iSCSI: PAK: an alternative to SRP and DH-CHAP

To: ips@ece.cmu.edu
Subject: iSCSI: PAK: an alternative to SRP and DH-CHAP
From: Philip MacKenzie <philmac@research.bell-labs.com>
Date: Mon, 29 Apr 2002 08:20:34 -0400
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii; format=flowed
Organization: Bell Labs, Lucent Technologies
Sender: owner-ips@ece.cmu.edu
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9.2) Gecko/20010726 Netscape6/6.1

Two weeks ago I heard there was an issue regarding
password-authenticated key exchange in the iSCSI proposal,
and after studying the mailing list archive to
understand the issue and its history, I thought that
it may be worthwhile to propose an alternative
that may be more acceptable to the members of this group.

I am writing an Internet Draft proposing the PAK protocol
for inclusion in iSCSI.  I expect that it will be published
within a couple days, but I thought it would be best to present
the protocol and start the discussion as soon as possible.
I know that this proposal is coming later in the process
that desired, but since DH-CHAP was so recently introduced,
I would hope that this proposal is also not too late.

PAK is a password-authenticated key exchange protocol that
is designed to solve the same problem as SRP, namely, it
is a key exchange protocol that uses a password for
authentication, but is immune to offline dictionary attacks,
even against an active attacker who may insert, modify, or
delete messages on the network.  The basic idea is very
simple: it's a Diffie-Hellman key exchange with one of the
Diffie-Hellman messages multiplied by a hash of the password.

Graphically, it is just:

     Alice                             Bob

                    H(pw) * g^x
              -------------------->
                  g^y, Conf-hash
              <--------------------
                     Conf-hash'
              --------------------->

where the secret value is g^{xy}.  Notice that Bob
must divide out H(pw) from the message he gets from Alice.
The confirmation hashes are necessary, unless Bob also
multiplies his value g^y by a hash of the password.


A complete version of the protocol may be found at:

http://www.integritysciences.com/p1363/submissions/pak-suite.pdf

The Internet Draft will have a completely specified version
of this protocol, with all parameters, etc.

Reasons for preferring PAK over DH-CHAP:
- security against active attacks (same as SRP vs. DH-CHAP)

Reasons for preferring PAK over SRP:
- PAK has a mathematical proof of security
(assuming the hash functions are modeled as random functions).
- PAK is more elegant (IMHO).

Efficiency:
- As you can see, PAK is about as efficient as DH-CHAP or SRP

Acceptance:
- PAK has been published in Eurocrypt (2000), one
of the 2 top crypto conferences.
- PAK is basically a refinement of EKE, the well-known
encrypted key exchange protocol by Bellovin and Merritt.
- PAK is being used in Plan9 from Lucent.
- PAK is one of the protocols being standardized in IEEE P1363.2
- We are also planning to implement PAK as part
of the Lucent's iSCSI protocol implementation in FreeBSD.

Once again, the draft should be available in a day or two,
but I am happy to answer any questions and comments
in the meanwhile!

-Phil MacKenzie
Bell Labs

Follow-Ups:
- Re: iSCSI: PAK: an alternative to SRP and DH-CHAP
  - From: Bill Strahm <bill@strahm.net>
- Re: iSCSI: PAK: an alternative to SRP and DH-CHAP
  - From: Bill Studenmund <wrstuden@wasabisystems.com>
- Re: Correction iSCSI: PAK: an alternative to SRP and DH-CHAP
  - From: Philip MacKenzie <philmac@research.bell-labs.com>

Prev by Date: Re: FCIP Last Call, comment 109 - Special Frame
Next by Date: Re: Correction iSCSI: PAK: an alternative to SRP and DH-CHAP
Prev by thread: Re: iSCSI: Logout and recovery notes
Next by thread: Re: Correction iSCSI: PAK: an alternative to SRP and DH-CHAP
Index(es):
- Date
- Thread

Home

Last updated: Wed May 15 15:19:08 2002
10128 messages in chronological order