Internet Research Task Force (IRTF) D. Harkins, Ed. Request for Comments: 7664 Aruba Networks Category: Informational November 2015 ISSN: 2070-1721
Internet Research Task Force (IRTF) D. Harkins, Ed. Request for Comments: 7664 Aruba Networks Category: Informational November 2015 ISSN: 2070-1721
Dragonfly Key Exchange
蜻蜓密钥交换
Abstract
摘要
This document specifies a key exchange using discrete logarithm cryptography that is authenticated using a password or passphrase. It is resistant to active attack, passive attack, and offline dictionary attack. This document is a product of the Crypto Forum Research Group (CFRG).
本文档指定使用离散对数加密的密钥交换,该加密使用密码或密码短语进行身份验证。它可以抵抗主动攻击、被动攻击和离线字典攻击。本文件是加密论坛研究组(CFRG)的产品。
Status of This Memo
关于下段备忘
This document is not an Internet Standards Track specification; it is published for informational purposes.
本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。
This document is a product of the Internet Research Task Force (IRTF). The IRTF publishes the results of Internet-related research and development activities. These results might not be suitable for deployment. This RFC represents the individual opinion(s) of one or more members of the Crypto Forum Research Group of the Internet Research Task Force (IRTF). Documents approved for publication by the IRSG are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
本文件是互联网研究工作组(IRTF)的产品。IRTF发布互联网相关研究和开发活动的结果。这些结果可能不适合部署。本RFC代表互联网研究工作队(IRTF)加密论坛研究小组一名或多名成员的个人意见。IRSG批准发布的文件不适用于任何级别的互联网标准;见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7664.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc7664.
Copyright Notice
版权公告
Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2015 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 2 1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 3 1.2.1. Notations . . . . . . . . . . . . . . . . . . . . . . 3 1.2.2. Resistance to Dictionary Attack . . . . . . . . . . . 3 2. Discrete Logarithm Cryptography . . . . . . . . . . . . . . . 4 2.1. Elliptic Curve Cryptography . . . . . . . . . . . . . . . 4 2.2. Finite Field Cryptography . . . . . . . . . . . . . . . . 5 3. The Dragonfly Key Exchange . . . . . . . . . . . . . . . . . 6 3.1. Assumptions . . . . . . . . . . . . . . . . . . . . . . . 7 3.2. Derivation of the Password Element . . . . . . . . . . . 8 3.2.1. Hunting and Pecking with ECC Groups . . . . . . . . . 10 3.2.2. Hunting and Pecking with MODP Groups . . . . . . . . 12 3.3. The Commit Exchange . . . . . . . . . . . . . . . . . . . 13 3.4. The Confirm Exchange . . . . . . . . . . . . . . . . . . 14 4. Security Considerations . . . . . . . . . . . . . . . . . . . 15 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 5.1. Normative References . . . . . . . . . . . . . . . . . . 16 5.2. Informative References . . . . . . . . . . . . . . . . . 16 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 18 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 18
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 2 1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 3 1.2.1. Notations . . . . . . . . . . . . . . . . . . . . . . 3 1.2.2. Resistance to Dictionary Attack . . . . . . . . . . . 3 2. Discrete Logarithm Cryptography . . . . . . . . . . . . . . . 4 2.1. Elliptic Curve Cryptography . . . . . . . . . . . . . . . 4 2.2. Finite Field Cryptography . . . . . . . . . . . . . . . . 5 3. The Dragonfly Key Exchange . . . . . . . . . . . . . . . . . 6 3.1. Assumptions . . . . . . . . . . . . . . . . . . . . . . . 7 3.2. Derivation of the Password Element . . . . . . . . . . . 8 3.2.1. Hunting and Pecking with ECC Groups . . . . . . . . . 10 3.2.2. Hunting and Pecking with MODP Groups . . . . . . . . 12 3.3. The Commit Exchange . . . . . . . . . . . . . . . . . . . 13 3.4. The Confirm Exchange . . . . . . . . . . . . . . . . . . 14 4. Security Considerations . . . . . . . . . . . . . . . . . . . 15 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 5.1. Normative References . . . . . . . . . . . . . . . . . . 16 5.2. Informative References . . . . . . . . . . . . . . . . . 16 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 18 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 18
Passwords and passphrases are the predominant way of doing authentication in the Internet today. Many protocols that use passwords and passphrases for authentication exchange password-derived data as a proof-of-knowledge of the password (for example, [RFC7296] and [RFC5433]). This opens the exchange up to an offline dictionary attack where the attacker gleans enough knowledge from either an active or passive attack on the protocol to run through a pool of potential passwords and compute verifiers until it is able to match the password-derived data.
密码和密码短语是当今互联网上进行身份验证的主要方式。许多使用密码和密码短语进行身份验证的协议交换密码派生数据作为密码知识的证明(例如,[RFC7296]和[RFC5433])。这将使exchange面临脱机字典攻击,攻击者从协议的主动或被动攻击中收集足够的知识,以通过潜在密码池和计算验证器运行,直到能够匹配密码派生的数据。
This protocol employs discrete logarithm cryptography to perform an efficient exchange in a way that performs mutual authentication using a password that is provably resistant to an offline dictionary attack. Consensus of the CFRG for this document was rough.
该协议采用离散对数加密,以一种使用可证明抵抗脱机字典攻击的密码执行相互身份验证的方式执行有效交换。CFRG对本文件的共识是粗略的。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119[RFC2119]中所述进行解释。
The following notations are used in this memo.
本备忘录中使用了以下符号。
password A shared, secret, and potentially low-entropy word, phrase, code, or key used as a credential to mutually authenticate the peers. It is not restricted to characters in a human language.
密码一个共享的、秘密的、可能是低熵的字、短语、代码或密钥,用作相互认证对等方的凭证。它不限于人类语言中的字符。
a | b denotes concatenation of bit string "a" with bit string "b".
a | b表示位字符串“a”与位字符串“b”的串联。
len(a) indicates the length in bits of the bit string "a".
len(a)表示位字符串“a”的位长度。
lsb(a) returns the least-significant bit of the bit string "a".
lsb(a)返回位字符串“a”的最低有效位。
lgr(a,b) takes "a" and a prime, "b", and returns the Legendre symbol (a/b).
lgr(a,b)接受“a”和素数“b”,并返回勒让德符号(a/b)。
min(a,b) returns the lexicographical minimum of strings "a" and "b", or zero (0) if "a" equals "b".
min(a,b)返回字符串“a”和“b”的字典最小值,如果“a”等于“b”,则返回零(0)。
max(a,b) returns the lexicographical maximum of strings "a" and "b", or zero (0) if "a" equals "b".
max(a,b)返回字符串“a”和“b”的字典最大值,如果“a”等于“b”,则返回零(0)。
The convention for this memo is to represent an element in a finite cyclic group with an uppercase letter or acronym, while a scalar is indicated with a lowercase letter or acronym. An element that represents a point on an elliptic curve has an implied composite nature -- i.e., it has both an x- and y-coordinate.
