Dragonfly Key Exchange

RFC7664

PS: 这个RFC不好读,主要原因是,它把椭圆曲线的加法和乘法又重新用函数表述了一下

Derivation of the Password Element

把pw通过指定的F函数,映射为ECC上的一个点: F(pw), 文档里记为PE

PE做为下面计算的基点base

  1. 基于双方id、password、counter计算hash,得到base

    \(base = H(max(Alice,Bob) | min(Alice,Bob) | password | counter)\)

  2. 基于base,派生 \(seed ( 1 <= seed < p)\)

\[ \begin{align}\begin{aligned}temp = KDF-n(base, "Dragonfly Hunting and Pecking")\\seed = (temp mod (p - 1)) + 1\end{aligned}\end{align} \]
  1. 如果seed二次剩余,则作为x;否则counter++,重新计算base。

  2. 基于计算E公式,选取较小的y值,得到 \(PE = (x, y)\)

Commit Exchange

通信双方各自随机选两个整数,一个private, 一个mask

q为阶

\[ \begin{align}\begin{aligned}scalar = (private + mask) mod q\\Element = - mask * PE\end{aligned}\end{align} \]

双方互相发送 (scalar, Element)

显然,最终双方能获得 private_a*private_b*PE

然后再派生出kck = key confirm key,mk = master key

\[ \begin{align}\begin{aligned}share = private * (peer-Element + peer-scalar * PE)\\ = private * peer-private * PE\\ss = F(share)\\kck | mk = KDF-n(ss, "Dragonfly Key Derivation")\end{aligned}\end{align} \]

Confirm Exchange

校验confirm,确认可用,则以mk做为master key建立会话

\[confirm = H(kck | scalar | peer-scalar | Element | Peer-Element | <sender-id>)\]

security

resistant to active attack, passive attack, and offline dictionary attack

不同client区分会话密钥

side-channel attack

small subgroup

usage

TLS-PWD, RFC8492

WIFI WPA3