PKEX Alternatives Date: 2016-10-03 Authors: Acknowledgements: Month Year doc.: IEEE 802.11-yy/xxxxr0 October 2016 PKEX Alternatives Date: 2016-10-03 Authors: Acknowledgements: Special thanks to Stanislav Smyshlyaev for his invaluable review and comments on the earlier version of SPAKE2+mbDH. Paul A. Lambert (Marvell) John Doe, Some Company

Month Year doc.: IEEE 802.11-yy/xxxxr0 October 2016 Abstract The Fast Initial Link Setup project (FILS, P802.11ai) is introducing several new authentication mechanisms. Review of one of these authentication mechanisms, PKEX (in Draft P802.11ai_D10.0), identified serious issues with the cryptographic design of the protocol. PKEX was removed from P802.11ai. https://mentor.ieee.org/802.11/dcn/16/11-16-1142-06-00ai-cryptographic-review-and-pkex.ppt This presentation provides a description of one possible replacement for PKEX. Paul A. Lambert (Marvell) John Doe, Some Company

PAKE+PKA PKEX provided a password based mutual authentication of long-term public keys Based loosely on the SPAKE2 protocol https://www.ietf.org/archive/id/draft-ladd- spake2-01.txt PKEX is a form of Password Authenticated Key Exchange plus Public Key Authentication (PAKE+PKA) Alternatives to PKEX More efficient and secure exchanges could be developed by combining an evaluated authenticated public key exchanges with an evaluated PAKE. An alternative follows where SPAKE2 is combined with mutually blinded Diffie- Hellman (mbDH) https://tools.ietf.org/html/draft-irtf-cfrg-spake2-03 https://www.emvco.com/specifications.aspx?id=285 Paul A. Lambert (Marvell)

PAKE+PKA Preconditions Protocol Exchange Post Conditions sA PA = sA*G Alice shared secret pw sB PB = sB*G Preconditions Bob macA, macB, nonceA, CA macB, macA, nonceB, CB Protocol Exchange macA, macB, checkA macB, macA, checkB PB sk PA sk shared secret keys Post Conditions After the exchange the required properties are: - Alice and Bob share pair-wise unique symmetric keys - Alice has Bob’s public key PB and has validated its ownership to that of the owner of the shared secret ‘pw’ - Bob has Alice’s public key PA and has validated its ownership to that of the owner of the shared secret ‘pw’ Paul A. Lambert (Marvell)

Cryptographic Notation s private key used to generate the public key G generator element of the group used for public key operations + associative group operation (point addition for ECC) * scalar multiplication is the repeated addition of a group element with itself P a long-term public key where P=s*G H() hash function len(S) denotes the length of a string in bytes, represented as an eight-byte big-endian number. sk symmetric secret key developed from DH key agreement || denotes concatenation of strings { }sk curly braces indicate AEAD encryption by the key appended to the second brace (e.g. ‘sk’). The protocol shall fail and terminate when the integrity check on decryption fails. PA PB Subscripts indicate the entity that controls the key pair (Alice ‘A’ , Bob ‘B’) Alice sA PA = sA*G Bob sB PB = sB*G Paul A. Lambert (Marvell)

SPAKE2 https://tools.ietf.org/html/draft-irtf-cfrg-spake2-03 iidA = “Alice” idB = “Bob” shared secret pw idB = “Bob” idA = “Alice” Alice Bob MA and MB are known constants selected for their security properties. w = H( pw ) xA = randRange(0,p*h) XA = xA*G RA = w*MA + XA RA w = H( pw ) xB = randRange(0,p*h) XB = xB*G RB = w*MB + XB RB K = xA * (RB – w*MB) sk = H(len(idA)|| idA || len(idB) || idB || len(RA) || RA || len(RB) || RB || len(w) || w || len(K) || K) K = xB * (RA – w*MA) sk = H(len(idA)|| idA || len(idB) || idB || len(RA) || RA || len(RB) || RB || len(w) || w || len(K) || K) After the exchange the properties are: - Alice and Bob share a pair-wise unique symmetric key ‘sk’ with certainty that their peer knew the shared secret ‘pw’ If the peer did not use the same passphrase ‘pw’ the shared secret (sk) will not be the same for the peers. - Note that this 2-step exchange does not include validation of the shared secret key Paul A. Lambert (Marvell)

