In cryptography, a password-authenticated key agreement method is an interactive method for two or more parties to establish cryptographic keys based on one or more parties' knowledge of a password. An important property is that an eavesdropper or man-in-the-middle attacker cannot obtain enough information to brute-force guess the password offline: every guess requires a further interaction with the parties. This means that strong security can be obtained from weak passwords.
Types
Password-authenticated key agreement generally encompasses methods such as balanced password-authenticated key exchange, augmented password-authenticated key exchange, and password-authenticated key retrieval.
In the most stringent password-only security models, there is no requirement for the user of the method to remember any secret or public data other than the password. Password-authenticated key exchange (PAKE) is where two or more parties, based only on their knowledge of a password, establish a cryptographic key using an exchange of messages, such that an unauthorized party cannot participate in the method and is constrained as much as possible from brute-force guessing the password. Two forms of PAKE are balanced and augmented methods. A balanced PAKE allows parties that use the same password to negotiate and authenticate a shared key. Examples of these are:
An augmented PAKE is a variation applicable to client/server scenarios, in which the server does not store password-equivalent data. This means that an attacker who steals the server's stored data still cannot masquerade as the client unless they first perform a brute-force search for the password. Examples include:
AMP
Augmented-EKE
B-SPEKE
PAK-X
SRP – designed to be unencumbered by patents.
AugPAKE
OPAQUE
SPAKE2+
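The augmented-PAKE property described above (the server keeps a verifier, not the password or anything that can stand in for it) is easiest to see in a concrete run of SRP. The following is an added example, not code from the article or from any of the listed protocols' reference implementations. It follows the SRP-6a message flow as described in RFC 5054 (A = g^a, B = k·v + g^b, u = H(A, B), shared secret S, then key confirmation), with SHA-256 as the hash. The group is a toy 128-bit safe prime generated when the module loads; a real deployment uses a standardised group and a constant-time library. All function names (`register`, `srp_exchange`, `password_to_x`, `find_safe_prime`) are this example's own.

```python
"""SRP-6a style augmented PAKE, written from the RFC 5054 description.

Toy parameters: a 128-bit safe prime is generated at import time. This is an
illustration of the message flow only, not a production implementation.
"""
import hashlib
import hmac
import secrets


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases; enough to build a demo group."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int) -> int:
    """First safe prime p = 2q + 1 with q prime and q >= start (demo group only)."""
    q = start | 1
    while not (_is_probable_prime(q) and _is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


N = find_safe_prime(1 << 127)   # constructed toy modulus, NOT a standard group
g = 2
N_LEN = (N.bit_length() + 7) // 8


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenation, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(x: int) -> bytes:
    """Fixed-width big-endian encoding, as RFC 5054's PAD()."""
    return x.to_bytes(N_LEN, "big")


k = H(pad(N), pad(g)) % N   # SRP-6a multiplier parameter


def password_to_x(salt: bytes, username: bytes, password: bytes) -> int:
    """x = H(salt | H(username ':' password)); only the client ever computes this."""
    inner = hashlib.sha256(username + b":" + password).digest()
    return H(salt, inner)


def register(username: bytes, password: bytes) -> tuple:
    """Enrolment: the server stores (salt, verifier v = g^x); never the password."""
    salt = secrets.token_bytes(16)
    x = password_to_x(salt, username, password)
    return salt, pow(g, x, N)


def srp_exchange(username: bytes, password: bytes, salt: bytes, verifier: int) -> tuple:
    """One login run. Returns (client_key, server_key, server_accepted)."""
    # Client: ephemeral a, public value A = g^a
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # Server: reject a degenerate A, then B = k*v + g^b
    if A % N == 0:
        raise ValueError("server abort: A is zero mod N")
    b = secrets.randbelow(N - 2) + 1
    B = (k * verifier + pow(g, b, N)) % N
    if B == 0:
        raise ValueError("client abort: B is zero mod N")
    u = H(pad(A), pad(B)) % N
    if u == 0:
        raise ValueError("abort: u is zero")
    # Client needs the password (through x); server needs only the verifier
    x = password_to_x(salt, username, password)
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    s_server = pow((A * pow(verifier, u, N)) % N, b, N)
    k_client = hashlib.sha256(pad(s_client)).digest()
    k_server = hashlib.sha256(pad(s_server)).digest()
    # Key confirmation: the client's MAC must match what the server derives
    m1_client = hmac.new(k_client, pad(A) + pad(B), hashlib.sha256).digest()
    m1_expected = hmac.new(k_server, pad(A) + pad(B), hashlib.sha256).digest()
    return k_client, k_server, hmac.compare_digest(m1_client, m1_expected)


if __name__ == "__main__":
    salt, v = register(b"alice", b"correct horse battery staple")
    kc, ks, ok = srp_exchange(b"alice", b"correct horse battery staple", salt, v)
    print("right password -> accepted:", ok, "keys equal:", kc == ks)
    kc, ks, ok = srp_exchange(b"alice", b"wrong guess", salt, v)
    print("wrong password -> accepted:", ok, "keys equal:", kc == ks)
```

Note what the server holds after `register`: a salt and v = g^x. Someone who copies that database learns v but not x, and the client's side of `srp_exchange` cannot be completed without x; recovering x from v is a discrete-log problem, and recovering the password from v means testing guesses one at a time against the verifier, which is the brute-force search the paragraph refers to.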
Password-authenticated key retrieval is a process in which a client obtains a static key in a password-based negotiation with a server that knows data associated with the password, such as the Ford and Kaliski methods. In the most stringent setting, one party uses only a password in conjunction with N servers to retrieve a static key. This is done in a way that protects the password even if N − 1 of the servers are completely compromised.
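To make the retrieval idea concrete, here is an added, simplified blinded-exponent scheme that illustrates the property just described; it is not the Ford–Kaliski protocol itself and is not code from the article. The client hashes its password into a group element, blinds it with a random exponent r, and sends only the blinded value to each of N servers; server i raises it to its secret exponent k_i; the client unblinds and hashes the N results into a static key. Each server sees a fresh random-looking value on every run, and an attacker who has N − 1 server secrets still needs the remaining honest server for every password guess. The modulus is the Mersenne prime 2^127 − 1, used here purely as a toy group; names such as `RetrievalServer` and `retrieve_static_key` are this example's own.

```python
"""Simplified N-server blinded key retrieval (added illustration, toy parameters)."""
import hashlib
import math
import secrets

P = (1 << 127) - 1   # Mersenne prime M127; toy modulus, not a recommended group
ORDER = P - 1        # exponents are taken mod p-1 (Fermat's little theorem)


def hash_to_group(password: bytes) -> int:
    """Map a password to a non-zero element of Z_p^* (toy encoding)."""
    h = int.from_bytes(hashlib.sha256(b"retrieval:" + password).digest(), "big")
    return h % (P - 1) + 1   # in [1, p-1], never zero


def blind(password: bytes) -> tuple:
    """Return (r, H(pw)^r) with r invertible mod p-1 so it can be undone."""
    while True:
        r = secrets.randbelow(ORDER - 1) + 1
        if math.gcd(r, ORDER) == 1:
            return r, pow(hash_to_group(password), r, P)


class RetrievalServer:
    """Holds one secret exponent; only ever sees blinded values."""

    def __init__(self):
        self.k = secrets.randbelow(ORDER - 1) + 1

    def respond(self, blinded: int) -> int:
        # Per-client rate limiting would sit here: the server cannot test
        # password guesses itself, so it is the natural throttle point.
        if blinded % P == 0:
            raise ValueError("abort: zero element")
        return pow(blinded, self.k, P)


def retrieve_static_key(password: bytes, servers: list) -> bytes:
    """Client side: blind once, query every server, unblind, combine."""
    r, y = blind(password)
    r_inv = pow(r, -1, ORDER)            # Python 3.8+ modular inverse
    shares = []
    for server in servers:
        z = pow(server.respond(y), r_inv, P)   # equals H(pw)^k_i, blinding removed
        shares.append(z.to_bytes(16, "big"))
    return hashlib.sha256(b"".join(shares)).digest()


if __name__ == "__main__":
    servers = [RetrievalServer() for _ in range(3)]
    first = retrieve_static_key(b"correct horse battery staple", servers)
    second = retrieve_static_key(b"correct horse battery staple", servers)
    print("same password, same servers, same key:", first == second)
    print("other password gives other key:",
          retrieve_static_key(b"other", servers) != first)
```

The key is static because H(pw)^k_i is a deterministic function of the password and the server secrets, while what each server actually receives (H(pw)^r) changes with every run. With a single server this is the basic retrieval setting; with N servers, compromising N − 1 of them yields N − 1 exponents but not the last share, so offline checking of guesses against the recovered material is still blocked.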
Brief history
The first successful password-authenticated key agreement methods were the Encrypted Key Exchange (EKE) methods described by Steven M. Bellovin and Michael Merritt in 1992. Although several of the first methods were flawed, the surviving and enhanced forms of EKE effectively amplify a shared password into a shared key, which can then be used for encryption and/or message authentication. The first provably secure PAKE protocols were given in work by M. Bellare, D. Pointcheval, and P. Rogaway and by V. Boyko, P. MacKenzie, and S. Patel. These protocols were proven secure in the so-called random oracle model; the first protocols proven secure under standard assumptions were those of O. Goldreich and Y. Lindell, which serve as a plausibility proof but are not efficient, and of J. Katz, R. Ostrovsky, and M. Yung, which are practical. The first password-authenticated key retrieval methods were described by Ford and Kaliski in 2000. Beyond the work of M. Bellare, D. Pointcheval, and P. Rogaway, a considerable number of alternative secure PAKE protocols, variations, and security proofs have been proposed in this growing class of password-authenticated key agreement methods. Current standards for these methods include IETF RFC 2945, RFC 5054, RFC 5931, RFC 5998, RFC 6124, RFC 6617, RFC 6628 and RFC 6631, IEEE Std 1363.2-2008, ITU-T X.1035 and ISO-IEC 11770-4:2006.