本备忘录的惯例是用大写字母或首字母缩写表示有限循环组中的元素,而标量用小写字母或首字母缩写表示。表示椭圆曲线上的点的元素具有隐含的复合性质,即它同时具有x坐标和y坐标。
Resistance to dictionary attack means that any advantage an adversary can gain must be directly related to the number of interactions she makes with an honest protocol participant and not through computation. The adversary will not be able to obtain any information about the password except whether a single guess from a protocol run is correct or incorrect.
抵抗字典攻击意味着对手所能获得的任何优势都必须与她与诚实协议参与者的交互次数直接相关,而不是通过计算。对手将无法获得有关密码的任何信息,除非协议运行中的一次猜测是正确的还是不正确的。
Dragonfly uses discrete logarithm cryptography to achieve authentication and key agreement (see [SP800-56A]). Each party to the exchange derives ephemeral keys with respect to a particular set of domain parameters (referred to here as a "group"). A group can be based on Finite Field Cryptography (FFC) or Elliptic Curve Cryptography (ECC).
蜻蜓使用离散对数加密实现身份验证和密钥协商(见[SP800-56A])。交换的每一方都获得与特定域参数集(此处称为“组”)相关的临时密钥。组可以基于有限域加密(FFC)或椭圆曲线加密(ECC)。
Three operations are defined for both types of groups:
两种类型的组都定义了三种操作:
o "scalar operation" -- takes a scalar and an element in the group to produce another element -- Z = scalar-op(x, Y).
o “标量运算”——获取组中的标量和元素以生成另一个元素——Z=标量op(x,Y)。
o "element operation" -- takes two elements in the group to produce a third -- Z = element-op(X, Y).
o “元素操作”--获取组中的两个元素以生成第三个元素--Z=元素op(X,Y)。
o "inverse operation" -- takes an element and returns another element such that the element operation on the two produces the identity element of the group -- Y = inverse(X).
o “反向操作”--获取一个元素并返回另一个元素,以便对这两个元素的元素操作生成组的标识元素——Y=反向(X)。
Domain parameters for the ECC groups used by Dragonfly are:
蜻蜓使用的ECC组的域参数为:
o A prime, p, determining a prime field GF(p). The cryptographic group will be a subgroup of the full elliptic curve group that consists of points on an elliptic curve -- elements from GF(p) that satisfy the curve's equation -- together with the "point at infinity" that serves as the identity element. The group operation for ECC groups is addition of points on the elliptic curve.
o 素数,p,决定素数域GF(p)。密码组将是完整椭圆曲线组的一个子组,由椭圆曲线上的点组成——满足曲线方程的GF(p)元素——以及作为身份元素的“无穷远点”。ECC群的群运算是在椭圆曲线上加点。
o Elements a and b from GF(p) that define the curve's equation. The point (x, y) in GF(p) x GF(p) is on the elliptic curve if and only if (y^2 - x^3 - a*x - b) mod p equals zero (0).
o 定义曲线方程的GF(p)中的元素a和b。GF(p)xgf(p)中的点(x,y)在椭圆曲线上当且仅当(y^2-x^3-a*x-b)mod p等于零(0)。
o A point, G, on the elliptic curve, which serves as a generator for the ECC group. G is chosen such that its order, with respect to elliptic curve addition, is a sufficiently large prime.
o 椭圆曲线上的一个点G,用作ECC组的生成器。选择G,使其相对于椭圆曲线加法的阶数是一个足够大的素数。
o A prime, q, which is the order of G, and thus is also the size of the cryptographic subgroup that is generated by G.
o 素数q是G的阶数,因此也是由G生成的加密子群的大小。
An (x,y) pair is a valid ECC element if: 1) the x- and y-coordinates are both greater than zero (0) and less than the prime defining the underlying field; and, 2) the x- and y-coordinates satisfy the equation for the curve and produce a valid point on the curve that is
(x,y)对是有效的ECC元素,前提是:1)x坐标和y坐标均大于零(0)且小于定义基础字段的素数;x坐标和y坐标满足曲线方程,并在曲线上生成一个有效点,即
not the point at infinity. If either one of those conditions do not hold, the (x,y) pair is not a valid element.
不是无穷远处的点。如果其中任何一个条件不成立,则(x,y)对不是有效元素。
The scalar operation is addition of a point on the curve with itself a number of times. The point Y is multiplied x times to produce another point Z:
标量运算是将曲线上的一个点与自身相加若干次。将点Y乘以x,生成另一个点Z:
Z = scalar-op(x, Y) = x*Y
Z = scalar-op(x, Y) = x*Y
The element operation is addition of two points on the curve. Points X and Y are summed to produce another point Z:
元素操作是在曲线上添加两个点。将点X和Y相加以生成另一个点Z:
Z = element-op(X, Y) = X + Y
Z = element-op(X, Y) = X + Y
The inverse function is defined such that the sum of an element and its inverse is "0", the point at infinity of an elliptic curve group:
定义反函数时,元素及其逆的和为“0”,即椭圆曲线群无穷远处的点:
R + inverse(R) = "0"
R + inverse(R) = "0"
Elliptic curve groups require a mapping function, q = F(Q), to convert a group element to an integer. The mapping function used in this memo returns the x-coordinate of the point it is passed.
椭圆曲线组需要一个映射函数q=F(q),将组元素转换为整数。此备忘录中使用的映射函数返回所传递点的x坐标。
scalar-op(x, Y) can be viewed as x iterations of element-op() by defining:
通过定义以下内容,可以将标量op(x,Y)视为元素-op()的x次迭代:
Y = scalar-op(1, Y)
Y=标量op(1,Y)
Y = scalar-op(x, Y) = element-op(Y, scalar-op(x-1, Y)), for x > 1
Y = scalar-op(x, Y) = element-op(Y, scalar-op(x-1, Y)), for x > 1
A definition of how to add two points on an elliptic curve (i.e., element-op(X, Y)) can be found in [RFC6090].
