Sandnes



SPEKE is an acronym for the simple password exponential key exchange scheme, a cryptographic method for password-authenticated key agreement.

The protocol consists of little more than a Diffie-Hellman key exchange where the Diffie-Hellman generator g is created from a hash of the password. SPEKE was first described by David Jablon in 1996 (1), and refined and enhanced in 1997 (2) with additional variations, including an augmented form called B-SPEKE.

Description

Here is one simple form of SPEKE:

  1. Alice and Bob agree to use an appropriately large and randomly selected safe prime p.
  2. Alice and Bob agree on a shared password π.
  3. Alice and Bob both construct g = hash(π)^2 mod p. (Squaring makes g a generator of the prime order subgroup of the multiplicative group of integers modulo p.)
  4. Alice chooses a secret random integer a, then sends Bob g^a mod p.
  5. Bob chooses a secret random integer b, then sends Alice g^b mod p.
  6. Alice and Bob each abort if their received values are not in the range [2, p-2], to prevent a small subgroup confinement attack.
  7. Alice computes K = (g^b mod p)^a mod p.
  8. Bob computes K = (g^a mod p)^b mod p.

Both Alice and Bob will arrive at the same value for K if and only if they use the same value for π. Once Alice and Bob compute the shared secret K, they can use it in a key confirmation protocol to prove to each other that they know the same password π, and to derive a shared secret encryption key for sending secure and authenticated messages to each other.
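
The eight steps above in Python, as an added example that is not part of the original article. SHA-256 as the hash, the function names, and the 64-bit safe prime found by toy_safe_prime are assumptions of this example; that prime is demonstration-sized and stands in for the "appropriately large" one step 1 requires.

```python
import hashlib
import secrets

def is_prime(n):
    """Miller-Rabin; these 12 bases give a deterministic answer for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_safe_prime(start=2**64):
    """Step 1 stand-in: first safe prime p = 2q + 1 above start (assumed demo size)."""
    q = (start // 2 + 1) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

def generator(password, p):
    """Step 3: g = hash(pi)^2 mod p; squaring lands g in the order-q subgroup."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")
    return pow(h, 2, p)

def keypair(password, p):
    """Steps 4/5: secret exponent x in [1, q-1] and the value g^x mod p to send."""
    x = secrets.randbelow((p - 1) // 2 - 1) + 1
    return x, pow(generator(password, p), x, p)

def shared_key(secret, received, p):
    """Steps 6-8: abort on a value outside [2, p-2], else K = received^secret mod p."""
    if not 2 <= received <= p - 2:
        raise ValueError("received value outside [2, p-2]; aborting")
    return pow(received, secret, p)
```

Each party calls keypair with its own copy of the password, sends the second return value, and passes the peer's value to shared_key; the results match only when both passwords hash to the same g.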

More generally, Alice and Bob can agree to use any prime order subgroup of a finite cyclic group G where it is easy to create a password-based generator of the subgroup.

Security

Unlike unauthenticated Diffie-Hellman, SPEKE prevents man-in-the-middle attacks by incorporating the password. An attacker who is able to read and modify all messages between Alice and Bob cannot learn the shared key K and cannot make more than one guess for the password in each interaction with a party that knows it.

SPEKE is one of the older and better-known protocols in the relatively new field of password-authenticated key exchange, and no flaws have been published for it since 1997 (2). A proof was published by MacKenzie in 2001 (3) that reduces the security of the scheme to a variation of the Decision Diffie-Hellman problem, in a somewhat relaxed security model.

Patents

U.S. patent 6,226,383 describes several variations of the method.

Standards

Standards that describe SPEKE include IEEE P1363.2 and ISO/IEC Draft 11770-4.

This article is licensed under the GNU Free Documentation License.