Internet Engineering Task Force                              N. McCallum
Internet-Draft                                                  S. Sorce
Intended status: Standards Track                              R. Harwood
Expires: August 14, 2018                                   Red Hat, Inc.
                                                               G. Hudson
                                                                     MIT
                                                       February 10, 2018

                        SPAKE Pre-Authentication
                  draft-ietf-kitten-krb-spake-preauth-05
Abstract

   This document defines a new pre-authentication mechanism for the
   Kerberos protocol that uses a password authenticated key exchange.
   This document has three goals.  First, increase the security of
   Kerberos pre-authentication exchanges by making offline brute-force
   attacks infeasible.  Second, enable the use of second factor
   authentication without relying on FAST.  This is achieved using the
   existing trust relationship established by the shared first factor.

skipping to change at page 1, line 42

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 14, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
skipping to change at page 2, line 27

   1.  Introduction
     1.1.  Properties of PAKE
     1.2.  PAKE Algorithm Selection
     1.3.  PAKE and Two-Factor Authentication
     1.4.  SPAKE Overview
   2.  Document Conventions
   3.  Prerequisites
     3.1.  PA-ETYPE-INFO2
     3.2.  Cookie Support
     3.3.  More Pre-Authentication Data Required
   4.  SPAKE Pre-Authentication Message Protocol
     4.1.  First Pass
     4.2.  Second Pass
     4.3.  Third Pass
     4.4.  Subsequent Passes
     4.5.  Reply Key Strengthening
     4.6.  Optimizations
   5.  SPAKE Parameters and Conversions
   6.  Transcript Hash
   7.  Key Derivation
   8.  Second Factor Types
   9.  Hint for Authentication Sets
   10. Security Considerations
     10.1.  Unauthenticated Plaintext
     10.2.  Side Channels
     10.3.  KDC State
     10.4.  Dictionary Attacks
     10.5.  Brute Force Attacks
     10.6.  Denial of Service Attacks
     10.7.  Reply-Key Encryption Type
     10.8.  KDC Authentication
   11. Assigned Constants
   12. IANA Considerations
     12.1.  Kerberos Second Factor Types
       12.1.1.  Registration Template
       12.1.2.  Initial Registry Contents
     12.2.  Kerberos SPAKE Groups
       12.2.1.  Registration Template
       12.2.2.  Initial Registry Contents
   13. References
     13.1.  Normative References
     13.2.  Non-normative References
   Appendix A.  ASN.1 Module
   Appendix B.  SPAKE M and N Value Selection
   Appendix C.  Test Vectors
   Appendix D.  Acknowledgements
   Authors' Addresses
1.  Introduction

   When a client uses PA-ENC-TIMESTAMP (or similar schemes, or the KDC
   does not require preauthentication), a passive attacker that observes
   either the AS-REQ or AS-REP can perform an offline brute-force attack
   against the transferred ciphertext.  When the client principal's
   long-term key is based on a password, offline dictionary attacks can
   successfully recover the key, with only modest effort needed if the
   password is weak.

skipping to change at page 5, line 25

   4.  Verification of the derived encryption key (K')

   Higher level protocols must define their own verification step.  In
   the case of this mechanism, verification happens implicitly by a
   successful decryption of the 2FA data.

   This mechanism provides its own method of deriving encryption keys
   from the calculated shared secret K, for several reasons: to fit
   within the framework of [RFC3961], to ensure negotiation integrity
   using a transcript hash, to derive different keys for each use, and
   to bind the KDC-REQ-BODY to the pre-authentication exchange.
2.  Document Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   This document refers to numerous terms and protocol messages defined
   in [RFC4120].

   The terms "encryption type", "key generation seed length", and
   "random-to-key" are defined in [RFC3961].

   The terms "FAST", "PA-FX-COOKIE", "KDC_ERR_PREAUTH_EXPIRED",
   "KDC_ERR_MORE_PREAUTH_DATA_REQUIRED", "KDC_ERR_PREAUTH_FAILED", "pre-
   authentication facility", and "authentication set" are defined in
   [RFC6113].

   The [SPAKE] paper defines SPAKE as a family of two key exchange
   algorithms differing only in derivation of the final key.  This
   mechanism uses a derivation similar to the second algorithm (SPAKE2)
   with differences in detail.  For simplicity, this document refers to

skipping to change at page 6, line 33

   implementations, this method will most commonly be an encrypted PA-
   FX-COOKIE.  Clients which implement SPAKE pre-authentication MUST
   support PA-FX-COOKIE, as described in [RFC6113] section 5.2.

3.3.  More Pre-Authentication Data Required

   Both KDCs and clients which implement SPAKE pre-authentication MUST
   support the use of KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, as described
   in [RFC6113] section 5.2.
4.  SPAKE Pre-Authentication Message Protocol
   This mechanism uses the reply key and provides the Client
   Authentication and Strengthening Reply Key pre-authentication
   facilities ([RFC6113] section 3).  When the mechanism completes
   successfully, the client will have proved knowledge of the original
   reply key and possibly a second factor, and the reply key will be
   strengthened to a more uniform distribution based on the PAKE
   exchange.  This mechanism also ensures the integrity of the KDC-REQ-
   BODY contents.  This mechanism can be used in an authentication set;
   no pa-hint value is required or defined.

   This mechanism negotiates a choice of group for the SPAKE algorithm.
   Groups are defined in the IANA "Kerberos SPAKE Groups" registry
   created by this document.  Each group definition specifies an
   associated hash function, which will be used for transcript
   protection and key derivation.  Clients and KDCs MUST implement the
   edwards25519 group, but MAY choose not to offer or accept it by
   default.

   This section describes the flow of messages when performing SPAKE
   pre-authentication.  It begins with the most verbose version of the
   protocol, which all implementations MUST support, and then describes
   several optional optimizations that reduce round-trips.

   Mechanism messages are communicated using PA-DATA elements within the

skipping to change at page 7, line 29

   contain a DER encoding for the ASN.1 type PA-SPAKE.

   PA-SPAKE ::= CHOICE {
       support   [0] SPAKESupport,
       challenge [1] SPAKEChallenge,
       response  [2] SPAKEResponse,
       encdata   [3] EncryptedData,
       ...
   }
4.1.  First Pass

   The SPAKE pre-authentication exchange begins when the client sends an
   initial authentication service request (AS-REQ) without pre-
   authentication data.  Upon receipt of this AS-REQ, a KDC which
   requires pre-authentication and supports SPAKE SHOULD reply with a
   KDC_ERR_PREAUTH_REQUIRED error, with METHOD-DATA containing an empty
   PA-SPAKE PA-DATA element (possibly in addition to other PA-DATA
   elements).  This message indicates to the client that the KDC
   supports SPAKE pre-authentication.

4.2.  Second Pass

   Once the client knows that the KDC supports SPAKE pre-authentication
   and the client desires to use it, the client will generate a new AS-
   REQ message containing a PA-SPAKE PA-DATA element using the support
   choice.  This message indicates to the KDC which groups the client
   prefers for the SPAKE operation.  The group numbers are defined in
   the IANA "Kerberos SPAKE Groups" registry created by this document.
   The groups sequence is ordered from the most preferred group to the
   least preferred group.

   SPAKESupport ::= SEQUENCE {
       groups [0] SEQUENCE (SIZE(1..MAX)) OF Int32,
       ...
   }

   Upon receipt of the support message, the KDC will select a group.
   The KDC SHOULD choose a group from the groups provided by the support
   message.  However, if the support message does not contain any group
   that is supported by the KDC, the KDC MAY select another group in
   hopes that the client might support it.  Otherwise, the KDC MUST
   respond with a KDC_ERR_PREAUTH_FAILED error.

   Once the KDC has selected a group, the KDC will reply to the client
   with a KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error containing a PA-SPAKE
   PA-DATA element using the challenge choice.

   SPAKEChallenge ::= SEQUENCE {
       group   [0] Int32,
       pubkey  [1] OCTET STRING,
       factors [2] SEQUENCE (SIZE(1..MAX)) OF SPAKESecondFactor,
       ...
   }

   The group field indicates the KDC-selected group used for all SPAKE
   calculations as defined in the IANA "Kerberos SPAKE Groups" registry
   created by this document.

   The pubkey field indicates the KDC's public key generated using the M
   constant in the SPAKE algorithm, with inputs and conversions as
   specified in Section 5.

   The factors field contains an unordered list of second factors which
   can be used to complete the authentication.  Each second factor is
   represented by a SPAKESecondFactor.

   SPAKESecondFactor ::= SEQUENCE {
       type [0] Int32,
       data [1] OCTET STRING OPTIONAL
   }

   The type field is a unique integer which identifies the second factor
   type.  The factors field of SPAKEChallenge MUST NOT contain more than
   one SPAKESecondFactor with the same type value.

   The data field contains optional challenge data.  The contents in
   this field will depend upon the second factor type chosen.

   The client and KDC will each initialize a transcript hash (Section 6)
   using the hash function associated with the chosen group, and update
   it with the concatenation of the DER-encoded PA-SPAKE messages sent
   by the client and the KDC.
4.3.  Third Pass

   Upon receipt of the challenge message, the client will complete its
   part of the SPAKE algorithm, generating a public key and computing
   the shared secret K.  The client will then choose one of the second
   factor types listed in the factors field of the challenge message and
   gather whatever data is required for the chosen second factor type,
   possibly using the associated challenge data.  Finally, the client
   will send an AS-REQ containing a PA-SPAKE PA-DATA element using the
   response choice.

   SPAKEResponse ::= SEQUENCE {
       pubkey [0] OCTET STRING,
       factor [1] EncryptedData, -- SPAKESecondFactor
       ...
   }

   The client and KDC will update the transcript hash with the pubkey
   value, and use the resulting hash for all encryption key derivations.

   The pubkey field indicates the client's public key generated using
   the N constant in the SPAKE algorithm, with inputs and conversions as
   specified in Section 5.

   The factor field indicates the client's chosen second factor data.
   The key for this field is K'[1] as specified in Section 7.  The key
   usage number for the encryption is KEY_USAGE_SPAKE.  The plain text
   inside the EncryptedData is an encoding of SPAKESecondFactor.  Once
   decoded, the SPAKESecondFactor contains the type of the second factor
   and any optional data used.  The contents of the data field will
   depend on the second factor type chosen.  The client MUST NOT send a
   response containing a second factor type which was not listed in the
   factors field of the challenge message.

   When the KDC receives the response message from the client, it will
   use the pubkey to compute the SPAKE result, derive K'[1], and decrypt
   the factor field.  If decryption is successful, the first factor is
   successfully validated.  The KDC then validates the second factor.
   If either factor fails to validate, the KDC SHOULD respond with a
   KDC_ERR_PREAUTH_FAILED error.
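   The group arithmetic behind the two pubkey fields and the KDC's
   computation of the SPAKE result, shown as an added example over
   edwards25519 in pure Python.  This is not the draft's own code and
   does not implement the conversions of Section 5: the M and N points
   are derived here by hashing fixed labels to the curve (an assumption;
   the draft's registry supplies specific constants), the scalar w is a
   SHA-256 stand-in for the draft's reply-key-to-scalar conversion, and
   cofactor handling follows generic SPAKE2 rather than the draft's
   rules.  What it does show is the structure the text describes: KDC
   pubkey x*G + w*M, client pubkey y*G + w*N, both sides arriving at the
   same K only when they hold the same first factor, and the decode-time
   check that rejects off-curve and small-order peer points before they
   enter the computation.

```python
"""Added example, not from the draft: SPAKE over edwards25519.
Assumptions: illustrative M/N (hashed labels, NOT the registry values),
SHA-256 stand-in for w derivation, generic SPAKE2 cofactor handling."""
import hashlib
import secrets

P = 2**255 - 19                                      # field prime (RFC 8032)
D = (-121665 * pow(121666, -1, P)) % P               # twisted Edwards d
L = 2**252 + 27742317777372353535851937790883648493  # prime subgroup order
IDENTITY = (0, 1)

def recover_x(y, sign):
    """x from y per RFC 8032; raises ValueError if (x, y) is not on the curve."""
    y2 = y * y % P
    x2 = (y2 - 1) * pow(D * y2 + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    if (x * x - x2) % P:
        raise ValueError("not a curve point")
    return (P - x) % P if (x & 1) != sign else x

def add(p, q):  # affine twisted-Edwards addition with a = -1
    x1, y1 = p
    x2, y2 = q
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P
    return x3, y3

def mul(k, p):  # double-and-add scalar multiplication
    r = IDENTITY
    while k:
        if k & 1:
            r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def neg(p):
    return (P - p[0]) % P, p[1]

def encode(p):  # RFC 8032 compressed encoding: y little-endian, sign of x in bit 255
    return (p[1] | ((p[0] & 1) << 255)).to_bytes(32, "little")

def decode(b):
    """Decode a peer pubkey and reject off-curve or small-order points."""
    v = int.from_bytes(b, "little")
    y = v & ((1 << 255) - 1)
    pt = (recover_x(y, v >> 255), y)
    if pt == IDENTITY or mul(L, pt) != IDENTITY:
        raise ValueError("point not in the prime-order subgroup")
    return pt

G_Y = 4 * pow(5, -1, P) % P
G = (recover_x(G_Y, 0), G_Y)                          # standard base point

def hash_to_point(label):
    """ILLUSTRATIVE M/N derivation (assumption): hash label to y, clear cofactor."""
    for ctr in range(256):
        y = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "little") % P
        try:
            pt = mul(8, (recover_x(y, 0), y))
        except ValueError:
            continue
        if pt != IDENTITY:
            return pt
    raise RuntimeError("no point found")

M = hash_to_point(b"SPAKE M")   # assumption: not the registry constant
N = hash_to_point(b"SPAKE N")   # assumption: not the registry constant

def w_from_reply_key(key):
    """Stand-in (assumption) for the draft's reply-key-to-scalar conversion."""
    return int.from_bytes(hashlib.sha256(key).digest(), "little") % L or 1

def kdc_challenge(w):
    """KDC side (challenge pubkey): X = x*G + w*M.  Returns (x, encoded X)."""
    x = secrets.randbelow(L - 1) + 1
    return x, encode(add(mul(x, G), mul(w, M)))

def client_response(w, kdc_pubkey):
    """Client side (response pubkey): Y = y*G + w*N, K = y*(X - w*M)."""
    y = secrets.randbelow(L - 1) + 1
    X = decode(kdc_pubkey)
    K = mul(y, add(X, neg(mul(w, M))))
    return encode(add(mul(y, G), mul(w, N))), encode(K)

def kdc_result(w, x, client_pubkey):
    """KDC computes K = x*(Y - w*N) when the response arrives."""
    return encode(mul(x, add(decode(client_pubkey), neg(mul(w, N)))))

def run_exchange(kdc_key, client_key):
    """Returns (client K, KDC K); equal only if both sides share the first factor."""
    x, X = kdc_challenge(w_from_reply_key(kdc_key))
    Y, k_client = client_response(w_from_reply_key(client_key), X)
    return k_client, kdc_result(w_from_reply_key(kdc_key), x, Y)
```

   A mismatched first factor yields a different K on each side, so the
   client's factor field simply fails to decrypt under the KDC's K'[1];
   that is the implicit verification the overview refers to, and why the
   KDC learns nothing usable about the password from a wrong guess.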
   If validation of the second factor requires further round-trips, the
   KDC MUST reply to the client with KDC_ERR_MORE_PREAUTH_DATA_REQUIRED
   containing a PA-SPAKE PA-DATA element using the encdata choice.  The
   key for the EncryptedData value is K'[2] as specified in Section 7,
   and the key usage number is KEY_USAGE_SPAKE.  The plain text of this
   message contains a DER-encoded SPAKESecondFactor message.  As before,
   the type field of this message will contain the second factor type,
   and the data field will optionally contain second factor type
   specific data.

   KEY_USAGE_SPAKE                     65

4.4.  Subsequent Passes

   Any number of additional round trips may occur using the encdata
   choice.  The contents of the plaintexts are specific to the second
   factor type.  If a client receives a PA-SPAKE PA-DATA element using
   the encdata choice from the KDC, it MUST reply with a subsequent AS-
   REQ with a PA-SPAKE PA-DATA using the encdata choice, or abort the AS
   exchange.

   The key for client-originated encdata messages in subsequent passes
   is K'[3] as specified in Section 7 for the first subsequent pass,
   K'[5] for the second, and so on.  The key for KDC-originated encdata
   messages is K'[4] for the first subsequent pass, K'[6] for the
   second, and so on.

4.5.  Reply Key Strengthening

   When the KDC has successfully validated both factors, the reply key
   is strengthened and the mechanism is complete.  To strengthen the
   reply key, the client and KDC replace it with K'[0] as specified in
   Section 7.  The KDC then replies with a KDC-REP message, or continues
   on to the next mechanism in the authentication set.  There is no
   final PA-SPAKE PA-DATA message from the KDC to the client.

   Reply key strengthening occurs only once at the end of the exchange.
   The client and KDC MUST use the initial reply key as the base key for
   all K'[n] derivations.
4.6.  Optimizations

   The full protocol has two possible optimizations.

   First, the KDC MAY reply to the initial AS-REQ (containing no pre-
   authentication data) with a PA-SPAKE PA-DATA element using the
   challenge choice, instead of an empty padata-value.  In this case,
   the KDC optimistically selects a group which the client may not
   support.  If the group chosen by the challenge message is supported
   by the client, the client MUST skip to the third pass by issuing an
   AS-REQ with a PA-SPAKE message using the response choice.  In this
   case no SPAKESupport message is sent by the client, so the first
   update to the transcript hash contains only the KDC's optimistic
   challenge.  If the KDC's chosen group is not supported by the client,
   the client MUST continue to the second pass.  In this case both the
   client and KDC MUST reinitialize the transcript hash for the client's
   support message.  Clients MUST support this optimization.
Second, clients MAY skip the first pass and send an AS-REQ with a PA- Second, clients MAY skip the first pass and send an AS-REQ with a PA-
SPAKE PA-DATA element using the support choice. If the KDC accepts SPAKE PA-DATA element using the support choice. If the KDC accepts
the support message and generates a challenge, it MUST include a PA- the support message and generates a challenge, it MUST include a PA-
ETYPE-INFO2 value within the METHOD-DATA of the ETYPE-INFO2 value within the METHOD-DATA of the
KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error response, as the client may KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error response, as the client may
not otherwise be able to compute the initial reply key. If the KDC not otherwise be able to compute the initial reply key. If the KDC
cannot continue with SPAKE (either because initial reply key type is cannot continue with SPAKE (either because initial reply key type is
incompatible with SPAKE or because it does not support any of the incompatible with SPAKE or because it does not support any of the
client's groups) but can offer other pre-authentication mechanisms, client's groups) but can offer other pre-authentication mechanisms,
it MUST respond with a KDC_ERR_PREAUTH_FAILED error containing it MUST respond with a KDC_ERR_PREAUTH_FAILED error containing
METHOD-DATA. A client supporting this optimization MUST continue METHOD-DATA. A client supporting this optimization MUST continue
after a KDC_ERR_PREAUTH_FAILED error as described in [RFC6113] after a KDC_ERR_PREAUTH_FAILED error as described in [RFC6113]
section 2. KDCs MUST support this optimization. section 2. KDCs MUST support this optimization.
6. SPAKE Parameters and Conversions 5. SPAKE Parameters and Conversions
Group elements are converted to octet strings using the serialization Group elements are converted to octet strings using the serialization
method defined in the IANA "Kerberos SPAKE Groups" registry created method defined in the IANA "Kerberos SPAKE Groups" registry created
by this document. by this document.
The SPAKE algorithm requires constants M and N for each group. These The SPAKE algorithm requires constants M and N for each group. These
constants are defined in the IANA "Kerberos SPAKE Groups" registry constants are defined in the IANA "Kerberos SPAKE Groups" registry
created by this document. created by this document.
The SPAKE algorithm requires a shared secret input w to be used as a The SPAKE algorithm requires a shared secret input w to be used as a
scalar multiplier (see [I-D.irtf-cfrg-spake2] section 2). This value scalar multiplier (see [I-D.irtf-cfrg-spake2] section 2). This value
MUST be produced from the initial reply key as follows: MUST be produced from the initial reply key as follows:
1. Determine the length of the multiplier octet string as defined in 1. Determine the length of the multiplier octet string as defined in
the IANA "Kerberos SPAKE Groups" registry created by this the IANA "Kerberos SPAKE Groups" registry created by this
document. document.
2. Compose a pepper string by concatenating the string "SPAKEsecret" 2. Compose a pepper string by concatenating the string "SPAKEsecret"
and the group number as a big-endian four-byte unsigned binary and the group number as a big-endian four-byte two's complement
number. binary number.
3. Produce an octet string of the required length using PRF+(K, 3. Produce an octet string of the required length using PRF+(K,
pepper), where K is the initial reply key and PRF+ is defined in pepper), where K is the initial reply key and PRF+ is defined in
[RFC6113] section 5.1. [RFC6113] section 5.1.
4. Convert the octet string to a multiplier scalar using the 4. Convert the octet string to a multiplier scalar using the
multiplier conversion method defined in the IANA "Kerberos SPAKE multiplier conversion method defined in the IANA "Kerberos SPAKE
Groups" registry created by this document. Groups" registry created by this document.
The KDC chooses a secret scalar value x and the client chooses a The KDC chooses a secret scalar value x and the client chooses a
secret scalar value y. As required by the SPAKE algorithm, these secret scalar value y. As required by the SPAKE algorithm, these
values are chosen randomly and uniformly. The KDC and client MUST values are chosen randomly and uniformly. The KDC and client MUST
NOT reuse x or y values for authentications involving different NOT reuse x or y values for authentications involving different
initial reply keys (see Section 10.3). initial reply keys (see Section 10.3).
[draft-ietf-kitten-krb-spake-preauth-04]
7. Transcript Checksum
The transcript checksum is an octet string of length equal to the
output length of the required checksum type of the encryption type of
the initial reply key. The initial value consists of all bits set to
zero.
When the transcript checksum is updated with an octet string input,
the new value is the get_mic result computed over the concatenation
of the old value and the input, for the required checksum type of the
initial reply key's encryption type, using the initial reply key and
the key usage number KEY_USAGE_SPAKE_TRANSCRIPT.
In the normal message flow or with the second optimization described
in Section 5.6, the transcript checksum is first updated with the
client's support message, then the KDC's challenge message, and
finally with the client's pubkey value. It therefore incorporates
the client's supported groups, the KDC's chosen group, the KDC's
initial second-factor messages, and the client and KDC public values.
Once the transcript checksum is finalized, it is used without change
for all key derivations (Section 8).
If the first optimization described in Section 5.6 is used
successfully, the transcript checksum is updated only with the KDC's
challenge message and the client's pubkey value.
If the first optimization is used unsuccessfully (i.e. the client
does not accept the KDC's selected group), the transcript checksum is
updated with the KDC's optimistic challenge message, then with the
client's support message, then the KDC's second challenge message,
and finally with the client's pubkey value.
[draft-ietf-kitten-krb-spake-preauth-05]
6. Transcript Hash
The transcript hash is an octet string of length equal to the output
length of the hash function associated with the selected group. The
initial value consists of all bits set to zero.
When the transcript hash is updated with an octet string input, the
new value is the hash function computed over the concatenation of the
old value and the input.
In the normal message flow or with the second optimization described
in Section 4.6, the transcript hash is first updated with the
concatenation of the client's support message and the KDC's
challenge, and then updated a second time with the client's pubkey
value. It therefore incorporates the client's supported groups, the
KDC's chosen group, the KDC's initial second-factor messages, and the
client and KDC public values. Once the transcript hash is finalized,
it is used without change for all key derivations (Section 7).
If the first optimization described in Section 4.6 is used
successfully, the transcript hash is updated first with the KDC's
challenge message, and second with the client's pubkey value.
If the first optimization is used unsuccessfully (i.e. the client
does not accept the KDC's selected group), the transcript hash is
computed as in the normal message flow, without including the KDC's
optimistic challenge.
KEY_USAGE_SPAKE_TRANSCRIPT 66
[draft-ietf-kitten-krb-spake-preauth-04]
8. Key Derivation
Implementations MUST NOT use the SPAKE result (denoted by K in
Section 2 of SPAKE [I-D.irtf-cfrg-spake2]) directly for any
cryptographic operation. Instead, the SPAKE result is used to derive
keys K'[n] as defined in this section. This method differs slightly
from the method used to generate K' in Section 3 of SPAKE
[I-D.irtf-cfrg-spake2].
An input string is assembled by concatenating the following values:
o The fixed string "SPAKEkey".
o The group number as a big-endian four-byte unsigned binary number.
o The encryption type of the initial reply key as a big-endian
four-byte unsigned binary number.
o The SPAKE result K, converted to an octet string as specified in
Section 6.
o The transcript checksum.
o The KDC-REQ-BODY encoding for the request being sent or responded
to. Within a FAST channel, the inner KDC-REQ-BODY encoding MUST
be used.
o The value n as a big-endian four-byte unsigned binary number.
The derived key K'[n] has the same encryption type as the initial
reply key, and has the value random-to-key(PRF+(initial-reply-key,
input-string)). PRF+ is defined in [RFC6113] section 5.1.
[draft-ietf-kitten-krb-spake-preauth-05]
7. Key Derivation
Implementations MUST NOT use the SPAKE result (denoted by K in
Section 2 of SPAKE [I-D.irtf-cfrg-spake2]) directly for any
cryptographic operation. Instead, the SPAKE result is used to derive
keys K'[n] as defined in this section. This method differs slightly
from the method used to generate K' in Section 3 of SPAKE
[I-D.irtf-cfrg-spake2].
First, the hash function associated with the selected group is
computed over the concatenation of the following values:
o The fixed string "SPAKEkey".
o The group number as a big-endian four-byte two's complement binary
number.
o The encryption type of the initial reply key as a big-endian
four-byte two's complement binary number.
o The PRF+ output used to compute the initial secret input w as
specified in Section 5.
o The SPAKE result K, converted to an octet string as specified in
Section 5.
o The transcript hash.
o The KDC-REQ-BODY encoding for the request being sent or responded
to. Within a FAST channel, the inner KDC-REQ-BODY encoding MUST
be used.
o The value n as a big-endian four-byte unsigned binary number.
o A single-byte block counter, with the initial value 0x01.
If the hash output is too small for the encryption type's key
generation seed length, the block counter value is incremented and
the hash function re-computed to produce as many blocks as are
required. The result is truncated to the key generation seed length,
and the random-to-key function is used to produce an intermediate key
with the same encryption type as the initial reply key.
The key K'[n] has the same encryption type as the initial reply key,
and has the value KRB-FX-CF2(initial-reply-key, intermediate-key,
"SPAKE", "keyderiv"), where KRB-FX-CF2 is defined in [RFC6113]
section 5.1.
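The draft-05 transcript hash (Section 6) and the hash-and-block-counter seed step of the K'[n] derivation (Section 7), together with the Section 5 pepper encoding, as an added Python example that is not code from the draft or from any Kerberos implementation. GROUP_HASH comes from the registry contents below and ETYPE_SEED_LEN from RFC 3961/3962; the enctype operations random-to-key and KRB-FX-CF2 are assumed to be supplied by the caller's Kerberos library, and the seed_len override and all sample inputs are constructed.

```python
# Added example: draft-05 transcript hash and K'[n] seed derivation.
import hashlib
import struct
from typing import Callable, Optional

# Hash function per group, from the "Kerberos SPAKE Groups" registry
# initial contents (1 edwards25519, 2 P-256, 3 P-384, 4 P-521).
GROUP_HASH = {1: "sha256", 2: "sha256", 3: "sha384", 4: "sha512"}

# Key-generation seed lengths in octets for a few RFC 3961/3962 enctypes
# (16 des3-cbc-sha1, 17 aes128-cts-hmac-sha1-96, 18 aes256-cts-hmac-sha1-96).
ETYPE_SEED_LEN = {16: 21, 17: 16, 18: 32}


def int32_be(value: int) -> bytes:
    """Big-endian four-byte two's complement encoding (draft-05 Int32 fields)."""
    return struct.pack(">i", value)


def uint32_be(value: int) -> bytes:
    """Big-endian four-byte unsigned encoding, used for the value n."""
    return struct.pack(">I", value)


def spake_pepper(group: int) -> bytes:
    """Section 5, step 2: the PRF+ input is "SPAKEsecret" || group number."""
    return b"SPAKEsecret" + int32_be(group)


def transcript_init(group: int) -> bytes:
    """Section 6: the initial transcript hash is all zero bits, as long
    as the group's hash output."""
    return bytes(hashlib.new(GROUP_HASH[group]).digest_size)


def transcript_update(group: int, old: bytes, data: bytes) -> bytes:
    """Section 6: new value = H(old || data)."""
    return hashlib.new(GROUP_HASH[group], old + data).digest()


def transcript_normal_flow(group: int, support: bytes, challenge: bytes,
                           pubkey: bytes) -> bytes:
    """Normal flow and second optimization (and the failed first
    optimization, which drops the optimistic challenge): one update with
    support || challenge, then a second update with the client's pubkey."""
    t = transcript_update(group, transcript_init(group), support + challenge)
    return transcript_update(group, t, pubkey)


def transcript_optimistic_flow(group: int, challenge: bytes,
                               pubkey: bytes) -> bytes:
    """First optimization accepted: no support message is sent, so the
    first update carries only the KDC's optimistic challenge."""
    t = transcript_update(group, transcript_init(group), challenge)
    return transcript_update(group, t, pubkey)


def derive_seed(group: int, etype: int, w_prf_output: bytes,
                spake_result: bytes, transcript: bytes, req_body: bytes,
                n: int, seed_len: Optional[int] = None) -> bytes:
    """Section 7 (draft-05): hash the fixed input followed by a one-byte
    block counter starting at 0x01; when one hash output is too small for
    the enctype's key-generation seed length, increment the counter and
    hash again, then truncate the concatenation to the seed length.
    seed_len is a constructed override to exercise the multi-block path
    (no registered group needs it with the enctypes listed above)."""
    fixed = (b"SPAKEkey" + int32_be(group) + int32_be(etype) + w_prf_output
             + spake_result + transcript + req_body + uint32_be(n))
    if seed_len is None:
        seed_len = ETYPE_SEED_LEN[etype]
    blocks, counter = b"", 1
    while len(blocks) < seed_len:
        if counter > 0xFF:
            raise ValueError("block counter is a single byte")
        blocks += hashlib.new(GROUP_HASH[group],
                              fixed + bytes([counter])).digest()
        counter += 1
    return blocks[:seed_len]


def derive_k_prime(seed: bytes, etype: int, initial_reply_key: bytes,
                   random_to_key: Callable[[int, bytes], bytes],
                   krb_fx_cf2: Callable[[bytes, bytes, bytes, bytes], bytes]
                   ) -> bytes:
    """Section 7, final steps: intermediate = random-to-key(seed) for the
    initial reply key's enctype, then K'[n] = KRB-FX-CF2(initial-reply-key,
    intermediate, "SPAKE", "keyderiv"). Both enctype operations are
    assumed to come from the caller's Kerberos library."""
    intermediate = random_to_key(etype, seed)
    return krb_fx_cf2(initial_reply_key, intermediate, b"SPAKE", b"keyderiv")
```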
8. Second Factor Types
This document defines one second factor type: This document defines one second factor type:
SF-NONE 1 SF-NONE 1
This second factor type indicates that no second factor is used. This second factor type indicates that no second factor is used.
Whenever a SPAKESecondFactor is used with SF-NONE, the data field Whenever a SPAKESecondFactor is used with SF-NONE, the data field
MUST be omitted. The SF-NONE second factor always successfully MUST be omitted. The SF-NONE second factor always successfully
validates. validates.
9. Hint for Authentication Sets
If a KDC offers SPAKE pre-authentication as part of an authentication
set ([RFC6113] section 5.3), it MAY provide a pa-hint value
containing the DER encoding of the ASN.1 type PA-SPAKE-HINT, to help
the client determine whether SPAKE pre-authentication is likely to
succeed if the authentication set is chosen.
PA-SPAKE-HINT ::= SEQUENCE {
groups [0] SEQUENCE (SIZE(1..MAX)) OF Int32,
factors [1] SEQUENCE (SIZE(1..MAX)) OF SPAKESecondFactor
}
The groups field indicates the KDC's supported groups. The factors
field indicates the KDC's supported second factors. The KDC MAY omit
the data field of values in the factors list.
A KDC MUST NOT include a PA-SPAKE-HINT message in a pa-value field;
hints must only be provided within authentication sets. A KDC SHOULD
include a hint if SPAKE pre-authentication is offered as the second
or later element of an authentication set.
The PA-SPAKE-HINT message is not part of the transcript, and does not
replace any part of the SPAKE message flow.
10. Security Considerations 10. Security Considerations
All of the security considerations from SPAKE [I-D.irtf-cfrg-spake2] All of the security considerations from SPAKE [I-D.irtf-cfrg-spake2]
apply here as well. apply here as well.
10.1. Unauthenticated Plaintext 10.1. Unauthenticated Plaintext
This mechanism includes unauthenticated plaintext in the support and This mechanism includes unauthenticated plaintext in the support and
challenge messages. Beginning with the third pass, the integrity of challenge messages. Beginning with the third pass, the integrity of
this plaintext is ensured by incorporating the transcript checksum this plaintext is ensured by incorporating the transcript hash into
into the derivation of the final reply key and second factor the derivation of the final reply key and second factor encryption
encryption keys. Downgrade attacks on support and challenge messages keys. Downgrade attacks on support and challenge messages will
will result in the client and KDC deriving different reply keys and result in the client and KDC deriving different reply keys and
EncryptedData keys. The KDC-REQ-BODY contents are also incorporated EncryptedData keys. The KDC-REQ-BODY contents are also incorporated
into key derivation, ensuring their integrity. The unauthenticated into key derivation, ensuring their integrity. The unauthenticated
plaintext in the KDC-REP message is not protected by this mechanism. plaintext in the KDC-REP message is not protected by this mechanism.
Unless FAST is used, the factors field of a challenge message is not Unless FAST is used, the factors field of a challenge message is not
integrity-protected until the response is verified. Second factor integrity-protected until the response is verified. Second factor
types MUST account for this when specifying the semantics of the data types MUST account for this when specifying the semantics of the data
field. Second factor data in the challenge should not be included in field. Second factor data in the challenge should not be included in
user prompts, as it could be modified by an attacker to contain user prompts, as it could be modified by an attacker to contain
misleading or offensive information. misleading or offensive information.
Subsequent factor data, including the data in the response, are Subsequent factor data, including the data in the response, are
encrypted in a derivative of the shared secret K. Therefore, it is encrypted in a derivative of the shared secret K. Therefore, it is
not possible to exploit the untrustworthiness of the challenge to not possible to exploit the untrustworthiness of the challenge to
turn the client into an encryption or signing oracle, unless the turn the client into an encryption or signing oracle, unless the
attacker knows the client's long-term key. attacker knows the client's long-term key.
Unless FAST is used, any PA-SPAKE-HINT messages included when SPAKE
is advertised in authentication sets are unauthenticated, and are not
protected by the transcript hash. Since hints do not replace any
part of the message flow, manipulation of hint messages can only
affect the client's decision to use or not use an authentication set,
which could more easily be accomplished by removing authentication
sets entirely.
10.2. Side Channels 10.2. Side Channels
An implementation of this pre-authentication mechanism can have the An implementation of this pre-authentication mechanism can have the
property of indistinguishability, meaning that an attacker who property of indistinguishability, meaning that an attacker who
guesses a long-term key and a second factor value cannot determine guesses a long-term key and a second factor value cannot determine
whether one of the factors was correct unless both are correct. whether one of the factors was correct unless both are correct.
Indistinguishability is only maintained if the second factor can be Indistinguishability is only maintained if the second factor can be
validated solely based on the data in the response; the use of validated solely based on the data in the response; the use of
additional round trips will reveal to the attacker whether the long- additional round trips will reveal to the attacker whether the long-
term key is correct. Indistinguishability also requires that there term key is correct. Indistinguishability also requires that there
skipping to change at page 15, line 39 skipping to change at page 16, line 18
Others may silently accept such a multiplier, but proceed to perform Others may silently accept such a multiplier, but proceed to perform
multiplication that is not constant time. This is a minor risk in multiplication that is not constant time. This is a minor risk in
all known groups, but is a major risk for P-521 due to the extra all known groups, but is a major risk for P-521 due to the extra
seven high bits in the input octet string. A common solution to this seven high bits in the input octet string. A common solution to this
problem is achieved by reducing the multiplier modulo the group problem is achieved by reducing the multiplier modulo the group
order, taking care to ensure constant time operation. order, taking care to ensure constant time operation.
10.3. KDC State 10.3. KDC State
A stateless KDC implementation generally must use a PA-FX-COOKIE A stateless KDC implementation generally must use a PA-FX-COOKIE
value to remember its private scalar value x and the transcript value to remember its private scalar value x and the transcript hash.
checksum. The KDC MUST maintain confidentiality and integrity of the The KDC MUST maintain confidentiality and integrity of the cookie
cookie value, perhaps by encrypting it in a key known only to the value, perhaps by encrypting it in a key known only to the realm's
realm's KDCs. Cookie values may be replayed by attackers. The KDC KDCs. Cookie values may be replayed by attackers. The KDC SHOULD
SHOULD limit the time window of replays using a timestamp, and SHOULD limit the time window of replays using a timestamp, and SHOULD
prevent cookie values from being applied to other pre-authentication prevent cookie values from being applied to other pre-authentication
mechanisms or other client principals. Within the validity period of mechanisms or other client principals. Within the validity period of
a cookie, an attacker can replay the final message of a pre- a cookie, an attacker can replay the final message of a pre-
authentication exchange to any of the realm's KDCs and make it appear authentication exchange to any of the realm's KDCs and make it appear
that the client has authenticated. that the client has authenticated.
If an x or y value is reused for pre-authentications involving two If an x or y value is reused for pre-authentications involving two
different client long-term keys, an attacker who observes both different client long-term keys, an attacker who observes both
authentications and knows one of the long-term keys can conduct an authentications and knows one of the long-term keys can conduct an
offline dictionary attack to recover the other one. offline dictionary attack to recover the other one.
skipping to change at page 17, line 39 skipping to change at page 18, line 17
This mechanism does not directly provide the KDC Authentication pre- This mechanism does not directly provide the KDC Authentication pre-
authentication facility, because it does not send a key confirmation authentication facility, because it does not send a key confirmation
from the KDC to the client. When used as a stand-alone mechanism, from the KDC to the client. When used as a stand-alone mechanism,
the traditional KDC authentication provided by the KDC-REP enc-part the traditional KDC authentication provided by the KDC-REP enc-part
still applies. still applies.
11. Assigned Constants 11. Assigned Constants
The following key usage values are assigned for this mechanism: The following key usage values are assigned for this mechanism:
KEY_USAGE_SPAKE_TRANSCRIPT 65 KEY_USAGE_SPAKE 65
KEY_USAGE_SPAKE_FACTOR 66
12. IANA Considerations 12. IANA Considerations
IANA has assigned the following number for PA-SPAKE in the "Pre- IANA has assigned the following number for PA-SPAKE in the "Pre-
authentication and Typed Data" registry: authentication and Typed Data" registry:
+----------+-------+-----------------+ +----------+-------+-----------------+
| Type | Value | Reference | | Type | Value | Reference |
+----------+-------+-----------------+ +----------+-------+-----------------+
| PA-SPAKE | 151 | [this document] | | PA-SPAKE | 151 | [this document] |
+----------+-------+-----------------+ +----------+-------+-----------------+
The notes for the "Kerberos Checksum Type Numbers" registry should be
updated with the following addition: "If the checksum algorithm is
non-deterministic, see [this document] Section 4."
This document establishes two registries with the following This document establishes two registries with the following
procedure, in accordance with [RFC5226]: procedure, in accordance with [RFC5226]:
Registry entries are to be evaluated using the Specification Required Registry entries are to be evaluated using the Specification Required
method. All specifications must be published prior to entry method. All specifications must be published prior to entry
inclusion in the registry. There will be a three-week review period inclusion in the registry. There will be a three-week review period
by Designated Experts on the krb5-spake-review@ietf.org mailing list. by Designated Experts on the krb5-spake-review@ietf.org mailing list.
Prior to the end of the review period, the Designated Experts must Prior to the end of the review period, the Designated Experts must
approve or deny the request. This decision is to be conveyed to both approve or deny the request. This decision is to be conveyed to both
the IANA and the list, and should include reasonably detailed the IANA and the list, and should include reasonably detailed
skipping to change at page 19, line 42 skipping to change at page 20, line 17
Multiplier Conversion: Reference to the definition of the method Multiplier Conversion: Reference to the definition of the method
used to convert an octet string to a multiplier scalar. used to convert an octet string to a multiplier scalar.
SPAKE M Constant: The serialized value of the SPAKE M constant in SPAKE M Constant: The serialized value of the SPAKE M constant in
hexadecimal notation. hexadecimal notation.
SPAKE N Constant: The serialized value of the SPAKE N constant in SPAKE N Constant: The serialized value of the SPAKE N constant in
hexadecimal notation. hexadecimal notation.
Hash Function: The group's associated hash function.
12.2.2. Initial Registry Contents 12.2.2. Initial Registry Contents
o ID Number: 1 o ID Number: 1
o Name: edwards25519 o Name: edwards25519
o Specification: [RFC7748] section 4.1 (edwards25519) o Specification: [RFC7748] section 4.1 (edwards25519)
o Serialization: [RFC8032] section 3.1 o Serialization: [RFC8032] section 3.1
o Multiplier Length: 32 o Multiplier Length: 32
o Multiplier Conversion: [RFC8032] section 3.1 o Multiplier Conversion: [RFC8032] section 3.1
o SPAKE M Constant: o SPAKE M Constant:
d048032c6ea0b6d697ddc2e86bda85a33adac920f1bf18e1b0c6d166a5cecdaf d048032c6ea0b6d697ddc2e86bda85a33adac920f1bf18e1b0c6d166a5cecdaf
o SPAKE N Constant: o SPAKE N Constant:
d3bfb518f44f3430f29d0c92af503865a1ed3281dc69b35dd868ba85f886c4ab d3bfb518f44f3430f29d0c92af503865a1ed3281dc69b35dd868ba85f886c4ab
skipping to change at page 20, line 14 skipping to change at page 20, line 31
o ID Number: 1 o ID Number: 1
o Name: edwards25519 o Name: edwards25519
o Specification: [RFC7748] section 4.1 (edwards25519) o Specification: [RFC7748] section 4.1 (edwards25519)
o Serialization: [RFC8032] section 3.1 o Serialization: [RFC8032] section 3.1
o Multiplier Length: 32 o Multiplier Length: 32
o Multiplier Conversion: [RFC8032] section 3.1 o Multiplier Conversion: [RFC8032] section 3.1
o SPAKE M Constant: o SPAKE M Constant:
d048032c6ea0b6d697ddc2e86bda85a33adac920f1bf18e1b0c6d166a5cecdaf d048032c6ea0b6d697ddc2e86bda85a33adac920f1bf18e1b0c6d166a5cecdaf
o SPAKE N Constant: o SPAKE N Constant:
d3bfb518f44f3430f29d0c92af503865a1ed3281dc69b35dd868ba85f886c4ab d3bfb518f44f3430f29d0c92af503865a1ed3281dc69b35dd868ba85f886c4ab
o Hash function: SHA-256 ([RFC6234])
o ID Number: 2 o ID Number: 2
o Name: P-256 o Name: P-256
o Specification: [SEC2] section 2.4.2 o Specification: [SEC2] section 2.4.2
o Serialization: [SEC1] section 2.3.3 (compressed). o Serialization: [SEC1] section 2.3.3 (compressed).
o Multiplier Length: 32 o Multiplier Length: 32
o Multiplier Conversion: [SEC1] section 2.3.8. o Multiplier Conversion: [SEC1] section 2.3.8.
o SPAKE M Constant: o SPAKE M Constant:
02886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa12f 02886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa12f
o SPAKE N Constant: o SPAKE N Constant:
03d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4f98baa1292b49 03d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4f98baa1292b49
o Hash function: SHA-256 ([RFC6234])
o ID Number: 3 o ID Number: 3
o Name: P-384 o Name: P-384
o Specification: [SEC2] section 2.5.1 o Specification: [SEC2] section 2.5.1
o Serialization: [SEC1] section 2.3.3 (compressed). o Serialization: [SEC1] section 2.3.3 (compressed).
o Multiplier Length: 48 o Multiplier Length: 48
o Multiplier Conversion: [SEC1] section 2.3.8. o Multiplier Conversion: [SEC1] section 2.3.8.
o SPAKE M Constant: o SPAKE M Constant:
030ff0895ae5ebf6187080a82d82b42e2765e3b2f8749c7e05eba3664 030ff0895ae5ebf6187080a82d82b42e2765e3b2f8749c7e05eba3664
34b363d3dc36f15314739074d2eb8613fceec2853 34b363d3dc36f15314739074d2eb8613fceec2853
o SPAKE N Constant: o SPAKE N Constant:
02c72cf2e390853a1c1c4ad816a62fd15824f56078918f43f922ca215 02c72cf2e390853a1c1c4ad816a62fd15824f56078918f43f922ca215
18f9c543bb252c5490214cf9aa3f0baab4b665c10 18f9c543bb252c5490214cf9aa3f0baab4b665c10
o Hash function: SHA-384 ([RFC6234])
o ID Number: 4 o ID Number: 4
o Name: P-521 o Name: P-521
o Specification: [SEC2] section 2.6.1 o Specification: [SEC2] section 2.6.1
o Serialization: [SEC1] section 2.3.3 (compressed). o Serialization: [SEC1] section 2.3.3 (compressed).
o Multiplier Length: 66 o Multiplier Length: 66
o Multiplier Conversion: [SEC1] section 2.3.8. o Multiplier Conversion: [SEC1] section 2.3.8.
o SPAKE M Constant: o SPAKE M Constant:
02003f06f38131b2ba2600791e82488e8d20ab889af753a41806c5db1 02003f06f38131b2ba2600791e82488e8d20ab889af753a41806c5db1
8d37d85608cfae06b82e4a72cd744c719193562a653ea1f119eef9356907edc9b5 8d37d85608cfae06b82e4a72cd744c719193562a653ea1f119eef9356907edc9b5
6979962d7aa 6979962d7aa
o SPAKE N Constant: o SPAKE N Constant:
0200c7924b9ec017f3094562894336a53c50167ba8c5963876880542b 0200c7924b9ec017f3094562894336a53c50167ba8c5963876880542b
c669e494b2532d76c5b53dfb349fdf69154b9e0048c58a42e8ed04cef052a3bc34 c669e494b2532d76c5b53dfb349fdf69154b9e0048c58a42e8ed04cef052a3bc34
9d95575cd25 9d95575cd25
o Hash function: SHA-512 ([RFC6234])
13. References 13. References
13.1. Normative References 13.1. Normative References
[CCITT.X680.2002] [CCITT.X680.2002]
International Telephone and Telegraph Consultative International Telephone and Telegraph Consultative
Committee, "Abstract Syntax Notation One (ASN.1): Committee, "Abstract Syntax Notation One (ASN.1):
Specification of basic notation", CCITT Recommendation Specification of basic notation", CCITT Recommendation
X.680, July 2002. X.680, July 2002.
skipping to change at page 22, line 20 skipping to change at page 22, line 33
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", RFC 5226, DOI IANA Considerations Section in RFCs", RFC 5226, DOI
10.17487/RFC5226, May 2008, <https://www.rfc- 10.17487/RFC5226, May 2008, <https://www.rfc-
editor.org/info/rfc5226>. editor.org/info/rfc5226>.
[RFC6113] Hartman, S. and L. Zhu, "A Generalized Framework for [RFC6113] Hartman, S. and L. Zhu, "A Generalized Framework for
Kerberos Pre-Authentication", RFC 6113, DOI 10.17487/ Kerberos Pre-Authentication", RFC 6113, DOI 10.17487/
RFC6113, April 2011, <https://www.rfc-editor.org/info/ RFC6113, April 2011, <https://www.rfc-editor.org/info/
rfc6113>. rfc6113>.
[RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)", RFC 6234, DOI
10.17487/RFC6234, May 2011, <https://www.rfc-
editor.org/info/rfc6234>.
[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
for Security", RFC 7748, DOI 10.17487/RFC7748, January for Security", RFC 7748, DOI 10.17487/RFC7748, January
2016, <https://www.rfc-editor.org/info/rfc7748>. 2016, <https://www.rfc-editor.org/info/rfc7748>.
[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
Signature Algorithm (EdDSA)", RFC 8032, DOI 10.17487/ Signature Algorithm (EdDSA)", RFC 8032, DOI 10.17487/
RFC8032, January 2017, <https://www.rfc-editor.org/info/ RFC8032, January 2017, <https://www.rfc-editor.org/info/
rfc8032>. rfc8032>.
[SEC1] Standards for Efficient Cryptography Group, "SEC 1: [SEC1] Standards for Efficient Cryptography Group, "SEC 1:
skipping to change at page 22, line 42 skipping to change at page 23, line 11
[SEC2] Standards for Efficient Cryptography Group, "SEC 2: [SEC2] Standards for Efficient Cryptography Group, "SEC 2:
Recommended Elliptic Curve Domain Parameters", January Recommended Elliptic Curve Domain Parameters", January
2010. 2010.
13.2. Non-normative References 13.2. Non-normative References
[RFC6560] Richards, G., "One-Time Password (OTP) Pre- [RFC6560] Richards, G., "One-Time Password (OTP) Pre-
Authentication", RFC 6560, DOI 10.17487/RFC6560, April Authentication", RFC 6560, DOI 10.17487/RFC6560, April
2012, <https://www.rfc-editor.org/info/rfc6560>. 2012, <https://www.rfc-editor.org/info/rfc6560>.
[RFC6649] Hornquist Astrand, L. and T. Yu, "Deprecate DES, RC4-HMAC-
EXP, and Other Weak Cryptographic Algorithms in Kerberos",
BCP 179, RFC 6649, DOI 10.17487/RFC6649, July 2012,
<https://www.rfc-editor.org/info/rfc6649>.
[SPAKE] Abdalla, M. and D. Pointcheval, "Simple Password-Based [SPAKE] Abdalla, M. and D. Pointcheval, "Simple Password-Based
Encrypted Key Exchange Protocols", February 2005. Encrypted Key Exchange Protocols", February 2005.
Appendix A. ASN.1 Module

KerberosV5SPAKE {
  iso(1) identified-organization(3) dod(6) internet(1)
  security(5) kerberosV5(2) modules(4) spake(8)
} DEFINITIONS EXPLICIT TAGS ::= BEGIN
}
PA-SPAKE ::= CHOICE {
  support [0] SPAKESupport,
  challenge [1] SPAKEChallenge,
  response [2] SPAKEResponse,
  encdata [3] EncryptedData,
  ...
}
PA-SPAKE-HINT ::= SEQUENCE {
  groups [0] SEQUENCE (SIZE(1..MAX)) OF Int32,
  factors [1] SEQUENCE (SIZE(1..MAX)) OF SPAKESecondFactor
}
END
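The PA-SPAKE CHOICE above is what the SPAKESupport and SPAKEChallenge hex strings in the test vectors encode. The decoder below is an added example, not code from the draft or from any Kerberos implementation; it assumes the field layouts the vectors exhibit (SPAKEChallenge as group [0] Int32, pubkey [1] OCTET STRING, factors [2] SEQUENCE OF SPAKESecondFactor, each factor carrying its type in [0]), and its sample inputs are copied from the DES3 edwards25519, AES256 P-256 and SHA-1 group -1 vectors on this page.

```python
"""Decoder for PA-SPAKE support and challenge messages (added example).

Implements only the DER subset these messages use: universal INTEGER,
OCTET STRING and SEQUENCE, context-specific [n] tags, short and long
length forms.  Field layouts are assumed from the ASN.1 module and the
test vectors on this page, not taken from any Kerberos implementation.
"""
import binascii

# PA-SPAKE ::= CHOICE { support [0], challenge [1], response [2], encdata [3] }
PA_SPAKE_TAGS = {0: "support", 1: "challenge", 2: "response", 3: "encdata"}

UNIVERSAL, CONTEXT = 0, 2          # tag classes (bits 7-6 of the identifier octet)
INTEGER, OCTET_STRING, SEQUENCE = 2, 4, 16


def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag_class, tag_number, value, next_pos)."""
    ident = buf[pos]
    tag_class, tag_number = ident >> 6, ident & 0x1F
    if tag_number == 0x1F:
        raise ValueError("high-tag-number form is not used by PA-SPAKE")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: count of length octets follows
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length form")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV length runs past end of input")
    return tag_class, tag_number, buf[pos:end], end


def _children(value):
    """Split the contents of a constructed value into (class, tag, value) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag_class, tag_number, val, pos = _read_tlv(value, pos)
        out.append((tag_class, tag_number, val))
    return out


def _expect(item, tag_class, tag_number, what):
    """Return item's value if it carries the expected tag, else fail loudly."""
    if (item[0], item[1]) != (tag_class, tag_number):
        raise ValueError("expected %s, got class %d tag %d" % (what, item[0], item[1]))
    return item[2]


def _int32(item):
    """Decode a Kerberos Int32 (two's complement, so a single 0xff octet is -1)."""
    return int.from_bytes(_expect(item, UNIVERSAL, INTEGER, "Int32"), "big", signed=True)


def _tagged(fields, index, tag_number, what):
    """Unwrap the EXPLICIT [tag_number] field at fields[index] to its single inner element."""
    inner = _children(_expect(fields[index], CONTEXT, tag_number, what))
    if len(inner) != 1:
        raise ValueError("%s must wrap exactly one element" % what)
    return inner[0]


def decode_pa_spake(hex_text):
    """Decode a hex PA-SPAKE value into a dict; handles the support and challenge arms."""
    buf = binascii.unhexlify("".join(hex_text.split()))
    tag_class, tag_number, body, end = _read_tlv(buf, 0)
    if end != len(buf):
        raise ValueError("trailing bytes after PA-SPAKE")
    if tag_class != CONTEXT or tag_number not in PA_SPAKE_TAGS:
        raise ValueError("not a PA-SPAKE CHOICE tag")
    kind = PA_SPAKE_TAGS[tag_number]
    if kind not in ("support", "challenge"):
        raise ValueError("decoding of the %s arm is outside this example" % kind)
    fields = _children(_expect(_children(body)[0], UNIVERSAL, SEQUENCE, kind))
    if kind == "support":
        # SPAKESupport ::= SEQUENCE { groups [0] SEQUENCE (SIZE(1..MAX)) OF Int32 }
        groups = _children(_expect(_tagged(fields, 0, 0, "groups"), UNIVERSAL, SEQUENCE, "groups"))
        return {"kind": kind, "groups": [_int32(g) for g in groups]}
    # Assumed layout: SPAKEChallenge ::= SEQUENCE { group [0] Int32, pubkey [1] OCTET STRING,
    #                                              factors [2] SEQUENCE OF SPAKESecondFactor }
    group = _int32(_tagged(fields, 0, 0, "group"))
    pubkey = _expect(_tagged(fields, 1, 1, "pubkey"), UNIVERSAL, OCTET_STRING, "pubkey")
    factors = []
    for factor in _children(_expect(_tagged(fields, 2, 2, "factors"), UNIVERSAL, SEQUENCE, "factors")):
        # Assumed: SPAKESecondFactor ::= SEQUENCE { type [0] Int32, data [1] OCTET STRING OPTIONAL }
        parts = _children(_expect(factor, UNIVERSAL, SEQUENCE, "SPAKESecondFactor"))
        factors.append(_int32(_tagged(parts, 0, 0, "type")))
    return {"kind": kind, "group": group, "pubkey": pubkey.hex(), "factors": factors}


# Sample inputs copied from the test vectors on this page.
DES3_ED25519_SUPPORT = "a0093007a0053003020101"
DES3_ED25519_CHALLENGE = ("a1363034a003020101a122042018f511e750c97b592acd30"
                          "db7d9e5fca660389102e6bf610c1bfbed4616c8362a20930"
                          "073005a003020101")
AES256_P256_CHALLENGE = ("a1373035a003020102a1230421024f62078ceb53840d0261"
                         "2195494d0d0d88de21feeb81187c71cbf3d01e71788da209"
                         "30073005a003020101")
SHA1_GROUP_MINUS1_SUPPORT = "a0093007a00530030201ff"

if __name__ == "__main__":
    for name, hex_text in [("support", DES3_ED25519_SUPPORT),
                           ("challenge", DES3_ED25519_CHALLENGE),
                           ("P-256 challenge", AES256_P256_CHALLENGE),
                           ("group -1 support", SHA1_GROUP_MINUS1_SUPPORT)]:
        print(name, decode_pa_spake(hex_text))
```

The decoded pubkey of the edwards25519 challenge is the 32-byte T value of that vector, while the P-256 challenge carries a 33-byte SEC1 compressed point (leading 02), and the group -1 vector shows the signed Int32 encoding.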
Appendix B. SPAKE M and N Value Selection

The M and N constants for the NIST groups are from
[I-D.irtf-cfrg-spake2] section 3.

The M and N constants for the edwards25519 group were generated using
the algorithm from [I-D.irtf-cfrg-spake2] section 3 and the seed
strings "edwards25519 point generation seed (M)" and "edwards25519
type.

o The KDC-REQ-BODY message contains no KDC options, the client
principal name "raeburn@ATHENA.MIT.EDU", the server principal name
"krbtgt/ATHENA.MIT.EDU", the realm "ATHENA.MIT.EDU", the till field
"19700101000000Z", the nonce zero, and an etype list containing only
the designated encryption type.
DES3 edwards25519 DES3 edwards25519
key: 850bb51358548cd05e86768c313e3bfef7511937dcf72c3e key: 850bb51358548cd05e86768c313e3bfef7511937dcf72c3e
w: a1f1a25cbd8e3092667e2fddba8ecd24f2c9cef124f7a3371ae81e11cad42a07 w (PRF+ output): 686d84730cb8679ae95416c6567c6a63
f2c9cef124f7a3371ae81e11cad42a37
w (reduced multiplier): a1f1a25cbd8e3092667e2fddba8ecd24
f2c9cef124f7a3371ae81e11cad42a07
x: 201012d07bfd48ddfa33c4aac4fb1e229fb0d043cfe65ebfb14399091c71a723 x: 201012d07bfd48ddfa33c4aac4fb1e229fb0d043cfe65ebfb14399091c71a723
y: 500b294797b8b042aca1bedc0f5931a4f52c537b3608b2d05cc8a2372f439f25 y: 500b294797b8b042aca1bedc0f5931a4f52c537b3608b2d05cc8a2372f439f25
X: ec274df1920dc0f690c8741b794127233745444161016ef950ad75c51db58c3e X: ec274df1920dc0f690c8741b794127233745444161016ef950ad75c51db58c3e
Y: d90974f1c42dac1cd4454561ac2d49af762f2ac87bf02436d461e7b661b43028 Y: d90974f1c42dac1cd4454561ac2d49af762f2ac87bf02436d461e7b661b43028
T: 18f511e750c97b592acd30db7d9e5fca660389102e6bf610c1bfbed4616c8362 T: 18f511e750c97b592acd30db7d9e5fca660389102e6bf610c1bfbed4616c8362
S: 5d10705e0d1e43d5dbf30240ccfbde4a0230c70d4c79147ab0b317edad2f8ae7 S: 5d10705e0d1e43d5dbf30240ccfbde4a0230c70d4c79147ab0b317edad2f8ae7
K: 25bde0d875f0feb5755f45ba5e857889d916ecf7476f116aa31dc3e037ec4292 K: 25bde0d875f0feb5755f45ba5e857889d916ecf7476f116aa31dc3e037ec4292
SPAKESupport: a0093007a0053003020101 SPAKESupport: a0093007a0053003020101
Checksum after SPAKESupport: 9037756a58a060f80c13354b1a743a66837f1d4d
SPAKEChallenge: a1363034a003020101a122042018f511e750c97b592acd30 SPAKEChallenge: a1363034a003020101a122042018f511e750c97b592acd30
db7d9e5fca660389102e6bf610c1bfbed4616c8362a20930 db7d9e5fca660389102e6bf610c1bfbed4616c8362a20930
073005a003020101 073005a003020101
Transcript hash after challenge: 22bb2271e34d329d52073c70b1d11879
Checksum after SPAKEChallenge: 145fbe58e8bd6bf84627 73181f0bc7614266bb79ee80d3335175
df10ee9954b7849fdc8c Final transcript hash after pubkey: eaaa08807d0616026ff51c849efbf35b
Final checksum after pubkey: f08091064aa5cc32c5660d9a04efb84a1948381b a0ce3c5300e7d486da46351b13d4605b
KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009 KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009
1b077261656275726ea2101b0e415448454e412e4d49542e 1b077261656275726ea2101b0e415448454e412e4d49542e
454455a3233021a003020102a11a30181b066b7262746774 454455a3233021a003020102a11a30181b066b7262746774
1b0e415448454e412e4d49542e454455a511180f31393730 1b0e415448454e412e4d49542e454455a511180f31393730
303130313030303030305aa703020100a8053003020110 303130313030303030305aa703020100a8053003020110
K'[0]: 8fcdad5da81f0b4962e91a67d598a2d9c84fc83b0104c868 K'[0]: baf12fae7cd958cbf1a29bfbc71f89ce49e03e295d89dafd
K'[1]: abf286ce894523013ba89e3413f7c4ef43c1eca8efa7dadf K'[1]: 64f73dd9c41908206bcec1f719026b574f9d13463d7a2520
K'[2]: 6897524c86b5dc5ec7ecc1944cbc1aae7cbcc1643dcd989e K'[2]: 0454520b086b152c455829e6baeff78a61dfe9e3d04a895d
K'[3]: b0a22c32e37902e023192cefada1869b08e69429e9fe0243 K'[3]: 4a92260b25e3ef94c125d5c24c3e5bced5b37976e67f25c4
RC4 edwards25519 RC4 edwards25519
key: 8846f7eaee8fb117ad06bdd830b7586c key: 8846f7eaee8fb117ad06bdd830b7586c
w: 2713c1583c53861520b849bfef0525cd4fe82215b3ea6fcd896561d48048f40c w (PRF+ output): 7c86659d29cf2b2ea93bfe79c3cefb88
50e82215b3ea6fcd896561d48048f49c
w (reduced multiplier): 2713c1583c53861520b849bfef0525cd
4fe82215b3ea6fcd896561d48048f40c
x: c8a62e7b626f44cad807b2d695450697e020d230a738c5cd5691cc781dce8754 x: c8a62e7b626f44cad807b2d695450697e020d230a738c5cd5691cc781dce8754
y: 18fe7c1512708c7fd06db270361f04593775bc634ceaf45347e5c11c38aae017 y: 18fe7c1512708c7fd06db270361f04593775bc634ceaf45347e5c11c38aae017
X: b0bcbbdd25aa031f4608d0442dd4924be7731d49c089a8301859d77343ffb567 X: b0bcbbdd25aa031f4608d0442dd4924be7731d49c089a8301859d77343ffb567
Y: 7d1ab8aeda1a2b1f9eab8d11c0fda60b616005d0f37d1224c5f12b8649f579a5 Y: 7d1ab8aeda1a2b1f9eab8d11c0fda60b616005d0f37d1224c5f12b8649f579a5
T: 7db465f1c08c64983a19f560bce966fe5306c4b447f70a5bca14612a92da1d63 T: 7db465f1c08c64983a19f560bce966fe5306c4b447f70a5bca14612a92da1d63
S: 38f8d4568090148ebc9fd17c241b4cc2769505a7ca6f3f7104417b72b5b5cf54 S: 38f8d4568090148ebc9fd17c241b4cc2769505a7ca6f3f7104417b72b5b5cf54
K: 03e75edd2cd7e7677642dd68736e91700953ac55dc650e3c2a1b3b4acdb800f8 K: 03e75edd2cd7e7677642dd68736e91700953ac55dc650e3c2a1b3b4acdb800f8
SPAKESupport: a0093007a0053003020101 SPAKESupport: a0093007a0053003020101
Checksum after SPAKESupport: c8bb7fb72f6b142557fd5de9b1b8bb4c
SPAKEChallenge: a1363034a003020101a12204207db465f1c08c64983a19f5 SPAKEChallenge: a1363034a003020101a12204207db465f1c08c64983a19f5
60bce966fe5306c4b447f70a5bca14612a92da1d63a20930 60bce966fe5306c4b447f70a5bca14612a92da1d63a20930
073005a003020101 073005a003020101
Checksum after SPAKEChallenge: 318afd9874400fffa744bc602615cde8 Transcript hash after challenge: 3cde9ed9b562a09d816885b6c225f733
Final checksum after pubkey: 0853678dff8b9e5eb855c5e05420790c 6d9e2674bb4df903dfc894d963a2af42
Final transcript hash after pubkey: f4b208458017de6ef7f6a307d47d87db
6c2af1d291b726860f68bc08bfef440a
KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009 KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009
1b077261656275726ea2101b0e415448454e412e4d49542e 1b077261656275726ea2101b0e415448454e412e4d49542e
454455a3233021a003020102a11a30181b066b7262746774 454455a3233021a003020102a11a30181b066b7262746774
1b0e415448454e412e4d49542e454455a511180f31393730 1b0e415448454e412e4d49542e454455a511180f31393730
303130313030303030305aa703020100a8053003020117 303130313030303030305aa703020100a8053003020117
K'[0]: 87a50a15f0dbd7c958e5bf1bbffee4f2 K'[0]: 770b720c82384cbb693e85411eedecba
K'[1]: 1b4a484d4ac7dd18acf5ebc42d8e1b14 K'[1]: 621deec88e2865837c4d3462bb50a1d5
K'[2]: 8d6b89f491be1b532be6c6e8482328fe K'[2]: 1cc8f6333b9fa3b42662fd9914fbd5bb
K'[3]: 425c47073edd4a6f0067f08166d44c7a K'[3]: edb4032b7fc3806d5211a534dcbc390c
AES128 edwards25519 AES128 edwards25519
key: fca822951813fb252154c883f5ee1cf4 key: fca822951813fb252154c883f5ee1cf4
w: 17c2a9030afb7c37839bd4ae7fdfeb179e99e710e464e62f1fb7c9b67936f30b w (PRF+ output): 0d591b197b667e083c2f5f98ac891d3c
9f99e710e464e62f1fb7c9b67936f3eb
w (reduced multiplier): 17c2a9030afb7c37839bd4ae7fdfeb17
9e99e710e464e62f1fb7c9b67936f30b
x: 50be049a5a570fa1459fb9f666e6fd80602e4e87790a0e567f12438a2c96c138 x: 50be049a5a570fa1459fb9f666e6fd80602e4e87790a0e567f12438a2c96c138
y: b877afe8612b406d96be85bd9f19d423e95be96c0e1e0b5824127195c3ed5917 y: b877afe8612b406d96be85bd9f19d423e95be96c0e1e0b5824127195c3ed5917
X: e73a443c678913eb4a0cad5cbd3086cf82f65a5a91b611e01e949f5c52efd6dd X: e73a443c678913eb4a0cad5cbd3086cf82f65a5a91b611e01e949f5c52efd6dd
Y: 473c5b44ed2be9cb50afe1762b535b3930530489816ea6bd962622cccf39f6e8 Y: 473c5b44ed2be9cb50afe1762b535b3930530489816ea6bd962622cccf39f6e8
T: 9e9311d985c1355e022d7c3c694ad8d6f7ad6d647b68a90b0fe46992818002da T: 9e9311d985c1355e022d7c3c694ad8d6f7ad6d647b68a90b0fe46992818002da
S: fbe08f7f96cd5d4139e7c9eccb95e79b8ace41e270a60198c007df18525b628e S: fbe08f7f96cd5d4139e7c9eccb95e79b8ace41e270a60198c007df18525b628e
K: c2f7f99997c585e6b686ceb62db42f17cc70932def3bb4cf009e36f22ea5473d K: c2f7f99997c585e6b686ceb62db42f17cc70932def3bb4cf009e36f22ea5473d
SPAKESupport: a0093007a0053003020101 SPAKESupport: a0093007a0053003020101
Checksum after SPAKESupport: ce5052873534f00424e38897
SPAKEChallenge: a1363034a003020101a12204209e9311d985c1355e022d7c SPAKEChallenge: a1363034a003020101a12204209e9311d985c1355e022d7c
3c694ad8d6f7ad6d647b68a90b0fe46992818002daa20930 3c694ad8d6f7ad6d647b68a90b0fe46992818002daa20930
073005a003020101 073005a003020101
Checksum after SPAKEChallenge: 9c46dbbaa67fe262585e68f4 Transcript hash after challenge: 4512310282c01b39dd9aebd0cc2a5e53
Final checksum after pubkey: 9eb1f4db71208adad0d6d9f1 2ed077a6c11d4c973c4593d525078797
Final transcript hash after pubkey: 951285f107c87f0169b9c918a1f51f60
cb1a75b9f8bb799a99f53d03add94b5f
KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009 KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009
1b077261656275726ea2101b0e415448454e412e4d49542e 1b077261656275726ea2101b0e415448454e412e4d49542e
454455a3233021a003020102a11a30181b066b7262746774 454455a3233021a003020102a11a30181b066b7262746774
1b0e415448454e412e4d49542e454455a511180f31393730 1b0e415448454e412e4d49542e454455a511180f31393730
303130313030303030305aa703020100a8053003020111 303130313030303030305aa703020100a8053003020111
K'[0]: 50de22f3b9cd6cd283b23396870ca246 K'[0]: 548022d58a7c47eae8c49dccf6baa407
K'[1]: b8e433cef3a84fff59f683b5206d3c86 K'[1]: b2c9ba0e13fc8ab3a9d96b51b601cf4a
K'[2]: 3c96a2da9575a297c4e831fe2ae625d8 K'[2]: 69f0ee5fdb6c237e7fcd38d9f87df1bd
K'[3]: 54ef2f63b25f66aed65f3d6c77030c6a K'[3]: 78f91e2240b5ee528a5cc8d7cbebfba5
AES256 edwards25519 AES256 edwards25519
key: 01b897121d933ab44b47eb5494db15e50eb74530dbdae9b634d65020ff5d88c1 key: 01b897121d933ab44b47eb5494db15e50eb74530dbdae9b634d65020ff5d88c1
w: 35b35ca126156b5bf4ec8b90e9545060f2108f1b6aa97b381012b9400c9e3f0e w (PRF+ output): e902341590a1b4bb4d606a1c643cccb3
f2108f1b6aa97b381012b9400c9e3f4e
w (reduced multiplier): 35b35ca126156b5bf4ec8b90e9545060
f2108f1b6aa97b381012b9400c9e3f0e
x: 88c6c0a4f0241ef217c9788f02c32d00b72e4310748cd8fb5f94717607e6417d x: 88c6c0a4f0241ef217c9788f02c32d00b72e4310748cd8fb5f94717607e6417d
y: 88b859df58ef5c69bacdfe681c582754eaab09a74dc29cff50b328613c232f55 y: 88b859df58ef5c69bacdfe681c582754eaab09a74dc29cff50b328613c232f55
X: 23c48eaff2721051946313840723b38f563c59b92043d6ffd752f95781af0327 X: 23c48eaff2721051946313840723b38f563c59b92043d6ffd752f95781af0327
Y: 3d51486ec1d9be69bc45386bb675c013db87fd0488f6a9cacf6b43e8c81a0641 Y: 3d51486ec1d9be69bc45386bb675c013db87fd0488f6a9cacf6b43e8c81a0641
T: 6f301aacae1220e91be42868c163c5009aeea1e9d9e28afcfc339cda5e7105b5 T: 6f301aacae1220e91be42868c163c5009aeea1e9d9e28afcfc339cda5e7105b5
S: 9e2cc32908fc46273279ec75354b4aeafa70c3d99a4d507175ed70d80b255dda S: 9e2cc32908fc46273279ec75354b4aeafa70c3d99a4d507175ed70d80b255dda
K: cf57f58f6e60169d2ecc8f20bb923a8e4c16e5bc95b9e64b5dc870da7026321b K: cf57f58f6e60169d2ecc8f20bb923a8e4c16e5bc95b9e64b5dc870da7026321b
SPAKESupport: a0093007a0053003020101 SPAKESupport: a0093007a0053003020101
Checksum after SPAKESupport: 14b16e16da078fab9830a66c
SPAKEChallenge: a1363034a003020101a12204206f301aacae1220e91be428 SPAKEChallenge: a1363034a003020101a12204206f301aacae1220e91be428
68c163c5009aeea1e9d9e28afcfc339cda5e7105b5a20930 68c163c5009aeea1e9d9e28afcfc339cda5e7105b5a20930
073005a003020101 073005a003020101
Checksum after SPAKEChallenge: 667e82727168d0fef248c926 Transcript hash after challenge: 23a5e72eb4dedd1ca860f43736c458f0
Final checksum after pubkey: 32bf15d0606762b6411a0f68 775c3bb1370a26af8a9374d521d70ec9
Final transcript hash after pubkey: 1c605649d4658b58cbe79a5faf227acc
16c355c58b7dade022f90c158fe5ed8e
KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009 KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009
1b077261656275726ea2101b0e415448454e412e4d49542e 1b077261656275726ea2101b0e415448454e412e4d49542e
454455a3233021a003020102a11a30181b066b7262746774 454455a3233021a003020102a11a30181b066b7262746774
1b0e415448454e412e4d49542e454455a511180f31393730 1b0e415448454e412e4d49542e454455a511180f31393730
303130313030303030305aa703020100a8053003020112 303130313030303030305aa703020100a8053003020112
K'[0]: 9463038f091c0aed6f8186224b7da5cf K'[0]: a9bfa71c95c575756f922871524b6528
24557bf5c7fd6fe35526ce34a9eb5b05 8b3f695573ccc0633e87449568210c23
K'[1]: 1900e226176d6730e9e4c1bf342fd954 K'[1]: 1865a9ee1ef0640ec28ac007391cac62
df3fc65790f8c267c89b4a3026d0d164 4c42639c714767a974e99aa10003015f
K'[2]: b025fb4103dc29f233640540627331e1 K'[2]: e57781513fefdb978e374e156b0da0c1
b567c1a7f5a3a00d800c70f0ef213804 a08148f5eb26b8e157ac3c077e28bf49
K'[3]: 840e2280e4d4c61c44c057e2c7c92207 K'[3]: 008e6487293c3cc9fabbbcdd8b392d6d
041dd205bd76b6dc50c9add16cc76c7b cb88222317fd7fe52d12fbc44fa047f1
AES256 P-256 AES256 P-256
key: 01b897121d933ab44b47eb5494db15e50eb74530dbdae9b634d65020ff5d88c1 key: 01b897121d933ab44b47eb5494db15e50eb74530dbdae9b634d65020ff5d88c1
w: eb2984af18703f94dd5288b8596cd36988d0d4e83bfb2b44de14d0e95e2090bd w (PRF+ output): eb2984af18703f94dd5288b8596cd369
88d0d4e83bfb2b44de14d0e95e2090bd
w (reduced multiplier): eb2984af18703f94dd5288b8596cd369
88d0d4e83bfb2b44de14d0e95e2090bd
x: 935ddd725129fb7c6288e1a5cc45782198a6416d1775336d71eacd0549a3e80e x: 935ddd725129fb7c6288e1a5cc45782198a6416d1775336d71eacd0549a3e80e
y: e07405eb215663abc1f254b8adc0da7a16febaa011af923d79fdef7c42930b33 y: e07405eb215663abc1f254b8adc0da7a16febaa011af923d79fdef7c42930b33
X: 03bc802165aea7dbd98cc155056249fe0a37a9c203a7c0f7e872d5bf687bd105e2 X: 03bc802165aea7dbd98cc155056249fe0a37a9c203a7c0f7e872d5bf687bd105e2
Y: 0340b8d91ce3852d0a12ae1f3e82c791fc86df6b346006431e968a1b869af7c735 Y: 0340b8d91ce3852d0a12ae1f3e82c791fc86df6b346006431e968a1b869af7c735
T: 024f62078ceb53840d02612195494d0d0d88de21feeb81187c71cbf3d01e71788d T: 024f62078ceb53840d02612195494d0d0d88de21feeb81187c71cbf3d01e71788d
S: 021d07dc31266fc7cfd904ce2632111a169b7ec730e5f74a7e79700f86638e13c8 S: 021d07dc31266fc7cfd904ce2632111a169b7ec730e5f74a7e79700f86638e13c8
K: 0268489d7a9983f2fde69c6e6a1307e9d252259264f5f2dfc32f58cca19671e79b K: 0268489d7a9983f2fde69c6e6a1307e9d252259264f5f2dfc32f58cca19671e79b
SPAKESupport: a0093007a0053003020102 SPAKESupport: a0093007a0053003020102
Checksum after SPAKESupport: 61f93e7f998dec5f54cac55c
SPAKEChallenge: a1373035a003020102a1230421024f62078ceb53840d0261 SPAKEChallenge: a1373035a003020102a1230421024f62078ceb53840d0261
2195494d0d0d88de21feeb81187c71cbf3d01e71788da209 2195494d0d0d88de21feeb81187c71cbf3d01e71788da209
30073005a003020101 30073005a003020101
Checksum after SPAKEChallenge: 949916036d3c524608533206 Transcript hash after challenge: 0a142afca77c2e92b066572a90389eac
Final checksum after pubkey: 1024bfe60a1e22b5bf2838c3 40a6b1f1ed8b534d342591c0e7727e00
Final transcript hash after pubkey: 20ad3c1a9a90fc037d1963a1c4bfb15a
b4484d7b6cf07b12d24984f14652de60
KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009 KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009
1b077261656275726ea2101b0e415448454e412e4d49542e 1b077261656275726ea2101b0e415448454e412e4d49542e
454455a3233021a003020102a11a30181b066b7262746774 454455a3233021a003020102a11a30181b066b7262746774
1b0e415448454e412e4d49542e454455a511180f31393730 1b0e415448454e412e4d49542e454455a511180f31393730
303130313030303030305aa703020100a8053003020112 303130313030303030305aa703020100a8053003020112
K'[0]: b3a882eccd2f31df46880f6235522a4d K'[0]: 7d3b906f7be49932db22cd3463f032d0
87523a34442547778c46780f5b35800a 6c9c078be4b1d076d201fc6e61ef531e
K'[1]: 6e18ebfd20a9a05af11b320eaab15870 K'[1]: 17d74e36f8993841fbb7feb12fa4f011
93f3e21a5efcb261307786661330344d 243d3ae4d2ace55b39379294bbc4db2c
K'[2]: 11e1a36e87c729a89bbda12cfa15652f K'[2]: d192c9044081a2aa6a97a6c69e2724e8
a1848c0ba9b72cb3e69562648744fb09 e5671c2c9ce073dd439cdbaf96d7dab0
K'[3]: 9875d491c6d0bb7cbe6d374c368e1242 K'[3]: 41e5bad6b67f12c53ce0e2720dd6a988
97e506becbf8ec6aa539a0d70b9e430a 7f877bf9463c2d5209c74c36f8d776b7
AES256 P-384 AES256 P-384
key: 01b897121d933ab44b47eb5494db15e50eb74530dbdae9b634d65020ff5d88c1 key: 01b897121d933ab44b47eb5494db15e50eb74530dbdae9b634d65020ff5d88c1
w: 0304cfc55151c6bbe889653db96dbfe0ba4acafc024c1e8840cb3a486f6d80c1 w (PRF+ output): 0304cfc55151c6bbe889653db96dbfe0ba4acafc024c1e88
6e1b8974016aa4b7fa43042a9b3825b1 40cb3a486f6d80c16e1b8974016aa4b7fa43042a9b3825b1
w (reduced multiplier): 0304cfc55151c6bbe889653db96dbfe0
ba4acafc024c1e8840cb3a486f6d80c1
6e1b8974016aa4b7fa43042a9b3825b1
x: f323ca74d344749096fd35d0adf20806e521460637176e84d977e9933c49d76f x: f323ca74d344749096fd35d0adf20806e521460637176e84d977e9933c49d76f
cfc6e62585940927468ff53d864a7a50 cfc6e62585940927468ff53d864a7a50
y: 5b7c709acb175a5afb82860deabca8d0b341facdff0ac0f1a425799aa905d750 y: 5b7c709acb175a5afb82860deabca8d0b341facdff0ac0f1a425799aa905d750
7e1ea9c573581a81467437419466e472 7e1ea9c573581a81467437419466e472
X: 0211e3334f117b76635dd802d4022f601680a1fd066a56606b7f246493a10351 X: 0211e3334f117b76635dd802d4022f601680a1fd066a56606b7f246493a10351
7797b81789b225bd5bb1d9ae1da2962250 7797b81789b225bd5bb1d9ae1da2962250
Y: 0383dfa413496e5e7599fc8c6430f8d6910d37cf326d81421bc92c0939b555c4 Y: 0383dfa413496e5e7599fc8c6430f8d6910d37cf326d81421bc92c0939b555c4
ca2ef6a993f6d3db8cb7407655ef60866e ca2ef6a993f6d3db8cb7407655ef60866e
T: 02a1524603ef14f184696f854229d3397507a66c63f841ba748451056be07879 T: 02a1524603ef14f184696f854229d3397507a66c63f841ba748451056be07879
ac298912387b1c5cdff6381c264701be57 ac298912387b1c5cdff6381c264701be57
S: 020d5adfdb92bc377041cf5837412574c5d13e0f4739208a4f0c859a0a302bc6 S: 020d5adfdb92bc377041cf5837412574c5d13e0f4739208a4f0c859a0a302bc6
a533440a245b9d97a0d34af5016a20053d a533440a245b9d97a0d34af5016a20053d
K: 0264aa8c61da9600dfb0beb5e46550d63740e4ef29e73f1a30d543eb43c25499 K: 0264aa8c61da9600dfb0beb5e46550d63740e4ef29e73f1a30d543eb43c25499
037ad16538586552761b093cf0e37c703a 037ad16538586552761b093cf0e37c703a
SPAKESupport: a0093007a0053003020103 SPAKESupport: a0093007a0053003020103
Checksum after SPAKESupport: a0024c7b5ff667ae074a9988
SPAKEChallenge: a1473045a003020103a133043102a1524603ef14f184696f SPAKEChallenge: a1473045a003020103a133043102a1524603ef14f184696f
854229d3397507a66c63f841ba748451056be07879ac2989 854229d3397507a66c63f841ba748451056be07879ac2989
12387b1c5cdff6381c264701be57a20930073005a003020101 12387b1c5cdff6381c264701be57a20930073005a0030201
Checksum after SPAKEChallenge: ecd0f64ed7c0d4e18fa4c5b4 01
Final checksum after pubkey: a238108c88afd856f04d3aa5 Transcript hash after challenge: 4d4095d9f94552e15015881a3f2cf458
1be83217cf7ad830d2f051dba3ec8caa
6e354eaa85738d7035317ac557f8c294
Final transcript hash after pubkey: 5ac0d99ef9e5a73998797fe64f074673
e3952dec4c7d1aacce8b75f64d2b0276
a901cb8539b4e8ed69e4db0ce805b47b
KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009 KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009
1b077261656275726ea2101b0e415448454e412e4d49542e 1b077261656275726ea2101b0e415448454e412e4d49542e
454455a3233021a003020102a11a30181b066b7262746774 454455a3233021a003020102a11a30181b066b7262746774
1b0e415448454e412e4d49542e454455a511180f31393730 1b0e415448454e412e4d49542e454455a511180f31393730
303130313030303030305aa703020100a8053003020112 303130313030303030305aa703020100a8053003020112
K'[0]: ff59fb5fb83c7bafe197b62c853eb7c3 K'[0]: b917d37c16dd1d8567fbe379f64e1ee3
a2902301dfe8326851626a0e9c714c47 6ca3fd127aa4e60f97e4afa3d9e56d91
K'[1]: e3c741ac7041feed0f0b5c36cb74c179 K'[1]: 93d40079dab229b9c79366829f4e7e72
cb565e509b6d65594d0badafe318c4dc 82e6a4b943ac7bac69922d516673f49a
K'[2]: 9c7a73087f22b52db38a14eb8292df61 K'[2]: bfc4f16f12f683e71589f9a888e23287
54516eaadb7149b14d35864bdb85aa22 5ef293ac9793db6c919567cd7b94bcd4
K'[3]: 75ea14f0f53ee8dbabd78f446462cfda K'[3]: 3630e2b5b99938e7506733141e8ec344
590d4ace0fa93708a00f26f26c565e56 166f6407e5fc2ef107c156e764d1bc20
AES256 P-521 AES256 P-521
key: 01b897121d933ab44b47eb5494db15e50eb74530dbdae9b634d65020ff5d88c1 key: 01b897121d933ab44b47eb5494db15e50eb74530dbdae9b634d65020ff5d88c1
w: 003a095a2b2386eff3eb15b735398da1caf95bc8425665d82370aff58b0471f3 w (PRF+ output): de3a095a2b2386eff3eb15b735398da1caf95bc8425665d8
4cce63791cfed967f0c94c16054b3e1703133681bece1e05219f5426bc944b0f 2370aff58b0471f34a57bccddf1ebf0a2965b58a93ee5b45
bfb3 e85d1a5435d1c8c83662999722d542831f9a
w (reduced multiplier): 003a095a2b2386eff3eb15b735398da1
caf95bc8425665d82370aff58b0471f3
4cce63791cfed967f0c94c16054b3e17
03133681bece1e05219f5426bc944b0f
bfb3
x: 017c38701a14b490b6081dfc83524562be7fbb42e0b20426465e3e37952d30bc x: 017c38701a14b490b6081dfc83524562be7fbb42e0b20426465e3e37952d30bc
ab0ed857010255d44936a1515607964a870c7c879b741d878f9f9cdf5a865306 ab0ed857010255d44936a1515607964a870c7c879b741d878f9f9cdf5a865306
f3f5 f3f5
y: 003e2e2950656fa231e959acdd984d125e7fa59cec98126cbc8f3888447911eb y: 003e2e2950656fa231e959acdd984d125e7fa59cec98126cbc8f3888447911eb
cd49428a1c22d5fdb76a19fbeb1d9edfa3da6cf55b158b53031d05d51433ade9 cd49428a1c22d5fdb76a19fbeb1d9edfa3da6cf55b158b53031d05d51433ade9
b2b4 b2b4
X: 03003e95272223b210b48cfd908b956a36add04a7ff443511432f94ddd87e064 X: 03003e95272223b210b48cfd908b956a36add04a7ff443511432f94ddd87e064
1d680ba3b3d532c21fa6046192f6bfae7af81c4b803aa154e12459d1428f8f2f 1d680ba3b3d532c21fa6046192f6bfae7af81c4b803aa154e12459d1428f8f2f
56e9f2 56e9f2
Y: 030064916687960df496557ecab08298bf075429eca268c6dabbae24e258d568 Y: 030064916687960df496557ecab08298bf075429eca268c6dabbae24e258d568
T: 02017d3de19a3ec53d0174905665ef37947d142535102cd9809c0dfbd0dfe007 T: 02017d3de19a3ec53d0174905665ef37947d142535102cd9809c0dfbd0dfe007
353d54cf406ce2a59950f2bb540df6fbe75f8bbbef811c9ba06cc275adbd9675 353d54cf406ce2a59950f2bb540df6fbe75f8bbbef811c9ba06cc275adbd9675
6696ec 6696ec
S: 02004d142d87477841f6ba053c8f651f3395ad264b7405ca5911fb9a55abd454 S: 02004d142d87477841f6ba053c8f651f3395ad264b7405ca5911fb9a55abd454
fef658a5f9ed97d1efac68764e9092fa15b9e0050880d78e95fd03abf5931791 fef658a5f9ed97d1efac68764e9092fa15b9e0050880d78e95fd03abf5931791
6822b5 6822b5
K: 03007c303f62f09282cc849490805bd4457a6793a832cbeb55df427db6a31e99 K: 03007c303f62f09282cc849490805bd4457a6793a832cbeb55df427db6a31e99
b055d5dc99756d24d47b70ad8b6015b0fb8742a718462ed423b90fa3fe631ac1 b055d5dc99756d24d47b70ad8b6015b0fb8742a718462ed423b90fa3fe631ac1
3fa916 3fa916
SPAKESupport: a0093007a0053003020104 SPAKESupport: a0093007a0053003020104
Checksum after SPAKESupport: 1b69d116036e141e45d4f7d7
SPAKEChallenge: a1593057a003020104a145044302017d3de19a3ec53d0174 SPAKEChallenge: a1593057a003020104a145044302017d3de19a3ec53d0174
905665ef37947d142535102cd9809c0dfbd0dfe007353d54 905665ef37947d142535102cd9809c0dfbd0dfe007353d54
cf406ce2a59950f2bb540df6fbe75f8bbbef811c9ba06cc2 cf406ce2a59950f2bb540df6fbe75f8bbbef811c9ba06cc2
75adbd96756696eca20930073005a003020101 75adbd96756696eca20930073005a003020101
Checksum after SPAKEChallenge: cac3da1e9ab1261723ece823 Transcript hash after challenge: 554405860f8a80944228f1fa2466411d
Final checksum after pubkey: 654493ca7e47f3c5200f4b84 cf236162aa385e1289131b39e1fd59f2
5e58b4c281ff059c28dc20f5803b87c6
7571ce64cea01b39a21819d1ef1cdc7f
Final transcript hash after pubkey: 8d6a89ae4d80cc4e47b6f4e48ea3e579
19cc69598d0d3dc7c8bd49b6f1db1409
ca0312944cd964e213aba98537041102
237cff5b331e5347a0673869b412302e
KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009 KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009
1b077261656275726ea2101b0e415448454e412e4d49542e 1b077261656275726ea2101b0e415448454e412e4d49542e
454455a3233021a003020102a11a30181b066b7262746774 454455a3233021a003020102a11a30181b066b7262746774
1b0e415448454e412e4d49542e454455a511180f31393730 1b0e415448454e412e4d49542e454455a511180f31393730
303130313030303030305aa703020100a8053003020112 303130313030303030305aa703020100a8053003020112
K'[0]: c91635dfd1de3884b635b58b30d3cfd5 K'[0]: 1eb3d10bee8fab483adcd3eb38f3ebf1
26fe78f8dade6f19e4eb2fb23ef594ca f4feb8db96ecc035f563cf2e1115d276
K'[1]: 03d38e139bb3f66cc76c5da720f3bf11 K'[1]: 482b92781ce57f49176e4c94153cc622
4280f64ed708e69e96094bb62aa28f32 fe247a7dbe931d1478315f856f085890
K'[2]: 515eaa3c45b08bc9d77468059e64a8e1 K'[2]: a2c215126dd3df280aab5a27e1e0fb7e
96cfcd15db92ad431cae5edbe721d07e 594192cbff8d6d8e1b6f1818d9bb8fac
K'[3]: 898ae786e58391d8a00eb7a7cbddd005 K'[3]: cc06603de984324013a01f888de6d43b
3aff9147b42a3076d934608e70a6f0ff 410a4da2dea53509f30e433c352fb668
AES256 edwards25519 with accepted optimistic challenge AES256 edwards25519 with accepted optimistic challenge
key: 01b897121d933ab44b47eb5494db15e50eb74530dbdae9b634d65020ff5d88c1 key: 01b897121d933ab44b47eb5494db15e50eb74530dbdae9b634d65020ff5d88c1
w: 35b35ca126156b5bf4ec8b90e9545060f2108f1b6aa97b381012b9400c9e3f0e w (PRF+ output): e902341590a1b4bb4d606a1c643cccb3
f2108f1b6aa97b381012b9400c9e3f4e
w (reduced multiplier): 35b35ca126156b5bf4ec8b90e9545060
f2108f1b6aa97b381012b9400c9e3f0e
x: 70937207344cafbc53c8a55070e399c584cbafce00b836980dd4e7e74fad2a64 x: 70937207344cafbc53c8a55070e399c584cbafce00b836980dd4e7e74fad2a64
y: 785d6801a2490df028903ac6449b105f2ff0db895b252953cdc2076649526103 y: 785d6801a2490df028903ac6449b105f2ff0db895b252953cdc2076649526103
X: 13841224ea50438c1d9457159d05f2b7cd9d05daf154888eeed223e79008b47c X: 13841224ea50438c1d9457159d05f2b7cd9d05daf154888eeed223e79008b47c
Y: d01fc81d5ce20d6ea0939a6bb3e40ccd049f821baaf95e323a3657309ef75d61 Y: d01fc81d5ce20d6ea0939a6bb3e40ccd049f821baaf95e323a3657309ef75d61
T: 83523b35f1565006cbfc4f159885467c2fb9bc6fe23d36cb1da43d199f1a3118 T: 83523b35f1565006cbfc4f159885467c2fb9bc6fe23d36cb1da43d199f1a3118
S: 2a8f70f46cee9030700037b77f22cec7970dcc238e3e066d9d726baf183992c6 S: 2a8f70f46cee9030700037b77f22cec7970dcc238e3e066d9d726baf183992c6
K: d3c5e4266aa6d1b2873a97ce8af91c7e4d7a7ac456acced7908d34c561ad8fa6 K: d3c5e4266aa6d1b2873a97ce8af91c7e4d7a7ac456acced7908d34c561ad8fa6
SPAKEChallenge: a1363034a003020101a122042083523b35f1565006cbfc4f SPAKEChallenge: a1363034a003020101a122042083523b35f1565006cbfc4f
159885467c2fb9bc6fe23d36cb1da43d199f1a3118a20930 159885467c2fb9bc6fe23d36cb1da43d199f1a3118a20930
073005a003020101 073005a003020101
Checksum after SPAKEChallenge: 0b1dc2059f7411b639295982 Transcript hash after challenge: 0332da8ba3095ccd127c51740cb905ba
Final checksum after pubkey: 3990d78eb0abc055d1f69fcb c76e90725e769570b9d8338e6d62a7f2
Final transcript hash after pubkey: 26f07f9f8965307434d11ea855461d41
e0cbabcc0a1bab48ecee0c6c1a4292b7
KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009 KDC-REQ-BODY: 3075a00703050000000000a1143012a003020101a10b3009
1b077261656275726ea2101b0e415448454e412e4d49542e 1b077261656275726ea2101b0e415448454e412e4d49542e
454455a3233021a003020102a11a30181b066b7262746774 454455a3233021a003020102a11a30181b066b7262746774
1b0e415448454e412e4d49542e454455a511180f31393730 1b0e415448454e412e4d49542e454455a511180f31393730
303130313030303030305aa703020100a8053003020112 303130313030303030305aa703020100a8053003020112
K'[0]: 1e9b04bdbdaaffb340aa09c6cdf560fa K'[0]: 4569ec08b5de5c3cc19d941725913ace
dcaadb7cb8762b22cd6e7c96753090b7 8d74524b521a341dc746acd5c3784d92
K'[1]: 7b959d40bd6c517a89278b008cf314e5 K'[1]: 0d96ce1a4ac0f2e280a0cfc31742b064
d947b181a3251d2832ab61a21c40d484 61d83d04ae45433db2d80478dd882a4c
K'[2]: 58018c19315a1ba5d5bb9813b58029f0
K'[2]: 3e484bb86ab7f4ffc4b80a6f6d79692c aec18a6f9ca59e0847de1c60bc25945c
55daf2b78654b38c7f1d37b1d688d1f3 K'[3]: ed7e9bffd68c54d86fb19cd3c03f317f
K'[3]: 23a331ddf33211859b82502295b0be4b 88a71ad9a5e94c28581d93fc4ec72b6a
23a56057b77356d62a13985ca573dae1
AES256 P-521 with rejected optimistic edwards25519 challenge AES256 P-521 with rejected optimistic edwards25519 challenge
key: 01b897121d933ab44b47eb5494db15e50eb74530dbdae9b634d65020ff5d88c1 key: 01b897121d933ab44b47eb5494db15e50eb74530dbdae9b634d65020ff5d88c1
w: 003a095a2b2386eff3eb15b735398da1caf95bc8425665d82370aff58b0471f3 w (PRF+ output): de3a095a2b2386eff3eb15b735398da1caf95bc8425665d8
4cce63791cfed967f0c94c16054b3e1703133681bece1e05219f5426bc944b0f 2370aff58b0471f34a57bccddf1ebf0a2965b58a93ee5b45
bfb3 e85d1a5435d1c8c83662999722d542831f9a
w (reduced multiplier): 003a095a2b2386eff3eb15b735398da1
caf95bc8425665d82370aff58b0471f3
4cce63791cfed967f0c94c16054b3e17
03133681bece1e05219f5426bc944b0f
bfb3
x: 01687b59051bf40048d7c31d5a973d792fa12284b7a447e7f5938b5885ca0bb2 x: 01687b59051bf40048d7c31d5a973d792fa12284b7a447e7f5938b5885ca0bb2
c3f0bd30291a55fea08e143e2e04bdd7d19b753c7c99032f06cab0d9c2aa8f83 c3f0bd30291a55fea08e143e2e04bdd7d19b753c7c99032f06cab0d9c2aa8f83
7ef7 7ef7
y: 01ded675ebf74fe30c9a53710f577e9cf84f09f6048fe245a4600004884cc167 y: 01ded675ebf74fe30c9a53710f577e9cf84f09f6048fe245a4600004884cc167
733f9a9e43108fb83babe8754cd37cbd7025e28bc9ff870f084c7244f536285e 733f9a9e43108fb83babe8754cd37cbd7025e28bc9ff870f084c7244f536285e
25b4 25b4
X: 03001bed88af987101ef52db5b8876f6287eb49a72163876c2cf99deb94f4c74 X: 03001bed88af987101ef52db5b8876f6287eb49a72163876c2cf99deb94f4c74
9bfd118f0f400833cc8daad81971fe40498e6075d8ba0a2acfac35eb9ec8530e 9bfd118f0f400833cc8daad81971fe40498e6075d8ba0a2acfac35eb9ec8530e
e0edd5 e0edd5
Y: 02007bd3bf214200795ea449852976f241c9f50f445f78ff2714fffe42983f25 Y: 02007bd3bf214200795ea449852976f241c9f50f445f78ff2714fffe42983f25
There are currently no encryption types with a seed size large enough
to require multiple hash blocks during key derivation with any of the
assigned hash functions. To exercise this possibility, the following
test vector illustrates what keys would be derived if there were a
copy of the edwards25519 group with group number -1 and associated
hash function SHA-1:
AES256 edwards25519 SHA-1 group number -1
Appendix D. Acknowledgements
Nico Williams (Cryptonector)
Taylor Yu (MIT)
Authors' Addresses
Nathaniel McCallum
Red Hat, Inc.
End of changes. 99 change blocks. 257 lines changed or deleted, 384 lines changed or added.

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/