Answers:
在身份验证中,您经常会遇到零知识密码证明(ZKPP)。EAP本身是一个相当通用的框架,它可能涉及显示客户端的身份,例如,将其身份转移到身份验证的下一层,例如RADIUS。
PACE(BSI TR-03110)是用于身份验证的ZKPP协议的一个示例。EAP-SPEKE是另一个。
密钥的安全性取决于客户端和服务器之间交换中仅使用部分密钥。客户端向服务器提供用密钥加密的随机数。因此,流氓服务器接收到一个加密的随机数,并保留其纯文本版本。这不是零知识,因为流氓服务器可能会在有限的时间内积累足够的信息来破坏AES-128加密。
因此,尽管其他建议的基于EAP的身份验证方案(例如EAP-SPEKE)具有此属性,但是EAP-PSK可能不被视为零知识密码证明的示例。
为了说明EAP-PSK协议的问题部分,请考虑RFC 4764中介绍的消息流。
服务器将第一条消息发送到对等方:
* Send a 16-byte random challenge (RAND_S). RAND_S was called RA in Section 3.2 * State its identity (ID_S). ID_S was denoted by A in Section 3.2.o第二条消息由对等方发送到服务器,以:
* Send another 16-byte random challenge (RAND_P). RAND_P was called RB in Section 3.2 * State its identity (ID_P). ID_P was denoted by B in Section 3.2. * Authenticate to the server by proving that it is able to compute a particular MAC (MAC_P), which is a function of the two challenges and AK: MAC_P = CMAC-AES-128(AK, ID_P||ID_S||RAND_S||RAND_P)o第三条消息由服务器发送到对等方:
* Authenticate to the peer by proving that it is able to compute another MAC (MAC_S), which is a function of the peer's challenge and AK: MAC_S = CMAC-AES-128(AK, ID_S||RAND_P)
此处AK是此阶段使用的秘密密钥的一部分,可能会透露给能够解密AES-128的恶意服务器。