如何在椭圆曲线上添加两点(即元素op(X,Y))的定义见[RFC6090]。
Note: There is another elliptic curve domain parameter, a cofactor, h, that is defined by the requirement that the size of the full elliptic curve group (including "0") be the product of h and q. Elliptic curve groups used with Dragonfly authentication MUST have a cofactor of one (1).
注意:还有另一个椭圆曲线域参数,一个辅因子h,它是由完整椭圆曲线组(包括“0”)的大小是h和q的乘积的要求定义的。与蜻蜓身份验证一起使用的椭圆曲线组必须具有一(1)个辅因子。
Domain parameters for the FFC groups used in Dragonfly are:
蜻蜓中使用的FFC组的域参数为:
o A prime, p, determining a prime field GF(p), the integers modulo p. The FFC group will be a subgroup of GF(p)*, the multiplicative group of non-zero elements in GF(p). The group operation for FFC groups is multiplication modulo p.
o 一个素数,p,决定一个素数域GF(p),模p的整数。FFC群将是GF(p)*的子群,GF(p)中非零元素的乘法群。FFC组的组运算是乘法模p。
o An element, G, in GF(p)* which serves as a generator for the FFC group. G is chosen such that its multiplicative order is a sufficiently large prime divisor of ((p-1)/2).
o GF(p)*中的一个元素G,用作FFC组的生成器。选择G,使其乘法阶为((p-1)/2)的足够大的素因子。
o A prime, q, which is the multiplicative order of G, and thus also the size of the cryptographic subgroup of GF(p)* that is generated by G.
o 素数q,是G的乘法阶,因此也是G生成的GF(p)*的密码子群的大小。
A number is a valid element in an FFC group if: 1) it is between one (1) and one (1) less than the prime, p, exclusive (i.e., 1 < element < p-1); and, 2) if modular exponentiation of the element by the group order, q, equals one (1). If either one of those conditions do not hold, the number is not a valid element.
如果一个数字比素数p(互斥)小一(1)到一(1)个之间(即1<元素<p-1),则该数字是FFC组中的有效元素;并且,2)如果元素的群阶q的模幂等于1(1)。如果其中任何一个条件不成立,则该数字不是有效元素。
The scalar operation is exponentiation of a generator modulo a prime. An element Y is taken to the x-th power modulo the prime returning another element, Z:
标量运算是生成元与素数的幂运算。一个元素Y被取为与返回另一个元素Z的素数的x次幂模:
Z = scalar-op(x, Y) = Y^x mod p
Z = scalar-op(x, Y) = Y^x mod p
The element operation is modular multiplication. Two elements, X and Y, are multiplied modulo the prime returning another element, Z:
元素运算是模乘运算。两个元素X和Y乘以返回另一个元素Z的素数:
Z = element-op(X, Y) = (X * Y) mod p
Z = element-op(X, Y) = (X * Y) mod p
The inverse function for a MODP group is defined such that the product of an element and its inverse modulo the group prime equals one (1). In other words,
MODP群的逆函数定义为:元素与其逆模与群素数的乘积等于一(1)。换句话说,,
(R * inverse(R)) mod p = 1
(R * inverse(R)) mod p = 1
There are two parties to the Dragonfly exchange named, for convenience and by convention, Alice and Bob. The two parties have a shared password that was established in an out-of-band mechanism, and they both agree to use a particular domain parameter set (either ECC or FFC). In the Dragonfly exchange, both Alice and Bob share an identical view of the shared password -- i.e., it is not "augmented", where one side holds a password and the other side holds a non-invertible verifier. This allows Dragonfly to be used in traditional client-server protocols and also in peer-to-peer applications in which there are not fixed roles and either party may initiate the exchange (and both parties may implement it simultaneously).
为了方便起见,按照惯例,蜻蜓交易所有两个交易方:爱丽丝和鲍勃。双方拥有一个在带外机制中建立的共享密码,并且双方都同意使用特定的域参数集(ECC或FFC)。在Dragonfly exchange中,Alice和Bob共享共享密码的相同视图,即它不是“增强”的,其中一方持有密码,另一方持有不可逆的验证器。这使得Dragonfly可以在传统的客户机-服务器协议中使用,也可以在没有固定角色的对等应用程序中使用,任何一方都可以启动交换(并且双方可以同时实现)。
Prior to beginning the Dragonfly exchange, the two peers MUST derive a secret element in the chosen domain parameter set. Two "hunting-and-pecking" techniques to determine a secret element, one for ECC
在开始蜻蜓交换之前,两个对等方必须在所选域参数集中派生一个秘密元素。两种“狩猎和啄食”技术用于确定秘密元素,一种用于ECC
and one for FFC, are described in Section 3.2, but any secure, deterministic method that is agreed upon can be used. For instance, the technique described in [hash2ec] can be used for ECC groups.
第3.2节中描述了一种用于FFC的方法,但可以使用商定的任何安全、确定性方法。例如,[hash2ec]中描述的技术可用于ECC组。
The Dragonfly exchange consists of two message exchanges, a "Commit Exchange" in which both sides commit to a single guess of the password, and a "Confirm Exchange" in which both sides confirm knowledge of the password. A side effect of running the Dragonfly exchange is an authenticated, shared, and secret key whose cryptographic strength is set by the agreed-upon group.
蜻蜓交换由两个消息交换组成,一个是“提交交换”,双方都对密码的一次猜测作出承诺,另一个是“确认交换”,双方都确认知道密码。运行Dragonfly exchange的一个副作用是一个经过身份验证、共享和保密的密钥,其加密强度由商定的组设置。
Dragonfly uses a random function, H(), a mapping function, F(), and a key derivation function, KDF().
Dragonfly使用一个随机函数H()、一个映射函数F()和一个键派生函数KDF()。
In order to avoid attacks on the Dragonfly protocol, some basic assumptions are made:
为了避免对蜻蜓协议的攻击,我们做了一些基本假设:
1. Function H is a "random oracle" (see [RANDOR]) that maps a binary string of indeterminate length onto a fixed binary string that is x bits in length.
