Coordinate conditions: Difference between revisions

In cryptography, the Password Authenticated Key Exchange by Juggling (or J-PAKE) is a password-authenticated key agreement protocol.^[1] This technique allows two parties to establish private and authenticated communication solely based on their shared (low-entropy) password without requiring a Public Key Infrastructure. It provides mutual authentication to the key exchange, a feature that is lacking in the Diffie-Hellman key exchange protocol. The authors suggest that J-PAKE may be helpful in avoiding patents in the field.

Description

Two parties, Alice and Bob, agree on a group ${\displaystyle G}$ with generator ${\displaystyle g}$ of prime order ${\displaystyle q}$ in which the discrete log problem is hard. Typically a Schnorr group is used. In general, J-PAKE can use any prime order group that is suitable for public key cryptography, including Elliptic curve cryptography. Let ${\displaystyle s}$ be their shared (low-entropy) secret, which can be a password or a hash of a password (${\displaystyle s\ne 0}$). The protocol executes in two rounds.

Round 1

Alice selects ${\displaystyle x_1{\in }_R[0,q-1]}$, ${\displaystyle x_2{\in }_R(0,q-1]}$ and sends out ${\displaystyle g^{x_1}}$, ${\displaystyle g^{x_2}}$ together with the Zero-knowledge proofs (using for example Schnorr signature) for the proof of the exponents ${\displaystyle x_1}$ and ${\displaystyle x_2}$. Similarly, Bob selects ${\displaystyle x_3{\in }_R[0,q-1]}$, ${\displaystyle x_4{\in }_R(0,q-1]}$ and sends out ${\displaystyle g^{x_3}}$, ${\displaystyle g^{x_4}}$ together with the Zero-knowledge proofs for the proof of the exponents ${\displaystyle x_3}$ and ${\displaystyle x_4}$. The above communication can be completed in one round as neither party depends on the other. When it finishes, Alice and Bob verify the received Zero-knowledge proofs and also check ${\displaystyle g^{x_2},g^{x_4}\ne 1}$.

Round 2

Alice sends out ${\displaystyle A=g^{(x_1+x_3+x_4)x_{2}s}}$ and a Zero-knowledge proof for the proof of the exponent ${\displaystyle x_{2}s}$. (Note Alice actually derives a new public key using ${\displaystyle g^{x_1+x_3+x_4}}$ as the generator). Similarly, Bob sends out ${\displaystyle B=g^{(x_1+x_2+x_3)x_{4}s}}$ and a Zero-knowledge proof for the proof of the exponent ${\displaystyle x_{4}s}$.

After Round 2, Alice computes ${\displaystyle K=(B/g^{x_2{x}_{4}s}{)}^{x_2}=g^{(x_1+x_3)x_2{x}_{4}s}}$. Similarly, Bob computes ${\displaystyle K=(A/g^{x_2{x}_{4}s}{)}^{x_4}=g^{(x_1+x_3)x_2{x}_{4}s}}$. With the same keying material ${\displaystyle K}$, Alice and Bob can derive a session key using a Cryptographic hash function: ${\displaystyle \kappa =H(K)}$.

The two-round J-PAKE protocol is completely symmetric. This helps significantly simplify the security analysis. For example, the proof that one party does not leak any password information in the data exchange must hold true for the other party based on the symmetry. This reduces the number of the needed security proofs by half.

In practice, it is more likely to implement J-PAKE in three flows since one party shall normally take the initiative. This can be done trivially without loss of security. Suppose Alice initiates the communication by sending to Bob: ${\displaystyle g^{x_1},g^{x_2}}$ and Zero-knowledge proofs. Then Bob replies with: ${\displaystyle g^{x_3},g^{x_4},B=g^{(x_1+x_2+x_3)x_{4}s}}$ and Zero-knowledge proofs. Finally, Alice sends to Bob: ${\displaystyle A=g^{(x_1+x_3+x_4)x_{2}s}}$ and a Zero-knowledge proof. Both parties can now derive the same session key.

Depending on the application requirement, Alice and Bob may perform an optional key confirmation step. There are several ways to do it. A simple method described in SPEKE works as follows: Alice sends to Bob ${\displaystyle H(H(\kappa ))}$, and then Bob replies with ${\displaystyle H(\kappa )}$.^[2] Alternatively, Alice and Bob can realize explicit key confirmation by using the newly constructed session key to encrypt a known value (or a random challenge). EKE, Kerberos and Needham-Schroeder all attempt to provide explicit key confirmation by exactly this method.

Security properties

The J-PAKE protocol is provably secure, fulfilling the following properties^[3].

1. Off-line dictionary attack resistance - It does not leak any password verification information to a passive/active attacker.
2. Forward secrecy - It produces session keys that remain secure even when the password is later disclosed.
3. Known-key security - It prevents a disclosed session key from affecting the security of other sessions.
4. On-line dictionary attack resistance - It limits an active attacker to test only one password per protocol execution.

The protocol design

The J-PAKE protocol is designed by combining random public keys in such a structured way to achieve a vanishing effect if both parties supplied exactly the same passwords. This is somehow similar to the Anonymous veto network protocol design. The essence of the idea, however, can be traced back to David Chaum's original Dining Cryptographers network protocol,^[4] where binary bits are combined in a structured way to achieve a vanishing effect.

The implementation

J-PAKE has been implemented in OpenSSL and OpenSSH as an experimental authentication protocol. It has also been implemented in NSS and is used by Firefox Sync. Since February 2013, J-PAKE has been added to the lightweight API in Bouncycastle (1.48 and onwards).

References

43 year old Petroleum Engineer Harry from Deep River, usually spends time with hobbies and interests like renting movies, property developers in singapore new condominium and vehicle racing. Constantly enjoys going to destinations like Camino Real de Tierra Adentro.

External links

• A prototype demo of J-PAKE in C
• A prototype demo of J-PAKE in Java
• An example of implementing J-PAKE using Elliptic Curve
• J-PAKE: From Dining Cryptographers to Jugglers