Password Authenticated Key Exchange by Juggling

Last updated November 23, 2023

The Password Authenticated Key Exchange by Juggling (or J-PAKE) is a password-authenticated key agreement protocol, proposed by Feng Hao and Peter Ryan.^[1] This protocol allows two parties to establish private and authenticated communication solely based on their shared (low-entropy) password without requiring a Public Key Infrastructure. It provides mutual authentication to the key exchange, a feature that is lacking in the Diffie–Hellman key exchange protocol.

Description

Two parties, Alice and Bob, agree on a group $G$ with generator $g$ of prime order $q$ in which the discrete log problem is hard. Typically a Schnorr group is used. In general, J-PAKE can use any prime order group that is suitable for public key cryptography, including Elliptic curve cryptography. Let $s$ be their shared (low-entropy) secret, which can be a password or a hash of a password ( $s\neq 0$ ). The protocol executes in two rounds.

Round 1: Alice selects $x_{1}\in _{R}[0,q-1]$ , $x_{2}\in _{R}[1,q-1]$ and sends out $g^{x_{1}}$ , $g^{x_{2}}$ together with the Zero-knowledge proofs (using for example Schnorr non-interactive zero-knowledge proof as specified in RFC 8235) for the proof of the exponents $x_{1}$ and $x_{2}$ . Similarly, Bob selects $x_{3}\in _{R}[0,q-1]$ , $x_{4}\in _{R}[1,q-1]$ and sends out $g^{x_{3}}$ , $g^{x_{4}}$ together with the Zero-knowledge proofs for the proof of the exponents $x_{3}$ and $x_{4}$ . The above communication can be completed in one round as neither party depends on the other. When it finishes, Alice and Bob verify the received Zero-knowledge proofs and also check $g^{x_{2}},g^{x_{4}}\neq 1$ .

Round 2: Alice sends out $A=g^{(x_{1}+x_{3}+x_{4})x_{2}s}$ and a Zero-knowledge proof for the proof of the exponent $x_{2}s$ . (Note Alice actually derives a new public key using $g^{x_{1}+x_{3}+x_{4}}$ as the generator). Similarly, Bob sends out $B=g^{(x_{1}+x_{2}+x_{3})x_{4}s}$ and a Zero-knowledge proof for the proof of the exponent $x_{4}s$ .

After Round 2, Alice computes $K=(B/g^{x_{2}x_{4}s})^{x_{2}}=g^{(x_{1}+x_{3})x_{2}x_{4}s}$ . Similarly, Bob computes $K=(A/g^{x_{2}x_{4}s})^{x_{4}}=g^{(x_{1}+x_{3})x_{2}x_{4}s}$ . With the same keying material $K$ , Alice and Bob can derive a session key using a Cryptographic hash function: $\kappa =H(K)$ .

The two-round J-PAKE protocol is completely symmetric. This helps significantly simplify the security analysis. For example, the proof that one party does not leak any password information in the data exchange must hold true for the other party based on the symmetry. This reduces the number of the needed security proofs by half.

In practice, it is more likely to implement J-PAKE in three flows since one party shall normally take the initiative. This can be done trivially without loss of security. Suppose Alice initiates the communication by sending to Bob: $g^{x_{1}},g^{x_{2}}$ and Zero-knowledge proofs. Then Bob replies with: $g^{x_{3}},g^{x_{4}},B=g^{(x_{1}+x_{2}+x_{3})x_{4}s}$ and Zero-knowledge proofs. Finally, Alice sends to Bob: $A=g^{(x_{1}+x_{3}+x_{4})x_{2}s}$ and a Zero-knowledge proof. Both parties can now derive the same session key.

Depending on the application requirement, Alice and Bob may perform an optional key confirmation step. There are several ways to do it. A simple method described in SPEKE works as follows: Alice sends to Bob $H(H(\kappa ))$ , and then Bob replies with $H(\kappa )$ .^[2] Alternatively, Alice and Bob can realize explicit key confirmation by using the newly constructed session key to encrypt a known value (or a random challenge). EKE, Kerberos and Needham-Schroeder all attempt to provide explicit key confirmation by exactly this method.