1. 函数H是一个“随机预言”(参见[RANDOR]),它将长度不确定的二进制字符串映射到长度为x位的固定二进制字符串上。
H: {0,1}^* --> {0,1}^x
H: {0,1}^* --> {0,1}^x
2. Function F is a mapping function that takes an element in a group and returns an integer. For ECC groups, function F() returns the x-coordinate of the element (which is a point on the elliptic curve); for FFC groups, function F() is the identity function (since all elements in an FFC group are already integers less than the prime).
2. 函数F是一个映射函数,它接受组中的一个元素并返回一个整数。对于ECC组,函数F()返回元素的x坐标(椭圆曲线上的一个点);对于FFC组,函数F()是标识函数(因为FFC组中的所有元素都已经是小于素数的整数)。
ECC: x = F(P), where P=(x,y)
ECC: x = F(P), where P=(x,y)
FFC: x = F(x)
FFC: x = F(x)
3. Function KDF is a key derivation function (see, for instance, [SP800-108]) that takes a key to stretch, k, a label to bind to the key, label, and an indication of the desired output, n:
3. 函数KDF是一个密钥派生函数(例如,请参见[SP800-108]),它使用一个密钥来拉伸k、一个标签来绑定密钥、标签以及所需输出的指示n:
stretch = KDF-n(k, label)
拉伸=KDF-n(k,标签)
so that len(stretch) equals n.
所以len(拉伸)等于n。
4. The discrete logarithm problem for the chosen group is hard. That is, given G, P, and Y = G^x mod p, it is computationally infeasible to determine x. Similarly, for an ECC group given the curve definition, a generator G, and Y = x * G, it is computationally infeasible to determine x.
4. 所选组的离散对数问题很难解决。也就是说,给定G,P和Y=G^x mod P,计算上不可能确定x。类似地,对于给定曲线定义的ECC组、生成器G和Y=x*G,确定x在计算上是不可行的。
5. There exists a pool of passwords from which the password shared by the two peers is drawn. This pool can consist of words from a dictionary, for example. Each password in this pool has an equal probability of being the shared password. All potential attackers have access to this pool of passwords.
5. 存在一个密码池,从中提取两个对等方共享的密码。例如,此池可以由字典中的单词组成。此池中的每个密码成为共享密码的概率相等。所有潜在攻击者都可以访问此密码池。
6. The peers have the ability to produce quality random numbers.
6. 对等点具有生成高质量随机数的能力。
Prior to beginning the exchange of information, the peers MUST derive a secret element, called the Password Element (PE), in the group defined by the chosen domain parameter set. From the point of view of an attacker who does not know the password, the PE will be a random element in the negotiated group. Two examples are described here for completeness, but any method of deterministically mapping a secret string into an element in a selected group can be used -- for instance, the technique in [hash2ec] for ECC groups. If a different technique than the ones described here is used, the secret string SHOULD include the identities of the peers.
在开始信息交换之前,对等方必须在所选域参数集定义的组中派生一个秘密元素,称为密码元素(PE)。从不知道密码的攻击者的角度来看,PE将是协商组中的随机元素。为了完整起见,这里描述了两个示例,但是可以使用任何确定地将秘密字符串映射到所选组中的元素的方法——例如,[hash2ec]中针对ECC组的技术。如果使用了与本文所述不同的技术,则秘密字符串应包括对等方的身份。
To fix the PE, both peers MUST have a common view of the password. If there is any password processing necessary (for example, to support internationalization), the processed password is then used as the shared credential. If either side wants to store a hashed version of the password (hashing the password with random data called a "salt"), it will be necessary to convey the salt to the other side prior to commencing the exchange, and the hashed password is then used as the shared credential.
要修复PE,两个对等方必须具有密码的共同视图。如果需要进行任何密码处理(例如,支持国际化),则处理后的密码将用作共享凭据。如果任何一方希望存储散列版本的密码(使用称为“salt”的随机数据散列密码),则必须在开始交换之前将salt传递给另一方,然后将散列密码用作共享凭证。
Note: Only one party would be able to maintain a salted password, and this would require that the Dragonfly key exchange be used in a protocol that has strict roles for client (that always initiates) and server (that always responds). Due to the symmetric nature of Dragonfly, salting passwords does not prevent an impersonation attack after compromise of a database of salted passwords.
注意:只有一方能够维护salt密码,这将要求蜻蜓密钥交换在对客户端(总是发起)和服务器(总是响应)具有严格角色的协议中使用。由于Dragonfly的对称性,加密密码不能防止加密密码数据库受损后的模拟攻击。
The deterministic process to select the PE begins with choosing a secret seed and then performing a group-specific hunting-and-pecking technique -- one for FFC groups and another for ECC groups.
选择PE的确定性过程从选择一个秘密种子开始,然后执行特定于组的狩猎和啄食技术——一个用于FFC组,另一个用于ECC组。
To thwart side-channel attacks that attempt to determine the number of iterations of the hunting-and-pecking loop used to find the PE for a given password, a security parameter, k, is used that ensures that at least k iterations are always performed. The probability that one requires more than n iterations of the hunting-and-pecking loop to find an ECC PE is roughly (q/2p)^n and to find an FFC PE is roughly (q/p)^n, both of which rapidly approach zero (0) as n increases. The security parameter, k, SHOULD be set sufficiently large such that the probability that finding the PE would take more than k iterations is sufficiently small (see Section 4).
为了阻止试图确定用于查找给定密码的PE的狩猎和啄食循环的迭代次数的侧通道攻击,使用了一个安全参数k,以确保始终执行至少k次迭代。搜索和啄食循环需要n次以上迭代才能找到ECC PE的概率约为(q/2p)^n,而找到FFC PE的概率约为(q/p)^n,两者都随着n的增加而迅速接近零(0)。安全参数k应设置得足够大,以使查找PE所需迭代次数超过k次的概率足够小(参见第4节)。
First, an 8-bit counter is set to one (1), and a secret base is computed using the negotiated one-way function with the identities of the two participants, Alice and Bob, the secret password, and the counter:
首先,将8位计数器设置为一(1),并使用协商单向函数计算秘密基数,其中包含两个参与者Alice和Bob的身份、秘密密码和计数器:
base = H(max(Alice,Bob) | min(Alice,Bob) | password | counter)
base = H(max(Alice,Bob) | min(Alice,Bob) | password | counter)
The identities are passed to the max() and min() functions to provide the necessary ordering of the inputs to H() while still allowing for a peer-to-peer exchange where both Alice and Bob each view themselves as the "initiator" of the exchange.
