Password-authenticated key agreement

Last updated

In cryptography, a password-authenticated key agreement (PAK) method is an interactive method for two or more parties to establish cryptographic keys based on one or more parties' knowledge of a password.

Contents

An important property is that an eavesdropper or man-in-the-middle cannot obtain enough information to be able to brute-force guess a password without further interactions with the parties for each (few) guesses. This means that strong security can be obtained using weak passwords.[ citation needed ]

Types

Password-authenticated key agreement generally encompasses methods such as:

In the most stringent password-only security models, there is no requirement for the user of the method to remember any secret or public data other than the password.

Password-authenticated key exchange (PAKE) is a method in which two or more parties, based only on their knowledge of a shared password, [1] establish a cryptographic key using an exchange of messages, such that an unauthorized party (one who controls the communication channel but does not possess the password) cannot participate in the method and is constrained as much as possible from brute-force guessing the password. (The optimal case yields exactly one guess per run exchange.) Two forms of PAKE are balanced and augmented methods. [1]

Balanced PAKE

Balanced PAKE assumes the two parties in either a client-client or client-server situation use the same secret password to negotiate and authenticate a shared key. [1] Examples of these are:

Augmented PAKE

Augmented PAKE is a variation applicable to client/server scenarios, in which the server does not store password-equivalent data. This means that an attacker that stole the server data still cannot masquerade as the client unless they first perform a brute force search for the password. Some augmented PAKE systems use an oblivious pseudorandom function to mix the user's secret password with the server's secret salt value, so that the user never learns the server's secret salt value and the server never learns the user's password (or password-equivalent value) or the final key. [8]

Examples include:

Key retrieval

Password-authenticated key retrieval is a process in which a client obtains a static key in a password-based negotiation with a server that knows data associated with the password, such as the Ford and Kaliski methods. In the most stringent setting, one party uses only a password in conjunction with N (two or more) servers to retrieve a static key. This is completed in a way that protects the password (and key) even if N  1 of the servers are completely compromised.

Brief history

The first successful password-authenticated key agreement methods were Encrypted Key Exchange methods described by Steven M. Bellovin and Michael Merritt in 1992. Although several of the first methods were flawed, the surviving and enhanced forms of EKE effectively amplify a shared password into a shared key, which can then be used for encryption and/or message authentication. The first provably-secure PAKE protocols were given in work by M. Bellare, D. Pointcheval, and P. Rogaway (Eurocrypt 2000) and V. Boyko, P. MacKenzie, and S. Patel (Eurocrypt 2000). These protocols were proven secure in the so-called random oracle model (or even stronger variants), and the first protocols proven secure under standard assumptions were those of O. Goldreich and Y. Lindell (Crypto 2001) which serves as a plausibility proof but is not efficient, and J. Katz, R. Ostrovsky, and M. Yung (Eurocrypt 2001) which is practical.

The first password-authenticated key retrieval methods were described by Ford and Kaliski in 2000.

A considerable number of alternative, secure PAKE protocols were given in work by M. Bellare, D. Pointcheval, and P. Rogaway, variations, and security proofs have been proposed in this growing class of password-authenticated key agreement methods. Current standards for these methods include IETF RFC 2945, RFC 5054, RFC 5931, RFC 5998, RFC 6124, RFC 6617, RFC 6628 and RFC 6631, IEEE Std 1363.2-2008, ITU-T X.1035 and ISO-IEC 11770-4:2006.

PAKE selection process for use in internet protocols

On request of the internet engineering task force IETF, a PAKE selection process has been carried out in 2018 and 2019 by the IRTF crypto forum research group (CFRG). The selection process has been carried out in several rounds. [15] In the final round in 2019 four finalists AuCPace, OPAQUE (augmented cases) and CPace, SPAKE2 (balanced PAKE) prevailed. As a result of the CFRG selection process, two winner protocols were declared as "recommended by the CFRG for usage in IETF protocols": CPace and OPAQUE. [16]

See also

Related Research Articles

<span class="mw-page-title-main">Diffie–Hellman key exchange</span> Method of exchanging cryptographic keys

Diffie–Hellman (DH) key exchange is a mathematical method of securely generating a symmetric cryptographic key over a public channel and was one of the first public-key protocols as conceived by Ralph Merkle and named after Whitfield Diffie and Martin Hellman. DH is one of the earliest practical examples of public key exchange implemented within the field of cryptography. Published in 1976 by Diffie and Hellman, this is the earliest publicly known work that proposed the idea of a private key and a corresponding public key.