Security properties

Given that the underlying Schnorr non-interactive zero-knowledge proof is secure, the J-PAKE protocol is proved to satisfy the following properties:^[3]

Off-line dictionary attack resistance - It does not leak any password verification information to a passive/active attacker.
Forward secrecy - It produces session keys that remain secure even when the password is later disclosed.
Known-key security - It prevents a disclosed session key from affecting the security of other sessions.
On-line dictionary attack resistance - It limits an active attacker to test only one password per protocol execution.

In 2015, Abdalla, Benhamouda and MacKenzie conducted an independent formal analysis of J-PAKE to prove its security in a random oracle model assuming algebraic adversaries.^[4]

The protocol design

The J-PAKE protocol is designed by combining random public keys in such a structured way to achieve a vanishing effect if both parties supplied exactly the same passwords. This is somehow similar to the Anonymous veto network protocol design. The essence of the idea, however, can be traced back to David Chaum's original Dining Cryptographers network protocol,^[5] where binary bits are combined in a structured way to achieve a vanishing effect.

The implementation

J-PAKE has been implemented in OpenSSL and OpenSSH as an experimental authentication protocol. It was removed from the OpenSSH source code at the end of January 2014.^[6] It has also been implemented in Smoke Crypto Chat Messenger,^[7] in NSS and was used by Firefox Sync version 1.1 but discontinued in 1.5 which uses a different key exchange and storage method.^[8] Mozilla's J-PAKE server was shut down along with the Sync 1.1 storage servers on 30 September 2015.^[9] Pale Moon continues to use J-PAKE as part of its Sync service.^[10] Since February 2013, J-PAKE has been added to the lightweight API in Bouncycastle (1.48 and onwards). J-PAKE is also used in the Thread (network protocol) ^[11]

Standardization

J-PAKE was included in ISO/IEC 11770-4 (2017) as an international standard.^[12] It is also published in RFC 8236.

Related Research Articles

Diffie–Hellman key exchange is a mathematical method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols as conceived by Ralph Merkle and named after Whitfield Diffie and Martin Hellman. DH is one of the earliest practical examples of public key exchange implemented within the field of cryptography. Published in 1976 by Diffie and Hellman, this is the earliest publicly known work that proposed the idea of a private key and a corresponding public key.

Quantum key distribution (QKD) is a secure communication method that implements a cryptographic protocol involving components of quantum mechanics. It enables two parties to produce a shared random secret key known only to them, which then can be used to encrypt and decrypt messages. The process of quantum key distribution is not to be confused with quantum cryptography, as it is the best-known example of a quantum-cryptographic task.

In cryptography, a key-agreement protocol is a protocol whereby two or more parties can agree on a cryptographic key in such a way that both influence the outcome. If properly done, this precludes undesired third parties from forcing a key choice on the agreeing parties. Protocols that are useful in practice also do not reveal to any eavesdropping party what key has been agreed upon.

In computer security, challenge–response authentication is a family of protocols in which one party presents a question ("challenge") and another party must provide a valid answer ("response") to be authenticated.

A commitment scheme is a cryptographic primitive that allows one to commit to a chosen value while keeping it hidden to others, with the ability to reveal the committed value later. Commitment schemes are designed so that a party cannot change the value or statement after they have committed to it: that is, commitment schemes are binding. Commitment schemes have important applications in a number of cryptographic protocols including secure coin flipping, zero-knowledge proofs, and secure computation.

A replay attack is a form of network attack in which valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and re-transmits it, possibly as part of a spoofing attack by IP packet substitution. This is one of the lower-tier versions of a man-in-the-middle attack. Replay attacks are usually passive in nature.

The Secure Remote Password protocol (SRP) is an augmented password-authenticated key exchange (PAKE) protocol, specifically designed to work around existing patents.

Encrypted Key Exchange is a family of password-authenticated key agreement methods described by Steven M. Bellovin and Michael Merritt. Although several of the forms of EKE in this paper were later found to be flawed, the surviving, refined, and enhanced forms of EKE effectively make this the first method to amplify a shared password into a shared key, where the shared key may subsequently be used to provide a zero-knowledge password proof or other functions.

