PACE (Password Authenticated Connection Establishment) has been standardized by the BSI (TR-03110) as a secure channel establishment mechanism that offers provable security even with low-entropy PINs or passwords. It serves as the replacement for Basic Access Control (BAC), known from international passports. If you are a security researcher with a mathematical background and are interested in the security properties of PACE, read the publication "Security Analysis of the PACE Key-Agreement Protocol" linked above. The following explanation takes a purely technical, implementation-oriented point of view.

Some background first. In cryptography, a password-authenticated key agreement method is an interactive method by which two or more parties establish cryptographic keys based on one or more parties' knowledge of a password. Password Authenticated Key Exchange (PAKE) is the case where two or more parties, based only on their knowledge of a password, establish a cryptographic key through an exchange of messages, such that an unauthorized party (one that controls the communication channel but does not possess the password) cannot take part in the method and is restricted as far as possible from brute-force guessing the password. (The optimal case allows exactly one guess per run of the exchange.) Two forms of PAKE are balanced and augmented methods. Balanced PAKE lets parties that share the same password negotiate and authenticate a shared key. Augmented PAKE is a variant for client/server scenarios in which the server does not store password-equivalent data; an attacker who has stolen the server's data still cannot impersonate a client without first brute-forcing the password. Password-authenticated key retrieval is a process in which a client obtains a static key in a password-based negotiation with a server that knows data associated with the password, as in the Ford and Kaliski methods. In the strictest setting, a party uses a single password with N (two or more) servers to retrieve a static key, and the password (and the key) stay protected even if N − 1 of the servers are completely compromised. The first password-authenticated key retrieval methods were described by Ford and Kaliski in 2000.

The first successful password-authenticated key agreement methods were the Encrypted Key Exchange (EKE) methods described in 1992 by Steven M. Bellovin and Michael Merritt. Although some of the initial methods were flawed, the surviving and improved forms of EKE effectively amplify a shared password into a shared key that can then be used for message encryption and/or authentication. The first provably secure PAKE protocols were developed by M. Bellare, D. Pointcheval and P. Rogaway (Eurocrypt 2000) and by V. Boyko, P. MacKenzie and S. Patel (Eurocrypt 2000). These protocols were proven secure in the so-called random oracle model (or even stronger variants); the first protocols proven secure under standard assumptions were those of O. Goldreich and Y. Lindell (Crypto 2001), which serve as a plausibility proof but are not efficient, and of J. Katz, R. Ostrovsky and M. Yung (Eurocrypt 2001), which is practical. In the strictest password-only security models, the user of the method need not remember any secret or public data other than the password. A large number of further secure PAKE protocols have been given in the work of M. Bellare, D. Pointcheval and P. Rogaway, and variations and security proofs have been proposed for this growing class of password-authenticated key agreement methods. Current standards for these methods include IETF RFC 2945, RFC 5054, RFC 5931, RFC 5998, RFC 6124, RFC 6617, RFC 6628 and RFC 6631, IEEE Std 1363.2-2008, ITU-T X.1035 and ISO/IEC 11770-4:2006. The essential property is that an eavesdropper or man in the middle cannot obtain enough information to brute-force the password offline: every guess costs a further interaction with one of the parties, so strong security can be achieved even with weak passwords.

PACE defines three mappings: Generic Mapping (GM), Integrated Mapping (IM) and Chip Authentication Mapping (CAM). GM uses a Diffie-Hellman key exchange to agree on the mapped cryptographic parameters, IM is a patented mechanism that does not rely on DH for the mapping, and CAM is a more sophisticated variant intended mainly for national identity documents. We focus here on Generic Mapping with elliptic curve Diffie-Hellman, as this variant is available in the public JavaCard API (KeyAgreement in JC 3.0.5) and is easy to implement on freely programmable cards such as BasicCard.

In practice neither side handles the PIN or password directly, and no such secret is stored in the chip: both sides work with a key derived from it, PACE_nonce_AES128key. Application-level communication afterwards takes place over a secure, authenticated channel, but the Secure Messaging part itself (usually AES-128-CBC with an 8-byte CMAC, "AES-128-CBC-CMAC8") is NOT part of PACE, even though the normative references usually specify PACE and Secure Messaging together.

The exchange for Generic Mapping with ECDH, as seen from the host, runs as follows (G is the base point of the agreed curve, G' and G'' are the mapped points):

1. The host requests a resource from the card. The card rejects the request for lack of authentication.
2. The host requests PACE authentication and may indicate its preferred parameters.
3. The card responds with a random 128-bit (16-byte) nonce encrypted with PACE_nonce_AES128key.
4. The host decrypts the nonce with the PACE_nonce_AES128key it derives from the user's input. A wrong PIN is not detected at this point; it only yields a different nonce, which surfaces later as a failed authentication token.
5. The host computes G' = nonce * G, i.e. it uses the nonce as a private key and computes the corresponding public key (KeyAgreement "plain" with G as the public point and the nonce as its own secret).
6. The host generates an ephemeral key pair for a classic ECDH over the base point G and sends its public key to the card.
7. The card computes G' in the same way from the nonce it chose, runs the ECDH with the host's public key, stores the result as H (it could already compute G'' = G' + H) and sends its own ECDH public key (Q1) to the host.
8. The host runs the ECDH with the card's public key and obtains H.
9. The host adds G' and H and uses the sum as the new base point G'' for the second ECDH: it generates a new key pair on G'' and sends the public key to the card. On JavaCard this mapping is a single operation; from the JC 3.0.5 public API documentation: "Elliptic curve Generic Mapping according to TR03110 v2. Performs the calculation s * G + H, passing s as the EC private key value, G as the base point of the private key object, and H as the public data in the generateSecret() method."
10. The card takes the host's public key as input to an ECDH over G'', computes the shared point S, generates its own second key pair and sends the public key to the host. The host completes the second ECDH with the card's public key and obtains the same S.
11. The x-coordinate of S is the input to the KDF (with counter) that creates the Secure Messaging keys for encryption and MAC.
12. Authentication tokens are exchanged and verified: the host sends its token computed over the card's second public key; the card validates it and generates auth_token_card from P2 (the host's second public key), which the host verifies in turn.

For a host-side example, have a look at PersoApp's PACE code.