Dragonfly Key Exchange
PS: 这个RFC不好读,主要原因是,它把椭圆曲线的加法和乘法又重新用函数表述了一下
Derivation of the Password Element
把pw通过指定的F函数,映射为ECC上的一个点: F(pw), 文档里记为PE
PE做为下面计算的基点base
基于双方id、password、counter计算hash,得到base
\(base = H(max(Alice,Bob) | min(Alice,Bob) | password | counter)\)
基于base,派生 \(seed ( 1 <= seed < p)\)
\[ \begin{align}\begin{aligned}temp = KDF-n(base, "Dragonfly Hunting and Pecking")\\seed = (temp mod (p - 1)) + 1\end{aligned}\end{align} \]
如果seed二次剩余,则作为x;否则counter++,重新计算base。
基于计算E公式,选取较小的y值,得到 \(PE = (x, y)\)
Commit Exchange
通信双方各自随机选两个整数,一个private, 一个mask
q为阶
\[ \begin{align}\begin{aligned}scalar = (private + mask) mod q\\Element = - mask * PE\end{aligned}\end{align} \]
双方互相发送 (scalar, Element)
显然,最终双方能获得 private_a*private_b*PE
然后再派生出kck = key confirm key,mk = master key
\[ \begin{align}\begin{aligned}share = private * (peer-Element + peer-scalar * PE)\\ = private * peer-private * PE\\ss = F(share)\\kck | mk = KDF-n(ss, "Dragonfly Key Derivation")\end{aligned}\end{align} \]
Confirm Exchange
校验confirm,确认可用,则以mk做为master key建立会话
\[confirm = H(kck | scalar | peer-scalar | Element | Peer-Element | <sender-id>)\]
security
resistant to active attack, passive attack, and offline dictionary attack
不同client区分会话密钥
side-channel attack
small subgroup
usage
WIFI WPA3