Post-Handshake Authentication via PAKE for TLS 1.3

Post-Handshake Authentication via PAKE for TLS 1.3 This section describes details of PAKE-based post-handshake authentication for TLS 1.3. In this document, four PAKE algorithms are considered: CPace , SPAKE2 , OPAQUE and SPAKE2+ . The former two are symmetric PAKE algorithms and the latter two are asymmetric PAKE algorithms.

PAKE Handshake Messages To use PAKE as an application-layer password authentication over TLS 1.3 , we define PAKEHandshake messages which are used to negotiate PAKE algorithms and key exchange parameters and to complete PAKE-based authentication. The expected order of PAKE handshake messages is: PAKEClientHello, PAKEHelloRetryRequest, PAKEClientHello, PAKEServerHello, server PAKEFinished, client PAKEFinished. pake_client_hello: The PAKEClientHello message is used by the client to send its supported PAKE algorithm suites and PAKE shares for selected algorithm suites to the server. pake_server_hello: The PAKEServerHello message is used by the server to send its PAKE share for the negotiated algorithm suite to the client. pake_hello_retry_request: If the server does not support PAKE algorithm suites selected by the client in the PAKEClientHello message but supports other PAKE algorithm suites listed by the client, the server MUST use the PAKEHelloRetryRequest message to send a PAKE algorithm suite that is supported by both parties to the client. pake_finished: The PAKEFinished message is used by the client or server to send a message authentication code (MAC) to its peer for identity authentication, key confirmation, and handshake integrity. pake_status: The PAKEStatus message is used by the client or server to send the execution status of the PAKE protocol to its peer, indicating whether the PAKE protocol has been successfully executed. pake_message_hash: When the server responds to a PAKEClientHello message with a PAKEHelloRetryRequest message, the value of the PAKEClientHello1 message is replaced with a specific synthetic handshake message of handshake type "pake_message_hash" containing Hash(PAKEClientHello1).

PAKE Client Hello Structure of the PAKEClientHello message is defined as follows: ; opaque client_identity<0..2^16-1>; PAKEShareEntry client_shares<0..2^16-1>; } PAKEClientHello; ]]>

supported_pake_algorithms: A list of all PAKE algorithm suites supported by the client. The structure of PAKEAlgorithm is defined in , where the second bytes "0x00~0x7F" can be used to represent ciphersuites without channel binding and the second bytes "0x80~0xFF" can be used to represent ciphersuites with channel binding.

client_identity: A client's identity used in the PAKE algorithm.
client_shares: A list of offered PAKEShareEntry values in descending order of client preference. The structure of PAKEShareEntry is defined in .

Note that the concatenation of the "random" value of the ClientHello message (see ) and the "random" value of the ServerHello message (see ) can be used as a unique session identifier sid of the CPace algorithm (see ).

PAKE Server Hello Structure of the PAKEServerHello message is defined as follows: ; PAKEShareEntry server_share; } PAKEServerHello; ]]>

server_identity: A server's identity used in the PAKE algorithm.
server_share: A single PAKEShareEntry value that is in the same PAKE algorithm suite as one of the client’s shares. The structure of PAKEShareEntry is defined in .

PAKE Hello Retry Request Structure of the PAKEHelloRetryRequest message is defined as follows:

selected_pake_algorithm: A PAKE algorithm suite selected by the server to correct mismatch algorithm suites with the client.

PAKE Finished Structure of the PAKEFinished message is defined as follows:

pake_verify_data: A MAC value calculated by the client or server to provide to its peer for identity authentication, key confirmation and handshake integrity, and more details about this calculation will be given in . MAC is the MAC function negotiated in the PAKE algorithm suite, and MAC.length is its output length in bytes.

PAKE Status Structure of the PAKEStatus message is defined as follows: pake_success_notify: This status notifies the client of the successful validation of its PAKEFinished message. pake_unexpected_message: An inappropriate message (e.g., the wrong PAKE handshake message, etc.) was received. A peer which receives a PAKE handshake message in an unexpected order MUST abort the handshake with an "pake_unexpected_message" alert. This alert should never be observed in communication between proper implementations. pake_handshake_failure: Receipt of a "pake_handshake_failure" alert message indicates that the sender was unable to negotiate an acceptable PAKE algorithm suite given the options available. pake_illegal_parameter: A field in the PAKE handshake was incorrect or inconsistent with other fields. This alert is used for errors which conform to the formal protocol syntax but are otherwise incorrect. pake_decode_error: A message could not be decoded because some field was out of the specified range or the length of the message was incorrect. This alert is used for errors where the message does not conform to the formal protocol syntax. This alert should never be observed in communication between proper implementations, except when messages were corrupted in the network. pake_decrypt_error: A PAKE handshake cryptographic operation failed, including being unable to correctly verify a PAKEFinished message. pake_insufficient_security: Returned instead of "pake_handshake_failure" when a negotiation has failed specifically because the server requires PAKE parameters more secure than those supported by the client. pake_internal_error: An internal error unrelated to the peer or the correctness of the protocol (such as a memory allocation failure) makes it impossible to continue.