Blinded Diffie-Hellman (bDH) https://www. emvco. com/specifications The EMVco defined bDH protocol is asymmetric and only authenticates one side of the exchange. sA PA = sA*G Alice Bob xA = randRange(0,p*h) RA = xA* PA RA xB = randRange(0,p*h) RB = xB*G K = xB*XA skBA = H( “R” || K ) encrypt( key=skBA, ( ...) ) RB, { ... }skBA K = sA*xA*RB skBA = H( “R” || K ) decrypt( key=skBA, { (xB, PB), ... } ) assert decrypt is successful skAB = H( “I” || K ) encrypt( key=skAB, ((xA, PA), ...) ) { (xA, PA), ... }skAB skAB = H( “I” || K ) decrypt( key=skAB, { (xA, PA), ... } ) assert decrypt is successful assert RA == xA*PA encrypt( key=skAB, (...) ) { ... }skBA decrypt( key=skBA, { ... } ) After the exchange the properties are: - Alice and Bob share pair-wise unique symmetric keys - Alice has not received a long-term public key from Bob - Bob has Alice’s public key PA and has validated its ownership to the peer with shared key ‘skAB’ Paul A. Lambert (Marvell)

Making bDH Mutual Additions to bDH to make the protocol symmetric and provide mutual authentication are shown in red sA PA = sA*G sB PB = sB*G Alice Bob xA = randRange(0,p*h) RA = xA* PA RA xB = randRange(0,p*h) RB = xB*G xB*PB K = sB*xB*XA skBA = H( “R” || K ) encrypt( key=skBA, ((xB, PB), ...) ) RB, { (xB, PB), ... }skBA K = sA*xA*RB skBA = H( “R” || K ) decrypt( key=skBA, { (xB, PB), ... } ) assert decrypt is successful assert RB == xB*PB skAB = H( “I” || K ) encrypt( key=skAB, ((xA, PA), ...) ) { (xA, PA), ... }skAB skAB = H( “I” || K ) decrypt( key=skAB, { (xA, PA), ... } ) assert decrypt is successful assert RA == xA*PA encrypt( key=skAB, (...) ) { ... }skBA decrypt( key=skBA, { ... } ) assert decrypt is successful After the exchange the properties are: - Alice and Bob share pair-wise unique symmetric keys with certainty that their peer knew the shared secret ‘pw’ - Alice has Bob’s public key PB and has validated its ownership to the peer with shared key ‘skBA’ - Bob has Alice’s public key PA and has validated its ownership to the peer with shared key ‘skAB’ Paul A. Lambert (Marvell)

Mutually Blinded DH (mbDH) sA PA = sA*G sB PB = sB*G Alice Bob xA = randRange(0,p*h) RA = xA* PA RA xB = randRange(0,p*h) RB = xB*PB K = sB*xB*XA skBA = H( “R” || K ) encrypt( key=skBA, ((xB, PB), ...) ) RB, { (xB, PB), ... }skBA K = sA*xA*RB skBA = H( “R” || K ) decrypt( key=skBA, { (xB, PB), ... } ) assert decrypt is successful assert RB == xB*PB skAB = H( “I” || K ) encrypt( key=skAB, ((xA, PA), ...) ) { (xA, PA), ... }skAB skAB = H( “I” || K ) decrypt( key=skAB, { (xA, PA), ... } ) assert decrypt is successful assert RA == xA*PA encrypt( key=skAB, (...) ) { ... }skBA decrypt( key=skBA, { ... } ) assert decrypt is successful After the exchange the properties are: - Alice and Bob share pair-wise unique symmetric keys with certainty that their peer knew the shared secret ‘pw’ - Alice has Bob’s public key PB and has validated its ownership to the peer with shared key ‘skBA’ - Bob has Alice’s public key PA and has validated its ownership to the peer with shared key ‘skAB’ Paul A. Lambert (Marvell)

