Internet Engineering Task Force (IETF)                        D. Harkins
Request for Comments: 6617                                Aruba Networks
Category: Experimental                                         June 2012
ISSN: 2070-1721

Secure Pre-Shared Key (PSK) Authentication for the Internet Key Exchange Protocol (IKE)

Abstract

This memo describes a secure pre-shared key (PSK) authentication method for the Internet Key Exchange Protocol (IKE). It is resistant to dictionary attack and retains security even when used with weak pre-shared keys.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for examination, experimental implementation, and evaluation.

This document defines an Experimental Protocol for the Internet community. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6617.

Copyright Notice

Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
   1.1. Keyword Definitions
2. Usage Scenarios
3. Terms and Notation
4. Discrete Logarithm Cryptography
   4.1. Elliptic Curve Cryptography (ECP) Groups
   4.2. Finite Field Cryptography (MODP) Groups
5. Random Numbers
6. Using Passwords and Raw Keys For Authentication
7. Assumptions
8. Secure PSK Authentication Message Exchange
   8.1. Negotiation of Secure PSK Authentication
   8.2. Fixing the Secret Element, SKE
        8.2.1. ECP Operation to Select SKE
        8.2.2. MODP Operation to Select SKE
   8.3. Encoding and Decoding of Group Elements and Scalars
        8.3.1. Encoding and Decoding of Scalars
        8.3.2. Encoding and Decoding of ECP Elements
        8.3.3. Encoding and Decoding of MODP Elements
   8.4. Message Generation and Processing
        8.4.1. Generation of a Commit
        8.4.2. Processing of a Commit
               8.4.2.1. Validation of an ECP Element
               8.4.2.2. Validation of a MODP Element
               8.4.2.3. Commit Processing Steps
        8.4.3. Authentication of the Exchange
   8.5. Payload Format
        8.5.1. Commit Payload
   8.6. IKEv2 Messaging
9. IANA Considerations
10. Security Considerations
11. Acknowledgements
12. References
   12.1. Normative References
   12.2. Informative References
1. Introduction

[RFC5996] allows for authentication of the IKE peers using a pre-shared key. This exchange, though, is susceptible to dictionary attack and is therefore insecure when used with weak pre-shared keys, such as human-memorizable passwords. To address the security issue, [RFC5996] recommends that the pre-shared key used for authentication "contain as much unpredictability as the strongest key being negotiated". That means any key made of characters rather than raw hexadecimal digits would require over 100 characters to provide enough strength to generate a 128-bit key suitable for AES. This is an unrealistic requirement because humans have a hard time entering a string of over 20 characters without error. Consequently, pre-shared key authentication in [RFC5996] is used insecurely today.

A pre-shared key authentication method built on top of a zero-knowledge proof will provide resistance to dictionary attack and still allow for security when used with weak pre-shared keys, such as user-chosen passwords. Such an authentication method is described in this memo.

Resistance to dictionary attack is achieved when an adversary gets one, and only one, guess at the secret per active attack (see, for example, [BM92], [BMP00], and [BPR00]). Another way of putting this is that any advantage the adversary can realize is through interaction and not through computation. This is demonstrably different from the technique from [RFC5996] of using a large, random number as the pre-shared key. That can only make a dictionary attack less likely to succeed; it does not prevent a dictionary attack. Furthermore, as [RFC5996] notes, it is completely insecure when used with weak keys like user-generated passwords.

1.1. Keyword Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
2. Usage Scenarios

[RFC5996] describes usage scenarios for IKEv2. These are:

1. "Security Gateway to Security Gateway Tunnel": The endpoints of the IKE (and IPsec) communication are network nodes that protect traffic on behalf of connected networks. Protected traffic is between devices on the respective protected networks.

2. "Endpoint-to-Endpoint Transport": The endpoints of the IKE (and IPsec) communication are hosts according to [RFC4301]. Protected traffic is between the two endpoints.

3. "Endpoint to Security Gateway Tunnel": One endpoint connects to a protected network through a network node. The endpoints of the IKE (and IPsec) communication are the endpoint and the network node, but the protected traffic is between the endpoint and another device on the protected network behind the node.

The authentication and key exchange process described in this memo is suitable for all the usage scenarios described in [RFC5996]. In the "Security Gateway to Security Gateway Tunnel" scenario and the "Endpoint-to-Endpoint Transport" scenario, it provides a secure method of authentication without requiring a certificate. For the "Endpoint to Security Gateway Tunnel" scenario, it provides for the secure username+password authentication that is popular in remote-access VPN situations.
3. Terms and Notation

The following terms and notations are used in this memo:

PSK           A shared, secret, and potentially low-entropy word, phrase, code, or key used as a credential to mutually authenticate the peers.

a = prf(b, c) The strings "b" and "c" are given to a pseudo-random function (prf) to produce a fixed-length output "a".

a | b         denotes concatenation of string "a" with string "b".

[a]b          indicates a string consisting of the single bit "a" repeated "b" times.

len(a)        indicates the length in bits of the string "a".

LSB(a)        returns the least-significant bit of the bitstring "a".

element       one member of a finite cyclic group.

scalar        a quantity that can multiply an element.

The convention in this memo is to represent an element of a finite cyclic group with an upper-case letter or acronym, while a scalar is indicated with a lowercase letter or acronym.
4. Discrete Logarithm Cryptography

This protocol uses Discrete Logarithm Cryptography to achieve authentication. Each party to the exchange derives ephemeral public and private keys with respect to a particular set of domain parameters (referred to here as a "group"). Groups can be based either on finite field cryptography (modular exponentiation (MODP) groups) or on elliptic curve cryptography (ECP groups).

This protocol uses the same group as the IKE exchange in which it is being used for authentication, with the exception of characteristic-two elliptic curve groups (EC2N). Use of such groups is undefined for this authentication method, and an IKE exchange that negotiates one of these groups MUST NOT use this method of authentication.

For each group, the following operations are defined:

o "scalar operation" -- takes a scalar and an element in the group to produce another element -- Z = scalar-op(x, Y).

o "element operation" -- takes two elements in the group to produce a third -- Z = element-op(X, Y).

o "inverse operation" -- takes an element and returns another element such that the element operation on the two produces the identity element of the group -- Y = inverse(X).
4.1. Elliptic Curve Cryptography (ECP) Groups

The key exchange defined in this memo uses fundamental algorithms of ECP groups as described in [RFC6090].

Domain parameters for ECP elliptic curves used for Secure PSK Authentication include:

o A prime, p, determining a prime field GF(p). The cryptographic group will be a subgroup of the full elliptic curve group that consists of points on an elliptic curve -- elements from GF(p) that satisfy the curve's equation -- together with the "point at infinity" (denoted here as "0") that serves as the identity element.

o Elements a and b from GF(p) that define the curve's equation. The point (x,y) is on the elliptic curve if and only if y^2 = x^3 + a*x + b.

o A prime, r, which is the order of, or number of elements in, a subgroup generated by an element G.

The scalar operation is repeated addition of a point on the curve to itself. The point Y is added to itself x times to produce another point Z:

Z = scalar-op(x, Y) = x*Y

The element operation is addition of two points on the curve. Points X and Y are summed to produce another point Z:

Z = element-op(X, Y) = X + Y

The inverse function is defined such that the sum of an element and its inverse is "0", the point-at-infinity of an elliptic curve group (for an affine point Q = (x, y), inverse(Q) is (x, p-y)):

Q + inverse(Q) = "0"

Elliptic curve groups require a mapping function, q = F(Q), to convert a group element to an integer. The mapping function used in this memo returns the x-coordinate of the point it is passed.

scalar-op(x, Y) can be viewed as x iterations of element-op() by defining:

scalar-op(1, Y) = Y

scalar-op(x, Y) = element-op(Y, scalar-op(x-1, Y)), for x > 1

A definition of how to add two points on an elliptic curve (i.e., element-op(X, Y)) can be found in [RFC6090].

Note: There is another ECP domain parameter, a cofactor, h, that is defined by the requirement that the size of the full elliptic curve group (including "0") be the product of h and r. ECP groups used for Secure PSK Authentication MUST have a cofactor of one (1). At the time of publication of this memo, all ECP groups in [IKEV2-IANA] had a cofactor of one (1).
4.2. Finite Field Cryptography (MODP) Groups

Domain parameters for MODP groups used for Secure PSK Authentication include:

o A prime, p, determining a prime field GF(p), the integers modulo p.

o A prime, r, which is the multiplicative order, and thus also the size, of the cryptographic subgroup of GF(p)* that is generated by an element G.

The scalar operation is exponentiation modulo the prime. An element Y is raised to the x-th power modulo p, thereby returning another element, Z:

Z = scalar-op(x, Y) = Y^x mod p

The element operation is modular multiplication. Two elements, X and Y, are multiplied modulo the prime, thereby returning another element, Z:

Z = element-op(X, Y) = (X * Y) mod p

The inverse function for a MODP group is defined such that the product of an element and its inverse, modulo the group prime, equals one (1). In other words,

(Q * inverse(Q)) mod p = 1

Unlike ECP groups, MODP groups do not require a mapping function to convert an element into an integer. However, for the purposes of notation in the protocol definition, the function F, when used below, shall just return the value that was passed to it, i.e., F(i) = i.

Some MODP groups in [IKEV2-IANA] are based on safe primes, and the order is not included in the group's domain parameter set. In this case only, the order, r, MUST be computed as the prime minus one, divided by two -- (p-1)/2. If an order is included in the group's domain parameter set, that value MUST be used in this exchange whenever an order is called for. If a MODP group does not include an order in its domain parameter set and is not based on a safe prime, it MUST NOT be used with this exchange.
5. Random Numbers

As with IKE itself, the security of the Secure PSK Authentication method relies upon each participant in the protocol producing quality secret random numbers. A poor random number chosen by either side in a single exchange can compromise the shared secret from that exchange and open up the possibility of a dictionary attack.

Producing quality random numbers without specialized hardware entails using a cryptographic mixing function (like a strong hash function) to mix entropy from multiple, uncorrelated sources of information and events. A very good discussion of this can be found in [RFC4086].
6. Using Passwords and Raw Keys For Authentication

The PSK used as an authentication credential with this protocol can be either a character-based password or passphrase, or it could be a binary or hexadecimal string. Regardless, this protocol requires both the Initiator and the Responder to have identical binary representations of the shared credential.

If the PSK is a character-based password or passphrase, there are two types of pre-processing that SHALL be employed to convert the password or passphrase into a hexadecimal string suitable for use with Secure PSK Authentication. If a PSK is already a hexadecimal or binary string, it SHALL be used directly as the shared credential without any pre-processing.

The first step of pre-processing is to remove ambiguities that may arise due to internationalization. Each character-based password or passphrase MUST be pre-processed to remove that ambiguity by processing the character-based password or passphrase according to the rules of the SASLprep [RFC4013] profile of [RFC3454]. The password or passphrase SHALL be considered a "stored string" per [RFC3454], and unassigned code points are therefore prohibited. The output SHALL be the binary representation of the processed UTF-8 character string. Prohibited output and unassigned code points encountered in SASLprep pre-processing SHALL cause a failure of pre-processing, and the output SHALL NOT be used with Secure PSK Authentication.

The next pre-processing step for character-based passwords or passphrases is to effectively obfuscate the string. This is done in an attempt to reduce exposure of stored passwords in the event of server compromise, or compromise of a server's database of stored passwords. The step involves taking the output of the SASLprep [RFC4013] profile of [RFC3454] and passing it, as the key, with the ASCII string "IKE Secure PSK Authentication", as the data, to HMAC-SHA256(). The output of this obfuscation step SHALL become the shared credential used with Secure PSK Authentication.

Note: Passwords tend to be shared for multiple purposes, and compromise of a server or database of stored plaintext passwords can be used, in that event, to mount multiple attacks. The obfuscation step is merely to hide the password in the event of server compromise or compromise of the database of stored passwords. Advances in distributed computing power have diminished the effectiveness of performing multiple prf iterations as a technique to prevent dictionary attacks, so no such iteration is required here. Mutually consenting implementations can agree to use a different password obfuscation method; the one described here is for interoperability purposes only.

If a device stores passwords for use at a later time, it SHOULD pre-process the password prior to storage. If a user enters a password into a device at authentication time, it MUST be pre-processed upon entry and prior to use with Secure PSK Authentication.
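The two pre-processing steps above, as an example added by the editor (not code from RFC 6617): SASLprep under the "stored string" rules of RFC 3454 (unassigned code points rejected), then the HMAC-SHA256 obfuscation step, with raw binary keys passed through untouched. It assumes the RFC 3454 tables available in Python's standard library `stringprep` module, which is built on the Unicode 3.2 database (`unicodedata.ucd_3_2_0`) that RFC 3454 specifies; the function names are the editor's.

```python
import hmac
import hashlib
import stringprep
import unicodedata

# Fixed ASCII label from Section 6; the processed password is the HMAC key.
OBFUSCATION_LABEL = b"IKE Secure PSK Authentication"

# RFC 3454 mandates the Unicode 3.2 tables; stringprep already uses them,
# so normalization is done with the matching database as well.
UCD32 = unicodedata.ucd_3_2_0


class PreprocessingError(ValueError):
    """SASLprep failed: the password MUST NOT be used (Section 6)."""


def saslprep(password: str) -> str:
    """SASLprep (RFC 4013) for a stored string."""
    # 1. Mapping: non-ASCII space characters (C.1.2) become U+0020,
    #    "commonly mapped to nothing" characters (B.1) are removed.
    mapped = []
    for ch in password:
        if stringprep.in_table_c12(ch):
            mapped.append(" ")
        elif not stringprep.in_table_b1(ch):
            mapped.append(ch)
    # 2. Normalization with form KC.
    s = UCD32.normalize("NFKC", "".join(mapped))
    # 3. Prohibited output, plus A.1 (unassigned) because the password is
    #    a stored string.
    prohibited = (
        stringprep.in_table_c12, stringprep.in_table_c21, stringprep.in_table_c22,
        stringprep.in_table_c3, stringprep.in_table_c4, stringprep.in_table_c5,
        stringprep.in_table_c6, stringprep.in_table_c7, stringprep.in_table_c8,
        stringprep.in_table_c9, stringprep.in_table_a1,
    )
    for ch in s:
        if any(check(ch) for check in prohibited):
            raise PreprocessingError("prohibited code point U+%04X" % ord(ch))
    # 4. Bidirectional rules (RFC 3454 Section 6): if any RandALCat
    #    character is present, no LCat character may be, and the first and
    #    last characters must be RandALCat.
    has_ral = any(stringprep.in_table_d1(ch) for ch in s)
    has_l = any(stringprep.in_table_d2(ch) for ch in s)
    if has_ral and (has_l or not stringprep.in_table_d1(s[0])
                    or not stringprep.in_table_d1(s[-1])):
        raise PreprocessingError("string violates the bidirectional rules")
    return s


def saslprep_ok(password: str) -> bool:
    """True if the password survives pre-processing, False if it must be rejected."""
    try:
        saslprep(password)
        return True
    except PreprocessingError:
        return False


def shared_credential(psk) -> bytes:
    """Credential handed to the Dragonfly exchange (Section 8.2 onward).

    bytes  -> a hexadecimal/binary key, used directly without pre-processing.
    str    -> a character-based password: SASLprep, UTF-8, then
              HMAC-SHA256(key = processed password, data = label).
    """
    if isinstance(psk, (bytes, bytearray)):
        return bytes(psk)
    processed = saslprep(psk).encode("utf-8")
    return hmac.new(processed, OBFUSCATION_LABEL, hashlib.sha256).digest()
```

The test strings are the worked examples of RFC 4013 Section 3. The point worth noticing is the last pair of assertions: a password typed with a soft hyphen (U+00AD) and one typed without it yield the same credential, which is exactly why both peers must run identical pre-processing before the exchange; skipping SASLprep on one side produces a silent authentication failure rather than an error.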
7. Assumptions

The security of the protocol relies on certain assumptions. They are:

1. The pseudo-random function, prf, defined in [RFC5996], acts as an "extractor" (see [RFC5869]) by distilling the entropy from a secret input into a short, fixed string. The output of prf is indistinguishable from a random source.

2. The discrete logarithm problem for the chosen finite cyclic group is hard. That is, given G, p and Y = G^x mod p, it is computationally infeasible to determine x. Similarly, for an elliptic curve group, given the curve definition, a generator G, and Y = x * G, it is computationally infeasible to determine x.

3. The pre-shared key is drawn from a finite pool of potential keys. Each possible key in the pool has equal probability of being the shared key. All potential adversaries have access to this pool of keys.
8. Secure PSK Authentication Message Exchange

The key exchange described in this memo is based on the "Dragonfly" key exchange, which has also been defined for use in 802.11 wireless networks (see [SAE]) and as an Extensible Authentication Protocol (EAP) method (see [RFC5931]). "Dragonfly" is patent-free and royalty-free. It SHALL use the same pseudo-random function (prf) and the same Diffie-Hellman group that are negotiated for use in the IKE exchange that "Dragonfly" is authenticating.

A pseudo-random function that uses a block cipher is NOT RECOMMENDED for use with Secure PSK Authentication due to its poor job operating as an "extractor" (see Section 7). Pseudo-random functions based on hash functions using the HMAC construct from [RFC2104] SHOULD be used.

To perform Secure PSK Authentication, each side must generate a shared and secret element in the chosen group based on the pre-shared key. This element, called the Secret Key Element, or SKE, is then used in the "Dragonfly" authentication and key exchange protocol. "Dragonfly" consists of each side exchanging a Commit payload and then proving knowledge of the resulting shared secret.

The Commit payload contributes ephemeral information to the exchange and binds the sender to a single value of the pre-shared key from the pool of potential pre-shared keys. An authentication payload (AUTH) proves that the pre-shared key is known and completes the zero-knowledge proof.
8.1. Negotiation of Secure PSK Authentication

The Initiator indicates its desire to use Secure PSK Authentication by adding a Notify payload of type SECURE_PASSWORD_METHODS (see [RFC6467]) to the first message of the IKE_SA_INIT exchange and by including the value 3, which identifies Secure PSK Authentication, in the notification data field of the Notify payload.

The Responder indicates its acceptance to perform Secure PSK Authentication by adding a Notify payload of type SECURE_PASSWORD_METHODS to its response in the IKE_SA_INIT exchange and by placing the sole value 3 in the notification data field of the Notify payload.

If the Responder does not include a Notify payload of type SECURE_PASSWORD_METHODS in its IKE_SA_INIT response, the Initiator MUST terminate the exchange, and it MUST NOT fall back to the PSK authentication method of [RFC5996]. If the Initiator only indicated its support for Secure PSK Authentication (i.e., if the Notify data field only contained 3) and the Responder replies with a Notify payload of type SECURE_PASSWORD_METHODS and a different value in the Notify data field, the Initiator MUST terminate the exchange.
8.2. Fixing the Secret Element, SKE

The method of fixing SKE depends on the type of group, either MODP or ECP. The function "prf+" from [RFC5996] is used as a key derivation function.

Fixing SKE involves an iterative hunting-and-pecking technique using the prime from the negotiated group's domain parameter set and an ECP- or MODP-specific operation depending on the negotiated group. This technique requires the pre-shared key to be a binary string; therefore, any pre-processing transformation (see Section 6) MUST be performed on the pre-shared key prior to fixing SKE.

To thwart side-channel attacks that attempt to determine the number of iterations of the hunting-and-pecking loop that are needed to find SKE for a given password, a security parameter, k, is used to ensure that at least k iterations are always performed.

Prior to beginning the hunting-and-pecking loop, an 8-bit counter is set to the value one (1). Then the loop begins. First, the pseudo-random function is used to generate a secret seed using the counter, the pre-shared key, and the two nonces (without the fixed headers) exchanged by the Initiator and the Responder (see Section 8.6):

ske-seed = prf(Ni | Nr, psk | counter)

Then, the ske-seed is expanded using prf+ to create an ske-value:

ske-value = prf+(ske-seed, "IKE SKE Hunting And Pecking")

where len(ske-value) is the same as len(p), the length of the prime from the domain parameter set of the negotiated group.

If ske-value is greater than or equal to the prime, p, the counter is incremented, a new ske-seed is generated, and the hunting-and-pecking continues. If ske-value is less than the prime, p, it is passed to the group-specific operation to select the SKE or fail. If the group-specific operation fails, the counter is incremented, a new ske-seed is generated, and the hunting-and-pecking continues. This process continues until the group-specific operation returns the SKE. After the SKE has been chosen, a random number is used in place of the pre-shared key in the ske-seed calculation, and the hunting-and-pecking continues until the counter is greater than the security parameter, k. The loop therefore always runs at least k times, so its running time does not reveal how many iterations the real pre-shared key needed.
The group-specific operation for ECP groups uses ske-value, ske-seed, and the equation of the curve to produce SKE. First, ske-value is used directly as the x-coordinate, x, with the equation of the elliptic curve, with parameters a and b from the domain parameter set of the curve, to solve for a y-coordinate, y.
ECP组的组特定操作使用ske值、ske种子和曲线方程生成ske。首先,ske值直接用作x坐标x,椭圆曲线方程,参数a和b来自曲线的域参数集,用于求解y坐标y。
Note: A method of checking whether a solution to the equation of the elliptic curve is to see whether the Legendre symbol of (x^3 + ax + b) equals one (1). If it does, then a solution exists; if it does not, then there is no solution.
注:检查椭圆曲线方程解的一种方法是查看(x^3+ax+b)的勒让德符号是否等于一(1)。如果是这样,那么就存在一个解决方案;如果没有,那么就没有解决办法。
If there is no solution to the equation of the elliptic curve, then the operation fails, the counter is incremented, a new ske-value and ske-seed are selected, and the hunting-and-pecking continues. If there is a solution then, y is calculated as the square root of (x^3 + ax + b) using the equation of the elliptic curve. In this case, an ambiguity exists as there are technically two solutions to the equation, and ske-seed is used to unambiguously select one of them. If the low-order bit of ske-seed is equal to the low-order bit of y, then a candidate SKE is defined as the point (x,y); if the low-order bit of ske-seed differs from the low-order bit of y then a candidate SKE is defined as the point (x, p-y) where p is the prime from the negotiated group's domain parameter set. The candidate SKE becomes the SKE, and the ECP-specific operation completes successfully.
如果椭圆曲线方程没有解,则操作失败,计数器递增,选择新的ske值和ske种子,继续狩猎和啄食。如果有解,那么y是用椭圆曲线方程计算的(x^3+ax+b)的平方根。在这种情况下,存在歧义,因为从技术上讲,方程有两个解,并且使用ske seed明确地选择其中一个。如果ske种子的低阶位等于y的低阶位,则将候选ske定义为点(x,y);如果ske seed的低阶位与y的低阶位不同,则候选ske被定义为点(x,p-y),其中p是协商组域参数集中的素数。候选SKE成为SKE,并且ECP特定操作成功完成。
Algorithmically, the process looks like this:

   found = 0
   counter = 1
   v = psk
   do {
       ske-seed = prf(Ni | Nr, v | counter)
       ske-value = prf+(ske-seed, "IKE SKE Hunting And Pecking")
       if (ske-value < p)
       then
           x = ske-value
           if ( (y = sqrt(x^3 + ax + b)) != FAIL)
           then
               if (found == 0)
               then
                   if (LSB(y) == LSB(ske-seed))
                   then
                       SKE = (x, y)
                   else
                       SKE = (x, p-y)
                   fi
                   found = 1
                   v = random()
               fi
           fi
       fi
       counter = counter + 1
   } while ((found == 0) || (counter <= k))

   where FAIL indicates that there is no solution to sqrt(x^3 + ax + b).

                  Figure 1: Fixing SKE for ECP Groups

Note: For ECP groups, the probability that more than "n" iterations of the hunting-and-pecking loop are required to find SKE is roughly (1-(r/2p))^n, which rapidly approaches zero (0) as "n" increases. (For the prime-order curves registered for IKEv2, r/2p is about one half, so roughly half of all candidate x-coordinates lie on the curve.)
The group-specific operation for MODP groups takes ske-value and the prime, p, and order, r, from the group's domain parameter set, and directly produces a candidate SKE by raising ske-value to the power ((p-1)/r) modulo the prime. This maps ske-value into the subgroup of order r. If the candidate SKE is greater than one (1), the candidate SKE becomes the SKE, and the MODP-specific operation completes successfully. Otherwise (the result is 0 or 1, neither of which generates the subgroup), the MODP-specific operation fails, and the hunting-and-pecking continues.

Algorithmically, the process looks like this:

   found = 0
   counter = 1
   v = psk
   do {
       ske-seed = prf(Ni | Nr, v | counter)
       ske-value = prf+(ske-seed, "IKE SKE Hunting And Pecking")
       if (ske-value < p)
       then
           ELE = ske-value ^ ((p-1)/r) mod p
           if (ELE > 1)
           then
               if (found == 0)
               then
                   SKE = ELE
                   found = 1
                   v = random()
               fi
           fi
       fi
       counter = counter + 1
   } while ((found == 0) || (counter <= k))

                  Figure 2: Fixing SKE for MODP Groups

Note: For MODP groups, an iteration fails (apart from the negligible chance that the exponentiation yields 0 or 1) only when ske-value is not less than p. If m is the largest unsigned number that can be expressed in len(p) bits, the probability that more than "n" iterations of the hunting-and-pecking loop are required to find SKE is roughly ((m-p)/p)^n, which rapidly approaches zero (0) as "n" increases. The primes of the MODP groups registered in [IKEV2-IANA] have all of their high-order bits set, so m-p is tiny relative to p and this probability is already very small for n = 1.
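The loops of Figures 1 and 2, as an added example in Python (this is not code from the memo). The ECP case runs over the real P-256 parameters (IKEv2 group 19) with HMAC-SHA256 as prf() and the prf+ construction of RFC 5996; the MODP case runs over a constructed toy safe prime (p = 1019, r = 509) that stands in for a registered MODP group so the whole thing runs in a moment. Three details the text above leaves to the implementer are assumed here and marked in comments: the counter is encoded as a single octet, ske-value is the leftmost len(p) bits of the prf+ output, and the low-order bit of ske-seed is the low bit of its last octet.

```python
import hashlib
import hmac
import secrets

# P-256 (IKEv2 ECP group 19) domain parameters from FIPS 186-4.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b

# Constructed toy MODP group: 1019 is a safe prime, so r = (p-1)/2 = 509.
# A registered IKEv2 MODP group has a prime of 1024 bits or more.
TOY_P, TOY_R = 1019, 509


def prf(key: bytes, data: bytes) -> bytes:
    """prf() as HMAC-SHA256, keyed as the memo's formulas write it: prf(key, data)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, data: bytes, nbytes: int) -> bytes:
    """prf+ of RFC 5996 Section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < nbytes:
        t = prf(key, t + data + bytes([n]))
        out += t
        n += 1
    return out[:nbytes]


def ecp_select(x: int, seed: bytes, p=P256_P, a=P256_A, b=P256_B):
    """ECP operation of Figure 1: (x, y) on y^2 = x^3 + ax + b, or None for FAIL."""
    rhs = (pow(x, 3, p) + a * x + b) % p
    if pow(rhs, (p - 1) // 2, p) != 1:   # Legendre symbol != 1: no square root
        return None
    assert p % 4 == 3                     # sqrt by exponentiation needs p = 3 mod 4 (P-256 qualifies)
    y = pow(rhs, (p + 1) // 4, p)
    if (y & 1) != (seed[-1] & 1):         # LSB(ske-seed) chooses between y and p - y
        y = p - y
    return (x, y)


def modp_select(v: int, seed: bytes, p=TOY_P, r=TOY_R):
    """MODP operation of Figure 2: map v into the order-r subgroup; FAIL on 0 or 1."""
    ele = pow(v, (p - 1) // r, p)
    return ele if ele > 1 else None


def hunt_and_peck(psk: bytes, ni: bytes, nr: bytes, p: int, select, k: int):
    """Generic loop shared by Figures 1 and 2; returns (SKE, iterations performed)."""
    nbits = p.bit_length()
    nbytes = (nbits + 7) // 8
    found, v, counter, iterations = None, psk, 1, 0
    while found is None or counter <= k:
        assert counter < 256, "one-octet counter exhausted"          # encoding assumption
        ske_seed = prf(ni + nr, v + bytes([counter]))                # counter as one octet
        raw = prf_plus(ske_seed, b"IKE SKE Hunting And Pecking", nbytes)
        ske_value = int.from_bytes(raw, "big") >> (8 * nbytes - nbits)  # leftmost len(p) bits
        if ske_value < p:
            candidate = select(ske_value, ske_seed)
            if candidate is not None and found is None:
                found = candidate
                v = secrets.token_bytes(32)   # keep looping on a random "password" until counter > k
        counter += 1
        iterations += 1
    return found, iterations


def fix_ske_ecp(psk: bytes, ni: bytes, nr: bytes, k: int = 40):
    return hunt_and_peck(psk, ni, nr, P256_P, ecp_select, k)


def fix_ske_modp(psk: bytes, ni: bytes, nr: bytes, k: int = 40):
    return hunt_and_peck(psk, ni, nr, TOY_P, modp_select, k)


def on_p256(pt) -> bool:
    x, y = pt
    return (y * y - (pow(x, 3, P256_P) + P256_A * x + P256_B)) % P256_P == 0


# Constructed nonces and pre-shared key for a stand-alone run.
NI = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
NR = bytes.fromhex("ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100")
PSK = b"correct horse"

if __name__ == "__main__":
    ske, n = fix_ske_ecp(PSK, NI, NR)
    print("P-256 SKE x =", hex(ske[0]), "after", n, "iterations (k = 40)")
    ele, n = fix_ske_modp(PSK, NI, NR)
    print("toy MODP SKE =", ele, "after", n, "iterations")
```

The SKE is a deterministic function of the pre-shared key and the two nonces; the random value substituted for the password after the SKE is found only pads the iteration count up to k, which is why running the function twice with the same inputs yields the same point.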
The payloads used in the Secure PSK Authentication method contain elements from the negotiated group and scalar values. To ensure interoperability, scalars and field elements MUST be represented in payloads in accordance with the requirements in this section.

Scalars MUST be represented (in binary form) as unsigned integers that are strictly less than r, the order of the generator of the agreed-upon cryptographic group. The binary representation of each scalar MUST have a bit length equal to the bit length of the binary representation of r. This requirement is enforced, if necessary, by prepending the binary representation of the integer with zeros until the required length is achieved.

Scalars in the form of unsigned integers are converted into octet strings and back again using the technique described in [RFC6090].

Elements in ECP groups are points on the negotiated elliptic curve. Each such element MUST be represented by the concatenation of two components, an x-coordinate and a y-coordinate.

Each of the two components, the x-coordinate and the y-coordinate, MUST be represented (in binary form) as an unsigned integer that is strictly less than the prime, p, from the group's domain parameter set. The binary representation of each component MUST have a bit length equal to the bit length of the binary representation of p. This length requirement is enforced, if necessary, by prepending the binary representation of the integer with zeros until the required length is achieved.

The unsigned integers that represent the coordinates of the point are converted into octet strings and back again using the technique described in [RFC6090].

Since the field element is represented in a payload by the x-coordinate followed by the y-coordinate, it follows that the length of the element in the payload MUST be twice the bit length of p.

Elements in MODP groups MUST be represented (in binary form) as unsigned integers that are strictly less than the prime, p, from the group's domain parameter set. The binary representation of each group element MUST have a bit length equal to the bit length of the binary representation of p. This length requirement is enforced, if necessary, by prepending the binary representation of the integer with zeros until the required length is achieved.

The unsigned integer that represents a MODP element is converted into an octet string and back using the technique described in [RFC6090].
Before a Commit payload can be generated, the SKE must be fixed using the process described in Section 8.2.

A Commit payload has two components, a scalar and an element. To generate a Commit payload, two random numbers, a "private" value and a "mask" value, are generated (see Section 5). Their sum modulo the order of the group, r, becomes the scalar component:

   scalar = (private + mask) mod r

If the scalar is not greater than one (1), the private and mask values MUST be thrown away, and new values randomly generated. If the scalar is greater than one (1), the inverse of the scalar operation of the mask with the SKE becomes the element component:

   Element = inverse(scalar-op(mask, SKE))

The "private" value is retained for the shared secret derivation (Section 8.4.3); the "mask" value is not used again once the Element has been computed. The Commit payload consists of the scalar followed by the element, and the scalar and element are encoded in the Commit payload according to Section 8.3.
Upon receipt of a peer's Commit payload, the scalar and element MUST be validated. The processing of an element depends on the type, either an ECP element or a MODP element.

Validating a received ECP element involves: 1) checking whether the two coordinates, x and y, are both greater than zero (0) and less than the prime defining the underlying field; and 2) checking whether the x- and y-coordinates satisfy the equation of the curve (that is, that they describe a valid point on the curve; coordinates in that range cannot describe the point at infinity, "0"). If either of these conditions is not met, the received element is invalid; otherwise, the received element is valid. Note that the ECP groups registered for IKEv2 have cofactor one, so any point that satisfies the curve equation lies in the group of order r; on a curve with a cofactor greater than one, a further check that the point is not in a small subgroup would be required.

A received MODP element is valid if: 1) it is between one (1) and the prime, p, exclusive; and 2) modular exponentiation of the element by the group order, r, equals one (1). The second check confirms that the element lies in the subgroup of order r rather than in a small subgroup of the multiplicative group modulo p. If either of these conditions is not true, the received element is invalid; otherwise, the received element is valid.

Commit payload validation is accomplished by the following steps:

1. The length of the Commit payload is checked against its anticipated length (the anticipated length of the scalar plus the anticipated length of the element, for the negotiated group). If it is incorrect, the Commit payload is invalidated; otherwise, processing continues.

2. The peer's scalar is extracted from the Commit payload according to Section 8.3.1 and checked to ensure it is between one (1) and r, the order of the negotiated group, exclusive. If it is not, the Commit payload is invalidated; otherwise, processing continues.

3. The peer's element is extracted from the Commit payload according to Section 8.3.2 and checked in a manner that depends on the type of group negotiated. If the group is ECP, the element is validated according to Section 8.4.2.1. If the group is MODP, the element is validated according to Section 8.4.2.2. If the element is not valid, then the Commit payload is invalidated; otherwise, the Commit payload is validated.

4. The Initiator of the IKE exchange has an added requirement to verify that the received element and scalar from the Commit payload differ from the element and scalar it sent to the Responder. If they are identical, it signifies a reflection attack, and the Commit payload is invalidated.

If the Commit payload is invalidated, the payload MUST be discarded and the IKE exchange aborted.
After a Commit payload has been generated and a peer's Commit payload has been processed, a shared secret used to authenticate the peer is derived. Using SKE, the "private" value generated as part of Commit payload generation, and the peer's scalar and element from the peer's Commit payload, named here peer-scalar and Peer-Element, respectively, a preliminary shared secret, skey, is generated as:

   skey = F(scalar-op(private,
                      element-op(Peer-Element,
                                 scalar-op(peer-scalar, SKE))))

For the purposes of subsequent computation, the bit length of skey SHALL be equal to the bit length of the prime, p, used in either a MODP or ECP group. This bit length SHALL be enforced, if necessary, by prepending zeros to the value until the required length is achieved.

A shared secret, ss, is then computed from skey and the nonces exchanged by the Initiator (Ni) and Responder (Nr) (without the fixed headers) using prf():

   ss = prf(Ni | Nr, skey | "Secure PSK Authentication in IKE")

The shared secret, ss, is used in an AUTH authentication payload to prove possession of the shared secret and therefore knowledge of the pre-shared key.
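The encoding rules of Section 8.3, the Commit generation and validation steps of Sections 8.4.1 and 8.4.2, and the shared secret derivation just described, carried through end to end over P-256 (IKEv2 group 19) as an added Python example; it is not code from the memo. Fixing the SKE is the subject of Section 8.2, so a fixed point (the P-256 generator) stands in for it here; the nonces are constructed; prf() is HMAC-SHA256; F() is assumed to be the x-coordinate of the point; and the "private" and "mask" values are assumed to be drawn uniformly from [1, r-1]. The validation function raises on every condition that invalidates a Commit payload, including the Initiator's reflection check.

```python
import hashlib
import hmac
import secrets

# P-256 (IKEv2 ECP group 19) domain parameters from FIPS 186-4.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
R = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
LEN_P = (P.bit_length() + 7) // 8   # 32 octets per coordinate
LEN_R = (R.bit_length() + 7) // 8   # 32 octets per scalar
COMMIT_LEN = LEN_R + 2 * LEN_P      # anticipated Commit length for group 19 (step 1)


def element_op(p1, p2):
    """Point addition in affine coordinates; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_op(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = None
    while k:
        if k & 1:
            acc = element_op(acc, pt)
        pt, k = element_op(pt, pt), k >> 1
    return acc


def inverse(pt):
    return (pt[0], (-pt[1]) % P)


def F(pt):
    return pt[0]   # assumption: F() is the x-coordinate for ECP groups


def encode_commit(scalar, element):
    """Section 8.3: fixed-width big-endian integers, zero-padded (RFC 6090 conversion)."""
    return (scalar.to_bytes(LEN_R, "big")
            + element[0].to_bytes(LEN_P, "big")
            + element[1].to_bytes(LEN_P, "big"))


def validate_commit(payload, own_commit=None):
    """Section 8.4.2 steps 1-4; raises ValueError, meaning abort the exchange."""
    if len(payload) != COMMIT_LEN:
        raise ValueError("wrong Commit length")
    scalar = int.from_bytes(payload[:LEN_R], "big")
    x = int.from_bytes(payload[LEN_R:LEN_R + LEN_P], "big")
    y = int.from_bytes(payload[LEN_R + LEN_P:], "big")
    if not 1 < scalar < R:
        raise ValueError("scalar not in (1, r)")
    if not (0 < x < P and 0 < y < P):
        raise ValueError("coordinate not in (0, p)")
    if (y * y - (pow(x, 3, P) + A * x + B)) % P != 0:
        raise ValueError("point not on the curve")
    if own_commit is not None and payload == own_commit:   # Initiator-only check (step 4)
        raise ValueError("reflection attack: peer echoed our Commit")
    return scalar, (x, y)


def generate_commit(ske):
    """Section 8.4.1; returns the retained "private" value and the Commit octets."""
    while True:
        private = 1 + secrets.randbelow(R - 1)   # assumed range [1, r-1]
        mask = 1 + secrets.randbelow(R - 1)
        scalar = (private + mask) % R
        if scalar > 1:
            break
    return private, encode_commit(scalar, inverse(scalar_op(mask, ske)))


def shared_secret(private, ske, peer_scalar, peer_element, ni, nr):
    """Section 8.4.3: skey, zero-padded to len(p), then ss = prf(Ni | Nr, skey | label)."""
    k = scalar_op(private, element_op(peer_element, scalar_op(peer_scalar, ske)))
    skey = F(k).to_bytes(LEN_P, "big")
    return hmac.new(ni + nr, skey + b"Secure PSK Authentication in IKE", hashlib.sha256).digest()


def run_exchange(ske_i, ske_r, ni, nr):
    """Both sides generate, validate and derive; returns (ss at Initiator, ss at Responder)."""
    priv_i, com_i = generate_commit(ske_i)
    priv_r, com_r = generate_commit(ske_r)
    s_r, e_r = validate_commit(com_r, own_commit=com_i)   # Initiator processes COMr
    s_i, e_i = validate_commit(com_i)                     # Responder processes COMi
    return (shared_secret(priv_i, ske_i, s_r, e_r, ni, nr),
            shared_secret(priv_r, ske_r, s_i, e_i, ni, nr))


# Constructed nonces; G stands in for the SKE of Section 8.2.
NI = bytes(range(32))
NR = bytes(range(32, 64))

if __name__ == "__main__":
    ss_i, ss_r = run_exchange(G, G, NI, NR)
    print("ss agrees:", ss_i == ss_r)
```

The algebra behind the agreement is worth seeing once: the Initiator computes private_i * (Element_r + peer-scalar_r * SKE) = private_i * (-mask_r + private_r + mask_r) * SKE = private_i * private_r * SKE, and the Responder computes the same point with the roles swapped. If the two sides fixed different SKEs (different pre-shared keys), the masks no longer cancel and the secrets differ.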
[RFC6467] defines a Generic Secure Password Method (GSPM) payload that is used to convey information that is specific to a particular secure password method. This memo uses the GSPM payload as a Commit payload to contain the scalar and element used in the Secure PSK Authentication exchange.

The Commit payload is defined as follows:

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ! Next Payload  !C!  RESERVED   !         Payload Length        !
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                            scalar                             ~
   |                                                               |
   ~               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+               |
   |               |                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               ~
   |                                                               |
   ~                            Element                            ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The scalar and element SHALL be encoded in the Commit payload according to Section 8.3.
Secure PSK Authentication modifies the IKE_AUTH exchange by adding one additional round trip to exchange Commit payloads to perform the Secure PSK Authentication exchange and by changing the calculation of the AUTH payload data to bind the IKEv2 exchange to the outcome of the Secure PSK Authentication exchange (see Figure 3).

   Initiator                                   Responder
   -----------                                 -----------

   IKE_SA_INIT:

   HDR, SAi1, KEi, Ni, N(SPM-SPSK)  -->

                               <--  HDR, SAr1, KEr, Nr, N(SPM-SPSK)

   IKE_AUTH:

   HDR, SK {IDi, COMi, [IDr,] SAi2, TSi, TSr}  -->

                               <--  HDR, SK {IDr, COMr}

   HDR, SK {AUTHi}  -->

                               <--  HDR, SK {AUTHr, SAr2, TSi, TSr}

where N(SPM-SPSK) indicates the Secure Password Methods Notify payloads used to negotiate the use of Secure PSK Authentication (see Section 8.1), COMi and AUTHi are the Commit payload and AUTH payload, respectively, sent by the Initiator, and COMr and AUTHr are the Commit payload and AUTH payload, respectively, sent by the Responder.

                     Figure 3: Secure PSK in IKEv2
When doing Secure PSK Authentication, the AUTH payloads SHALL be computed as

   AUTHi = prf(ss, <InitiatorSignedOctets> | COMi | COMr)

   AUTHr = prf(ss, <ResponderSignedOctets> | COMr | COMi)

where "ss" is the shared secret derived in Section 8.4.3, COMi and COMr are the entire Commit payloads (including the fixed headers) sent by the Initiator and Responder, respectively, and <InitiatorSignedOctets> and <ResponderSignedOctets> are defined in [RFC5996]. Keying the prf with ss binds each AUTH payload to knowledge of the pre-shared key, and including both Commit payloads binds it to this particular run of the exchange. The Authentication Method indicated in both AUTH payloads SHALL be "Generic Secure Password Authentication Method", value 12, from [IKEV2-IANA].

IANA Considerations

IANA has assigned the value 3 for "Secure PSK Authentication" from the Secure Password Authentication Method registry in [IKEV2-IANA].
Security Considerations

Both the Initiator and Responder obtain a shared secret, "ss" (see Section 8.4.3), based on a secret group element and their own private values contributed to the exchange. If they do not share the same pre-shared key, they will be unable to derive the same secret group element, and if they do not share the same secret group element, they will be unable to derive the same shared secret.

Resistance to dictionary attack means that the adversary must launch an active attack to make a single guess at the pre-shared key. If the size of the pool from which the key was extracted was d and each key in the pool has an equal probability of being chosen, then the probability of success after a single guess is 1/d. After x guesses, and removal of failed guesses from the pool of possible keys, the probability becomes 1/(d-x). As x grows, so does the probability of success. Therefore, it is possible for an adversary to determine the pre-shared key through repeated brute-force, active, guessing attacks. This authentication method does not presume to be secure against this, and implementations SHOULD ensure the value of d is sufficiently large to prevent this attack. Implementations SHOULD also take countermeasures, for instance, refusing authentication attempts for a certain amount of time after the number of failed authentication attempts reaches a certain threshold. No such threshold or amount of time is recommended in this memo.

An active attacker can impersonate the Responder of the exchange and send a forged Commit payload after receiving the Initiator's Commit payload. The attacker then waits until it receives the AUTH payload from the Initiator. Now the attacker can attempt to run through all possible values of the pre-shared key, computing SKE (see Section 8.2), computing "ss" (see Section 8.4.3), and attempting to recreate the AUTH payload it received.

But, by sending a forged Commit payload, the attacker commits to a single guess of the pre-shared key: the Element in that Commit payload was computed from one particular SKE, and that SKE was used by the honest party in its computation of "ss", which in turn keyed the AUTH payload. Any guess of the pre-shared key that differs from the one used in the forged Commit payload would result in each side using a different secret element in the computation of "ss", and therefore the AUTH payload could not be verified as correct, even if a subsequent guess, while running through all possible values, was correct. The attacker gets one guess, and one guess only, per active attack.

An attacker, acting as either the Initiator or Responder, can take the element from the Commit payload received from the other party, reconstruct the random "mask" value used in its construction, and then recover the other party's "private" value from the scalar in the Commit payload. But this requires the attacker to solve the discrete logarithm problem, which we assumed was intractable (Section 7).

Instead of attempting to guess at pre-shared keys, an attacker can attempt to determine SKE and then launch an attack, but SKE is determined by the output of the pseudo-random function, prf, which is assumed to be indistinguishable from a random source (Section 7). Therefore, each element of the finite cyclic group will have an equal probability of being the SKE. The probability of guessing SKE will be 1/r, where r is the order of the group. This is the same probability as guessing the solution to the discrete logarithm, which is assumed to be intractable (Section 7). The attacker would have a better chance of success at guessing the input to prf, i.e., the pre-shared key, since the order of the group will be many orders of magnitude greater than the size of the pool of pre-shared keys.

The implications of resistance to dictionary attack are significant. An implementation can provision a pre-shared key in a practical and realistic manner -- i.e., it MAY be a character string, and it MAY be relatively short -- and still maintain security. The nature of the pre-shared key determines the size of the pool, d, and countermeasures can prevent an adversary from determining the secret in the only possible way: repeated, active, guessing attacks. For example, a simple four-character string using lowercase English characters, and assuming random selection of those characters, will result in d of over four hundred thousand (26^4 = 456,976). An adversary would need to mount over one hundred thousand active, guessing attacks (which will easily be detected) before gaining any significant advantage in determining the pre-shared key.

If an attacker knows the number of hunting-and-pecking loops that were required to determine SKE, it is possible to eliminate passwords from the pool of potential passwords and increase the probability of successfully guessing the real password. MODP groups will require more than "n" loops with a probability based on the value of the prime -- if m is the largest unsigned number that can be expressed in len(p) bits, then the probability is ((m-p)/p)^n -- which will typically be very small for the groups defined in [IKEV2-IANA]. ECP groups will require more than "n" loops with a probability of roughly (1-(r/2p))^n. Therefore, a security parameter, k, is defined that will ensure that at least k loops will always be executed regardless of whether SKE is found in fewer than k loops. There is still a probability that a password would require more than k loops, and a side-channel attacker could use that information to his advantage, so selection of the value of k should be based on a trade-off between the additional workload to always perform k iterations and the potential of providing information to a side-channel attacker. It is important to note that the possibility of a successful side-channel attack is greater against ECP groups than MODP groups, since roughly half of the ECP iterations fail while almost none of the MODP iterations do, and it might be appropriate to have separate values of k for the two. Padding the iteration count does not by itself make each iteration constant-time; an implementation should also avoid early exits and password-dependent branches inside the loop body.

For a more detailed discussion of the security of the key exchange underlying this authentication method, see [SAE] and [RFC5931].
Acknowledgements

The author would like to thank Scott Fluhrer and Hideyuki Suzuki for their insight in discovering flaws in earlier versions of the key exchange that underlies this authentication method and for their helpful suggestions in improving it. Thanks to Lily Chen for useful advice on the hunting-and-pecking technique to "hash into" an element in a group and to Jin-Meng Ho for a discussion on countering a small sub-group attack. Rich Davis suggested several checks on received messages that greatly increase the security of the underlying key exchange. Hugo Krawczyk suggested using the prf as an extractor.
Normative References

[IKEV2-IANA] IANA, "IKEv2 Parameters", <http://www.iana.org/assignments/ikev2-parameters>.

[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC3454] Hoffman, P. and M. Blanchet, "Preparation of Internationalized Strings ("stringprep")", RFC 3454, December 2002.

[RFC4013] Zeilenga, K., "SASLprep: Stringprep Profile for User Names and Passwords", RFC 4013, February 2005.

[RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, "Internet Key Exchange Protocol Version 2 (IKEv2)", RFC 5996, September 2010.

[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic Curve Cryptography Algorithms", RFC 6090, February 2011.

[RFC6467] Kivinen, T., "Secure Password Framework for Internet Key Exchange Version 2 (IKEv2)", RFC 6467, December 2011.

Informative References

[BM92] Bellovin, S. and M. Merritt, "Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks", Proceedings of the IEEE Symposium on Security and Privacy, Oakland, 1992.

[BMP00] Boyko, V., MacKenzie, P., and S. Patel, "Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman", Proceedings of Eurocrypt 2000, LNCS 1807, Springer-Verlag, 2000.

[BPR00] Bellare, M., Pointcheval, D., and P. Rogaway, "Authenticated Key Exchange Secure Against Dictionary Attacks", Advances in Cryptology -- Eurocrypt '00, Lecture Notes in Computer Science, Springer-Verlag, 2000.

[RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, June 2005.

[RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005.

[RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)", RFC 5869, May 2010.

[RFC5931] Harkins, D. and G. Zorn, "Extensible Authentication Protocol (EAP) Authentication Using Only a Password", RFC 5931, August 2010.

[SAE] Harkins, D., "Simultaneous Authentication of Equals: A Secure, Password-Based Key Exchange for Mesh Networks", Proceedings of the 2008 Second International Conference on Sensor Technologies and Applications, Volume 00, 2008.
Author's Address

Dan Harkins
Aruba Networks
1322 Crossman Avenue
Sunnyvale, CA 94089-1113
United States of America

EMail: dharkins@arubanetworks.com