
    iSCSI: PAK: an alternative to SRP and DH-CHAP


    • To: ips@ece.cmu.edu
    • Subject: iSCSI: PAK: an alternative to SRP and DH-CHAP
    • From: Philip MacKenzie <philmac@research.bell-labs.com>
    • Date: Mon, 29 Apr 2002 08:20:34 -0400
    • Content-Transfer-Encoding: 7bit
    • Content-Type: text/plain; charset=us-ascii; format=flowed
    • Organization: Bell Labs, Lucent Technologies
    • Sender: owner-ips@ece.cmu.edu
    • User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9.2) Gecko/20010726 Netscape6/6.1

    Two weeks ago I heard there was an issue regarding
    password-authenticated key exchange in the iSCSI proposal,
    and after studying the mailing list archive to
    understand the issue and its history, I thought that
    it may be worthwhile to propose an alternative
    that may be more acceptable to the members of this group.
    
    I am writing an Internet Draft proposing the PAK protocol
    for inclusion in iSCSI.  I expect that it will be published
    within a couple days, but I thought it would be best to present
    the protocol and start the discussion as soon as possible.
    I know that this proposal is coming later in the process
    than desired, but since DH-CHAP was so recently introduced,
    I would hope that this proposal is also not too late.
    
    PAK is a password-authenticated key exchange protocol that
    is designed to solve the same problem as SRP, namely, it
    is a key exchange protocol that uses a password for
    authentication, but is immune to offline dictionary attacks,
    even against an active attacker who may insert, modify, or
    delete messages on the network.  The basic idea is very
    simple: it's a Diffie-Hellman key exchange with one of the
    Diffie-Hellman messages multiplied by a hash of the password.
    
    Graphically, it is just:
    
         Alice                             Bob
    
                        H(pw) * g^x
                  -------------------->
                      g^y, Conf-hash
                  <--------------------
                         Conf-hash'
                  --------------------->
    
    where the secret value is g^{xy}.  Notice that Bob
    must divide out H(pw) from the message he gets from Alice.
    The confirmation hashes are necessary, unless Bob also
    multiplies his value g^y by a hash of the password.
    
    
    A complete version of the protocol may be found at:
    
    http://www.integritysciences.com/p1363/submissions/pak-suite.pdf
    
    The Internet Draft will have a completely specified version
    of this protocol, with all parameters, etc.
    
    Reasons for preferring PAK over DH-CHAP:
    - security against active attacks (same as SRP vs. DH-CHAP)
    
    Reasons for preferring PAK over SRP:
    - PAK has a mathematical proof of security
    (assuming the hash functions are modeled as random functions).
    - PAK is more elegant (IMHO).
    
    Efficiency:
    - As you can see, PAK is about as efficient as DH-CHAP or SRP
    
    Acceptance:
    - PAK has been published in Eurocrypt (2000), one
    of the 2 top crypto conferences.
    - PAK is basically a refinement of EKE, the well-known
    encrypted key exchange protocol by Bellovin and Merritt.
    - PAK is being used in Plan9 from Lucent.
    - PAK is one of the protocols being standardized in IEEE P1363.2
    - We are also planning to implement PAK as part
    of Lucent's iSCSI protocol implementation in FreeBSD.
    
    Once again, the draft should be available in a day or two,
    but I am happy to answer any questions and comments
    in the meanwhile!
    
    -Phil MacKenzie
    Bell Labs
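
The three-message flow diagrammed in the message above, as an added Python sketch that is not part of the original post or of the PAK specification. The toy group, the hash labels and inputs, and all function names are assumptions made for illustration; the complete protocol document fixes the real ones.

```python
import hashlib
import hmac
import secrets

# Toy group for this sketch only (assumption): the Mersenne prime 2**127 - 1, base 3.
# A deployment uses the group and hash inputs fixed by the protocol specification.
P, G = 2**127 - 1, 3

def h(label, *parts):
    """Labelled SHA-256 over transcript values, standing in for the random functions."""
    return hashlib.sha256("|".join([label, *map(str, parts)]).encode()).hexdigest()

def pw_mask(pw):
    """H(pw) as a nonzero residue mod P, so that Bob can divide it out."""
    return 1 + int(h("mask", pw), 16) % (P - 1)

def alice_start(pw):
    x = secrets.randbelow(P - 2) + 1
    return x, pw_mask(pw) * pow(G, x, P) % P          # message 1: H(pw) * g^x

def bob_respond(pw, m):
    if m % P == 0:
        raise ValueError("degenerate first message")
    y = secrets.randbelow(P - 2) + 1
    gx = m * pow(pw_mask(pw), -1, P) % P              # divide out H(pw)
    mu, sigma = pow(G, y, P), pow(gx, y, P)           # g^y and g^{xy}
    return mu, h("conf-bob", m, mu, sigma), sigma     # message 2: g^y, Conf-hash

def alice_finish(x, m, mu, conf):
    sigma = pow(mu, x, P)                             # g^{xy} on Alice's side
    if not hmac.compare_digest(conf, h("conf-bob", m, mu, sigma)):
        return None                                   # Bob's password did not match
    # message 3 (Conf-hash') and the session key derived from g^{xy}
    return h("conf-alice", m, mu, sigma), h("key", m, mu, sigma)

def bob_finish(m, mu, sigma, conf2):
    if not hmac.compare_digest(conf2, h("conf-alice", m, mu, sigma)):
        return None
    return h("key", m, mu, sigma)

def run_exchange(pw_alice, pw_bob):
    """Run all three messages; return (alice_key, bob_key), or None on failure."""
    x, m = alice_start(pw_alice)
    mu, conf, sigma = bob_respond(pw_bob, m)
    result = alice_finish(x, m, mu, conf)
    if result is None:
        return None
    conf2, key_a = result
    key_b = bob_finish(m, mu, sigma, conf2)
    return None if key_b is None else (key_a, key_b)
```

With mismatched passwords Bob divides out the wrong mask, so his value is not g^{xy} and his confirmation hash fails Alice's check before any key is accepted.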
    
    
    
    
    
    


Last updated: Wed May 15 15:19:08 2002
10128 messages in chronological order