Password-authenticated key agreement
In cryptography, a password-authenticated key agreement method is an interactive method for two or more parties to establish cryptographic keys based on one or more party's knowledge of a password.
Types
Password-authenticated key agreement generally encompasses methods such as:
- Balanced password-authenticated key exchange
- Augmented password-authenticated key exchange
- Password-authenticated key retrieval
- Multi-server methods
- Multi-party methods
In the most stringent password-only security models, there is no requirement for the user of the method to remember any secret or public data other than the password.
Password authenticated key exchange (PAKE) is where two or more parties, based only on their knowledge of a password, establish a cryptographic key using an exchange of messages, such that an unauthorized party (one who controls the communication channel but does not possess the password) cannot participate in the method and is constrained as much as possible from guessing the password. (The optimal case yields exactly one guess per run exchange.) Two forms of PAKE are Balanced and Augmented methods.
Balanced PAKE allows parties that use the same password to negotiate and authenticate a shared key. Examples of these are:
- Encrypted Key Exchange (EKE)
- PAK and PPK
- SPEKE (Simple password exponential key exchange)
- J-PAKE (Password Authenticated Key Exchange by Juggling)
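An added illustration, not part of the original article: a toy run of SPEKE, one of the balanced methods listed above, in which the Diffie-Hellman generator is derived from a hash of the password. The group (RFC 2409 Oakley Group 1), SHA-256, the confirmation tag, and the names `generator`, `Party`, `confirm` and `run` are assumptions chosen for this sketch; the 768-bit group is too small for real use.

```python
import hashlib, hmac, secrets

# Assumption: RFC 2409 Oakley Group 1 safe prime (768 bits). Far too small
# for production; used only to keep the listing short.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)

def generator(password: str) -> int:
    # SPEKE: g = H(password)^2 mod p; squaring puts g in the prime-order subgroup.
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")
    return pow(h, 2, P)

class Party:
    def __init__(self, password: str):
        self.g = generator(password)
        self.x = secrets.randbelow(P - 3) + 2      # ephemeral secret exponent
        self.public = pow(self.g, self.x, P)       # the only value sent on the wire

    def session_key(self, peer_public: int) -> bytes:
        # Reject 0, 1 and p-1, which would force a predictable shared secret.
        if not 2 <= peer_public <= P - 2:
            raise ValueError("invalid peer value")
        z = pow(peer_public, self.x, P)
        return hashlib.sha256(z.to_bytes(96, "big")).digest()

def confirm(key: bytes, label: bytes) -> bytes:
    # Key-confirmation tag: proves possession of the session key without revealing it.
    return hmac.new(key, label, hashlib.sha256).digest()

def run(pw_a: str, pw_b: str) -> bool:
    # One protocol run between A (using pw_a) and B (using pw_b).
    a, b = Party(pw_a), Party(pw_b)
    ka, kb = a.session_key(b.public), b.session_key(a.public)
    # B accepts only if A's tag verifies under B's own key.
    return hmac.compare_digest(confirm(ka, b"A"), confirm(kb, b"A"))
```

A party that runs the exchange with a wrong password derives a different generator and therefore a different key, so each run tests exactly one password guess.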
Augmented PAKE is a variation applicable to client/server scenarios, in which an attacker must perform a successful brute-force attack in order to masquerade as the client using stolen server data. Examples of these are:
- AMP
- Augmented-EKE
- B-SPEKE
- PAK-Z
- SRP (Secure Remote Password protocol)
Password-authenticated key retrieval is a process in which a client obtains a static key in a password-based negotiation with a server that knows data associated with the password, such as the Ford and Kaliski methods. In the most stringent setting, one party uses only a password in conjunction with two or more (N) servers to retrieve a static key, in a way that protects the password (and key) even if any N-1 of the servers are completely compromised.
Brief history
The first successful password-authenticated key agreement methods were Encrypted Key Exchange methods described by Steven M. Bellovin and Michael Merritt in 1992. Although several of the first methods were flawed, the surviving and enhanced forms of EKE effectively amplify a shared password into a shared key, which can then be used for encryption and/or message authentication.
The first provably-secure PAKE protocols were given in work by M. Bellare, D. Pointcheval, and P. Rogaway (Eurocrypt 2000) and V. Boyko, P. MacKenzie, and S. Patel (Eurocrypt 2000). These protocols were proven secure in the so-called random oracle model (or even stronger variants), and the first protocols proven secure under standard assumptions were those of O. Goldreich and Y. Lindell (Crypto 2001) and J. Katz, R. Ostrovsky, and M. Yung (Eurocrypt 2001).
The first password-authenticated key retrieval methods were described by Ford and Kaliski in 2000.
A considerable number of refinements, alternatives, variations, and security proofs have been proposed in this growing class of password-authenticated key agreement methods. Current standards for these methods include IETF RFC 2945 and RFC 5054, IEEE Std 1363.2-2008, ITU-T X.1035 and ISO-IEC 11770-4:2006.
See also
- Cryptographic protocol
- IEEE P1363
- Password
- Topics in cryptography
- Zero-knowledge password proof