message create their own secret, random numbers and exchange the exponentiation of their respective numbers.

Diffie-Hellman密钥协议要求消息的发送方和接收方都创建自己的秘密随机数,并交换各自数字的幂。

PAK has two parties, Alice (A) and Bob (B), sharing a secret password PW that satisfies the following conditions:

PAK有两方,Alice(A)和Bob(B),共享满足以下条件的秘密密码PW:

      H1(A|B|PW) != 0
      H2(A|B|PW) != 0
        
      H1(A|B|PW) != 0
      H2(A|B|PW) != 0
        

The global Diffie-Hellman publicly known constants, a prime p and a generator g, are carefully selected so that:

仔细选择全局Diffie-Hellman公知常数,质数p和生成器g,以便:

1. A safe prime p is large enough to make the computation of discrete logarithms infeasible, and

1. 安全素数p足够大,使得离散对数的计算不可行,并且

2. Powers of g modulo p cover the entire range of p-1 integers from 1 to p-1. (References demonstrate working examples of selections).

2. g模p的幂覆盖了从1到p-1的整个p-1整数范围。(参考文献展示了选择的工作示例)。

Initially, Alice (A) selects a secret, random exponent Ra and computes g^Ra; Bob (B) selects a secret, random exponent Rb and computes g^Rb. For efficiency purposes, short exponents could be used for Ra and Rb, provided they have a certain minimum size. Then:

最初,Alice(A)选择一个秘密的随机指数Ra并计算g^Ra;Bob(B)选择一个秘密的随机指数Rb并计算g^Rb。为了提高效率,短指数可用于Ra和Rb,前提是它们具有一定的最小尺寸。然后:

   A --> B: {A, X = H1(A|B|PW)*(g^Ra)}
            (The above precondition on PW ensures that X != 0)
        
   A --> B: {A, X = H1(A|B|PW)*(g^Ra)}
            (The above precondition on PW ensures that X != 0)
        
      Bob
        receives Q (presumably Q = X), verifies that Q != 0
          (if Q = 0, Bob aborts the procedure);
        divides Q by H1(A|B|PW) to get Xab, the recovered value of g^Ra
        
      Bob
        receives Q (presumably Q = X), verifies that Q != 0
          (if Q = 0, Bob aborts the procedure);
        divides Q by H1(A|B|PW) to get Xab, the recovered value of g^Ra
        
   B --> A: {Y = H2(A|B|PW)*(g^Rb), S1 = H3(A|B|PW|Xab|g^Rb|(Xab)^Rb)}
            (The above precondition on PW ensures that Y != 0)
        
   B --> A: {Y = H2(A|B|PW)*(g^Rb), S1 = H3(A|B|PW|Xab|g^Rb|(Xab)^Rb)}
            (The above precondition on PW ensures that Y != 0)
        
      Alice
        verifies that Y != 0;
        divides Y by H2(A|B|PW) to get Yba, the recovered value of g^Rb,
        and computes S1' = H3(A|B|PW|g^Ra|Yba|(Yba)^Ra);
        authenticates Bob by checking whether S1' = S1;
        if authenticated, then sets key K = H5(A|B|PW|g^Ra|Yba|(Yba)^Ra)
        
      Alice
        verifies that Y != 0;
        divides Y by H2(A|B|PW) to get Yba, the recovered value of g^Rb,
        and computes S1' = H3(A|B|PW|g^Ra|Yba|(Yba)^Ra);
        authenticates Bob by checking whether S1' = S1;
        if authenticated, then sets key K = H5(A|B|PW|g^Ra|Yba|(Yba)^Ra)
        
   A --> B:  S2 = H4(A|B|PW|g^Ra|Yba|(Yba)^Ra)
        
   A --> B:  S2 = H4(A|B|PW|g^Ra|Yba|(Yba)^Ra)
        
      Bob
        Computes S2' = H4(A|B|PW|Xab|g^Rb|(Xab)^Rb) and
        authenticates Alice by checking whether S2' = S2;
        if authenticated, then sets K = H5(A|B|PW|Xab|g^Rb|(Xab)^Rb)
        
      Bob
        Computes S2' = H4(A|B|PW|Xab|g^Rb|(Xab)^Rb) and
        authenticates Alice by checking whether S2' = S2;
        if authenticated, then sets K = H5(A|B|PW|Xab|g^Rb|(Xab)^Rb)
        

If any of the above verifications fails, the protocol halts; otherwise, both parties have authenticated each other and established the key.