<span class="mw-page-title-main">Kerberos (protocol)</span> Computer authentication protocol

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model, and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

The Secure Shell (SSH) Protocol is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution.

Telnet is a client/server application protocol that provides access to virtual terminals of remote systems on local area networks or the Internet. It is a protocol for bidirectional 8-bit communications. Its main goal was to connect terminal devices and terminal-oriented processes.

In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks (VPNs).

<span class="mw-page-title-main">Email client</span> Computer program used to access and manage a users email

An email client, email reader or, more formally, message user agent (MUA) or mail user agent is a computer program used to access and manage a user's email.

In cryptography, a key-agreement protocol is a protocol whereby two parties generate a cryptographic key as a function of information provided by each honest party so that no party can predetermine the resulting value. In particular, all honest participants influence the outcome. A key-agreement protocol is a specialisation of a key-exchange protocol.

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network, such as the Internet. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

In computing, Internet Key Exchange is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP. IKE uses X.509 certificates for authentication ‒ either pre-shared or distributed using DNS ‒ and a Diffie–Hellman key exchange to set up a shared session secret from which cryptographic keys are derived. In addition, a security policy for every peer which will connect must be manually maintained.

An authentication protocol is a type of computer communications protocol or cryptographic protocol specifically designed for transfer of authentication data between two entities. It allows the receiving entity to authenticate the connecting entity as well as authenticate itself to the connecting entity by declaring the type of information needed for authentication as well as syntax. It is the most important layer of protection needed for secure communication within computer networks.

S/KEY is a one-time password system developed for authentication to Unix-like operating systems, especially from dumb terminals or untrusted public computers on which one does not want to type a long-term password. A user's real password is combined in an offline device with a short set of characters and a decrementing counter to form a single-use password. Because each password is only used once, they are useless to password sniffers.

The Secure Remote Password protocol (SRP) is an augmented password-authenticated key exchange (PAKE) protocol, specifically designed to work around existing patents.

<span class="mw-page-title-main">Encrypted key exchange</span>

Encrypted Key Exchange is a family of password-authenticated key agreement methods described by Steven M. Bellovin and Michael Merritt. Although several of the forms of EKE in this paper were later found to be flawed, the surviving, refined, and enhanced forms of EKE effectively make this the first method to amplify a shared password into a shared key, where the shared key may subsequently be used to provide a zero-knowledge password proof or other functions.

Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and internet connections. It is defined in RFC 3748, which made RFC 2284 obsolete, and is updated by RFC 5247. EAP is an authentication framework for providing the transport and usage of material and parameters generated by EAP methods. There are many methods defined by RFCs, and a number of vendor-specific methods and new proposals exist. EAP is not a wire protocol; instead it only defines the information from the interface and the formats. Each protocol that uses EAP defines a way to encapsulate by the user EAP messages within that protocol's messages.

In cryptography, a zero-knowledge password proof (ZKPP) is a type of zero-knowledge proof that allows one party to prove to another party that it knows a value of a password, without revealing anything other than the fact that it knows the password to the verifier. The term is defined in IEEE P1363.2, in reference to one of the benefits of using a password-authenticated key exchange (PAKE) protocol that is secure against off-line dictionary attacks. A ZKPP prevents any party from verifying guesses for the password without interacting with a party that knows it and, in the optimal case, provides exactly one guess in each interaction.

<span class="mw-page-title-main">Forward secrecy</span> Practice in cryptography

In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key-agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised, limiting damage. For HTTPS, the long-term secret is typically the private key of the server. Forward secrecy protects past sessions against future compromises of keys or passwords. By generating a unique session key for every session a user initiates, the compromise of a single session key will not affect any data other than that exchanged in the specific session protected by that particular key. This by itself is not sufficient for forward secrecy which additionally requires that a long-term secret compromise does not affect the security of past session keys.

Authenticated Encryption (AE) is an encryption scheme which simultaneously assures the data confidentiality and authenticity. Examples of encryption modes that provide AE are GCM, CCM.