标识被传递给max()和min()函数,以提供H()输入的必要顺序,同时仍然允许对等交换,其中Alice和Bob各自将自己视为交换的“发起人”。
The base is then stretched using the technique from Section B.5.1 of [FIPS186-4]. The key derivation function, KDF, is used to produce a bitstream whose length is equal to the length of the prime from the group's domain parameter set plus the constant sixty-four (64) to derive a temporary value, and the temporary value is modularly reduced to produce a seed:
然后使用[FIPS186-4]第B.5.1节中的技术拉伸底座。密钥派生函数KDF用于生成一个比特流,该比特流的长度等于组的域参数集的素数长度加上常数六十四(64)以派生一个临时值,并且该临时值被模块化缩减以生成一个种子:
n = len(p) + 64
n = len(p) + 64
temp = KDF-n(base, "Dragonfly Hunting and Pecking")
temp=KDF-n(基础,“捕猎和啄食蜻蜓”)
seed = (temp mod (p - 1)) + 1
seed = (temp mod (p - 1)) + 1
The string bound to the derived temporary value is for illustrative purposes only. Implementations of the Dragonfly key exchange SHOULD use a usage-specific label with the KDF.
绑定到派生临时值的字符串仅用于说明目的。Dragonfly密钥交换的实现应该使用KDF的特定用法标签。
Note: The base is stretched to 64 more bits than are needed so that the bias from the modular reduction is not so apparent.
注:基极被拉伸到比所需位多64位,因此模块缩减的偏差不太明显。
The seed is then passed to the group-specific hunting-and-pecking technique.
然后将种子传给特定群体的狩猎和啄食技术。
If the protocol performing the Dragonfly exchange has the ability to exchange random nonces, those SHOULD be added to the computation of the base to ensure that each run of the protocol produces a different PE.
如果执行Dragonfly交换的协议能够交换随机nonce,则应将这些nonce添加到基础计算中,以确保协议的每次运行都产生不同的PE。
The ECC-specific hunting-and-pecking technique entails looping until a valid point on the elliptic curve has been found. The seed is used as an x-coordinate with the equation of the curve to check whether x^3 + a*x + b is a quadratic residue modulo p. If it is not, then the counter is incremented, a new base and new seed are generated, and the hunting and pecking continues. If it is a quadratic residue modulo p, then the x-coordinate is assigned the value of seed and the current base is stored. When the hunting-and-pecking loop terminates, the x-coordinate is used with the equation of the curve to solve for a y-coordinate. An ambiguity exists since two values for the y-coordinate would be valid, and the low-order bit of the stored base is used to unambiguously determine the correct y-coordinate. The resulting (x,y) pair becomes the Password Element, PE.
ECC特定的狩猎和啄食技术需要循环,直到找到椭圆曲线上的有效点。种子用作曲线方程的x坐标,以检查x^3+a*x+b是否是模p的二次剩余。如果不是,则计数器递增,生成新的基和新的种子,狩猎和啄食继续。如果它是模p的二次剩余,则x坐标被分配种子值,并存储当前基。当狩猎和啄食循环终止时,x坐标与曲线方程一起用于求解y坐标。由于y坐标的两个值是有效的,并且存储基的低阶位用于明确确定正确的y坐标,因此存在歧义。结果(x,y)对成为密码元素PE。
Algorithmically, the process looks like this:
从算法上看,该过程如下所示:
found = 0 counter = 1 n = len(p) + 64 do { base = H(max(Alice,Bob) | min(Alice,Bob) | password | counter) temp = KDF-n(base, "Dragonfly Hunting And Pecking") seed = (temp mod (p - 1)) + 1 if ( (seed^3 + a*seed + b) is a quadratic residue mod p) then if ( found == 0 ) then x = seed save = base found = 1 fi fi counter = counter + 1 } while ((found == 0) || (counter <= k)) y = sqrt(x^3 + ax + b) if ( lsb(y) == lsb(save) ) then PE = (x,y) else PE = (x,p-y) fi
found = 0 counter = 1 n = len(p) + 64 do { base = H(max(Alice,Bob) | min(Alice,Bob) | password | counter) temp = KDF-n(base, "Dragonfly Hunting And Pecking") seed = (temp mod (p - 1)) + 1 if ( (seed^3 + a*seed + b) is a quadratic residue mod p) then if ( found == 0 ) then x = seed save = base found = 1 fi fi counter = counter + 1 } while ((found == 0) || (counter <= k)) y = sqrt(x^3 + ax + b) if ( lsb(y) == lsb(save) ) then PE = (x,y) else PE = (x,p-y) fi
Figure 1: Fixing PE for ECC Groups
图1:固定ECC组的PE
Checking whether a value is a quadratic residue modulo a prime can leak information about that value in a side-channel attack. Therefore, it is RECOMMENDED that the technique used to determine if the value is a quadratic residue modulo p blind the value with a random number so that the blinded value can take on all numbers between 1 and p-1 with equal probability while not changing its quadratic residuosity. Determining the quadratic residue in a fashion that resists leakage of information is handled by flipping a coin and multiplying the blinded value by either a random quadratic residue or a random quadratic nonresidue and checking whether the multiplied value is a quadratic residue (qr) or a quadratic nonresidue (qnr) modulo p, respectively. The random residue and nonresidue can be calculated prior to hunting and pecking by calculating the Legendre symbol on random values until they are found:
检查一个值是否是素数模的二次剩余可以在侧通道攻击中泄漏关于该值的信息。因此,建议使用确定值是否为二次剩余模p的技术,使用随机数对值进行盲处理,以便盲处理值可以以相同的概率处理1和p-1之间的所有数字,同时不改变其二次剩余度。以防止信息泄漏的方式确定二次剩余是通过翻转硬币并将盲值乘以随机二次剩余或随机二次非剩余,并分别检查乘以的值是模p的二次剩余(qr)还是二次非剩余(qnr)来处理的。在狩猎和啄食之前,可以通过计算随机值上的勒让德符号来计算随机剩余物和非剩余物,直到找到它们:
do { qr = random() mod p } while ( lgr(qr, p) != 1)
do { qr = random() mod p } while ( lgr(qr, p) != 1)
do { qnr = random() mod p } while ( lgr(qnr, p) != -1)
do { qnr = random() mod p } while ( lgr(qnr, p) != -1)
Algorithmically, the masking technique to find out whether or not a value is a quadratic residue looks like this:
从算法上讲,确定值是否为二次剩余的掩蔽技术如下所示:
is_quadratic_residue (val, p) { r = (random() mod (p - 1)) + 1 num = (val * r * r) mod p if ( lsb(r) == 1 ) num = (num * qr) mod p if ( lgr(num, p) == 1) then return TRUE fi else num = (num * qnr) mod p if ( lgr(num, p) == -1) then return TRUE fi fi return FALSE }
is_quadratic_residue (val, p) { r = (random() mod (p - 1)) + 1 num = (val * r * r) mod p if ( lsb(r) == 1 ) num = (num * qr) mod p if ( lgr(num, p) == 1) then return TRUE fi else num = (num * qnr) mod p if ( lgr(num, p) == -1) then return TRUE fi fi return FALSE }
The MODP-specific hunting-and-pecking technique entails finding a random element which, when used as a generator, will create a group with the same order as the group created by the generator from the domain parameter set. The secret generator is found by exponentiating the seed to the value ((p-1)/q), where p is the prime and q is the order from the domain parameter set. If that value is greater than one (1), it becomes the PE; otherwise, the counter is incremented, a new base and seed are generated, and the hunting and pecking continues.