如果上述任何验证失败,则协议停止;否则,双方已相互验证并建立密钥。

4. Selection of Parameters
4. 参数的选择

This section provides guidance on selection of the PAK parameters. First, it addresses general considerations, then it reports on specific implementations.

本节提供关于PAK参数选择的指南。首先,它解决了一般性问题,然后报告了具体的实现。

4.1. General Considerations
4.1. 一般考虑

In general implementations, the parameters must be selected to meet algorithm requirements of [BMP00].

在一般实现中,必须选择参数以满足[BMP00]的算法要求。

4.2. Over-the-Air Service Provisioning (OTASP) and Wireless Local Area Network (WLAN) Diffie-Hellman Parameters and Key Expansion Functions

4.2. 空中服务供应(OTASP)和无线局域网(WLAN)Diffie-Hellman参数和关键扩展功能

[OTASP], [TIA683], and [WLAN] pre-set public parameters p and g to their "published" values. This is necessary to protect against an attacker sending bogus p and g values, tricking the legitimate user to engage in improper Diffie-Hellman exponentiation and leaking some information about the password.

[OTASP]、[TIA683]和[WLAN]将公共参数p和g预设为其“已发布”值。这对于防止攻击者发送伪造的p和g值、诱骗合法用户进行不正确的Diffie-Hellman求幂以及泄露一些有关密码的信息是必要的。

According to [OTASP], [TIA683], and [WLAN], g shall be set to 00001101, and p to the following 1024-bit prime number (most significant bit first):

根据[OTASP]、[TIA683]和[WLAN],g应设置为00001101,p应设置为以下1024位素数(最高有效位优先):

0xFFFFFFFF 0xFFFFFFFF 0xC90FDAA2 0x2168C234 0xC4C6628B 0x80DC1CD1 0x29024E08 0x8A67CC74 0x020BBEA6 0x3B139B22 0x514A0879 0x8E3404DD 0xEF9519B3 0xCD3A431B 0x302B0A6D 0xF25F1437 0x4FE1356D 0x6D51C245 0xE485B576 0x625E7EC6 0xF44C42E9 0xA637ED6B 0x0BFF5CB6 0xF406B7ED 0xEE386BFB 0x5A899FA5 0xAE9F2411 0x7C4B1FE6 0x49286651 0xECE65381 0xFFFFFFFF 0xFFFFFFFF

0xFFFFFFFF 0xFFFFFF 0xC90FDAA2 0x2168C234 0xC4C6628B 0x80DC1CD1 0x29024E08 0x8A67CC74 0x020BBEA6 0x3B139B22 0x514A0879 0x8E3404DD 0xEF9519B3 0xCD3A431B 0x302B0A6D 0xF25F1437 0x4FE1356D 0x6D51C245 0xE485B576 0x625E6E6 0xF442E9 0xA6376B 0x0BFF566 0xF466 0xF406B767ED 0xEE386FB 0xF565A895F465B5F497CF4110xFFFFFF

In addition, if short exponents [MP05] are used for Diffie-Hellman parameters Ra and Rb, then they should have a minimum size of 384 bits. The independent, random functions H1 and H2 should each output 1152 bits, assuming prime p is 1024 bits long and session keys K are 128 bits long. H3, H4, and H5 each output 128 bits. More information on instantiating random functions using hash functions can be found in [BR93]. We use the FIPS 180 SHA-1 hashing function [FIPS180] below to instantiate the random function as done in [WLAN]; however, SHA-256 can also be used:

此外,如果短指数[MP05]用于Diffie-Hellman参数Ra和Rb,则它们的最小大小应为384位。假设素数p为1024位,会话密钥K为128位,则独立随机函数H1和H2应各自输出1152位。H3、H4和H5各输出128位。有关使用哈希函数实例化随机函数的更多信息,请参见[BR93]。我们使用下面的FIPS 180 SHA-1散列函数[FIPS180]来实例化在[WLAN]中完成的随机函数;但是,也可以使用SHA-256:

   H1(z):
   SHA-1(1|1|z) mod 2^128 | SHA-1(1|2|z) mod 2^128 |...|
   | SHA-1(1|9|z) mod 2^128
        
   H1(z):
   SHA-1(1|1|z) mod 2^128 | SHA-1(1|2|z) mod 2^128 |...|
   | SHA-1(1|9|z) mod 2^128
        
   H2(z):
   SHA-1(2|1|z) mod 2^128 | SHA-1(2|2|z) mod 2^128 |...|
   | SHA-1(2|9|z) mod 2^128
        
   H2(z):
   SHA-1(2|1|z) mod 2^128 | SHA-1(2|2|z) mod 2^128 |...|
   | SHA-1(2|9|z) mod 2^128
        
   H3(z): SHA-1(3|len(z)|z|z) mod 2^128
   H4(z): SHA-1(4|len(z)|z|z) mod 2^128
   H5(z): SHA-1(5|len(z)|z|z) mod 2^128
        
   H3(z): SHA-1(3|len(z)|z|z) mod 2^128
   H4(z): SHA-1(4|len(z)|z|z) mod 2^128
   H5(z): SHA-1(5|len(z)|z|z) mod 2^128
        

In order to create 1152 output bits for H1 and H2, nine calls to SHA-1 are made and the 128 least significant bits of each output are used. The input payload of each call to SHA-1 consists of:

为了为H1和H2创建1152个输出位,对SHA-1进行了九次调用,并使用每个输出的128个最低有效位。对SHA-1的每次呼叫的输入有效载荷包括:

   a) 32 bits of function type, which for H1 is set to 1 and for H2 is
      set to 2;
   b) a 32-bit counter value, which is incremented from 1 to 9 for each
      call to SHA-1;
   c) the argument z [for (A|B|PW)].
        
   a) 32 bits of function type, which for H1 is set to 1 and for H2 is
      set to 2;
   b) a 32-bit counter value, which is incremented from 1 to 9 for each
      call to SHA-1;
   c) the argument z [for (A|B|PW)].
        

The functions H3, H4, and H5 require only one call to the SHA-1 hashing function and their respective payloads consist of:

函数H3、H4和H5只需要对SHA-1散列函数进行一次调用,它们各自的有效载荷包括:

   a) 32 bits of function type (e.g., 3 for H3);
   b) a 32-bit value for the bit length of the argument z;
   c) the actual argument repeated twice.
        
   a) 32 bits of function type (e.g., 3 for H3);
   b) a 32-bit value for the bit length of the argument z;
   c) the actual argument repeated twice.
        

Finally, the 128 least significant bits of the output are used.

最后,使用输出的128个最低有效位。

5. Security Considerations
5. 安全考虑

Security considerations are as follows:

安全考虑如下:

- Identifiers

- 标识符

Any protocol that uses PAK must specify a method for producing a single representation of identity strings.

任何使用PAK的协议都必须指定一种方法来生成标识字符串的单一表示形式。

- Shared secret

- 共享秘密

PAK involves the use of a shared secret. Protection of the shared values and managing (limiting) their exposure over time is essential and can be achieved using well-known security policies and measures. If a single secret is shared among more than two entities (e.g., Alice, Bob, and Mallory), then Mallory can represent himself as Alice to Bob without Bob being any the wiser.

PAK涉及使用共享秘密。随着时间的推移,保护共享价值和管理(限制)它们的暴露是至关重要的,可以使用众所周知的安全策略和措施来实现。如果一个秘密在两个以上的实体之间共享(例如,Alice、Bob和Mallory),那么Mallory可以在Bob面前将自己表示为Alice,而Bob则不会显得更聪明。

- Selection of Diffie-Hellman parameters

- Diffie-Hellman参数的选择

The parameters p and g must be carefully selected in order not to compromise the shared secret. Only previously agreed-upon values for parameters p and g should be used in the PAK protocol. This is necessary to protect against an attacker sending bogus p and g values and thus tricking the other communicating party in an improper Diffie-Hellman exponentiation. Both parties also need to randomly select a new exponent each time the key-agreement protocol is executed. If both parties re-use the same values, then Forward Secrecy property is lost.