Channel Binding This document defines two types for channel binding, which can be distinguished by the second byte of PAKE algorithm suites (see ). The meaning of the types and the corresponding channel_binding_secret are described as follows:

The "without_channel_binding" type means that no channel binding is used in the PAKE-based authentication, then the channel_binding_secret is a 0-byte value.
The "with_channel_binding" type means that a channel binding is used in the PAKE-based authentication, then the channel_binding_secret is a 32-byte value. The computation of this secret is defined in for TLS 1.3, and the corresponding inputs are defined in .

Assume that a TLS channel has been established between a client and a server, from which both parties can derive a unique secret that we call a channel binding secret in this document. According to the channel binding type of "tls-exporter" defined in , the channel binding secret is computed as follows. Where Secret is the "exporter_master_secret" value in TLS 1.3 key schedule (see ), the label is the ASCII string "EXPORTER-Channel-Binding", the context_value is a zero-length string, the key_length is 32 bytes. The functions HKDF-Expand-Label and Derive-Secret were defined in .

PAKE-based Post-Handshake Authentication After the TLS channel is established, if there is no MITM attack, the client and server can derive a same channel binding secret. If the channel binding is selected, then this secret will be used as another input to PAKE algorithms except for the password and thus take effect on the PAKE authentication process. If there is a MITM attack during the TLS channel establishment, that is, the client establishes a TLS channel A with the MITM attacker and the MITM attacker establishes a TLS channel B with the server, then the client and server will derive two different secrets respectively. Therefore, when the client and server execute the PAKE protocol with these inconsistent secrets, both parties can not pass the PAKE authentication successfully. The protocol of PAKE-based post-handshake authentication for TLS 1.3 is described as follows. (1) When PAKE-based post-handshake authentication for TLS 1.3 needs to be performed, it is REQUIRED to send the PAKEClientHello as a first PAKE handshake message. The client sets the "supported_pake_algorithms" field to a list of its supported PAKE algorithm suites, sets the "client_identity" field to its identity used to authenticate, and constructs the "client_shares" field by selecting its perferred PAKE algorithm suites and computing their corresponding PAKE shares. The computation of PAKE shares SHOULD conform to the specification of the selected PAKE algorithms. Similar to TLS 1.3, the client MAY provide a single share or multiple shares in the "client_shares" field. The client then sends the PAKEClientHello message to the server. (2) After receiving the PAKEClientHello message, the server first parses it to obtain "supported_pake_algorithms", "client_identity" and "client_shares" fields, uses the "client_identity" value to search a match password or password file, and negotiates a PAKE algorithm suite based on the "pake_algorithm" values included in the "client_shares" field. The server then sets the "server_identity" field to its identity (e.g., its host name), and constructs the "server_share" field by setting the negotiated PAKE algorithm suite and computing its corresponding PAKE share. Based on the received client's share and its own secret, the server first derives a PAKE shared secret, and then derives a session key and a MAC key as follows. Here, KDF(ikm, salt, info, L) is the key-derivation function (KDF) negotiated in the PAKE algorithm suite and the derived key length L relies on the underlying encryption function and MAC function; the PAKE shared secrets for different PAKEs are defined as follows:

For CPace, this secret indicates the value ISK in .
For SPAKE2, this secret indicates the concatenated value Ke || Ka in .
For OPAQUE, this secret indicates the concatenated value Km2 || Km3 || session_key in Section and Section of .
For SPAKE2+, this secret indicates the value K_main in .

Finally, the server computes its "pake_verify_data" value as follows, and sends PAKEServerHello and server PAKEFinished messages to the client. (3) After receiving the PAKEServerHello and server PAKEFinished messages, the client first parses the former to obtain the "server_identity" and "server_share" fields, and parses the later to obtain the "pake_verify_data" field. Based on the received server's share and its own secret, the client derives a PAKE shared secret, and then derives a session key and a MAC key using the same way as the server side. The client then authenticates the server by verifying the server "pake_verify_data" value. If this verification succeeds, the client computes its "pake_verify_data" value as follows, and sends the client PAKEFinished message to the server. Otherwise, the client sends a PAKEStatus message with a "pake_decrypt_error" alert to the server. (4) After receiving the client PAKEFinished message, the server first parses it to obtain the "pake_verify_data" field, then authenticates the client by verifying the client "pake_verify_data" value. If this verification succeeds, the server sends a PAKEStatus message with a "pake_success_notify" status to the client, otherwise sends a PAKEStatus message with a "pake_decrypt_error" alert to the client. If the client has not provided a sufficient "client_shares" field (e.g., it includes only PAKE algorithm suites unacceptable to or unsupported by the server) in the first PAKEClientHello message, the server corrects the mismatch with a PAKEHelloRetryRequest message which contains a "selected_pake_algorithm" field, and the client needs to restart the handshake with a second PAKEClientHello message which MUST contain an appropriate "client_shares" field. In this case, the computation method of "pake_verify_data" values is changed as follows, where the "pake_message_hash" value represents 1 byte 0xFE as defined in , and Hash.length is the output length of the negotiated hash function in bytes. If no common PAKE parameters can be negotiated, the server MUST abort the handshake with either a "pake_handshake_failure" or "pake_insufficient_security" alert.