MODP特定的狩猎和啄食技术需要找到一个随机元素,当用作生成器时,将创建一个与生成器从域参数集中创建的组顺序相同的组。秘密生成器是通过将种子指数化为值((p-1)/q来找到的,其中p是素数,q是域参数集的顺序。如果该值大于一(1),则成为PE;否则,计数器将递增,生成新的碱基和种子,狩猎和啄食将继续。
Algorithmically, the process looks like this:
从算法上看,该过程如下所示:
found = 0 counter = 1 n = len(p) + 64 do { base = H(max(Alice,Bob) | min(Alice,Bob) | password | counter) temp = KDF-n(seed, "Dragonfly Hunting And Pecking") seed = (temp mod (p - 1)) + 1 temp = seed ^ ((p-1)/q) mod p if (temp > 1) then if (not found) PE = temp found = 1 fi fi counter = counter + 1 } while ((found == 0) || (counter <= k))
found = 0 counter = 1 n = len(p) + 64 do { base = H(max(Alice,Bob) | min(Alice,Bob) | password | counter) temp = KDF-n(seed, "Dragonfly Hunting And Pecking") seed = (temp mod (p - 1)) + 1 temp = seed ^ ((p-1)/q) mod p if (temp > 1) then if (not found) PE = temp found = 1 fi fi counter = counter + 1 } while ((found == 0) || (counter <= k))
Figure 2: Fixing PE for MODP Groups
图2:MODP组的固定PE
In the Commit Exchange, both sides commit to a single guess of the password. The peers generate a scalar and an element, exchange them with each other, and process the other's scalar and element to generate a common and shared secret.
在提交交换中,双方都对密码进行一次猜测。对等方生成一个标量和一个元素,相互交换,并处理另一方的标量和元素以生成公共和共享的秘密。
First, each peer generates two random numbers, private and mask that are each greater than one (1) and less than the order from the selected domain parameter set:
首先,每个对等点生成两个随机数,private和mask,每个随机数大于一(1),小于所选域参数集的顺序:
1 < private < q 1 < mask < q
1 < private < q 1 < mask < q
These two secrets and the Password Element are then used to construct the scalar and element:
然后使用这两个secrets和Password元素构造标量和元素:
scalar = (private + mask) modulo q Element = inverse(scalar-op(mask, PE))
scalar = (private + mask) modulo q Element = inverse(scalar-op(mask, PE))
If the scalar is less than two (2), the private and mask MUST be thrown away and new values generated. Once a valid scalar and Element are generated, the mask is no longer needed and MUST be irretrievably destroyed.
如果标量小于2,则必须丢弃private和mask并生成新值。一旦生成了有效的标量和元素,就不再需要掩码,并且必须将其彻底销毁。
The peers exchange their scalar and Element and check the peer's scalar and Element, deemed peer-scalar and Peer-Element. If the peer has sent an identical scalar and Element -- i.e., if scalar equals peer-scalar and Element equals Peer-Element -- it is sign of a reflection attack, and the exchange MUST be aborted. If the values differ, peer-scalar and Peer-Element must be validated. For the peer-scalar to be valid, it MUST be between 1 and q exclusive. Validation of the Peer-Element depends on the type of cryptosystem -- validation of an (x,y) pair as an ECC element is specified in Section 2.1, and validation of a number as an FFC element is specified in Section 2.2. If either the peer-scalar or Peer-Element fail validation, then the exchange MUST be terminated and authentication fails. If both the peer-scalar and Peer-Element are valid, they are used with the Password Element to derive a shared secret, ss:
对等方交换其标量和元素,并检查对等方的标量和元素,视为对等标量和对等元素。如果对等方发送了相同的标量和元素(即,如果标量等于对等标量,元素等于对等元素),则表示发生了反射攻击,必须中止交换。如果值不同,则必须验证对等标量和对等元素。要使对等标量有效,它必须介于1和q之间。对等元素的验证取决于密码系统的类型——第2.1节规定了(x,y)对作为ECC元素的验证,第2.2节规定了数字作为FFC元素的验证。如果对等标量或对等元素未通过验证,则必须终止交换且身份验证失败。如果对等标量和对等元素都有效,则它们将与Password元素一起用于派生共享密钥ss:
ss = F(scalar-op(private, element-op(peer-Element, scalar-op(peer-scalar, PE))))
ss = F(scalar-op(private, element-op(peer-Element, scalar-op(peer-scalar, PE))))
To enforce key separation and cryptographic hygiene, the shared secret is stretched into two subkeys -- a key confirmation key, kck, and a master key, mk. Each of the subkeys SHOULD be at least the length of the prime used in the selected group.
为了加强密钥分离和密码卫生,共享密钥被拉伸为两个子密钥——密钥确认密钥kck和主密钥mk。每个子密钥的长度至少应为所选组中使用的素数的长度。
kck | mk = KDF-n(ss, "Dragonfly Key Derivation")
kck | mk=KDF-n(ss,“蜻蜓键派生”)
where n = len(p)*2.
其中n=len(p)*2。
In the Confirm Exchange, both sides confirm that they derived the same secret, and therefore, are in possession of the same password.