必须仔细选择参数p和g,以免泄露共享秘密。PAK协议中仅应使用先前商定的参数p和g值。这对于防止攻击者发送伪造的p和g值,从而在不正确的Diffie-Hellman求幂中欺骗另一通信方是必要的。双方还需要在每次执行密钥协商协议时随机选择一个新的指数。如果双方重复使用相同的值,则前向保密属性将丢失。

In addition, if short exponents Ra and Rb are used, then they should have a minimum size of 384 bits (assuming that 128-bit session keys are used). Historically, the developers, who strived for 128-bit security (and thus selected 256-bit exponents), added 128 bits to the exponents to ensure the security reduction proofs. This should explain how an "odd" length of 384 has been arrived at.

此外,如果使用短指数Ra和Rb,则它们的最小大小应为384位(假设使用128位会话密钥)。历史上,致力于128位安全性(并因此选择256位指数)的开发人员向指数中添加128位以确保安全性降低证明。这应该可以解释如何得出384的“奇数”长度。

- Protection against attacks

- 防止攻击

a) There is a potential attack, the so-called discrete logarithm attack on the multiplicative group of congruencies modulo p, in which an adversary can construct a table of discrete logarithms to be used as a "dictionary". A sufficiently large prime, p, must be selected to protect against such an attack. A proper 1024-bit value for p and an appropriate value for g are published in [WLAN] and [TIA683]. For the moment, this is what has been implemented; however, a larger prime (i.e., one that

a) 存在一种潜在的攻击,即所谓的对模p的乘法同余群的离散对数攻击,在这种攻击中,对手可以构造一个离散对数表,用作“字典”。必须选择足够大的素数p,以防止此类攻击。[WLAN]和[TIA683]中公布了p的适当1024位值和g的适当值。就目前而言,这是已经实施的;但是,较大的素数(即

is 2048 bits long, or even larger) will definitely provide better protection. It is important to note that once this is done, the generator must be changed too, so this task must be approached with extreme care.

是2048位长,甚至更大)肯定会提供更好的保护。必须注意的是,一旦完成此操作,发电机也必须更换,因此必须非常小心地执行此任务。

b) An online password attack can be launched by an attacker by repeatedly guessing the password and attempting to authenticate. The implementers of PAK should consider employing mechanisms (such as lockouts) for preventing such attacks.

b) 攻击者可以通过反复猜测密码并尝试进行身份验证来发起在线密码攻击。PAK的实施者应该考虑采用机制(例如封锁)来防止这种攻击。

- Recommendations on H() functions

- 关于H()函数的建议

The independent, random functions H1 and H2 should output 1152 bits each, assuming prime p is 1024 bits long and session keys K are 128 bits long. The random functions H3, H4, and H5 should output 128 bits.

假设素数p为1024位,会话密钥K为128位,则独立随机函数H1和H2应分别输出1152位。随机函数H3、H4和H5应输出128位。

An example of secure implementation of PAK is provided in [Plan9].

[Plan9]中提供了安全实现PAK的示例。

6. Acknowledgments
6. 致谢

The authors are grateful for the thoughtful comments received from Shehryar Qutub, Ray Perlner, and Yaron Sheffer. Special thanks go to Alfred Hoenes, Tim Polk, and Jim Schaad for their careful reviews and invaluable help in preparing the final version of this document.

作者感谢Shehryar Qutub、Ray Perlner和Yaron Sheffer提出的深思熟虑的意见。特别感谢阿尔弗雷德·霍恩斯(Alfred Hoenes)、蒂姆·波尔克(Tim Polk)和吉姆·沙德(Jim Schaad)在准备本文件最终版本时所做的仔细审查和宝贵帮助。

7. References
7. 工具书类
7.1. Normative References
7.1. 规范性引用文件

[X.1035] ITU-T, "Password-authenticated key exchange (PAK) protocol", ITU-T Recommendation X.1035, 2007.

[X.1035]ITU-T,“密码认证密钥交换(PAK)协议”,ITU-T建议X.10352007。

[TIA683] TIA, "Over-the-Air Service Provisioning of Mobile Stations in Spread Spectrum Systems", TIA-683-D, May 2006.

[TIA683]TIA,“扩频系统中移动站的空中服务供应”,TIA-683-D,2006年5月。

7.2. Informative References
7.2. 资料性引用

[Plan9] Alcatel-Lucent, "Plan 9 from Bell Labs", http://netlib.bell-labs.com/plan9/.

