Password-authenticated key agreement
Password-authenticated key agreement (PAKE) is an interactive method for two or more parties to establish cryptographic keys based on one or more parties' knowledge of a password.
An important property is that an eavesdropper or man in the middle cannot obtain enough information to brute-force guess the password offline: each guess (or small batch of guesses) requires a further interaction with one of the parties. This means that strong security can be obtained from weak passwords.
The first milestone in PAKE research came in 1992, when Bellovin and Merritt introduced Encrypted Key Exchange (EKE). That work describes a so-called hybrid method, in which the password is just one more security layer in addition to a public key; a stricter, password-only formulation appeared in another 1992 paper by the same authors, S. Bellovin and M. Merritt. However, their work contains no security proof for the protocols described, let alone proofs applicable to different threat models. The first PAKE protocols proven secure were developed by M. Bellare, D. Pointcheval and P. Rogaway, and by V. Boyko, P. MacKenzie and S. Patel; the security proofs for these protocols were given in the random oracle model. Shortly afterwards the treatment of the various threat models was generalized, and the possibility of secure key negotiation even against the most powerful eavesdropper was actually proven.
Nowadays the protocols that make up the PAKE family are among the most widely deployed cryptographic primitives, because key distribution is required for higher-level tasks such as encryption and MAC computation. To agree on a key, the parties need information that each of them already holds. The most common approach to key distribution today is a preliminary exchange of public keys between the parties, followed by sending a cryptographically strong key encrypted under them. There are many protocols of this kind, usually based on the Diffie-Hellman protocol. However, all of them share one fundamental flaw: they resist passive eavesdropping but provide no mechanism whatsoever for authenticating the parties, let alone for proving possession of the key to counter traffic injection. Thus, if the certificate containing the second party's public key is somehow intercepted and replaced by the attacker's own, then, without actual knowledge of the recipient's certificate, the eavesdropping goes undetected. The applicability of the PAKE family is also justified by the fact that an attacker can only guess the password interactively, as opposed to the unlimited offline guessing that non-interactive authentication permits in classic protocols based on Diffie-Hellman.
Areas of PAKE applicability:
- Secure agreement on a public key even when the attacker actively controls the data link between the parties.
- Agreement on a high-entropy, cryptographically strong key using low-entropy passwords for mutual authentication.
- Some classes of protocols avoid the relatively expensive generation of a private key (RSA or ECDSA) for authentication and/or signatures on one of the sides, which allows these protocols (EKE / SRP) to be used on low-end devices (tokens, smart cards).
Password-authenticated key exchange (PAKE) is where two or more parties, based only on their knowledge of a password, establish a cryptographic key using an exchange of messages, such that an unauthorized party (one who controls the communication channel but does not possess the password) cannot participate in the method and is constrained as much as possible from brute-force guessing the password. (The optimal case yields exactly one guess per run of the exchange.) The two main forms of PAKE are balanced and augmented methods.
Password-authenticated key agreement generally encompasses methods such as:
- Balanced password-authenticated key exchange
- Augmented password-authenticated key exchange
- Password-authenticated key retrieval
- Multi-server methods
- Multi-party methods
In the most stringent password-only security models, there is no requirement for the user of the method to remember any secret or public data other than the password.
Balanced PAKE allows parties that use the same password to negotiate and authenticate a shared key. This means that both parties hold either the password or, in some cases, the private key for a corresponding public key. In some scenarios the PKI can be replaced by ephemeral keys in order to simplify the key exchange and require less user interaction for public key management.
Examples of these are:
- Encrypted Key Exchange (EKE)
- PAK and PPK
- SPEKE (Simple password exponential key exchange)
- Dragonfly (IEEE Std 802.11-2012, RFC 5931, RFC 6617)
- SPAKE1 and SPAKE2
- J-PAKE (Password Authenticated Key Exchange by Juggling)
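The following is an added example, not code from the original article or from any of the projects listed above. It implements a balanced PAKE in the style of SPAKE2 over a toy safe-prime group (a real deployment uses a standardized group or an elliptic curve): each side blinds its Diffie-Hellman share with a password-derived term, removes the peer's blinding, and derives a key that only matches when both passwords agree. It also illustrates the property stated in the introduction, namely that a passive eavesdropper who records both shares can form a plausible candidate for every password guess and so learns nothing that rules out any of them. The group search, salt, labels and party names are assumptions of this example.

```python
"""Balanced PAKE in the style of SPAKE2 over a toy safe-prime group.
Constructed example: the tiny group, salt, labels and names are illustrative."""
import hashlib
import hmac
import secrets


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


# Toy safe prime p = 2q + 1 found by search (assumption: a demo-sized group).
# All arithmetic happens in the order-q subgroup of quadratic residues,
# generated by G = 4 = 2^2.
Q = next(q for q in range(1 << 20, 1 << 21) if is_prime(q) and is_prime(2 * q + 1))
P = 2 * Q + 1
G = 4


def hash_to_group(label: bytes) -> int:
    """Public constant with no known discrete log (SPAKE2's M and N)."""
    h = 2 + int.from_bytes(hashlib.sha256(label).digest(), "big") % (P - 3)
    return pow(h, 2, P)  # squaring maps into the quadratic-residue subgroup


M = hash_to_group(b"SPAKE2 M")
N = hash_to_group(b"SPAKE2 N")


def password_scalar(password: str, salt: bytes = b"constructed-salt") -> int:
    """Map the shared password to w in [1, q-1]; use a memory-hard KDF in practice."""
    digest = hashlib.sha256(salt + password.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


class Party:
    def __init__(self, identity: bytes, password: str, mask: int):
        self.identity = identity
        self.w = password_scalar(password)
        self.mask = mask                       # M for the initiator, N for the responder
        self.x = secrets.randbelow(Q - 1) + 1  # ephemeral secret exponent
        # Public share g^x * mask^w: the password term hides the Diffie-Hellman value
        self.share = pow(G, self.x, P) * pow(mask, self.w, P) % P

    def derive_key(self, peer_share: int, peer_mask: int, transcript: bytes) -> bytes:
        # Strip the peer's password mask, then raise to our exponent: g^(xy)
        unmask = pow(pow(peer_mask, self.w, P), P - 2, P)  # modular inverse
        shared = pow(peer_share * unmask % P, self.x, P)
        ikm = transcript + self.w.to_bytes(4, "big") + shared.to_bytes(4, "big")
        return hashlib.sha256(ikm).digest()


def run_spake2(password_a: str, password_b: str):
    """One protocol run: returns both keys, the confirmation result and Alice's share."""
    alice, bob = Party(b"alice", password_a, M), Party(b"bob", password_b, N)
    transcript = (alice.identity + bob.identity
                  + alice.share.to_bytes(4, "big") + bob.share.to_bytes(4, "big"))
    key_a = alice.derive_key(bob.share, N, transcript)
    key_b = bob.derive_key(alice.share, M, transcript)
    # Explicit key confirmation: Alice MACs the transcript, Bob checks it under his key
    tag_a = hmac.new(key_a, b"confirm-A" + transcript, "sha256").digest()
    expected = hmac.new(key_b, b"confirm-A" + transcript, "sha256").digest()
    return key_a, key_b, hmac.compare_digest(tag_a, expected), alice.share


def eavesdropper_candidates(share: int, mask: int, guesses) -> dict:
    """What a passive attacker can compute from a recorded share for each password
    guess: share / mask^w'. Every result is a valid subgroup element, so the
    transcript alone does not rule out any guess; testing one needs a fresh run."""
    out = {}
    for guess in guesses:
        w = password_scalar(guess)
        candidate = share * pow(pow(mask, w, P), P - 2, P) % P
        out[guess] = pow(candidate, Q, P) == 1  # membership in the order-q subgroup
    return out


if __name__ == "__main__":
    ka, kb, confirmed, share = run_spake2("hunter2", "hunter2")
    print("same password  -> keys match:", ka == kb, "confirmed:", confirmed)
    ka, kb, confirmed, share = run_spake2("hunter2", "hunter3")
    print("wrong password -> keys match:", ka == kb, "confirmed:", confirmed)
    print("eavesdropper candidates all plausible:",
          all(eavesdropper_candidates(share, M, ["hunter2", "hunter3", "x"]).values()))
```

The confirmation tag is what turns the implicit agreement into explicit authentication: a peer with the wrong password derives a different key and fails the MAC check, and each failed run costs the attacker exactly one online interaction.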
Augmented PAKE is a variation applicable to client/server scenarios, in which the server does not store password-equivalent data. This means that an attacker who has stolen the server's data still cannot masquerade as the client unless they first perform a brute-force search for the password. There is also one more application area for augmented PAKE: on low-end devices the absence of a private key can be a serious limitation, and some of the most popular and secure balanced PAKE methods simply cannot be applied. Examples include:
- B-SPEKE and W-SPEKE
- SRP (Secure Remote Password protocol)
- AugPAKE (RFC 6628)
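The following is an added example, not code from the original article or from the SRP project. It implements an augmented PAKE in the style of SRP-6a over a toy safe-prime group (real SRP uses the RFC 5054 groups and a proper hash-to-integer encoding): the server enrolls a salt and a verifier v = g^x rather than the password, the client proves knowledge of the password by forming the session key, and a third function shows why a stolen verifier is not password-equivalent. The group search, the hash encoding, the user name and the passwords are assumptions of this example.

```python
"""Augmented PAKE in the style of SRP-6a over a toy safe-prime group.
Constructed example: the tiny group, salts, names and passwords are illustrative."""
import hashlib
import secrets


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


# Toy safe prime N = 2q + 1 found by search (assumption: a demo-sized group);
# G = 4 generates the order-q quadratic-residue subgroup.
Q = next(q for q in range(1 << 20, 1 << 21) if is_prime(q) and is_prime(2 * q + 1))
N = 2 * Q + 1
G = 4


def H(*parts) -> int:
    """Hash ints and bytes to an integer (toy encoding without length prefixes)."""
    h = hashlib.sha256()
    for part in parts:
        if isinstance(part, int):
            part = part.to_bytes((part.bit_length() + 7) // 8 or 1, "big")
        h.update(part)
    return int.from_bytes(h.digest(), "big")


K_MULT = H(N, G) % N  # SRP-6a multiplier k = H(N, g)


def private_x(username: str, password: str, salt: bytes) -> int:
    """x = H(salt, H(I ":" P)) reduced to [1, q-1]; use a memory-hard KDF in practice."""
    return 1 + H(salt, H(username.encode(), b":", password.encode())) % (Q - 1)


def register(username: str, password: str) -> dict:
    """Enrollment: the server stores (salt, verifier v = g^x), never the password."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "verifier": pow(G, private_x(username, password, salt), N)}


class Server:
    def __init__(self, record: dict):
        self.record = record

    def challenge(self, A: int):
        if A % N == 0:
            raise ValueError("client share A must be non-zero mod N")
        self.A, self.b = A, secrets.randbelow(Q - 1) + 1
        self.B = (K_MULT * self.record["verifier"] + pow(G, self.b, N)) % N
        return self.record["salt"], self.B

    def verify(self, client_proof: int) -> bool:
        u = H(self.A, self.B) % Q
        if u == 0:
            raise ValueError("degenerate scrambling parameter u")
        # S = (A * v^u)^b = g^(ab) * g^(bux): only a client knowing x can match this
        S = pow(self.A * pow(self.record["verifier"], u, N) % N, self.b, N)
        return client_proof == H(self.A, self.B, H(S))


def client_login(username: str, password: str, server: Server) -> bool:
    """Genuine client: derives x from the password and proves it via the session key."""
    a = secrets.randbelow(Q - 1) + 1
    A = pow(G, a, N)
    salt, B = server.challenge(A)
    if B % N == 0:
        raise ValueError("server share B must be non-zero mod N")
    u = H(A, B) % Q
    x = private_x(username, password, salt)
    # S = (B - k*g^x)^(a + u*x) = (g^b)^(a + u*x), equal to the server's S iff x matches
    S = pow((B - K_MULT * pow(G, x, N)) % N, a + u * x, N)
    return server.verify(H(A, B, H(S)))


def stolen_verifier_login(record: dict, server: Server) -> bool:
    """Someone holding the stolen (salt, v) but not x attempts the client role.
    Without x the only value they can form is (B - k*v)^a = g^(ab), which lacks
    the g^(bux) factor the server expects, so the proof fails."""
    a = secrets.randbelow(Q - 1) + 1
    A = pow(G, a, N)
    _, B = server.challenge(A)
    S_attempt = pow((B - K_MULT * record["verifier"]) % N, a, N)
    return server.verify(H(A, B, H(S_attempt)))


if __name__ == "__main__":
    record = register("alice", "correct horse battery staple")
    print("right password :", client_login("alice", "correct horse battery staple", Server(record)))
    print("wrong password :", client_login("alice", "wrong password", Server(record)))
    print("stolen verifier:", stolen_verifier_login(record, Server(record)))
```

The contrast with the balanced case is the stored record: a breached balanced-PAKE server leaks the password scalar itself, whereas here the thief holds only g^x and must still guess the password (online against this server, or offline through a dictionary attack on the verifier, which is why the salt and a slow KDF matter).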
Password-authenticated key retrieval is a process in which a client obtains a static key in a password-based negotiation with a server that knows data associated with the password. In this type of protocol the user obtains the necessary data from the server after the two sides have authenticated each other with the password. Importantly, even after N-1 of the N servers are completely compromised, those N-1 servers can impersonate neither the client nor the full set of N servers. This makes such schemes useful when some variant of threshold signature or another threshold cryptographic algorithm needs to be implemented.
Multi-party and multi-server methods are modifications of well-known protocols, used to distribute a cryptographic key among parties that share some low-entropy password. Most multi-party cases use balanced methods, and most multi-server cases use modifications of augmented methods.
See the bibliography under the section "Password authenticated key agreement".
Головченко А., 2015