在确认交换中,双方确认他们获得了相同的秘密,因此拥有相同的密码。
The Commit Exchange consists of an exchange of data that is the output of the random function, H(), the key confirmation key, and the two scalars and two elements exchanged in the Commit Exchange. The order of the scalars and elements are: scalars before elements, and sender's value before recipient's value. So from each peer's perspective, it would generate:
提交交换由数据交换组成,数据交换是随机函数H()的输出、密钥确认密钥以及提交交换中交换的两个标量和两个元素。标量和元素的顺序是:标量在元素之前,发送者的值在接收者的值之前。因此,从每个对等方的角度来看,它将产生:
confirm = H(kck | scalar | peer-scalar | Element | Peer-Element | <sender-id>)
confirm = H(kck | scalar | peer-scalar | Element | Peer-Element | <sender-id>)
Where <sender-id> is the identity of the sender of the confirm message. This identity SHALL be that contributed by the sender of the confirm message in generation of the base in Section 3.2.
其中<sender id>是确认消息的发件人的身份。该身份应为第3.2节中确认消息发送方在生成基础时提供的身份。
The two peers exchange these confirmations and verify the correctness of the other peer's confirmation that they receive. If the other peer's confirmation is valid, authentication succeeds; if the other peer's confirmation is not valid, authentication fails.
两个对等方交换这些确认,并验证另一个对等方收到的确认的正确性。如果对方确认有效,则认证成功;如果另一个对等方的确认无效,则身份验证失败。
If authentication fails, all ephemeral state created as part of the particular run of the Dragonfly exchange MUST be irretrievably destroyed. If authentication does not fail, mk can be exported as an authenticated and secret key that can be used by another protocol, for instance IPsec, to protect other data.
若身份验证失败,作为蜻蜓交换的特定运行的一部分创建的所有短暂状态都必须被无可挽回地破坏。如果身份验证未失败,则可以将mk导出为经过身份验证的密钥,该密钥可由另一个协议(例如IPsec)用于保护其他数据。
The Dragonfly exchange requires both participants to have an identical representation of the password. Salting of the password merely generates a new credential -- the salted password -- that must be identically represented on both sides. If an adversary is able to gain access to the database of salted passwords, she would be able to impersonate one side to the other, even if she was unable to determine the underlying, unsalted password.
蜻蜓交换要求两个参与者拥有相同的密码表示形式。对密码进行盐析只会生成一个新的凭证——盐析密码,它必须在两侧都有相同的表示。如果对手能够访问加密密码数据库,那么即使她无法确定潜在的未加密密码,她也可以从一方模拟另一方。
Resistance to dictionary attack means that an adversary must launch an active attack to make a single guess at the password. If the size of the dictionary from which the password was extracted was d, and each password in the dictionary has an equal probability of being chosen, then the probability of success after a single guess is 1/d. After x guesses, and removal of failed guesses from the pool of possible passwords, the probability becomes 1/(d-x). As x grows, so does the probability of success. Therefore, it is possible for an adversary to determine the password through repeated brute-force, active, guessing attacks. Users of the Dragonfly key exchange SHOULD ensure that the size of the pool from which the password was drawn, d, is sufficiently large to make this attack preventable. Implementations of Dragonfly SHOULD support countermeasures to deal with this attack -- for instance, by refusing authentication attempts for a certain amount of time, after the number of failed authentication attempts reaches a certain threshold. No such threshold or amount of time is recommended in this memo.
抵抗字典攻击意味着对手必须发起主动攻击才能猜测密码。如果从中提取密码的字典的大小为d,并且字典中的每个密码被选择的概率相等,则在一次猜测后成功的概率为1/d。经过x次猜测,并从可能的密码池中删除失败的猜测后,概率变为1/(d-x)。随着x的增长,成功的概率也随之增加。因此,对手有可能通过反复的暴力、主动、猜测攻击来确定密码。Dragonfly密钥交换的用户应确保从中提取密码的池的大小(d)足够大,以防止此攻击。Dragonfly的实现应该支持应对这种攻击的对策——例如,在失败的身份验证尝试次数达到一定阈值后,在一定时间内拒绝身份验证尝试。本备忘录中不建议使用此类阈值或时间量。
Due to the problems with using groups that contain a small subgroup, it is RECOMMENDED that implementations of Dragonfly not allow for the specification of a group's complete domain parameter to be sent in-line, but instead use a common repository and pass an identifier to a domain parameter set whose strength has been rigorously proven and that does not have small subgroups. If a group's complete domain parameter set is passed in-line, it SHOULD NOT be used with Dragonfly unless it directly matches a known good group.
由于使用包含小型子组的组时存在问题,建议Dragonfly的实现不允许在线发送组的完整域参数规范,而是使用一个公共存储库,并将标识符传递给一个域参数集,该域参数集的强度已经过严格验证,并且没有小的子组。如果一个组的完整域参数集是在线传递的,则不应将其用于Dragonfly,除非它直接匹配已知的良好组。
It is RECOMMENDED that an implementation set the security parameter, k, to a value of at least forty (40) which will put the probability that more than forty iterations are needed in the order of one in one trillion (1:1,000,000,000,000).
建议实现将安全参数k设置为至少四十(40)的值,这将使需要四十次以上迭代的概率达到万亿分之一(1:10000000000)。
The technique used to obtain the Password Element in Section 3.2.1 addresses side-channel attacks in a manner deemed controversial by some reviewers in the CFRG. An alternate method, such as the one defined in [hash2ec], can be used to alleviate concerns.
第3.2.1节中用于获取密码元素的技术以CFRG中一些评审员认为有争议的方式解决了侧通道攻击。可以使用另一种方法(如[hash2ec]中定义的方法)来缓解担忧。
This key exchange protocol has received cryptanalysis in [clarkehao]. [lanskro] provides a security proof of Dragonfly in the random oracle model when both identities are included in the data sent in the Confirm Exchange (see Section 3.4).
此密钥交换协议已在[clarkehao]中收到密码分析。[lanskro]提供了随机oracle模型中蜻蜓的安全证明,当两个身份都包含在确认交换中发送的数据中时(参见第3.4节)。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,DOI 10.17487/RFC2119,1997年3月<http://www.rfc-editor.org/info/rfc2119>.
[clarkehao] Clarke, D. and F. Hao, "Cryptanalysis of the Dragonfly Key Exchange Protocol", IET Information Security, Volume 8, Issue 6, DOI 10.1049/iet-ifs.2013.0081, November 2014.