[Plan9]阿尔卡特朗讯,“贝尔实验室的Plan9”,http://netlib.bell-labs.com/plan9/.

[BMP00] Boyko, V., MacKenzie, P., and S. Patel, "Provably secure password authentication and key exchange using Diffie-Hellman", Proceedings of Eurocrypt 2000.

[BMP00]Boyko,V.,MacKenzie,P.,和S.Patel,“使用Diffie Hellman可证明安全的密码验证和密钥交换”,欧洲密码会议录2000。

[BR93] Bellare, M. and P. Rogaway, "Random Oracles are Practical: A Paradigm for Designing Efficient Protocols", Proceedings of the 5th Annual ACM Conference on Computer and Communications Security, 1998.

[BR93]Bellare,M.和P.Rogaway,“随机预言是实用的:设计有效协议的范例”,第五届ACM计算机和通信安全年度会议记录,1998年。

[DH76] Diffie, W. and M.E. Hellman, "New directions in cryptography", IEEE Transactions on Information Theory 22 (1976), 644-654.

[DH76]Diffie,W.和M.E.Hellman,“密码学的新方向”,IEEE信息论交易22(1976),644-654。

[FIPS180] NIST Federal Information Processing Standards, Publication FIPS 180-3, "Secure Hash Standard", 2008.

[FIPS180]NIST联邦信息处理标准,出版物FIPS 180-3,“安全哈希标准”,2008年。

[MP05] MacKenzie, P. and S. Patel, "Hard Bits of the Discrete Log with Applications to Password Authentication", CT-RSA 2005.

[MP05]MacKenzie,P.和S.Patel,“离散日志的硬位与密码认证的应用”,CT-RSA 2005。

[OTASP] 3GPP2, "Over-the-Air Service Provisioning of Mobile Stations in Spread Spectrum Systems", 3GPP2 C.S0016-C v. 1.0 5, October 2004.

[OTASP]3GPP2,“扩频系统中移动站的空中服务供应”,3GPP2 C.S0016-C v。1.05,2004年10月。

[RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method", RFC 2631, June 1999.

[RFC2631]Rescorla,E.,“Diffie-Hellman密钥协商方法”,RFC 26311999年6月。

[WLAN] 3GPP2, "Wireless Local Area Network (WLAN) Interworking", 3GPP2 X.S0028-0, v.1.0, April 2005.

[WLAN]3GPP2,“无线局域网(WLAN)互通”,3GPP2 X.S0028-0,v.1.0,2005年4月。

Authors' Addresses

作者地址

Alec Brusilovsky Alcatel-Lucent Room 9B-226, 1960 Lucent Lane Naperville, IL 60566-7217 USA Tel: +1 630 979 5490 EMail: Alec.Brusilovsky@alcatel-lucent.com

Alec Brusilovsky Alcatel-Lucent Room 9B-226,1960 Lucent Lane Naperville,IL 60566-7217美国电话:+1 630 979 5490电子邮件:Alec。Brusilovsky@alcatel-朗讯网

Igor Faynberg Alcatel-Lucent Room 2D-144, 600 Mountain Avenue Murray Hill, NJ 07974 USA Tel: +1 908 582 2626 EMail: igor.faynberg@alcatel-lucent.com

Igor Faynberg Alcatel-Lucent美国新泽西州默里山山路600号2D-144室07974电话:+1 908 582 2626电子邮件:Igor。faynberg@alcatel-朗讯网

Sarvar Patel Google, Inc. 76 Ninth Avenue New York, NY 10011 USA Tel: +1 212 565 5907 EMail: sarvar@google.com

Sarvar Patel Google,Inc.美国纽约州纽约市第九大道76号,邮编10011电话:+1 212 565 5907电子邮件:sarvar@google.com

Zachary Zeltsan Alcatel-Lucent Room 2D-150, 600 Mountain Avenue Murray Hill, NJ 07974 USA Tel: +1 908 582 2359 EMail: zeltsan@alcatel-lucent.com

Zachary Zeltsan Alcatel-Lucent美国新泽西州默里山山路600号2D-150室电话:+1 908 582 2359电子邮件:zeltsan@alcatel-朗讯网