
SPAKE Pre-Authentication

The information below is for an old version of the document.
Document type: This is an older version of an Internet-Draft whose latest revision state is "Replaced". Expired & archived.
Author: Nathaniel McCallum
Last updated: 2015-11-02 (Latest revision 2015-04-24)
Replaced by: draft-ietf-kitten-krb-spake-preauth
RFC stream: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active.


This document defines a new password-authenticated key exchange based pre-authentication mechanism for performing Kerberos authentication. This mechanism has three goals. First, it makes Kerberos pre-authentication more resilient against time synchronization errors by removing the need to transfer an encrypted timestamp. Second, it increases the security of the Kerberos pre-authentication exchange by making offline brute-force attacks impossible. Third, it enables the use of secure second factor authentication without FAST by utilizing the existing trust relationship established by the shared first factor.


Nathaniel McCallum

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)