SPAKE2 plus mbDH v2 (SPM2) iidA = “Alice” idB = “Bob” sA PA = sA*G shared secret pw sB PB = sB*G idB = “Bob” idA = “Alice” Alice Bob yA = randRange(0,p*h) YA = yA* PA w = H( pw ) xA = randRange(0,p*h) RA = w*MA + XA*G yB = randRange(0,p*h) YB = yB* PB w = H( pw ) xB = randRange(0,p*h) RB = w*MB + xB*G K = (xB + yB* sB)*(RA – w*MA+ YA) skBA = H( “R” || len(idA)|| idA || len(idB) || idB || len(RA) || RA || len(RB) || RB || len(w) || w || len(K) || K) encrypt( key=skBA, ((xB, PB), ...) ) RA, YA SPAKE2 and mbDH are sent in parallel SPAKE2 and mbDH are sent in parallel RB, YB, { (yB, PB), ... }skBA K = (xA + yA* sA)*(RB – w*MB + YB) skBA = H( “R” || RA || RB || XA || XB || K || w ) decrypt( key=skBA, { (xB, PB), ... } ) assert YB == yB*PB skAB = H( “I” || len(idA)|| idA || len(idB) || idB || len(RA) || RA || len(RB) || RB || len(w) || w || len(K) || K) encrypt( key=skAB, ((xA, PA), ...) ) The shared key is jointly calculated The shared key is jointly calculated { (yA, PA), ... }skAB skAB = H( “I” || RA || RB || XA || XB || K || w ) decrypt( key=skAB, { (xA, PA), ... } ) assert YA == yA*PA encrypt( key=skAB, (...) ) { ... }skBA decrypt( key=skBA, { ... } ) After the exchange the properties are: - Alice and Bob share a pair-wise unique symmetric keys with certainty that their peer knew the shared secret ‘pw’ - Alice has Bob’s public key PB and has validated its ownership to the peer with shared key ‘skBA’ - Bob has Alice’s public key PA and has validated its ownership to the peer with shared key ‘skAB’ Paul A. Lambert (Marvell)

SPAKE2 plus mbDH v2 (SPM2) sA PA = sA*G shared secret pw sB PB = sB*G idB = “Bob” idA = “Alice” iidA = “Alice” idB = “Bob” Alice Bob yA = randRange(0,p*h) YA = yA* PA w = H( pw ) xA = randRange(0,p*h) RA = w*MA + XA*G yB = randRange(0,p*h) YB = yB* PB w = H( pw ) xB = randRange(0,p*h) RB = w*MB + xB*G K = (xB + yB* sB)*(RA – w*MA+ YA) skBA = H( “R” || len(idA)|| idA || len(idB) || idB || len(RA) || RA || len(RB) || RB || len(w) || w || len(K) || K) encrypt( key=skBA, ((xB, PB), ...) ) RA, YA RB, YB, { (yB, PB), ... }skBA K = (xA + yA* sA)*(RB – w*MB + YB) skBA = H( “R” || RA || RB || XA || XB || K || w ) decrypt( key=skBA, { (xB, PB), ... } ) assert YB == yB*PB skAB = H( “I” || len(idA)|| idA || len(idB) || idB || len(RA) || RA || len(RB) || RB || len(w) || w || len(K) || K) encrypt( key=skAB, ((xA, PA), ...) ) { (yA, PA), ... }skAB skAB = H( “I” || RA || RB || XA || XB || K || w ) decrypt( key=skAB, { (xA, PA), ... } ) assert YA == yA*PA encrypt( key=skAB, (...) ) { ... }skBA decrypt( key=skBA, { ... } ) After the exchange the properties are: - Alice and Bob share a pair-wise unique symmetric keys with certainty that their peer knew the shared secret ‘pw’ - Alice has Bob’s public key PB and has validated its ownership to the peer with shared key ‘skBA’ - Bob has Alice’s public key PA and has validated its ownership to the peer with shared key ‘skAB’ Paul A. Lambert (Marvell)