Password-authenticated key agreement

In cryptography, a password-authenticated key agreement method is an interactive method for two or more parties to establish cryptographic keys based on one or more party's knowledge of a password.



Password-authenticated key agreement generally encompasses methods such as:

  • Balanced password-authenticated key exchange
  • Augmented password-authenticated key exchange
  • Password-authenticated key retrieval
  • Multi-server methods
  • Multi-party methods

In the most stringent password-only security models, there is no requirement for the user of the method to remember any secret or public data other than the password.

Password-authenticated key exchange (PAKE) is where two or more parties, based only on their knowledge of a password, establish a cryptographic key using an exchange of messages, such that an unauthorized party (one who controls the communication channel but does not possess the password) cannot participate in the method and is constrained as much as possible from guessing the password. (In the optimal case, each run of the exchange lets the attacker test exactly one password guess, and the recorded messages give no further help offline.) Two forms of PAKE are balanced and augmented methods.

Balanced PAKE allows parties that use the same password to negotiate and authenticate a shared key. Examples of these are:

  • Encrypted Key Exchange (EKE)
  • PAK and PPK
  • SPEKE (Simple password exponential key exchange)
  • J-PAKE (Password Authenticated Key Exchange by Juggling)
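As an added example (not code from the original article or from any of the protocols' own specifications), the following Python sketches a balanced PAKE in the style of SPEKE: both parties derive a generator from the shared password, exchange ordinary Diffie-Hellman values, and then confirm the key with HMAC tags. It uses only the standard library and the 1024-bit safe prime of RFC 2409 group 2, transcribed here for the demo; the tag format and the `Party`/`run_speke` names are this example's own choices, not part of SPEKE as standardized.

```python
import hashlib
import hmac
import secrets

# Group: the 1024-bit safe prime p = 2q + 1 of RFC 2409 group 2, transcribed for the demo.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
Q = (P - 1) // 2
PBYTES = (P.bit_length() + 7) // 8


def group_sanity_check() -> bool:
    """Fermat checks on p and q; catches a transcription slip in the constant above."""
    return pow(2, P - 1, P) == 1 and pow(2, Q - 1, Q) == 1


def password_generator(password: str) -> int:
    """SPEKE generator g = H(password)^2 mod p, which lies in the order-q subgroup."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")
    g = pow(h, 2, P)
    if g in (0, 1, P - 1):
        raise ValueError("degenerate generator")
    return g


class Party:
    """One participant; holds only the password-derived generator and a fresh exponent."""

    def __init__(self, password: str) -> None:
        self.g = password_generator(password)
        self.x = secrets.randbelow(Q - 2) + 2
        self.public = pow(self.g, self.x, P)   # the only value this party sends

    def shared_key(self, peer_public: int) -> bytes:
        # Reject small-subgroup values so an active attacker cannot force a predictable key.
        if peer_public in (0, 1, P - 1) or pow(peer_public, Q, P) != 1:
            raise ValueError("peer value is not in the prime-order subgroup")
        k = pow(peer_public, self.x, P)
        return hashlib.sha256(k.to_bytes(PBYTES, "big")).digest()


def confirm_tag(key: bytes, role: bytes, transcript: bytes) -> bytes:
    """Key confirmation: an HMAC over the transcript, bound to the sender's role."""
    return hmac.new(key, role + transcript, hashlib.sha256).digest()


def run_speke(alice_password: str, bob_password: str) -> bool:
    """One protocol run; True iff both sides' key-confirmation tags verify."""
    alice, bob = Party(alice_password), Party(bob_password)
    transcript = alice.public.to_bytes(PBYTES, "big") + bob.public.to_bytes(PBYTES, "big")
    key_a = alice.shared_key(bob.public)
    key_b = bob.shared_key(alice.public)
    tag_a = confirm_tag(key_a, b"A", transcript)   # Alice -> Bob
    tag_b = confirm_tag(key_b, b"B", transcript)   # Bob -> Alice
    bob_accepts = hmac.compare_digest(tag_a, confirm_tag(key_b, b"A", transcript))
    alice_accepts = hmac.compare_digest(tag_b, confirm_tag(key_a, b"B", transcript))
    return bob_accepts and alice_accepts


if __name__ == "__main__":
    print(run_speke("correct horse", "correct horse"))   # True
    print(run_speke("correct horse", "wrong guess"))     # False
```

The transcript an eavesdropper sees (two subgroup elements) is consistent with every candidate password, because for any guessed generator there exist exponents producing the same values; only an active party that completes a run learns, from the confirmation tag, whether its single guess was right. That is the "one guess per run" property the text describes, and it is why an implementation should count failed confirmations and throttle or lock out after a few.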

Augmented PAKE is a variation applicable to client/server scenarios, in which the server stores only data derived from the password rather than the password itself, so that an attacker who steals the server's data must still perform a successful brute-force attack on the password in order to masquerade as the client. Examples of these are:

  • AMP
  • Augmented-EKE
  • PAK-Z
  • SRP
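As an added example (again this page's editor's illustration, not the SRP reference code), the following Python walks through one SRP-6a exchange end to end: enrollment stores a salt and a verifier `v = g^x` on the server, the client proves knowledge of the password by deriving the same session key, and each side confirms with an HMAC proof. Assumptions: the RFC 2409 1024-bit safe prime with generator 2 (RFC 5054 specifies its own groups; this one is transcribed for the demo), SHA-256 as the hash, and HMAC-based proofs `M1`/`M2` in place of the exact proof formulas of RFC 2945.

```python
import hashlib
import hmac
import secrets

# Group: the 1024-bit safe prime of RFC 2409 group 2 with generator 2, transcribed
# here for the demo (a production SRP deployment uses the groups in RFC 5054).
N = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
assert pow(2, N - 1, N) == 1, "prime transcription check failed"
G = 2
NBYTES = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    """Fixed-width big-endian encoding so hash inputs are unambiguous."""
    return x.to_bytes(NBYTES, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


K_MULT = H(pad(N), pad(G))  # SRP-6a multiplier k = H(N, g)


def private_x(salt: bytes, identity: str, password: str) -> int:
    """x = H(salt, H(identity:password)); only the client ever computes this."""
    inner = hashlib.sha256(f"{identity}:{password}".encode()).digest()
    return H(salt, inner)


def register(identity: str, password: str):
    """Enrollment: the server stores (salt, verifier v = g^x), never the password or x."""
    salt = secrets.token_bytes(16)
    return salt, pow(G, private_x(salt, identity, password), N)


def srp_run(identity: str, client_password: str, salt: bytes, verifier: int):
    """One SRP-6a exchange. Returns (server_accepts_client, client_accepts_server)."""
    # Client -> Server: identity and A = g^a
    a = secrets.randbelow(N - 2) + 2
    A = pow(G, a, N)
    # Server -> Client: salt and B = k*v + g^b
    b = secrets.randbelow(N - 2) + 2
    B = (K_MULT * verifier + pow(G, b, N)) % N
    if A % N == 0 or B % N == 0:
        raise ValueError("degenerate public value; abort (RFC 5054 check)")
    u = H(pad(A), pad(B))                       # random scrambling parameter
    # Client: S = (B - k*g^x)^(a + u*x); needs x, i.e. the password
    x = private_x(salt, identity, client_password)
    S_client = pow((B - K_MULT * pow(G, x, N)) % N, a + u * x, N)
    # Server: S = (A * v^u)^b; needs only the stored verifier
    S_server = pow((A * pow(verifier, u, N)) % N, b, N)
    K_client = hashlib.sha256(pad(S_client)).digest()
    K_server = hashlib.sha256(pad(S_server)).digest()
    # Client -> Server: M1 proves the client holds K; server checks before revealing anything
    M1 = hmac.new(K_client, pad(A) + pad(B), hashlib.sha256).digest()
    server_accepts = hmac.compare_digest(
        M1, hmac.new(K_server, pad(A) + pad(B), hashlib.sha256).digest())
    if not server_accepts:
        return False, False                     # server aborts; no M2 is sent
    # Server -> Client: M2 proves the server also derived K
    M2 = hmac.new(K_server, pad(A) + M1, hashlib.sha256).digest()
    client_accepts = hmac.compare_digest(
        M2, hmac.new(K_client, pad(A) + M1, hashlib.sha256).digest())
    return server_accepts, client_accepts


if __name__ == "__main__":
    salt, v = register("alice", "correct horse battery staple")
    print(srp_run("alice", "correct horse battery staple", salt, v))   # (True, True)
    print(srp_run("alice", "wrong guess", salt, v))                    # (False, False)
```

The client side of `srp_run` needs `x`, while the server side needs only `v`; that asymmetry is what "augmented" means. Someone holding a stolen `(salt, v)` pair can play the server role but not the client role, and recovering `x` from `v` means either a discrete logarithm or guessing the password and recomputing `g^x` per guess, which is the brute-force attack the text refers to. Defensively, the salt and a slow password hash inside `private_x` are what make that guessing expensive.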

Password-authenticated key retrieval is a process in which a client obtains a static key in a password-based negotiation with a server that knows data associated with the password, such as the Ford and Kaliski methods. In the most stringent setting, one party uses only a password in conjunction with two or more (N) servers to retrieve a static key, in a way that protects the password (and key) even if any N-1 of the servers are completely compromised.
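As an added example in the spirit of the Ford and Kaliski construction (this page's editor's simplification, not the authors' protocol as published), the following Python shows blinded key retrieval from N servers: the client hashes the password into the group, blinds it with a fresh random exponent, and each server raises the blinded value to its own per-user secret. The client unblinds and multiplies the responses, so the static key depends on all N secrets at once. Assumptions: the RFC 2409 1024-bit safe prime, SHA-256, and the `KeyServer`/`retrieve_static_key` names; the client-to-server authentication and rate limiting that a real deployment layers on top are omitted.

```python
import hashlib
import secrets

# Group: the 1024-bit safe prime p = 2q + 1 of RFC 2409 group 2, transcribed for the demo.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
assert pow(2, P - 1, P) == 1, "prime transcription check failed"
Q = (P - 1) // 2
PBYTES = (P.bit_length() + 7) // 8


def hash_to_subgroup(password: str) -> int:
    """Map the password to an element of the order-q subgroup (squaring lands it there)."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")
    return pow(h, 2, P)


class KeyServer:
    """One of the N servers. Holds a per-user secret exponent and answers blinded queries."""

    def __init__(self) -> None:
        self.secret = secrets.randbelow(Q - 1) + 1

    def assist(self, blinded: int) -> int:
        # The query is a uniformly random subgroup element: it carries no information
        # about the password, so even a compromised server learns nothing from it.
        if blinded in (0, 1, P - 1) or pow(blinded, Q, P) != 1:
            raise ValueError("query is not in the prime-order subgroup")
        return pow(blinded, self.secret, P)


def retrieve_static_key(password: str, servers) -> bytes:
    """Blind the password element, query every server, unblind, and combine into one key."""
    w = hash_to_subgroup(password)
    r = secrets.randbelow(Q - 1) + 1          # fresh blinding factor for this run
    r_inv = pow(r, -1, Q)                     # w^(r * r_inv) == w because w has order q
    blinded = pow(w, r, P)
    combined = 1
    for server in servers:
        share = pow(server.assist(blinded), r_inv, P)   # = w^(secret_i)
        combined = combined * share % P                  # = w^(sum of all secrets)
    return hashlib.sha256(combined.to_bytes(PBYTES, "big")).digest()


if __name__ == "__main__":
    servers = [KeyServer() for _ in range(3)]
    k1 = retrieve_static_key("correct horse", servers)
    k2 = retrieve_static_key("correct horse", servers)
    print(k1 == k2)                                            # True: the key is static
    print(k1 == retrieve_static_key("correct horse", servers[:2]))   # False: needs all N
```

The key is the same on every run even though each run uses a different blind, which is what makes it a retrieved static key rather than a per-session one. Compromising N-1 servers yields their secrets but not the last factor `w^(secret_N)`, so neither the key nor a password-testing oracle falls out of the stolen data; the remaining honest server can still rate-limit queries.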

Brief history

The first successful password-authenticated key agreement methods were Encrypted Key Exchange methods described by Steven M. Bellovin and Michael Merritt in 1992. Although several of the first methods were flawed, the surviving and enhanced forms of EKE effectively amplify a shared password into a shared key, which can then be used for encryption and/or message authentication.

The first provably-secure PAKE protocols were given in work by M. Bellare, D. Pointcheval, and P. Rogaway (Eurocrypt 2000) and V. Boyko, P. MacKenzie, and S. Patel (Eurocrypt 2000). These protocols were proven secure in the so-called random oracle model (or even stronger variants), and the first protocols proven secure under standard assumptions were those of O. Goldreich and Y. Lindell (Crypto 2001) and J. Katz, R. Ostrovsky, and M. Yung (Eurocrypt 2001).

The first password-authenticated key retrieval methods were described by Ford and Kaliski in 2000.

A considerable number of refinements, alternatives, variations, and security proofs have been proposed in this growing class of password-authenticated key agreement methods. Current standards for these methods include IETF RFC 2945 and RFC 5054, IEEE Std 1363.2-2008, ITU-T X.1035 and ISO/IEC 11770-4:2006.

References

  • Bellare, M.; Pointcheval, D.; Rogaway, P. (2000). "Authenticated Key Exchange Secure against Dictionary Attacks". Advances in Cryptology – Eurocrypt 2000. Lecture Notes in Computer Science 1807. Springer-Verlag. p. 139. doi:10.1007/3-540-45539-6_11. ISBN 978-3-540-67517-4.
  • Bellovin, S. M.; Merritt, M. (May 1992). "Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks". Proceedings of the IEEE Symposium on Research in Security and Privacy (Oakland). p. 72. doi:10.1109/RISP.1992.213269. ISBN 0-8186-2825-1.
  • Boyko, V.; MacKenzie, P.; Patel, S. (2000). "Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman". Advances in Cryptology – Eurocrypt 2000. Lecture Notes in Computer Science 1807. Springer-Verlag. p. 156. doi:10.1007/3-540-45539-6_12. ISBN 978-3-540-67517-4.
  • Ford, W.; Kaliski, B. (14–16 June 2000). "Server-Assisted Generation of a Strong Secret from a Password". Proceedings of the IEEE 9th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (Gaithersburg, MD: NIST). p. 176. doi:10.1109/ENABL.2000.883724. ISBN 0-7695-0798-0.
  • Goldreich, O.; Lindell, Y. (2001). "Session-Key Generation Using Human Passwords Only". Advances in Cryptology – Crypto 2001. Lecture Notes in Computer Science 2139. Springer-Verlag.
  • IEEE Std 1363.2-2008: IEEE Standard Specifications for Password-Based Public-Key Cryptographic Techniques. IEEE. 2009.
  • Katz, J.; Ostrovsky, R.; Yung, M. (2001). "Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords". Advances in Cryptology – Eurocrypt 2001. Lecture Notes in Computer Science 2045. Springer-Verlag.
  • Wu, T. The SRP-3 Secure Remote Password Protocol. IETF RFC 2945.
  • Taylor, D.; Wu, T.; Mavrogiannopoulos, N.; Perrin, T. Using the Secure Remote Password (SRP) Protocol for TLS Authentication. IETF RFC 5054.
  • Sheffer, Y.; Zorn, G.; Tschofenig, H.; Fluhrer, S. An EAP Authentication Method Based on the Encrypted Key Exchange (EKE) Protocol. IETF RFC 6124.
  • ISO/IEC 11770-4:2006 Information technology—Security techniques—Key management—Part 4: Mechanisms based on weak secrets.

Wikimedia Foundation. 2010.