Distributed key generation (DKG) is a cryptographic process in which multiple parties contribute to the calculation of a shared public and private key set. Unlike most public key encryption models, distributed key generation does not rely on Trusted Third Parties. Instead, the participation of a threshold of honest parties determines whether a key pair can be computed successfully. Distributed key generation prevents single parties from having access to a private key. The involvement of many parties requires Distributed key generation to ensure secrecy in the presence of malicious contributions to the key calculation.

ChaCha20-Poly1305 is an authenticated encryption with associated data (AEAD) algorithm, that combines the ChaCha20 stream cipher with the Poly1305 message authentication code. It has fast software performance, and without hardware acceleration, is usually faster than AES-GCM.

An oblivious pseudorandom function (OPRF) is a cryptographic function, similar to a keyed-hash function, but with the distinction that in an OPRF two parties cooperate to securely compute a pseudorandom function (PRF).

References

  1. Designed to be not encumbered by patents. [9]
  1. 1 2 3 Hao, Feng; Ryan, Peter Y. A. (2011). "Password Authenticated Key Exchange by Juggling". In Christianson, Bruce; Malcolm, James A.; Matyas, Vashek; Roe, Michael (eds.). Security Protocols XVI. Lecture Notes in Computer Science. Vol. 6615. Berlin, Heidelberg: Springer. pp. 159–171. doi:10.1007/978-3-642-22137-8_23. ISBN   978-3-642-22137-8.
  2. 1 2 Boyko, V.; P. MacKenzie; S. Patel (2000). "Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman". Advances in Cryptology — EUROCRYPT 2000. Lecture Notes in Computer Science. Vol. 1807. Springer-Verlag. pp. 156–171. doi:10.1007/3-540-45539-6_12. ISBN   978-3-540-67517-4.
  3. Haase, Björn; Hesse, Julia; Abdalla, Michel (2021). "OPAQUE: An Asymmetric PAKE Protocol Secure Against Pre-computation Attacks" (PDF). Advances in Cryptology – EUROCRYPT 2018. Lecture Notes in Computer Science. Vol. 10822. pp. 456–486. doi:10.1007/978-3-319-78372-7_15. ISBN   978-3-319-78371-0. S2CID   4046378.
  4. Abdalla, M.; D. Pointcheval (2005). "Simple Password-Based Encrypted Key Exchange Protocols". Topics in Cryptology – CT-RSA 2005 (PDF). Lecture Notes in Computer Science. Vol. 3376. Springer Berlin Heidelberg. pp. 191–208. CiteSeerX   10.1.1.59.8930 . doi:10.1007/978-3-540-30574-3_14. ISBN   978-3-540-24399-1.
  5. Ladd, Watson (September 2023). Kaduk, Benjamin (ed.). "RFC 9382: SPAKE2, a Password-Authenticated Key Exchange". IETF.
  6. Alekseev, Evgeny; Oshkin, Igor; Popov, Vladimir (March 2017). Smyshlyaev, Stanislav (ed.). "RFC 8133: The Security Evaluated Standardized Password-Authenticated Key Exchange (SESPAKE) Protocol". IETF.
  7. 1 2 US11025421B2,Fay, Bjorn,"Advanced modular handshake for key agreement and optional authentication",issued 2021-06-01
  8. Matthew Green. "Let's talk about PAKE". 2018.
  9. "What is SRP?". Stanford University.
  10. Shin, SeongHan; Kobara, Kazukuni (June 2012). "Efficient Augmented Password-Only Authentication and Key Exchange for IKEv2". Internet Engineering Task Force. Archived from the original on 11 May 2021.
  11. Tatiana Bradley (2020-12-08). "OPAQUE: The Best Passwords Never Leave your Device". The Cloudflare Blog.
  12. Bourdrez, Daniel; Krawczyk, Hugo; Lewi, Kevin; Wood, Christopher A. (2023-06-12). "The OPAQUE Asymmetric PAKE Protocol (Internet Draft)". IETF.
  13. Haase, Björn; Labrique, Benoît (August 2010). "AuCPace: Efficient verifier-based PAKE protocol tailored for the IIoT" (PDF). TCHES: 1–48. doi:10.13154/tches.v2019.i2.1-48. S2CID   4603454.
  14. Taubert, T.; Wood, C. (September 2023). "SPAKE2+, an Augmented Password-Authenticated Key Exchange (PAKE) Protocol". IETF.
  15. Repository for the CFRG Pake selection process
  16. Results of the CFRG PAKE selection process

Further reading