In cryptography, a password-authenticated key agreement method is an interactive method for two or more parties to establish cryptographic keys based on one or more party's knowledge of a password.
An important property is that an eavesdropper or man-in-the-middle cannot obtain enough information to brute-force guess the password: each guess (or small number of guesses) costs the attacker a further interaction with one of the parties, so guessing cannot be done offline against a captured transcript. This means that strong security can be obtained using weak passwords.
Types
Password-authenticated key agreement generally encompasses methods such as:
* Balanced password-authenticated key exchange
* Augmented password-authenticated key exchange
* Password-authenticated key retrieval
* Multi-server methods
* Multi-party methods
In the most stringent password-only security models, there is no requirement for the user of the method to remember any secret or public data other than the password.
Password-authenticated key exchange (PAKE) is a method in which two or more parties, based only on their knowledge of a shared password, establish a cryptographic key using an exchange of messages, such that an unauthorized party (one who controls the communication channel but does not possess the password) cannot participate in the method and is constrained as much as possible from brute-force guessing the password. (The optimal case yields exactly one password guess per protocol run.) Two forms of PAKE are balanced and augmented methods.
Balanced PAKE
Balanced PAKE assumes the two parties in either a client-client or client-server situation use the same secret password to negotiate and authenticate a shared key.
Examples of these are:
* Encrypted Key Exchange (EKE)
* PAK and PPK
* SPEKE (Simple password exponential key exchange)
* Elliptic Curve based Secure Remote Password protocol (EC-SRP or SRP5). There is a free Java Card implementation.
* Dragonfly – IEEE Std 802.11-2012, RFC 5931, RFC 6617
* CPace
* SPAKE1 and SPAKE2
* SESPAKE – RFC 8133
* J-PAKE (Password Authenticated Key Exchange by Juggling) – ISO/IEC 11770-4 (2017), RFC 8236
* ITU-T Recommendation X.1035
* "Advanced modular handshake for key agreement and optional authentication"
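As an added illustration, not code from the article or from any of the protocols it lists: a SPEKE-style balanced PAKE in Python that hashes the shared password into a Diffie-Hellman generator, runs the exchange, binds the key to the transcript and confirms it on both sides. The group is a constructed toy safe prime (P = 2039), and all function and message names are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for illustration only: safe prime P = 2*Q + 1, Q = 1019.
# Far too small for real use; deployments use an RFC 3526 MODP group or an elliptic curve.
P, Q = 2039, 1019

def password_to_generator(pw: bytes) -> int:
    """SPEKE-style hash-to-group: square the hashed password so g lies in the
    order-Q subgroup; a counter skips the degenerate values 0 and 1."""
    for ctr in range(256):
        h = int.from_bytes(hashlib.sha256(bytes([ctr]) + pw).digest(), "big") % P
        g = h * h % P
        if g > 1:
            return g
    raise ValueError("no usable generator")

def keypair(g: int) -> tuple:
    """Ephemeral Diffie-Hellman share under the password-derived generator."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(g, x, P)

def derive_key(x: int, peer_pub: int, client_pub: int, server_pub: int) -> bytes:
    # Reject trivial and small-subgroup elements before exponentiating.
    if not 1 < peer_pub < P - 1 or pow(peer_pub, Q, P) != 1:
        raise ValueError("peer element outside the prime-order subgroup")
    shared = pow(peer_pub, x, P)
    # Bind the key to the whole transcript so messages cannot be replayed elsewhere.
    return hashlib.sha256(b"%d|%d|%d" % (client_pub, server_pub, shared)).digest()

def confirm_tag(key: bytes, role: bytes) -> bytes:
    return hmac.new(key, role, hashlib.sha256).digest()

def run_exchange(client_pw: bytes, server_pw: bytes) -> bool:
    """One run with mutual key confirmation. The transcript carries only g^x and g^y,
    so a guess cannot be tested offline; an active guesser learns one bit per run."""
    x, cpub = keypair(password_to_generator(client_pw))
    y, spub = keypair(password_to_generator(server_pw))
    kc = derive_key(x, spub, cpub, spub)   # client's view
    ks = derive_key(y, cpub, cpub, spub)   # server's view
    server_ok = hmac.compare_digest(confirm_tag(kc, b"client"), confirm_tag(ks, b"client"))
    client_ok = hmac.compare_digest(confirm_tag(ks, b"server"), confirm_tag(kc, b"server"))
    return server_ok and client_ok

def online_guessing(server_pw: bytes, guesses: list) -> tuple:
    """Active attack cost: every candidate password costs one full protocol run."""
    for runs, guess in enumerate(guesses, 1):
        if run_exchange(guess, server_pw):
            return runs, guess
    return len(guesses), None
```

With a real-size group the generators of two different passwords never coincide in practice; in this toy group a collision among the 1019 subgroup elements is possible, which is why the subgroup check and the counter exist.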
Augmented PAKE
Augmented PAKE is a variation applicable to client/server scenarios, in which the server does not store password-equivalent data. This means that an attacker that stole the server data still cannot masquerade as the client unless they first perform a brute force search for the password.
Some augmented PAKE systems use an oblivious pseudorandom function to mix the user's secret password with the server's secret salt value, so that the user never learns the server's secret salt value and the server never learns the user's password (or password-equivalent value) or the final key. (Matthew Green, "Let's talk about PAKE", 2018.)
Examples include:
* AMP
* Augmented-EKE
* B-SPEKE
* PAK-X
* SRP
* AugPAKE
* OPAQUE
* AuCPace
* SPAKE2+
* "Advanced modular handshake for key agreement and optional authentication"
Key retrieval
Password-authenticated key retrieval is a process in which a client obtains a static key in a password-based negotiation with a server that knows data associated with the password, such as the Ford and Kaliski methods. In the most stringent setting, one party uses only a password in conjunction with N (two or more) servers to retrieve a static key. This is completed in a way that protects the password (and key) even if N − 1 of the servers are completely compromised.
Brief history
The first successful password-authenticated key agreement methods were Encrypted Key Exchange methods described by Steven M. Bellovin and Michael Merritt in 1992. Although several of the first methods were flawed, the surviving and enhanced forms of EKE effectively amplify a shared password into a shared key, which can then be used for encryption and/or message authentication.
The first provably-secure PAKE protocols were given in work by M. Bellare, D. Pointcheval, and P. Rogaway (Eurocrypt 2000) and V. Boyko, P. MacKenzie, and S. Patel (Eurocrypt 2000). These protocols were proven secure in the so-called random oracle model (or even stronger variants), and the first protocols proven secure under standard assumptions were those of O. Goldreich and Y. Lindell (Crypto 2001), which serves as a plausibility proof but is not efficient, and J. Katz, R. Ostrovsky, and M. Yung (Eurocrypt 2001), which is practical.
The first password-authenticated key retrieval methods were described by Ford and Kaliski in 2000.
A considerable number of alternative, secure PAKE protocols were given in work by M. Bellare, D. Pointcheval, and P. Rogaway; further variations and security proofs have since been proposed in this growing class of password-authenticated key agreement methods. Current standards for these methods include IETF RFC 2945, RFC 5054, RFC 5931, RFC 5998, RFC 6124, RFC 6617, RFC 6628 and RFC 6631, IEEE Std 1363.2-2008, ITU-T X.1035 and ISO-IEC 11770-4:2006.
PAKE selection process for use in internet protocols
At the request of the Internet Engineering Task Force (IETF), a PAKE selection process was carried out in 2018 and 2019 by the IRTF Crypto Forum Research Group (CFRG).
The selection process was carried out in several rounds.
In the final round in 2019, four finalists prevailed: AuCPace and OPAQUE (augmented PAKE) and CPace and SPAKE2 (balanced PAKE). As a result of the CFRG selection process, two winning protocols were declared as "recommended by the CFRG for usage in IETF protocols": CPace and OPAQUE. ("Results of the CFRG PAKE selection process".)
See also
* Cryptographic protocol
* IEEE P1363
* Simultaneous Authentication of Equals
* Outline of cryptography
* Zero-knowledge password proof
Further reading
* ISO/IEC 11770-4:2006 Information technology — Security techniques — Key management — Part 4: Mechanisms based on weak secrets.
External links
* IEEE P1363 Working Group
* IEEE Std 1363.2-2008: IEEE Standard Specifications for Password-Based Public-Key Cryptographic Techniques
* Simple Password-Based Encrypted Key Exchange Protocols, Abdalla et al., 2005