|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: iSCSI: PAK: an alternative to SRP and DH-CHAP
PAK has a separate patent!
--- Ofer Biran <BIRAN@il.ibm.com> wrote:
>
> Philip,
>
> I'm confused... if you really followed the archive
> you
> must have noticed that the issue with SRP was
> patents
> that might be related (Lucent EKE, Phoenix SPEKE).
> But you
> didn't mention any patent/license aspect for PAK...
> is it
> because you can guarantee PAK is IP free ?
>
> Thanks,
> Ofer
>
>
> Ofer Biran
> Storage and Systems Technology
> IBM Research Lab in Haifa
> biran@il.ibm.com 972-4-8296253
>
>
> Philip MacKenzie
> <philmac@research.bell-labs.com>@ece.cmu.edu on
> 29/04/2002
> 15:20:34
>
> Please respond to Philip MacKenzie
> <philmac@research.bell-labs.com>
>
> Sent by: owner-ips@ece.cmu.edu
>
>
> To: ips@ece.cmu.edu
> cc:
> Subject: iSCSI: PAK: an alternative to SRP and
> DH-CHAP
>
>
>
> Two weeks ago I heard there was an issue regarding
> password-authenticated key exchange in the iSCSI
> proposal,
> and after studying the mailing list archive to
> understand the issue and its history, I thought that
> it may be worthwhile to propose an alternative
> that may be more acceptable to the members of this
> group.
>
> I am writing an Internet Draft proposing the PAK
> protocol
> for inclusion in iSCSI. I expect that it will be
> published
> within a couple days, but I thought it would be best
> to present
> the protocol and start the discussion as soon as
> possible.
> I know that this proposal is coming later in the
> process
> that desired, but since DH-CHAP was so recently
> introduced,
> I would hope that this proposal is also not too
> late.
>
> PAK is a password-authenticated key exchange
> protocol that
> is designed to solve the same problem as SRP,
> namely, it
> is a key exchange protocol that uses a password for
> authentication, but is immune to offline dictionary
> attacks,
> even against an active attacker who may insert,
> modify, or
> delete messages on the network. The basic idea is
> very
> simple: it's a Diffie-Hellman key exchange with one
> of the
> Diffie-Hellman messages multiplied by a hash of the
> password.
>
> Graphically, it is just:
>
> Alice Bob
>
> H(pw) * g^x
> -------------------->
> g^y, Conf-hash
> <--------------------
> Conf-hash'
> --------------------->
>
> where the secret value is g^{xy}. Notice that Bob
> must divide out H(pw) from the message he gets from
> Alice.
> The confirmation hashes are necessary, unless Bob
> also
> multiplies his value g^y by a hash of the password.
>
>
> A complete version of the protocol may be found at:
>
>
http://www.integritysciences.com/p1363/submissions/pak-suite.pdf
>
> The Internet Draft will have a completely specified
> version
> of this protocol, with all parameters, etc.
>
> Reasons for preferring PAK over DH-CHAP:
> - security against active attacks (same as SRP vs.
> DH-CHAP)
>
> Reasons for preferring PAK over SRP:
> - PAK has a mathematical proof of security
> (assuming the hash functions are modeled as random
> functions).
> - PAK is more elegant (IMHO).
>
> Efficiency:
> - As you can see, PAK is about as efficient as
> DH-CHAP or SRP
>
> Acceptance:
> - PAK has been published in Eurocrypt (2000), one
> of the 2 top crypto conferences.
> - PAK is basically a refinement of EKE, the
> well-known
> encrypted key exchange protocol by Bellovin and
> Merritt.
> - PAK is being used in Plan9 from Lucent.
> - PAK is one of the protocols being standardized in
> IEEE P1363.2
> - We are also planning to implement PAK as part
> of the Lucent's iSCSI protocol implementation in
> FreeBSD.
>
> Once again, the draft should be available in a day
> or two,
> but I am happy to answer any questions and comments
> in the meanwhile!
>
> -Phil MacKenzie
> Bell Labs
>
>
>
>
>
>
>
>
______________________________________________________________________
Post your ad for FREE! http://personals.yahoo.ca
Home Last updated: Fri May 03 13:18:31 2002 9949 messages in chronological order |