SPEKE (cryptography)

SPEKE (Simple Password Exponential Key Exchange) is a cryptographic method for password-authenticated key agreement.

Description

The protocol consists of little more than a Diffie-Hellman key exchange where the Diffie-Hellman generator g is created from a hash of the password.

Here is one simple form of SPEKE:

1. Alice and Bob agree to use an appropriately large and randomly selected safe prime p.
2. Alice and Bob agree on a shared password π.
3. Alice and Bob both construct g = hash(π)^2 mod p. (Squaring makes g a generator of the prime-order subgroup of the multiplicative group of integers modulo p.)
4. Alice chooses a secret random integer a, then sends Bob g^a mod p.
5. Bob chooses a secret random integer b, then sends Alice g^b mod p.
6. Alice and Bob each abort if the value they received is not in the range [2, p-2], to prevent a small-subgroup confinement attack.
7. Alice computes K = (g^b mod p)^a mod p.
8. Bob computes K = (g^a mod p)^b mod p.
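The eight steps above, as an added example that is not part of the original article: a toy Python implementation with a constructed 10-bit safe prime (far too small for real use), SHA-256 as the hash, and the range check of step 6 enforced before exponentiation. Re-hashing a degenerate generator (g in {0, 1}) is this example's own convention, not something the article specifies.

```python
import hashlib
import secrets

# Constructed toy parameters: p = 2q + 1 = 1019 is a safe prime (q = 509).
# Illustration only; real deployments use safe primes of 2048 bits or more.
P = 1019
Q = (P - 1) // 2


def speke_generator(password, p=P):
    """Step 3: g = hash(pi)^2 mod p. Squaring puts g in the order-q subgroup."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")
    g = pow(h, 2, p)
    # g in {0, 1} would be useless as a generator; re-hash until it is not
    # (assumption of this example; the article does not specify the handling).
    while g in (0, 1):
        h = int.from_bytes(hashlib.sha256(h.to_bytes(32, "big")).digest(), "big")
        g = pow(h, 2, p)
    return g


def valid_element(x, p=P):
    """Step 6: only [2, p-2] is accepted; 0, 1 and p-1 would confine K to a tiny subgroup."""
    return 2 <= x <= p - 2


class Party:
    """One side of the exchange (Alice or Bob)."""

    def __init__(self, password, p=P, secret=None):
        self.p = p
        self.g = speke_generator(password, p)
        # Steps 4/5: secret exponent in [1, q-1]; a fixed value is only for reproducible tests
        self.secret = secret if secret is not None else secrets.randbelow((p - 1) // 2 - 1) + 1

    def public_value(self):
        return pow(self.g, self.secret, self.p)

    def shared_key(self, peer_value):
        # Step 6: abort on an out-of-range value before touching it with the secret exponent
        if not valid_element(peer_value, self.p):
            raise ValueError("abort: received value outside [2, p-2]")
        # Steps 7/8: K = (peer_value)^secret mod p
        return pow(peer_value, self.secret, self.p)


def run_speke(alice_pw, bob_pw, a=None, b=None):
    """Run one exchange; returns (K_alice, K_bob), equal iff both sides derived the same g."""
    alice, bob = Party(alice_pw, secret=a), Party(bob_pw, secret=b)
    return alice.shared_key(bob.public_value()), bob.shared_key(alice.public_value())
```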

Both Alice and Bob will arrive at the same value for K if and only if they use the same value for π. Once Alice and Bob have computed the shared secret K, they can use it in a key confirmation protocol to prove to each other that they know the same password π, and to derive a shared secret encryption key for sending secure and authenticated messages to each other.

Unlike unauthenticated Diffie-Hellman, SPEKE prevents man-in-the-middle attacks by incorporating the password. An attacker who is able to read and modify all messages between Alice and Bob cannot learn the shared key K and cannot make more than one guess at the password in each interaction with a party that knows it.

In general, SPEKE can use any prime order group that is suitable for public key cryptography, including elliptic curve cryptography.

History

SPEKE is one of the older and well-known protocols in the relatively new field of password-authenticated key exchange. It was first described by David Jablon in 1996.[1] In this publication Jablon also suggested a variant where, in step 2 of the protocol, g is calculated as g = g_q^S with a constant g_q. However, this construction turned out to be insecure against dictionary attacks and was therefore no longer recommended in a revised version of the paper. In 1997 Jablon refined and enhanced SPEKE with additional variations, including an augmented password-authenticated key agreement method called B-SPEKE.[2] Since 1997 no flaws have been published for SPEKE. A paper published by MacKenzie in 2001 presents a proof in the random oracle model that SPEKE is a secure PAKE protocol (using a somewhat relaxed definition) based on a variation of the Decision Diffie-Hellman assumption.[3]

Since 1999, the protocol has been used by several companies in a variety of products, typically supplementing other cryptographic techniques.

Patents

US patent 6226383 describes several variations of the method.

Standards

Standards that describe SPEKE include IEEE P1363.2 and ISO/IEC Draft 11770-4.

References

1. Jablon, David (October 1996). "Strong Password-Only Authenticated Key Exchange". Computer Communication Review (ACM SIGCOMM) 26 (5): 5–26. doi:10.1145/242896.242897. http://www.jablon.org/passwordlinks.html#Jab96
2. Jablon, David (June 1997). "Extended Password Key Exchange Protocols Immune to Dictionary Attack". Proceedings of the Sixth Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WET-ICE '97), Cambridge, MA, USA. IEEE Computer Society: 248–255. doi:10.1109/LCN.1997.630994. http://www.jablon.org/passwordlinks.html#Jab97
3. MacKenzie, Philip (2001-07-19). "On the Security of the SPEKE Password-Authenticated Key Exchange Protocol". http://eprint.iacr.org/2001/057/. Retrieved 2008-03-22.

See also

* Password-authenticated key agreement
* Password
* IEEE P1363
* Diffie-Hellman key exchange

External links

* Links for password-based cryptography: http://www.jablon.org/passwordlinks.html#Jab97


Wikimedia Foundation. 2010.