SPEKE (Simple Password Exponential Key Exchange) is a cryptographic method for password-authenticated key agreement.

Description

The protocol consists of little more than a Diffie–Hellman key exchange where the Diffie–Hellman generator g is created from a hash of the password.

Here is one simple form of SPEKE:

1. Alice and Bob agree to use an appropriately large and randomly selected safe prime p, as well as a hash function H().
2. Alice and Bob agree on a shared password π.
3. Alice and Bob both construct g = H(π)^2 mod p. (Squaring makes g a generator of the prime order subgroup of the multiplicative group of integers modulo p.)
4. Alice chooses a secret random integer a, then sends Bob g^a mod p.
5. Bob chooses a secret random integer b, then sends Alice g^b mod p.
6. Alice and Bob each abort if their received values are not in the expected range, to prevent a small subgroup confinement attack.
7. Alice computes K = (g^b mod p)^a mod p.
8. Bob computes K = (g^a mod p)^b mod p.

Both Alice and Bob will arrive at the same value for K if and only if they use the same value for π. Once Alice and Bob compute the shared secret K, they can use it in a key confirmation protocol to prove to each other that they know the same password π, and to derive a shared secret encryption key for sending secure and authenticated messages to each other. The use of a key confirmation protocol is optional, as specified in the IEEE P1363.2 and ISO/IEC 11770-4 standards.

Unlike unauthenticated Diffie–Hellman, SPEKE prevents a man-in-the-middle attack by the incorporation of the password. An attacker who is able to read and modify all messages between Alice and Bob cannot learn the shared key K and cannot make more than one guess for the password in each interaction with a party that knows it.

In general, SPEKE can use any prime order group that is suitable for public key cryptography, including elliptic-curve cryptography. However, when SPEKE is realized using elliptic-curve cryptography, the protocol is essentially changed by requiring an additional primitive that must securely map a password onto a random point on the designated elliptic curve. (This primitive is called the IOP or Integer-to-Point function in IEEE P1363.2 and ISO/IEC 11770-4.)

History

SPEKE is one of the older and well-known protocols in the relatively new field of password-authenticated key exchange. It was first described by David Jablon in 1996. In this publication Jablon also suggested a variant where, in step 2 of the protocol, g is calculated as a power of a constant g_q (g = g_q^(…)). However, this construction turned out to be insecure against dictionary attacks and was therefore no longer recommended in a revised version of the paper. In 1997 Jablon refined and enhanced SPEKE with additional variations, including an augmented password-authenticated key agreement method called B-SPEKE. A paper published by MacKenzie in 2001 presents a proof in the random oracle model that SPEKE is a secure PAKE protocol (using a somewhat relaxed definition) based on a variation of the Decision Diffie–Hellman assumption. However, the proof treats the key confirmation function in SPEKE as mandatory, which is not how SPEKE is specified in the IEEE P1363.2 and ISO/IEC 11770-4 standards.

Since 1999, the protocol has been used by several companies in a variety of products, typically supplementing other cryptographic techniques.

In 2014, two attacks were identified against the SPEKE protocol as specified in Jablon's original 1996 paper and in the IEEE P1363.2 (D26) and ISO/IEC 11770-4 (2006) standards. The first attack allows an active attacker to impersonate a user without knowing the password by launching two parallel sessions with the victim. The second attack allows a man-in-the-middle attacker to manipulate the session key between two honest users without being detected. The first attack indicates a practical weakness of the protocol, while the second attack has theoretical implications for security proofs of SPEKE. During the ISO/IEC JTC 1/SC 27 meeting in Mexico City in October 2014, the two attacks were discussed by the technical committee in ISO/IEC SC 27/Work Group 2, and it was agreed that the SPEKE specification in ISO/IEC 11770-4 (2006) should be revised to address the identified issues. The proposed patch involves explicitly defining session identities and including those identities in the key derivation function in a way that does not change the symmetry of the protocol. The patched SPEKE has been published in ISO/IEC 11770-4 (2017). However, the SPEKE specification in IEEE P1363.2 remains unpatched.

Patents

U.S. patent 6,226,383 describes several variations of the method. This patent expired in March 2017.

Standards

Standards that describe SPEKE include IEEE P1363.2 and ISO/IEC 11770-4. In the latest ISO/IEC 11770-4 (2017) standard, the SPEKE specification is revised from the previous one in ISO/IEC 11770-4 (2006) to address the two attacks reported by Hao and Shahandashti in 2014.

References

1. Jablon, David (October 1996). "Strong Password-Only Authenticated Key Exchange". ACM SIGCOMM Computer Communication Review. 26 (5): 5–26. CiteSeerX 10.1.1.57.4798. doi:10.1145/242896.242897. S2CID 2870433.
2. Jablon, David (20 June 1997). "Extended password key exchange protocols immune to dictionary attack". Proceedings of IEEE 6th Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises. Cambridge, MA, USA: IEEE Computer Society. pp. 248–255. CiteSeerX 10.1.1.30.8102. doi:10.1109/ENABL.1997.630822. ISBN 978-0-8186-7967-4. S2CID 10568917.
3. MacKenzie, Philip (2001-07-19). "On the Security of the SPEKE Password-Authenticated Key Exchange Protocol". Retrieved 2008-03-22.
4. Hao, F.; Shahandashti, S.F. (2014). "The SPEKE Protocol Revisited". Proceedings of the 1st International Conference on Security Standardisation Research.
5. "Online Browsing Platform (OBP)". Archived from the original on 2012-08-21.

External links

Links for password-based cryptography
IETF - SPEKE methods (work in progress)