iSCSI: PAK: an alternative to SRP and DH-CHAP

Two weeks ago I heard there was an issue regarding password-authenticated key exchange in the iSCSI proposal, and after studying the mailing list archive to understand the issue and its history, I thought that it may be worthwhile to propose an alternative that may be more acceptable to the members of this group.

I am writing an Internet Draft proposing the PAK protocol for inclusion in iSCSI. I expect that it will be published within a couple days, but I thought it would be best to present the protocol and start the discussion as soon as possible. I know that this proposal is coming later in the process than desired, but since DH-CHAP was so recently introduced, I would hope that this proposal is also not too late.

PAK is a password-authenticated key exchange protocol that is designed to solve the same problem as SRP, namely, it is a key exchange protocol that uses a password for authentication, but is immune to offline dictionary attacks, even against an active attacker who may insert, modify, or delete messages on the network.

The basic idea is very simple: it's a Diffie-Hellman key exchange with one of the Diffie-Hellman messages multiplied by a hash of the password. Graphically, it is just:

    Alice                              Bob

            H(pw) * g^x
        -------------------->

            g^y, Conf-hash
        <--------------------

            Conf-hash'
        --------------------->

where the secret value is g^{xy}. Notice that Bob must divide out H(pw) from the message he gets from Alice. The confirmation hashes are necessary, unless Bob also multiplies his value g^y by a hash of the password.

A complete version of the protocol may be found at:

    http://www.integritysciences.com/p1363/submissions/pak-suite.pdf

The Internet Draft will have a completely specified version of this protocol, with all parameters, etc.

Reasons for preferring PAK over DH-CHAP:
- security against active attacks (same as SRP vs. DH-CHAP)

Reasons for preferring PAK over SRP:
- PAK has a mathematical proof of security (assuming the hash functions are modeled as random functions).
- PAK is more elegant (IMHO).

Efficiency:
- As you can see, PAK is about as efficient as DH-CHAP or SRP.

Acceptance:
- PAK has been published in Eurocrypt (2000), one of the 2 top crypto conferences.
- PAK is basically a refinement of EKE, the well-known encrypted key exchange protocol by Bellovin and Merritt.
- PAK is being used in Plan9 from Lucent.
- PAK is one of the protocols being standardized in IEEE P1363.2.
- We are also planning to implement PAK as part of Lucent's iSCSI protocol implementation in FreeBSD.

Once again, the draft should be available in a day or two, but I am happy to answer any questions and comments in the meanwhile!

-Phil MacKenzie
Bell Labs
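
The three-message exchange sketched in the message above, as an added Python example that is not part of the original post and is not the PAK specification. The toy group (P, Q, G), the hash-to-group step and the layout of the confirmation hashes are assumptions made for illustration; the group is far too small for real use.

```python
import hashlib
import hmac
import secrets

# Toy group (assumption, not from the post): safe prime P = 2Q + 1,
# G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def hash_to_group(pw: str) -> int:
    """H(pw): hash the password, then square so the result lies in the order-Q subgroup."""
    h = int.from_bytes(hashlib.sha256(pw.encode()).digest(), "big") % (P - 1) + 1
    return pow(h, 2, P)

def in_group(v: int) -> bool:
    """True when v is an element of the order-Q subgroup."""
    return 0 < v < P and pow(v, Q, P) == 1

def conf(label: bytes, m: int, mu: int, key: int) -> bytes:
    """Confirmation hash over both messages and the DH secret (layout assumed)."""
    return hashlib.sha256(label + b"|%d|%d|%d" % (m, mu, key)).digest()

def run_exchange(alice_pw: str, bob_pw: str):
    """Return the shared key g^{xy}, or None when a confirmation hash fails."""
    x = secrets.randbelow(Q - 1) + 1
    m = hash_to_group(alice_pw) * pow(G, x, P) % P       # Alice -> Bob: H(pw) * g^x
    if not in_group(m):                                   # Bob validates the value
        return None
    y = secrets.randbelow(Q - 1) + 1
    gx = m * pow(hash_to_group(bob_pw), -1, P) % P        # Bob divides out H(pw)
    mu, key_b = pow(G, y, P), pow(gx, y, P)
    conf_b = conf(b"bob", m, mu, key_b)                   # Bob -> Alice: g^y, Conf-hash
    key_a = pow(mu, x, P)
    if not in_group(mu) or not hmac.compare_digest(conf_b, conf(b"bob", m, mu, key_a)):
        return None                                       # Alice rejects: passwords differ
    conf_a = conf(b"alice", m, mu, key_a)                 # Alice -> Bob: Conf-hash'
    return key_b if hmac.compare_digest(conf_a, conf(b"alice", m, mu, key_b)) else None

def guesses_eliminated(m: int, wordlist) -> int:
    """Count candidate passwords that the first message alone rules out.
    Dividing m by H(guess) always yields a valid group element, so the
    count is 0: m by itself gives no test for an offline dictionary search."""
    return sum(not in_group(m * pow(hash_to_group(w), -1, P) % P) for w in wordlist)
```

With matching passwords both sides derive the same key; with different passwords Bob divides out the wrong H(pw), the keys diverge and the first confirmation hash fails.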
Last updated: Wed May 15 15:19:08 2002