1. PKEX Alternatives Date: 2016-10-03 Authors: Acknowledgements:
Month Year
doc.: IEEE yy/xxxxr0
October 2016
PKEX Alternatives
Date:
Authors:
Acknowledgements:
Special thanks to Stanislav Smyshlyaev for his invaluable review and comments on the earlier version of SPAKE2+mbDH.
Paul A. Lambert (Marvell)
John Doe, Some Company

2. Month Year
doc.: IEEE yy/xxxxr0
October 2016
Abstract
The Fast Initial Link Setup project (FILS, P802.11ai) is introducing several new authentication mechanisms. Review of one of these authentication mechanisms, PKEX (in Draft P802.11ai_D10.0), identified serious issues with the cryptographic design of the protocol. PKEX was removed from P802.11ai.
This presentation provides a description of one possible replacement for PKEX.
Paul A. Lambert (Marvell)
John Doe, Some Company

3. PAKE+PKA
PKEX provided a password based mutual authentication of long-term public keys
Based loosely on the SPAKE2 protocol spake2-01.txt
PKEX is a form of Password Authenticated Key Exchange plus Public Key Authentication (PAKE+PKA)
Alternatives to PKEX
More efficient and secure exchanges could be developed by combining an evaluated authenticated public key exchanges with an evaluated PAKE.
An alternative follows where SPAKE2 is combined with mutually blinded Diffie- Hellman (mbDH)
Paul A. Lambert (Marvell)

4. PAKE+PKA Preconditions Protocol Exchange Post Conditions sA PA = sA*G
Alice
shared secret pw sB
PB = sB*G
Preconditions
Bob
macA, macB, nonceA, CA
macB, macA, nonceB, CB
Protocol Exchange
macA, macB, checkA
macB, macA, checkB PB sk PA sk
shared secret keys
Post Conditions
After the exchange the required properties are: - Alice and Bob share pair-wise unique symmetric keys
- Alice has Bob’s public key PB and has validated its ownership to that of the owner of the shared secret ‘pw’
- Bob has Alice’s public key PA and has validated its ownership to that of the owner of the shared secret ‘pw’
Paul A. Lambert (Marvell)

5. Cryptographic Notations
private key used to generate the public key G
generator element of the group used for public key operations +
associative group operation (point addition for ECC) *
scalar multiplication is the repeated addition of a group element with itself P
a long-term public key where P=s*G
H()
hash function
len(S)
denotes the length of a string in bytes, represented as an eight-byte big-endian number. sk
symmetric secret key developed from DH key agreement ||
denotes concatenation of strings
{ }sk
curly braces indicate AEAD encryption by the key appended to the second brace (e.g. ‘sk’). The protocol shall fail and terminate when the integrity check on decryption fails.
PA PB
Subscripts indicate the entity that controls the key pair (Alice ‘A’ , Bob ‘B’)
Alice sA
PA = sA*G
Bob sB
PB = sB*G
Paul A. Lambert (Marvell)

6. SPAKE2 https://tools.ietf.org/html/draft-irtf-cfrg-spake2-03
iidA = “Alice”
idB = “Bob”
shared secret pw
idB = “Bob”
idA = “Alice”
Alice
Bob
MA and MB are known constants selected for their security properties.
w = H( pw )
xA = randRange(0,p*h)
XA = xA*G
RA = w*MA + XA RA
w = H( pw )
xB = randRange(0,p*h)
XB = xB*G
RB = w*MB + XB RB
K = xA * (RB – w*MB)
sk = H(len(idA)|| idA || len(idB) || idB || len(RA) || RA || len(RB) || RB || len(w) || w || len(K) || K)
K = xB * (RA – w*MA)
sk = H(len(idA)|| idA || len(idB) || idB || len(RA) || RA || len(RB) || RB || len(w) || w || len(K) || K)
After the exchange the properties are:
- Alice and Bob share a pair-wise unique symmetric key ‘sk’ with certainty that their peer knew the shared secret ‘pw’ If the peer did not use the same passphrase ‘pw’ the shared secret (sk) will not be the same for the peers.
- Note that this 2-step exchange does not include validation of the shared secret key
Paul A. Lambert (Marvell)

