[Cryptography] PAKE for embedded device (<64K RAM)?

Ron Garret ron at flownet.com
Mon Feb 27 11:07:55 EST 2017


On Feb 26, 2017, at 11:21 PM, Andrew P. Lentvorski <bsder at allcaps.org> wrote:

> I've been trying to secure some BLE (Bluetooth Low Energy) communication, but seem to have hit a wall in trying to avoid active MITM attacks.
> 
> Is there a good PAKE anywhere for small devices?  It seems like all the PAKE protocols use very heavyweight primitives and don't like elliptic curve stuff very much.
> 
> Maybe I'm just being obtuse and not searching on the right keywords, but it seems like *everything* in this space is a bit flaky--either theoretically or implementation-wise.  It doesn't seem like there has been much auditing going on in this space.
> 
> It seems like IEEE 802.15.6 was supposed to cover this, but it seems like that got compromised:
> http://arxiv.org/pdf/1501.02601.pdf
> 
> ProtonMail has a discussion about SRP here:
> https://protonmail.com/blog/encrypted_email_authentication/
> 
> But it certainly makes me wary when I, as an implementer, seem to have to make so many decisions about the underlying protocol (hash function, different moduli, embedded in certificate-TLS (then why use SRP?), prime number choice, etc.). Since I am most definitely *NOT* a cryptographer, I'm incredibly likely to screw something up. SRP isn't exactly *small* either.
> 
> Normally, my first instinct is to go look at what DJB has to say and then work outward from there, but I'm not seeing anything in this space.
> 
> Am I missing something?  What's the current "best practice" in this space?
> 
> Any pointers would be appreciated.

First, in your subject line you mention that your device has <64k RAM.  That is very unlikely to be your limiting factor.  64k RAM is plenty to implement just about any crypto algorithm and protocol (except, obviously, memory-hard password hashes, but those are trivially avoided simply by not using them).

Second, it’s impossible to answer your question without a more detailed description of the application and the threat model.  Who is your adversary and what are their powers and motives?  Do you need to protect against DoS attacks?  Impersonation attacks?  With or without physical proximity?  Do you really mean PAKE and not just AKE?  (Embedded devices generally do not have the kind of UI that would let a user enter a password.)

rg
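Since the original question lists the SRP choice points (hash function, modulus, generator) as the scary part, here is the full SRP-6a exchange written out with both sides' messages so those choices are visible as constants rather than buried in a library. This is an added example for this thread, not code from either poster or from ProtonMail. Assumptions: the 1024-bit group from RFC 5054 Appendix A (transcribed here and checked for safe-primality at import, so a transcription error fails loudly), SHA-256 in place of RFC 5054's SHA-1, and the simplified proofs M1 = H(A | B | K), M2 = H(A | M1 | K) rather than RFC 2945's longer M1. The username, password and salt are constructed sample values.

```python
"""SRP-6a (RFC 5054 formulation) with both sides' messages spelled out.
Added example; not code from the thread.  Parameters are assumptions:
RFC 5054 1024-bit group (verified at import), SHA-256, simplified proofs."""
import hashlib
import hmac
import secrets

# RFC 5054 Appendix A, 1024-bit group: N is a safe prime, g = 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
    "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
    "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
    "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC68EDBC3C"
    "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
    "9FC61D2FC0EB06E3", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8   # byte length used by PAD()


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, used only to sanity-check the pasted group parameters."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        y = pow(a, d, n)
        if y in (1, n - 1):
            continue
        for _ in range(r - 1):
            y = pow(y, 2, n)
            if y == n - 1:
                break
        else:
            return False
    return True


def pad(x: int) -> bytes:
    """PAD(): left-pad an integer to the byte length of N (RFC 5054 section 2.1)."""
    return x.to_bytes(N_LEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))   # SRP-6a multiplier k = H(N | PAD(g)), fixed per group


def private_key(username: bytes, password: bytes, salt: bytes) -> int:
    """x = H(s | H(I | ":" | P)); derived on the client, never stored."""
    return H(salt, hashlib.sha256(username + b":" + password).digest())


def enroll(username: bytes, password: bytes):
    """Enrollment (normally done client-side, v sent to the server once):
    the server stores only (salt, v = g^x mod N), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_key(username, password, salt), N)


def client_start():
    a = secrets.randbits(256)
    return a, pow(g, a, N)                       # C -> S: I, A = g^a


def server_start(v: int):
    b = secrets.randbits(256)
    return b, (k * v + pow(g, b, N)) % N         # S -> C: s, B = k*v + g^b


def client_finish(username, password, salt, a, A, B):
    """S = (B - k*g^x)^(a + u*x), K = H(S), proof M1 = H(A | B | K)."""
    if B % N == 0:                               # RFC 5054 abort rule
        raise ValueError("server sent B = 0 mod N")
    u = H(pad(A), pad(B))
    if u == 0:
        raise ValueError("u = 0")
    x = private_key(username, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K = hashlib.sha256(pad(S)).digest()
    return K, hashlib.sha256(pad(A) + pad(B) + K).digest()


def server_finish(v, b, A, B, M1):
    """S = (A * v^u)^b, K = H(S); check M1 in constant time, answer with M2."""
    if A % N == 0:                               # RFC 5054 abort rule
        raise ValueError("client sent A = 0 mod N")
    u = H(pad(A), pad(B))
    S = pow((A * pow(v, u, N)) % N, b, N)
    K = hashlib.sha256(pad(S)).digest()
    expected = hashlib.sha256(pad(A) + pad(B) + K).digest()
    if not hmac.compare_digest(expected, M1):
        return K, None                           # mismatch: send no M2
    return K, hashlib.sha256(pad(A) + M1 + K).digest()


def run_exchange(username: bytes, enrolled_pw: bytes, attempted_pw: bytes) -> bool:
    """One full exchange; True iff both sides prove knowledge of the same K."""
    salt, v = enroll(username, enrolled_pw)
    a, A = client_start()
    b, B = server_start(v)
    K_c, M1 = client_finish(username, attempted_pw, salt, a, A, B)
    K_s, M2 = server_finish(v, b, A, B, M1)
    if M2 is None:
        return False
    expected = hmac.compare_digest(hashlib.sha256(pad(A) + M1 + K_c).digest(), M2)
    return expected and K_c == K_s


# Fail at import if the transcribed group is not a safe prime.
assert is_probable_prime(N) and is_probable_prime((N - 1) // 2), "bad SRP group"

if __name__ == "__main__":
    print("correct password:", run_exchange(b"alice", b"correct horse", b"correct horse"))
    print("wrong password:  ", run_exchange(b"alice", b"correct horse", b"battery staple"))
```

Everything an implementer has to decide sits in the first dozen lines (N, g, the hash, PAD width, how k and x are derived); both peers must pin identical values or the session keys silently diverge. The abort checks on A and B are what keep an active attacker from forcing a known shared secret, and the server withholds M2 on a failed M1 so a wrong guess learns nothing beyond "rejected". A 1024-bit group is the smallest one RFC 5054 lists; the bigger groups cost more time, not more than a few kilobytes of RAM, which matches the point about 64k being plenty.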