[clarkehao]Clarke,D.和F.Hao,“蜻蜓密钥交换协议的密码分析”,IET信息安全,第8卷,第6期,DOI 10.1049/IET-ifs.2013.008112014年11月。
[FIPS186-4] NIST, "Digital Signature Standard (DSS)", Federal Information Processing Standard (FIPS) 186-4, DOI 10.6028/NIST.FIPS.186-4, July 2013.
[FIPS186-4]NIST,“数字签名标准(DSS)”,联邦信息处理标准(FIPS)186-4,DOI 10.6028/NIST.FIPS.186-42013年7月。
[hash2ec] Brier, E., Coron, J-S., Icart, T., Madore, D., Randriam, H., and M. Tibouchi, "Efficient Indifferentiable Hashing into Ordinary Elliptic Curves", Cryptology ePrint Archive Report 2009/340, 2009.
[hash2ec]Brier,E.,Coron,J-S.,Icart,T.,Madore,D.,Randriam,H.,和M.Tibouchi,“普通椭圆曲线的有效无差别散列”,密码学ePrint存档报告2009/3402009。
[lanskro] Lancrenon, J. and M. Skrobot, "On the Provable Security of the Dragonfly Protocol", Proceedings of 18th International Information Security Conference (ISC 2015), pp 244-261, DOI 10.1007/978-3-319-23318-5_14, September 2015.
[lanskro]Lancrenon,J.和M.Skrobot,“关于蜻蜓协议的可证明安全”,第18届国际信息安全会议记录(ISC 2015),pp 244-261,DOI 10.1007/978-3-319-23318-5Ö,2015年9月。
[RANDOR] Bellare, M. and P. Rogaway, "Random Oracles are Practical: A Paradigm for Designing Efficient Protocols", Proceedings of the 1st ACM Conference on Computer and Communication Security, ACM Press, DOI 10.1145/168588.168596, 1993.
[RANDOR]Bellare,M.和P.Rogaway,“随机预言是实用的:设计有效协议的范例”,《第一届ACM计算机和通信安全会议论文集》,ACM出版社,DOI 10.1145/168588.1685961993年。
[RFC5433] Clancy, T. and H. Tschofenig, "Extensible Authentication Protocol - Generalized Pre-Shared Key (EAP-GPSK) Method", RFC 5433, DOI 10.17487/RFC5433, February 2009, <http://www.rfc-editor.org/info/rfc5433>.
[RFC5433]Clancy,T.和H.Tschofenig,“可扩展认证协议-通用预共享密钥(EAP-GPSK)方法”,RFC 5433,DOI 10.17487/RFC5433,2009年2月<http://www.rfc-editor.org/info/rfc5433>.
[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic Curve Cryptography Algorithms", RFC 6090, DOI 10.17487/RFC6090, February 2011, <http://www.rfc-editor.org/info/rfc6090>.
[RFC6090]McGrew,D.,Igoe,K.,和M.Salter,“基本椭圆曲线密码算法”,RFC 6090,DOI 10.17487/RFC6090,2011年2月<http://www.rfc-editor.org/info/rfc6090>.
[RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 2014, <http://www.rfc-editor.org/info/rfc7296>.
[RFC7296]Kaufman,C.,Hoffman,P.,Nir,Y.,Eronen,P.,和T.Kivinen,“互联网密钥交换协议版本2(IKEv2)”,STD 79,RFC 7296,DOI 10.17487/RFC72962014年10月<http://www.rfc-editor.org/info/rfc7296>.
[SP800-108] Chen, L., "Recommendation for Key Derivation Using Pseudorandom Functions", NIST Special Publication 800-108, October 2009.
[SP800-108]Chen,L.“使用伪随机函数进行密钥推导的建议”,NIST特别出版物800-108,2009年10月。
[SP800-56A] Barker, E., Johnson, D., and M. Smid, "Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised)", NIST Special Publication 800-56A, March 2007.
[SP800-56A]Barker,E.,Johnson,D.,和M.Smid,“使用离散对数加密的成对密钥建立方案的建议(修订版)”,NIST特别出版物800-56A,2007年3月。
Acknowledgements
致谢
The author would like to thank Kevin Igoe and David McGrew, chairmen of the Crypto Forum Research Group (CFRG) for agreeing to accept this memo as a CFRG work item. Additional thanks go to Scott Fluhrer and Hideyuki Suzuki for discovering attacks against earlier versions of this key exchange and suggesting fixes to address them. Lily Chen provided helpful discussions on hashing into an elliptic curve. Rich Davis suggested the validation steps used on received elements to prevent a small subgroup attack. Dylan Clarke and Feng Hao discovered a dictionary attack against Dragonfly if those checks are not made and a group with a small subgroup is used. And finally, a very heartfelt thanks to Jean Lancrenon and Marjan Skrobot for developing a proof of the security of Dragonfly.
作者要感谢加密论坛研究小组(CFRG)主席凯文·伊戈(Kevin Igoe)和大卫·麦克格雷夫(David McGrew)同意接受本备忘录作为CFRG工作项目。还要感谢Scott Fluhrer和Hideyuki Suzuki发现了针对此密钥交换早期版本的攻击,并提出了解决方案。Lily Chen提供了关于散列到椭圆曲线的有益讨论。Rich Davis建议对接收到的元素使用验证步骤,以防止小的子组攻击。Dylan Clarke和Feng Hao发现了一个针对蜻蜓的字典攻击,如果不进行这些检查,并且使用一个小的分组。最后,衷心感谢Jean Lancrenon和Marjan Skrobot开发了蜻蜓安全性证明。
The blinding scheme to prevent side-channel attacks when determining whether a value is a quadratic residue modulo a prime was suggested by Scott Fluhrer. Kevin Igoe suggested addition of the security parameter k to hide the amount of time taken hunting and pecking for the password element.
Scott Fluhrer提出了在确定值是否是模素数的二次剩余时防止边通道攻击的盲方案。Kevin Igoe建议添加安全参数k,以隐藏搜索和啄食密码元素所花费的时间。
Author's Address
作者地址
Dan Harkins (editor) Aruba Networks 1322 Crossman Avenue Sunnyvale, CA 94089-1113 United States
Dan Harkins(编辑)美国加利福尼亚州桑尼维尔市克罗斯曼大道1322号阿鲁巴网络公司94089-1113
Email: dharkins@arubanetworks.com
Email: dharkins@arubanetworks.com