7. Blinded Diffie-Hellman (bDH) https://www. emvco. com/specifications
The EMVco defined bDH protocol is asymmetric and only authenticates one side of the exchange.
sA PA = sA*G
Alice
Bob
xA = randRange(0,p*h)
RA = xA* PA RA
xB = randRange(0,p*h)
RB = xB*G
K = xB*XA
skBA = H( “R” || K )
encrypt( key=skBA, ( ...) )
RB, { ... }skBA
K = sA*xA*RB
skBA = H( “R” || K )
decrypt( key=skBA, { (xB, PB), ... } )
assert decrypt is successful
skAB = H( “I” || K )
encrypt( key=skAB, ((xA, PA), ...) )
{ (xA, PA), ... }skAB
skAB = H( “I” || K )
decrypt( key=skAB, { (xA, PA), ... } )
assert decrypt is successful
assert RA == xA*PA
encrypt( key=skAB, (...) )
{ ... }skBA
decrypt( key=skBA, { ... } )
After the exchange the properties are: - Alice and Bob share pair-wise unique symmetric keys
- Alice has not received a long-term public key from Bob
- Bob has Alice’s public key PA and has validated its ownership to the peer with shared key ‘skAB’
Paul A. Lambert (Marvell)

8. Making bDH Mutual
Additions to bDH to make the protocol symmetric and provide mutual authentication are shown in red
sA PA = sA*G sB
PB = sB*G
Alice
Bob
xA = randRange(0,p*h)
RA = xA* PA RA
xB = randRange(0,p*h)
RB = xB*G xB*PB
K = sB*xB*XA
skBA = H( “R” || K )
encrypt( key=skBA, ((xB, PB), ...) )
RB, { (xB, PB), ... }skBA
K = sA*xA*RB
skBA = H( “R” || K )
decrypt( key=skBA, { (xB, PB), ... } )
assert decrypt is successful
assert RB == xB*PB
skAB = H( “I” || K )
encrypt( key=skAB, ((xA, PA), ...) )
{ (xA, PA), ... }skAB
skAB = H( “I” || K )
decrypt( key=skAB, { (xA, PA), ... } )
assert decrypt is successful
assert RA == xA*PA
encrypt( key=skAB, (...) )
{ ... }skBA
decrypt( key=skBA, { ... } )
assert decrypt is successful
After the exchange the properties are: - Alice and Bob share pair-wise unique symmetric keys with certainty that their peer knew the shared secret ‘pw’
- Alice has Bob’s public key PB and has validated its ownership to the peer with shared key ‘skBA’
- Bob has Alice’s public key PA and has validated its ownership to the peer with shared key ‘skAB’
Paul A. Lambert (Marvell)

9. Mutually Blinded DH (mbDH)
sA PA = sA*G sB
PB = sB*G
Alice
Bob
xA = randRange(0,p*h)
RA = xA* PA RA
xB = randRange(0,p*h)
RB = xB*PB
K = sB*xB*XA
skBA = H( “R” || K )
encrypt( key=skBA, ((xB, PB), ...) )
RB, { (xB, PB), ... }skBA
K = sA*xA*RB
skBA = H( “R” || K )
decrypt( key=skBA, { (xB, PB), ... } )
assert decrypt is successful
assert RB == xB*PB
skAB = H( “I” || K )
encrypt( key=skAB, ((xA, PA), ...) )
{ (xA, PA), ... }skAB
skAB = H( “I” || K )
decrypt( key=skAB, { (xA, PA), ... } )
assert decrypt is successful
assert RA == xA*PA
encrypt( key=skAB, (...) )
{ ... }skBA
decrypt( key=skBA, { ... } )
assert decrypt is successful
After the exchange the properties are: - Alice and Bob share pair-wise unique symmetric keys with certainty that their peer knew the shared secret ‘pw’
- Alice has Bob’s public key PB and has validated its ownership to the peer with shared key ‘skBA’
- Bob has Alice’s public key PA and has validated its ownership to the peer with shared key ‘skAB’
Paul A. Lambert (Marvell)

