Types
Password-authenticated key agreement generally encompasses methods such as:
* Balanced password-authenticated key exchange
* Augmented password-authenticated key exchange
* Password-authenticated key retrieval
* Multi-server methods
* Multi-party methods

In the most stringent password-only security models, there is no requirement for the user of the method to remember any secret or public data other than the password.

Password-authenticated key exchange (PAKE) is a method in which two or more parties, based only on their knowledge of a shared password, establish a cryptographic key using an exchange of messages, such that an unauthorized party (one who controls the communication channel but does not possess the password) cannot participate in the method and is constrained as much as possible from brute-force guessing the password. (The optimal case yields exactly one password guess per protocol run.) Two forms of PAKE are balanced and augmented methods.

Balanced PAKE
Balanced PAKE assumes the two parties in either a client-client or client-server situation use the same secret password to negotiate and authenticate a shared key. Examples of these are:
* Encrypted Key Exchange (EKE)
* PAK and PPK
* SPEKE (Simple Password Exponential Key Exchange)
* Elliptic Curve based Secure Remote Password protocol (EC-SRP or SRP5); there is a free Java Card implementation.
* Dragonfly – IEEE Std 802.11-2012, RFC 5931, RFC 6617
* CPace
* SPAKE1 and SPAKE2
* SESPAKE – RFC 8133

Augmented PAKE
Augmented PAKE is a variation applicable to client/server scenarios, in which the server does not store password-equivalent data. This means that an attacker who has stolen the server's data still cannot masquerade as the client unless they first perform a brute-force search for the password. Some augmented PAKE systems use an oblivious pseudorandom function (OPRF) to mix the user's secret password with the server's secret salt value, so that the user never learns the server's secret salt value and the server never learns the user's password (or a password-equivalent value) or the final key.

Key retrieval
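The following is an added worked example, not code from this article or from any of the protocols or projects it lists. It works through, over one finite-field group, both ideas introduced above: the balanced exchange (a SPAKE2-style protocol in which each side sends one blinded group element and derives the same key only if both hold the same password), and the blinded-exponentiation OPRF that the augmented-PAKE paragraph describes (the client ends up with a hash of its password salted by the server's secret key, without the server ever seeing the password or the client learning the key). Assumptions and constructed parts: the group is the 1024-bit MODP safe prime from RFC 2409 with generator 2; hash-to-group is a toy squaring of a SHA-512 value (not a standardized ciphersuite); SHA-256 stands in for a memory-hard password KDF; there is no wire encoding, identity binding or key-confirmation message; the names `Spake2Party`, `spake2_run` and `oprf_*` are this example's own.

```python
"""Added educational example; not code from the article or from any project it lists.

Two pieces over one group, the 1024-bit MODP safe prime of RFC 2409 with generator 2:
  1. a SPAKE2-style balanced PAKE: each side knows the password, and an observer of
     the transcript sees only the blinded values g^x * M^w and g^y * N^w;
  2. the blinded-exponentiation OPRF the augmented PAKE text describes: the client
     ends up with H(pw)^k, a hash salted by the server's secret k, while the server
     never sees pw and the client never learns k.
Constructed for this example: hash-to-group by squaring a SHA-512 value, SHA-256 as
the password-to-scalar KDF (real deployments use a memory-hard KDF), no wire encoding,
no identity binding, no key-confirmation messages.
"""
from __future__ import annotations

import hashlib
import secrets

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2   # P is a safe prime: the quadratic residues form a subgroup of prime order Q
G = 2              # generates that order-Q subgroup


def hash_to_group(data: bytes) -> int:
    """Map bytes to an order-Q element whose discrete log nobody knows (toy construction)."""
    h = int.from_bytes(hashlib.sha512(data).digest(), "big") % P
    return pow(h, 2, P)                      # squaring lands in the order-Q subgroup


def to_scalar(data: bytes) -> int:
    """Password -> exponent w in [0, Q)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


# Public SPAKE2 constants; log_G(M) and log_G(N) are unknown to every party.
M = hash_to_group(b"SPAKE2 constant M (constructed)")
N = hash_to_group(b"SPAKE2 constant N (constructed)")


class Spake2Party:
    """One side of a balanced PAKE; role 'A' blinds with M, role 'B' with N."""

    def __init__(self, role: str, password: bytes):
        self.role = role
        self.w = to_scalar(password)              # password-derived scalar w
        self.x = secrets.randbelow(Q - 1) + 1     # fresh ephemeral exponent
        blind = M if role == "A" else N
        self.msg = pow(G, self.x, P) * pow(blind, self.w, P) % P   # X* or Y*, sent in clear

    def finish(self, peer_msg: int) -> bytes:
        """Derive the session key from the peer's message; equal on both sides iff w matches."""
        unblind = N if self.role == "A" else M
        inv = pow(pow(unblind, self.w, P), -1, P)  # remove the peer's password blinding
        k = pow(peer_msg * inv % P, self.x, P)     # = G^(x*y) when both used the same w
        a_msg, b_msg = (self.msg, peer_msg) if self.role == "A" else (peer_msg, self.msg)
        transcript = b"".join(v.to_bytes(128, "big") for v in (a_msg, b_msg, k, self.w))
        return hashlib.sha256(transcript).digest()


def spake2_run(pw_a: bytes, pw_b: bytes) -> tuple[bytes, bytes]:
    """One exchange; returns (key_A, key_B). A wrong password yields mismatched keys;
    a passive observer gets no password check, an active one at most one guess per run."""
    a, b = Spake2Party("A", pw_a), Spake2Party("B", pw_b)
    return a.finish(b.msg), b.finish(a.msg)


def oprf_blind(password: bytes) -> tuple[int, int]:
    """Client: hide H(pw) under a random exponent r; only the blinded element is sent."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(hash_to_group(password), r, P)


def oprf_evaluate(server_key: int, blinded: int) -> int:
    """Server: apply its secret k; it sees only a uniformly random group element."""
    return pow(blinded, server_key, P)


def oprf_finalize(r: int, evaluated: int) -> int:
    """Client: strip r to obtain H(pw)^k, the server-salted password hash."""
    return pow(evaluated, pow(r, -1, Q), P)


def oprf_reference(server_key: int, password: bytes) -> int:
    """Only someone holding both k and pw can compute this directly."""
    return pow(hash_to_group(password), server_key, P)


if __name__ == "__main__":
    ka, kb = spake2_run(b"correct horse", b"correct horse")
    print("same password  -> keys match:", ka == kb)
    ka, kb = spake2_run(b"correct horse", b"wrong guess")
    print("wrong password -> keys match:", ka == kb)
    k = secrets.randbelow(Q - 1) + 1
    r, blinded = oprf_blind(b"correct horse")
    out = oprf_finalize(r, oprf_evaluate(k, blinded))
    print("OPRF output equals H(pw)^k:", out == oprf_reference(k, b"correct horse"))
```

The two halves connect as the augmented-PAKE paragraph suggests: the OPRF output `H(pw)^k` is the kind of value a client can turn into a key that the server never holds, so a copy of the server's database (which contains `k` but not the password) does not by itself let an attacker impersonate the client. In the balanced half, note that the password scalar `w` enters both the blinding of the transmitted element and the final key derivation, which is what makes a mismatched password produce a mismatched key rather than a recoverable one.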
Password-authenticated key retrieval is a process in which a client obtains a static key in a password-based negotiation with a server that knows data associated with the password, such as the Ford and Kaliski methods. In the most stringent setting, one party uses only a password in conjunction with N (two or more) servers to retrieve a static key. This is completed in a way that protects the password (and key) even if N − 1 of the servers are completely compromised.

Brief history
The first successful password-authenticated key agreement methods were Encrypted Key Exchange methods described by

PAKE selection process for use in internet protocols
At the request of the Internet Engineering Task Force (IETF), a PAKE selection process was carried out in 2018 and 2019 by the IRTF Crypto Forum Research Group (CFRG). The selection process was carried out in several rounds. In the final round in 2019, four finalists prevailed: AuCPace and OPAQUE (augmented PAKE) and CPace and SPAKE2 (balanced PAKE). As a result of the CFRG selection process, two winning protocols were declared "recommended by the CFRG for usage in IETF protocols": CPace and OPAQUE.

See also
* Cryptographic protocol
* IEEE P1363
* Simultaneous Authentication of Equals
* Outline of cryptography
* Zero-knowledge password proof
Further reading
* ISO/IEC 11770-4:2006 Information technology—Security techniques—Key management—Part 4: Mechanisms based on weak secrets.