Coordinate conditions: Difference between revisions
In cryptography, the '''Password Authenticated Key Exchange by Juggling''' (or J-PAKE) is a [[password-authenticated key agreement]] protocol.<ref>F. Hao, P. Ryan. [http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf Password Authenticated Key Exchange by Juggling]. ''Proceedings of the 16th International Workshop on Security Protocols'', 2008.</ref> This technique allows two parties to establish private and authenticated communication solely based on their shared (low-entropy) password without requiring a [[Public Key Infrastructure]]. It provides mutual authentication to the key exchange, a feature that is lacking in the [[Diffie-Hellman key exchange]] protocol. The authors suggest that J-PAKE may be helpful in avoiding patents in the field.
==Description==
Two parties, Alice and Bob, agree on a group <math>G</math> with generator <math>g</math> of prime order <math>q</math> in which the discrete log problem is hard. Typically a [[Schnorr group]] is used. In general, J-PAKE can use any prime order group that is suitable for public key cryptography, including [[Elliptic curve cryptography]]. Let <math>s</math> be their shared (low-entropy) secret, which can be a password or a hash of a password (<math>s \neq 0</math>). The protocol executes in two rounds.
;Round 1: Alice selects <math>x_1 \in_R [0, q-1]</math>, <math>x_2 \in_R (0, q-1]</math> and sends out <math>g^{x_1}</math>, <math>g^{x_2}</math> together with the [[Zero-knowledge proofs]] (using for example [[Schnorr signature]]) for the proof of the exponents <math>x_1</math> and <math>x_2</math>. Similarly, Bob selects <math>x_3 \in_R [0, q-1]</math>, <math>x_4 \in_R (0, q-1]</math> and sends out <math>g^{x_3}</math>, <math>g^{x_4}</math> together with the [[Zero-knowledge proofs]] for the proof of the exponents <math>x_3</math> and <math>x_4</math>. The above communication can be completed in one round as neither party depends on the other. When it finishes, Alice and Bob verify the received [[Zero-knowledge proofs]] and also check <math>g^{x_2}, g^{x_4} \neq 1</math>.
;Round 2: Alice sends out <math>A = g^{(x_1 + x_3 + x_4) x_2 s}</math> and a [[Zero-knowledge proof]] for the proof of the exponent <math>x_2 s</math>. (Note Alice actually derives a new public key using <math>g^{x_1 + x_3 + x_4}</math> as the generator). Similarly, Bob sends out <math>B = g^{(x_1 + x_2 + x_3) x_4 s}</math> and a [[Zero-knowledge proof]] for the proof of the exponent <math>x_4 s</math>.
After Round 2, Alice computes <math>K = (B/g^{x_2 x_4 s})^{x_2} = g^{(x_1 + x_3) x_2 x_4 s}</math>. Similarly, Bob computes <math>K = (A/g^{x_2 x_4 s})^{x_4} = g^{(x_1 + x_3) x_2 x_4 s}</math>. With the same keying material <math>K</math>, Alice and Bob can derive a session key using a [[Cryptographic hash function]]: <math>\kappa = H(K)</math>.
The two-round J-PAKE protocol is completely symmetric. This helps significantly simplify the security analysis. For example, the proof that one party does not leak any password information in the data exchange must hold true for the other party based on the symmetry. This reduces the number of the needed security proofs by half.
In practice, J-PAKE is more likely to be implemented in three flows, since one party normally takes the initiative. This can be done trivially without loss of security. Suppose Alice initiates the communication by sending to Bob: <math>g^{x_1}, g^{x_2}</math> and Zero-knowledge proofs. Then Bob replies with: <math>g^{x_3}, g^{x_4}, B = g^{(x_1 + x_2 + x_3) x_4 s}</math> and Zero-knowledge proofs. Finally, Alice sends to Bob: <math>A = g^{(x_1 + x_3 + x_4) x_2 s}</math> and a Zero-knowledge proof. Both parties can now derive the same session key.
Depending on the application requirement, Alice and Bob may perform an optional key confirmation step. There are several ways to do it. A simple method described in [[SPEKE (cryptography)|SPEKE]] works as follows: Alice sends to Bob <math>H(H(\kappa))</math>, and then Bob replies with <math>H(\kappa)</math>.<ref>{{cite journal | first = David | last = Jablon | title = Strong Password-Only Authenticated Key Exchange | journal = Computer Communication Review | publisher = ACM SIGCOMM | volume = 26 | issue = 5 | pages = 5–26 |date=October 1996 | url = http://www.jablon.org/passwordlinks.html#Jab96 | doi = 10.1145/242896.242897}}</ref> Alternatively, Alice and Bob can realize explicit key confirmation by using the newly constructed session key to encrypt a known value (or a random challenge). [[Encrypted key exchange|EKE]], [[Kerberos (protocol)|Kerberos]] and [[Needham-Schroeder]] all attempt to provide explicit key confirmation by exactly this method.
==Security properties==
The J-PAKE protocol is provably secure, fulfilling the following properties:<ref>F. Hao, P. Ryan. [http://eprint.iacr.org/2010/190.pdf J-PAKE: Authenticated Key Exchange Without PKI]. ''Springer Transactions on Computational Science XI, Special Issue on Security in Computing, Part II'', Vol. 6480, pp. 192-206, 2010.</ref>
# Off-line dictionary attack resistance - It does not leak any password verification information to a passive/active attacker.
# Forward secrecy - It produces session keys that remain secure even when the password is later disclosed.
# Known-key security - It prevents a disclosed session key from affecting the security of other sessions.
# On-line dictionary attack resistance - It limits an active attacker to test only one password per protocol execution.
==The protocol design==
The J-PAKE protocol is designed by combining random public keys in a structured way so as to achieve a vanishing effect if both parties supplied exactly the same passwords. This is somewhat similar to the [[Anonymous veto network]] protocol design. The essence of the idea, however, can be traced back to [[David Chaum]]'s original [[dining cryptographers problem | Dining Cryptographers]] network protocol,<ref>David Chaum. [http://dx.doi.org/10.1007/BF00206326 The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability] Journal of Cryptology, vol. 1, No. 1, pp. 65-75, 1988</ref> where binary bits are combined in a structured way to achieve a vanishing effect.
==The implementation==
J-PAKE has been implemented in [[OpenSSL]] and [[OpenSSH]] as an experimental authentication protocol. It has also been implemented in [[Network Security Services|NSS]] and is used by [[Firefox Sync]]. Since February 2013, J-PAKE has been added to the lightweight API in [[Bouncycastle]] (1.48 and onwards).
==References==
{{reflist}}
==External links==
* [http://www.links.org/?p=393 A prototype demo of J-PAKE in C]
* [http://haofeng66.googlepages.com/JPAKEDemo.java A prototype demo of J-PAKE in Java]
* [http://homepages.cs.ncl.ac.uk/feng.hao/files/EllipticCurveJPAKEDemo.java An example of implementing J-PAKE using Elliptic Curve]
* [http://www.lightbluetouchpaper.org/2008/05/29/j-pake J-PAKE: From Dining Cryptographers to Jugglers]
{{DEFAULTSORT:Password Authenticated Key Exchange By Juggling}}
[[Category:Cryptography]]
[[Category:Cryptographic protocols]]
Latest revision as of 22:39, 29 December 2013
In cryptography, the Password Authenticated Key Exchange by Juggling (or J-PAKE) is a password-authenticated key agreement protocol.[1] This technique allows two parties to establish private and authenticated communication solely based on their shared (low-entropy) password without requiring a Public Key Infrastructure. It provides mutual authentication to the key exchange, a feature that is lacking in the Diffie-Hellman key exchange protocol. The authors suggest that J-PAKE may be helpful in avoiding patents in the field.
Description
Two parties, Alice and Bob, agree on a group $G$ with generator $g$ of prime order $q$ in which the discrete log problem is hard. Typically a Schnorr group is used. In general, J-PAKE can use any prime order group that is suitable for public key cryptography, including Elliptic curve cryptography. Let $s$ be their shared (low-entropy) secret, which can be a password or a hash of a password ($s \neq 0$). The protocol executes in two rounds.
- Round 1
- Alice selects $x_1 \in_R [0, q-1]$, $x_2 \in_R (0, q-1]$ and sends out $g^{x_1}$, $g^{x_2}$ together with the Zero-knowledge proofs (using for example Schnorr signature) for the proof of the exponents $x_1$ and $x_2$. Similarly, Bob selects $x_3 \in_R [0, q-1]$, $x_4 \in_R (0, q-1]$ and sends out $g^{x_3}$, $g^{x_4}$ together with the Zero-knowledge proofs for the proof of the exponents $x_3$ and $x_4$. The above communication can be completed in one round as neither party depends on the other. When it finishes, Alice and Bob verify the received Zero-knowledge proofs and also check $g^{x_2}, g^{x_4} \neq 1$.
- Round 2
- Alice sends out $A = g^{(x_1 + x_3 + x_4) x_2 s}$ and a Zero-knowledge proof for the proof of the exponent $x_2 s$. (Note Alice actually derives a new public key using $g^{x_1 + x_3 + x_4}$ as the generator). Similarly, Bob sends out $B = g^{(x_1 + x_2 + x_3) x_4 s}$ and a Zero-knowledge proof for the proof of the exponent $x_4 s$.
After Round 2, Alice computes $K = (B/g^{x_2 x_4 s})^{x_2} = g^{(x_1 + x_3) x_2 x_4 s}$. Similarly, Bob computes $K = (A/g^{x_2 x_4 s})^{x_4} = g^{(x_1 + x_3) x_2 x_4 s}$. With the same keying material $K$, Alice and Bob can derive a session key using a Cryptographic hash function: $\kappa = H(K)$.
The two-round J-PAKE protocol is completely symmetric. This helps significantly simplify the security analysis. For example, the proof that one party does not leak any password information in the data exchange must hold true for the other party based on the symmetry. This reduces the number of the needed security proofs by half.
In practice, J-PAKE is more likely to be implemented in three flows, since one party normally takes the initiative. This can be done trivially without loss of security. Suppose Alice initiates the communication by sending to Bob: $g^{x_1}, g^{x_2}$ and Zero-knowledge proofs. Then Bob replies with: $g^{x_3}, g^{x_4}, B = g^{(x_1 + x_2 + x_3) x_4 s}$ and Zero-knowledge proofs. Finally, Alice sends to Bob: $A = g^{(x_1 + x_3 + x_4) x_2 s}$ and a Zero-knowledge proof. Both parties can now derive the same session key.
Depending on the application requirement, Alice and Bob may perform an optional key confirmation step. There are several ways to do it. A simple method described in SPEKE works as follows: Alice sends to Bob $H(H(\kappa))$, and then Bob replies with $H(\kappa)$.[2] Alternatively, Alice and Bob can realize explicit key confirmation by using the newly constructed session key to encrypt a known value (or a random challenge). EKE, Kerberos and Needham-Schroeder all attempt to provide explicit key confirmation by exactly this method.
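The two rounds and the key derivation described above, run end to end as an added example (not code from the J-PAKE authors or from any implementation named on this page). It assumes a constructed toy Schnorr group (p = 2039, q = 1019, g = 4), takes s as an integer, and binds a signer name into each Schnorr proof; the names `Party`, `exchange`, `prove` and `verify` are hypothetical.

```python
import hashlib
import secrets
# Constructed toy Schnorr group, far too small for real use: P = 2Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4

def H(*parts):
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def prove(base, x, signer):
    """Schnorr proof of knowledge of x for X = base^x (signer id in the hash is an assumption)."""
    v = secrets.randbelow(Q)
    V = pow(base, v, P)
    c = H(base, V, pow(base, x, P), signer) % Q
    return V, (v - x * c) % Q

def verify(base, X, proof, signer):
    V, r = proof
    c = H(base, V, X, signer) % Q
    in_group = 0 < X < P and pow(X, Q, P) == 1
    return in_group and V == pow(base, r, P) * pow(X, c, P) % P

class Party:
    def __init__(self, name, s, xa, xb):
        self.name, self.s, self.xa, self.xb = name, s % Q, xa % Q, xb % Q

    def round1(self):
        self.ga, self.gb = pow(G, self.xa, P), pow(G, self.xb, P)
        return self.ga, self.gb, prove(G, self.xa, self.name), prove(G, self.xb, self.name)

    def round2(self, peer, msg):
        gc, gd, pc, pd = msg
        if gd == 1 or not (verify(G, gc, pc, peer) and verify(G, gd, pd, peer)):
            raise ValueError("round 1 message rejected")
        self.peer, self.gc, self.gd = peer, gc, gd
        base = self.ga * gc * gd % P        # Alice's view: g^(x1+x3+x4)
        self.xs = self.xb * self.s % Q      # Alice's view: x2*s
        return pow(base, self.xs, P), prove(base, self.xs, self.name)

    def key(self, msg):
        B, proof = msg
        peer_base = self.ga * self.gb * self.gc % P   # the peer's generator g^(x1+x2+x3)
        if not verify(peer_base, B, proof, self.peer):
            raise ValueError("round 2 message rejected")
        K = pow(B * pow(self.gd, Q - self.xs, P) % P, self.xb, P)  # (B / g^(x2 x4 s))^x2
        return hashlib.sha256(str(K).encode()).hexdigest()         # kappa = H(K)

def exchange(s_a, s_b, xs=None):
    """Run both rounds; return (Alice's kappa, Bob's kappa). xs fixes x1..x4 for testing."""
    x1, x2, x3, x4 = xs or [secrets.randbelow(Q - 1) + 1 for _ in range(4)]
    alice, bob = Party("alice", s_a, x1, x2), Party("bob", s_b, x3, x4)
    m_a, m_b = alice.round1(), bob.round1()
    a2, b2 = alice.round2("bob", m_b), bob.round2("alice", m_a)
    return alice.key(b2), bob.key(a2)
```

With different secrets every proof still verifies and the two sides simply end up with different κ, so a wrong password only becomes visible in the key confirmation step. A peer value of 1 in place of g^{x_4} is rejected in round 1 because it would make K independent of s.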
Security properties
The J-PAKE protocol is provably secure, fulfilling the following properties:[3]
- Off-line dictionary attack resistance - It does not leak any password verification information to a passive/active attacker.
- Forward secrecy - It produces session keys that remain secure even when the password is later disclosed.
- Known-key security - It prevents a disclosed session key from affecting the security of other sessions.
- On-line dictionary attack resistance - It limits an active attacker to test only one password per protocol execution.
The protocol design
The J-PAKE protocol is designed by combining random public keys in a structured way so as to achieve a vanishing effect if both parties supplied exactly the same passwords. This is somewhat similar to the Anonymous veto network protocol design. The essence of the idea, however, can be traced back to David Chaum's original Dining Cryptographers network protocol,[4] where binary bits are combined in a structured way to achieve a vanishing effect.
The implementation
J-PAKE has been implemented in OpenSSL and OpenSSH as an experimental authentication protocol. It has also been implemented in NSS and is used by Firefox Sync. Since February 2013, J-PAKE has been added to the lightweight API in Bouncycastle (1.48 and onwards).
References
External links
- A prototype demo of J-PAKE in C
- A prototype demo of J-PAKE in Java
- An example of implementing J-PAKE using Elliptic Curve
- J-PAKE: From Dining Cryptographers to Jugglers
- ↑ F. Hao, P. Ryan. Password Authenticated Key Exchange by Juggling. Proceedings of the 16th International Workshop on Security Protocols, 2008.
- ↑ David Jablon. Strong Password-Only Authenticated Key Exchange. Computer Communication Review, ACM SIGCOMM, vol. 26, no. 5, pp. 5–26, October 1996.
- ↑ F. Hao, P. Ryan. J-PAKE: Authenticated Key Exchange Without PKI. Springer Transactions on Computational Science XI, Special Issue on Security in Computing, Part II, Vol. 6480, pp. 192-206, 2010.
- ↑ David Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability Journal of Cryptology, vol. 1, No, 1, pp. 65-75, 1988