10. SPAKE2 plus mbDH v2 (SPM2) iidA = “Alice” idB = “Bob” sA PA = sA*G
shared secret pw sB
PB = sB*G
idB = “Bob”
idA = “Alice”
Alice
Bob
yA = randRange(0,p*h)
YA = yA* PA
w = H( pw )
xA = randRange(0,p*h)
RA = w*MA + XA*G
yB = randRange(0,p*h)
YB = yB* PB
w = H( pw )
xB = randRange(0,p*h)
RB = w*MB + xB*G
K = (xB + yB* sB)*(RA – w*MA+ YA)
skBA = H( “R” || len(idA)|| idA || len(idB) || idB || len(RA) || RA || len(RB) || RB || len(w) || w || len(K) || K)
encrypt( key=skBA, ((xB, PB), ...) )
RA, YA
SPAKE2 and mbDH are sent in parallel
SPAKE2 and mbDH are sent in parallel
RB, YB, { (yB, PB), ... }skBA
K = (xA + yA* sA)*(RB – w*MB + YB)
skBA = H( “R” || RA || RB || XA || XB || K || w )
decrypt( key=skBA, { (xB, PB), ... } )
assert YB == yB*PB
skAB = H( “I” || len(idA)|| idA || len(idB) || idB || len(RA) || RA || len(RB) || RB || len(w) || w || len(K) || K)
encrypt( key=skAB, ((xA, PA), ...) )
The shared key is jointly calculated
The shared key is jointly calculated
{ (yA, PA), ... }skAB
skAB = H( “I” || RA || RB || XA || XB || K || w )
decrypt( key=skAB, { (xA, PA), ... } )
assert YA == yA*PA
encrypt( key=skAB, (...) )
{ ... }skBA
decrypt( key=skBA, { ... } )
After the exchange the properties are: - Alice and Bob share a pair-wise unique symmetric keys with certainty that their peer knew the shared secret ‘pw’
- Alice has Bob’s public key PB and has validated its ownership to the peer with shared key ‘skBA’
- Bob has Alice’s public key PA and has validated its ownership to the peer with shared key ‘skAB’
Paul A. Lambert (Marvell)

11. SPAKE2 plus mbDH v2 (SPM2) sA PA = sA*G shared secret pw sB PB = sB*G
idB = “Bob”
idA = “Alice”
iidA = “Alice”
idB = “Bob”
Alice
Bob
yA = randRange(0,p*h)
YA = yA* PA
w = H( pw )
xA = randRange(0,p*h)
RA = w*MA + XA*G
yB = randRange(0,p*h)
YB = yB* PB
w = H( pw )
xB = randRange(0,p*h)
RB = w*MB + xB*G
K = (xB + yB* sB)*(RA – w*MA+ YA)
skBA = H( “R” || len(idA)|| idA || len(idB) || idB || len(RA) || RA || len(RB) || RB || len(w) || w || len(K) || K)
encrypt( key=skBA, ((xB, PB), ...) )
RA, YA
RB, YB, { (yB, PB), ... }skBA
K = (xA + yA* sA)*(RB – w*MB + YB)
skBA = H( “R” || RA || RB || XA || XB || K || w )
decrypt( key=skBA, { (xB, PB), ... } )
assert YB == yB*PB
skAB = H( “I” || len(idA)|| idA || len(idB) || idB || len(RA) || RA || len(RB) || RB || len(w) || w || len(K) || K)
encrypt( key=skAB, ((xA, PA), ...) )
{ (yA, PA), ... }skAB
skAB = H( “I” || RA || RB || XA || XB || K || w )
decrypt( key=skAB, { (xA, PA), ... } )
assert YA == yA*PA
encrypt( key=skAB, (...) )
{ ... }skBA
decrypt( key=skBA, { ... } )
After the exchange the properties are: - Alice and Bob share a pair-wise unique symmetric keys with certainty that their peer knew the shared secret ‘pw’
- Alice has Bob’s public key PB and has validated its ownership to the peer with shared key ‘skBA’
- Bob has Alice’s public key PA and has validated its ownership to the peer with shared key ‘skAB’
Paul A. Lambert (Marvell)