MQV (Menezes–Qu–Vanstone) is an authenticated protocol for key agreement based on the Diffie–Hellman scheme. Like other authenticated Diffie–Hellman schemes, MQV provides protection against an active attacker. The protocol can be modified to work in an arbitrary finite group, and, in particular, elliptic curve groups, where it is known as elliptic curve MQV (ECMQV).

In cryptography, a zero-knowledge password proof (ZKPP) is a type of zero-knowledge proof that allows one party to prove to another party that it knows a value of a password, without revealing anything other than the fact that it knows the password to the verifier. The term is defined in IEEE P1363.2, in reference to one of the benefits of using a password-authenticated key exchange (PAKE) protocol that is secure against off-line dictionary attacks. A ZKPP prevents any party from verifying guesses for the password without interacting with a party that knows it and, in the optimal case, provides exactly one guess in each interaction.

In cryptography, a password-authenticated key agreement method is an interactive method for two or more parties to establish cryptographic keys based on one or more party's knowledge of a password.

SPEKE is a cryptographic method for password-authenticated key agreement.

Elliptic-curve Diffie–Hellman (ECDH) is a key agreement protocol that allows two parties, each having an elliptic-curve public–private key pair, to establish a shared secret over an insecure channel. This shared secret may be directly used as a key, or to derive another key. The key, or the derived key, can then be used to encrypt subsequent communications using a symmetric-key cipher. It is a variant of the Diffie–Hellman protocol using elliptic-curve cryptography.

In cryptography, a proof of knowledge is an interactive proof in which the prover succeeds in 'convincing' a verifier that the prover knows something. What it means for a machine to 'know something' is defined in terms of computation. A machine 'knows something', if this something can be computed, given the machine as an input. As the program of the prover does not necessarily spit out the knowledge itself a machine with a different program, called the knowledge extractor is introduced to capture this idea. We are mostly interested in what can be proven by polynomial time bounded machines. In this case the set of knowledge elements is limited to a set of witnesses of some language in NP.

In cryptography, the socialist millionaire problem is one in which two millionaires want to determine if their wealth is equal without disclosing any information about their riches to each other. It is a variant of the Millionaire's Problem whereby two millionaires wish to compare their riches to determine who has the most wealth without disclosing any information about their riches to each other.

In cryptography, the anonymous veto network is a multi-party secure computation protocol to compute the boolean-OR function. It was first proposed by Feng Hao and Piotr Zieliński in 2006. This protocol presents an efficient solution to the Dining cryptographers problem.

In cryptography, subliminal channels are covert channels that can be used to communicate secretly in normal looking communication over an insecure channel. Subliminal channels in digital signature crypto systems were found in 1984 by Gustavus Simmons.

The YAK is a public-key authenticated key-agreement protocol, proposed by Feng Hao in 2010. It is claimed to be the simplest authenticated key exchange protocol among the related schemes, including MQV, HMQV, Station-to-Station protocol, SSL/TLS etc. The authentication is based on public key pairs. As with other protocols, YAK normally requires a Public Key Infrastructure to distribute authentic public keys to the communicating parties. The security of YAK is disputed.

Non-commutative cryptography is the area of cryptology where the cryptographic primitives, methods and systems are based on algebraic structures like semigroups, groups and rings which are non-commutative. One of the earliest applications of a non-commutative algebraic structure for cryptographic purposes was the use of braid groups to develop cryptographic protocols. Later several other non-commutative structures like Thompson groups, polycyclic groups, Grigorchuk groups, and matrix groups have been identified as potential candidates for cryptographic applications. In contrast to non-commutative cryptography, the currently widely used public-key cryptosystems like RSA cryptosystem, Diffie–Hellman key exchange and elliptic curve cryptography are based on number theory and hence depend on commutative algebraic structures.

