1. draft-harkins-emu-eap-pwd-01
Dan Harkins
and
Glen Zorn

2. What Problem Does It Solve?
People use secrets to gain network access
must be possible to for a human to remember the secret.
secret be repeatedly entered with a high probability of correctness.
The secret is therefore drawn from a set of secrets that is, most likely, limited and the secret is, quite possibly, cryptographically weak.
This opens up the possibility of a dictionary attack.
This protocol is resistant to dictionary attack and allows for a (possibly weak) secret to be used.

3. A Few Words About Dictionary Attack
The attacker is presumed to have access to the set, D, of from which the secret is drawn and can enumerate each element of D.
Attacks are made against honest participants and can be active or passive.
If |D| = s, then after n attacks the probability of success is not significantly greater than 1/(s-n).
Canonical definition: The advantage the attacker gains is due to interaction and not computation.

4. A Few Words About Dictionary Attack
RFC3748 says: “the method does not allow an offline attack that has a work factor based on the number of passwords in an attacker's dictionary.”
Therefore, merely increasing the size of the set from which the secret is drawn does not make a protocol resistant to dictionary attack.
e.g. “the secret used is a random number between one and 264 therefore the protocol is resistant to dictionary attack.” – wrong!

5. How Does It Work? There are 3 exchanges in EAP-pwd
Identity exchange-- because the one in EAP is not suitable.
Commit exchange in which each side is cryptographically bound to a password guess
Confirm exchange in which each side uses the other party’s commitment to prove knowledge of the shared secret.
Finite Cyclic group from IKE’s IANA registry– can be either a prime modulus group or an elliptic curve group– is used.
A “random oracle” (as defined in the Bellare and Rogaway paper on the subject) is defined using SHA-256.

6. Identity Exchange
The EAP server announces its identity and the group to use.
The EAP client announces its identity
After the exchange a “password element”, PWE, in the agreed-upon group is fixed.
with prime modulus groups this is done with a hash and exponentiation
with elliptic curve groups this is done in a hunt-and-peck fashion to find a random point on the curve.

7. Commit Exchange Choose p_rand at random sp = (p_rand * G).x
EAP client
EAP server
Choose p_rand at random
sp = (p_rand * G).x
elem_p = -(sp * PWE)
scalar_p = (sp+p_rand) mod order
Choose s_rand at random
ss = (s_rand * G).x
elem_s = -(ss * PWE)
scalar_s = (ss+s_rand) mod order
elem_s, scalar_s
elem_p, scalar_p

8. Confirm Exchange kp = (p_rand * (scalar_s * PWE + element_s)).x
EAP client
EAP server
kp = (p_rand * (scalar_s * PWE + element_s)).x
confirm_p = H(kp | element_p | scalar_p | element_s | scalar_s)
ks = (s_rand * (scalar_p * PWE + element_p)).x
confirm_s = H(ks | element_s | scalar_s | element_p | scalar_p)
confirm_s
confirm_p
kp = (p_rand * s_rand * PWE).x = ks
MK = H(k | (element_s + element_p).x |
(scalar_s + scalar_p) mod order)

9. An EMU Work Item?
This sort of work is in the charter (or was at 8am this morning!)
This method is useful and not YAPBEM
password/secret-based authentication which is resistant to dictionary attack and does not require a CA or certificate
robust security: it’s still secure when the “verify server cert” checkbox is unchecked when used with a tunneled method
useful for methods whose security is predicated on secure provisioning of an initial credential. Instead of leaps of faith, use EAP-pwd