Expand description
RustCrypto: AuCPace
Pure Rust implementation of the AuCPace password-authenticated key-exchange algorithm.
About
This library is an implementation of the AuCPace (Augmented Composable Password Authenticated Connection Establishment) protocol. AuCPace is an efficient verifier-based PAKE protocol designed for Industrial IOT applications. It allows two parties, who share a weak password, to safely derive a strong shared secret (and therefore build an encrypted+authenticated channel).
A passive attacker who eavesdrops on the connection learns no information about the password or the generated secret. An active attacker (machine-in-the-middle) gets exactly one guess at the password, and unless they get it right, they learn no information about the password or the generated secret. Each execution of the protocol enables one guess. The use of a weak password is made safer by the rate-limiting of guesses: no offline dictionary attack is available to the network-level attacker.
The protocol requires a previous “registration” of a user over a secure channel. Without this it is unsafe to perform a registration.
The ClientMessage
and ServerMessage
structs compromise all the data that is sent in messages between the
client and the server. Optionally the serde
feature can be enabled to allow serde to serialise and deserialise
these messages.
Currently this implementation uses the “Ristretto255” group, though this is subject to change.
What Is It Good For?
AuCPace is designed for Industrial IOT settings, specifically where you have many low-power servers and a single client which is assumed to be more powerful. This protocol is specifically designed for situations with limited Public Key Infrastructure (PKI), where using a V-PAKE protocol provides a significant security improvement by preventing phishing and offline dictionary attacks.
Additionally a variant of the protocol - StrongAuCPace - is also implemented, this provides resistance to pre-computation attacks by blinding sensitive values in transit.
The partially augmented version of the protocol allows for even less computational burden on the server by utilising a long term key-pair for each user on the server, instead of generating a fresh one each time.
⚠️ Security Warning
This crate has never received an independent third party audit for security and correctness.
USE AT YOUR OWN RISK!
Minimum Supported Rust Version
Rust 1.60 or higher.
Minimum supported Rust version can be changed in the future, but it will be done with a minor version bump.
License
Licensed under either of:
at your option.
Contribution
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
Usage
Add aucpace
to your Cargo.toml
:
[dependencies]
aucpace = "0.1"
Next read documentation for client
and
server
modules.
Protocol description
Here we briefly describe the AuCPace Protocol. For additional information
refer to AuCPace literature1. All arithmetic is done on the (hyper-) elliptic curve C
in group J
, with co-factor c_J
and Diffie-Hellman base point B
in J
.
It’s STRONGLY recommended to use AuCPace parameters provided by this crate
in the Client
and Server
default instantiations.
Server | Data transfer | Client |
---|---|---|
Agree on ssid | ||
s = ${0,1}^k1 | <- t , s -> | t = {0,1}^k1 |
ssid = H0(s || t) | ssid = H0(s || t) | |
Augmentation layer | ||
x = ${1..m_J} | ||
X = B^(x * c_J) | <- username | |
W,salt = lookupW(user) | J,X,salt,sigma -> | |
w = PBKDF_sigma(pw, user, salt) | ||
if lookup failed PRS = {0,1}^k2 | abort if X invalid | |
else PRS = W^(x * c_J) | PRS = X^(w * c_J) | |
CPace substep | ||
g' = H1(ssid ||PRS ||CI) | g' = H1(ssid ||PRS ||CI) | |
G = Map2Point(g') | G = Map2Point(g') | |
ya = ${1..m_J} | yb = ${1..m_J} | |
Ya = G^(ya * cj) | <- Yb Ya -> | Yb = G^(yb * cj) |
K = Yb^(ya * cj) | K = Ya^(yb * cj) | |
abort if Yb invalid | abort if Ya invalid | |
sk1 = H2(ssid || K) | sk1 = H2(ssid || K) | |
Explicit Mutual Authentication | ||
Ta = H3(ssid || sk1) | Ta -> | Ta = H3(ssid || sk1) |
Tb = H4(ssid || sk1) | <- Tb | Tb = H4(ssid || sk1) |
verify Tb | verify Ta | |
sk = H5(ssid || sk1) | sk = H5(ssid || sk1) |
Variables and notations have the following meaning:
k1
— length of nonce to use in SSID agreement stepk2
— length of the wire representation of a curve points
,t
— nonces used in SSID agreementH
— one-way hash functionH0..H5
—H
where the index is prepended to the input as a little-endian four-byte word${a,b}^N
— pick randomly froma
andb
,N
times${a..b}
— pick a number betweena
andb
^
— Curve point multiplication*
— Scalar value multiplication- ‖ — concatenation
m_J
— the order ofJ
c_J
— co-factor ofJ
PBKDF_sigma
— password based key derivation function, parameterised bysigma
ssid
— subsession IDPRS
— Password Related StringCI
— Channel IdentifierlookupW
— the server lookup of the password verifier for the userMap2Point
— map a binary string to a random curve point such that its discrete logarithm is unknownG
— the ephemeral generator for the diffie hellman protocolya
,yb
— ephemeral secret group elements for diffie hellman protocolYa
,Yb
— public group elements for diffie hellman protocolK
— shared secret point from diffie hellman protocolsk1
— first session key derived from Ksk
— the final session key refreshed from sk1
Re-exports
pub use self::client::AuCPaceClient;
pub use self::client::ClientMessage;
pub use self::server::AuCPaceServer;
pub use self::server::ServerMessage;
Modules
- Module containing the implementation of the client for the AuCPace protocol
- Module contains constants used in the code
- Module containing the implementation of the server for the AuCPace protocol
Enums
- Errors that can occur during the protocol
Traits
- trait for AuCPace to use to abstract over the storage and retrieval of verifiers
Type Definitions
- Default Client instantiation with SHA512, Scrypt, OsRng and a nonce size of 16 bytes
- Result type
- Default Server instantiation with SHA512, OsRng and a nonce size of 16 bytes