IEEE P1363.2: Standard Specifications for Password-based Public-Key Cryptography David Jablon CTO Phoenix Technologies Treasurer, IEEE P1363 NIST Key Management Workshop November 1-2, 2001
November 1, 2001NIST Key Management Workshop2 What is IEEE P ? “Standard Specifications for Public Key Cryptography: Password-based Techniques” “Standard Specifications for Public Key Cryptography: Password-based Techniques” Proposed IEEE standard Proposed IEEE standard Companion to IEEE Std Companion to IEEE Std Product of P1363 Working Group Product of P1363 Working Group Open standards process Open standards process
November 1, 2001NIST Key Management Workshop3 ScopeScope Password-based public-key techniques Password-based public-key techniques Supplemental to IEEE Std Supplemental to IEEE Std Primitives, schemes, and protocols Primitives, schemes, and protocols Key agreement, plus Key agreement, plus resistance to dictionary attack resistance to dictionary attack Tolerates or safely uses low-grade secrets Tolerates or safely uses low-grade secrets passwords, password-derived keys, etc. passwords, password-derived keys, etc.
November 1, 2001NIST Key Management Workshop4 Focus of P Password-based public-key techniques Password-based public-key techniques balanced key agreement balanced key agreement augmented key agreement augmented key agreement key retrieval key retrieval Discrete log and elliptic curve families Discrete log and elliptic curve families Examples Examples AMP, AuthA, EKE, OKE, PAK, SNAPI, SPEKE, SRP,... AMP, AuthA, EKE, OKE, PAK, SNAPI, SPEKE, SRP,...
November 1, 2001NIST Key Management Workshop5 History of P Password-based submissions to P1363 Password-based submissions to P through through 2001 Work deferred to a P1363 supplement Work deferred to a P1363 supplement while Std completed while Std completed P PAR approved P PAR approved late 2000 late 2000 Latest draft Latest draft October 23, 2001 October 23, 2001
November 1, 2001NIST Key Management Workshop6 IEEE P1363 Supplements P1363a, P1363b P1363a, P1363b same goals and families as Std same goals and families as Std P1363.1: Lattice-based P1363.1: Lattice-based same goals -- different family same goals -- different family P1363.2: Password-based P1363.2: Password-based same families -- different goals same families -- different goals
November 1, 2001NIST Key Management Workshop7 Purpose of IEEE P Reference for specification of techniques Reference for specification of techniques Provide theoretic background Provide theoretic background Discuss security and implementation issues Discuss security and implementation issues Does not mandate particular techniques or security requirements Does not mandate particular techniques or security requirements
November 1, 2001NIST Key Management Workshop8 RationaleRationale People are important entities People are important entities Passwords are important for personal authentication Passwords are important for personal authentication People have trouble with high-grade keys People have trouble with high-grade keys storage -- memorizing storage -- memorizing input -- attention to detail input -- attention to detail output-- typing output-- typing Need to standardize the best password techniques Need to standardize the best password techniques
November 1, 2001NIST Key Management Workshop9 BenefitsBenefits Mutual authentication Mutual authentication Person-to-machine, person-to-person,... Person-to-machine, person-to-person,... Authenticated key agreement Authenticated key agreement Authenticated key retrieval Authenticated key retrieval Safer handling of password-derived keys Safer handling of password-derived keys
November 1, 2001NIST Key Management Workshop10 Sample sections of draft Overview Overview Definitions, Concepts, Rationale Definitions, Concepts, Rationale Types of Techniques (primitives, schemes, protocols) Types of Techniques (primitives, schemes, protocols) Methods Based on Discrete Log & Elliptic Curve Problems Methods Based on Discrete Log & Elliptic Curve Problems Password-Authenticated Key Agreement Password-Authenticated Key Agreement Password-Authenticated Key Retrieval Password-Authenticated Key Retrieval Number-Theoretic Background Number-Theoretic Background Security Considerations Security Considerations References & Bibliography References & Bibliography
November 1, 2001NIST Key Management Workshop11 Example of a PKA Scheme Password-authenticated Key Agreement Scheme (PKAS) operation for each party: Password-authenticated Key Agreement Scheme (PKAS) operation for each party: Password ( ) PEPKGP password-entangled public key (w) Password ( ) PEPKGP password-entangled public key (w) Send w to other party Send w to other party Get password-entangled public key (w’) from other party Get password-entangled public key (w’) from other party ,w’ SVDP agreed value z ,w’ SVDP agreed value z
November 1, 2001NIST Key Management Workshop12 Example of a PKA Primitive Password-entangled Public Key Generation Primitive (PEPKGP) operation: Password-entangled Public Key Generation Primitive (PEPKGP) operation: Input: Input: n password-derived mask group element n password-derived mask group element sprivate key sprivate key gdomain parameter gdomain parameter Compute w = (g^s) * n Compute w = (g^s) * n Output: w Output: w
November 1, 2001NIST Key Management Workshop13 Summary of IEEE P IEEE proposed standard -- work in progress IEEE proposed standard -- work in progress Reference for password-based public-key techniques Reference for password-based public-key techniques Solves important problems with human participants Solves important problems with human participants Fills a big gap in other standards Fills a big gap in other standards
November 1, 2001NIST Key Management Workshop14 For More Information IEEE P1363 Web site IEEE P1363 Web site publicly accessible research contributions and document submissions publicly accessible research contributions and document submissions Two mailing lists Two mailing lists general announcements list, low volume general announcements list, low volume technical discussion list, high volume technical discussion list, high volume everybody is welcome to subscribe everybody is welcome to subscribe web site contains subscription information web site contains subscription information
November 1, 2001NIST Key Management Workshop15 David Jablon Phoenix Technologies P1363 Working Group