In cryptography, the open vote network is a secure multi-party computation protocol to compute the boolean-count function: namely, given a set of binary values 0/1 in the input, compute the total count of ones without revealing each individual value. This protocol was proposed by Feng Hao, Peter Ryan, and Piotr Zieliński in 2010. It extends Hao and Zieliński's anonymous veto network protocol by allowing each participant to count the number of veto votes while preserving the anonymity of those who have voted. The protocol can be generalized to support a wider range of inputs beyond just the binary values 0 and 1.

References

↑ F. Hao, P. Ryan. Password Authenticated Key Exchange by Juggling. Proceedings of the 16th International Workshop on Security Protocols, 2008.
↑ Jablon, David (October 1996). "Strong Password-Only Authenticated Key Exchange". ACM SIGCOMM Computer Communication Review. 26 (5): 5–26. CiteSeerX 10.1.1.57.4798 . doi:10.1145/242896.242897. S2CID 2870433.
↑ F. Hao, P. Ryan. J-PAKE: Authenticated Key Exchange Without PKI. Springer Transactions on Computational Science XI, Special Issue on Security in Computing, Part II, Vol. 6480, pp. 192-206, 2010.
↑ M. Abdalla, F. Benhamouda, P. MacKenzie Security of the J-PAKE Password-Authenticated Key Exchange Protocol.
↑ Chaum, David (1988). "The dining cryptographers problem: Unconditional sender and recipient untraceability". Journal of Cryptology. 1: 65–75. doi:10.1007/BF00206326. S2CID 2664614.
↑ "CVS log for src/usr.bin/ssh/Attic/jpake.c". cvsweb.openbsd.org. Retrieved 17 November 2023.
↑ Moonlander, Casio (2020). Smoke - An Android Echo Chat Software Application:: Personal Chat Messenger / Open Source Technical Website Reference Documentation. Norderstedt: BOD. p. 44. ISBN 9783752691993.
↑ "Firefox Sync's New Security Model". 30 April 2014.
↑ "Shutting down the legacy Sync service". 31 July 2015.
↑ "Pale Moon updated to 25.7.3! - Pale Moon forum".
↑ "Archived copy" (PDF). Archived from the original (PDF) on 2015-09-11. Retrieved 2015-09-15.{{cite web}}: CS1 maint: archived copy as title (link)
↑ "ISO/IEC 11770-4:2017(en)". iso.org. Retrieved 17 November 2023.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] F. Hao, P. Ryan. Password Authenticated Key Exchange by Juggling. Proceedings of the 16th International Workshop on Security Protocols, 2008.

[2] Jablon, David (October 1996). "Strong Password-Only Authenticated Key Exchange". ACM SIGCOMM Computer Communication Review. 26 (5): 5–26. CiteSeerX 10.1.1.57.4798 . doi:10.1145/242896.242897. S2CID 2870433.

[3] F. Hao, P. Ryan. J-PAKE: Authenticated Key Exchange Without PKI. Springer Transactions on Computational Science XI, Special Issue on Security in Computing, Part II, Vol. 6480, pp. 192-206, 2010.

[4] M. Abdalla, F. Benhamouda, P. MacKenzie Security of the J-PAKE Password-Authenticated Key Exchange Protocol.

[5] Chaum, David (1988). "The dining cryptographers problem: Unconditional sender and recipient untraceability". Journal of Cryptology. 1: 65–75. doi:10.1007/BF00206326. S2CID 2664614.

[6] "CVS log for src/usr.bin/ssh/Attic/jpake.c". cvsweb.openbsd.org. Retrieved 17 November 2023.

[7] Moonlander, Casio (2020). Smoke - An Android Echo Chat Software Application:: Personal Chat Messenger / Open Source Technical Website Reference Documentation. Norderstedt: BOD. p. 44. ISBN 9783752691993.

[8] "Firefox Sync's New Security Model". 30 April 2014.

[9] "Shutting down the legacy Sync service". 31 July 2015.

[10] "Pale Moon updated to 25.7.3! - Pale Moon forum".

[11] "Archived copy" (PDF). Archived from the original (PDF) on 2015-09-11. Retrieved 2015-09-15.{{cite web}}: CS1 maint: archived copy as title (link)

[12] "ISO/IEC 11770-4:2017(en)". iso.org. Retrieved 17 November 2023.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]