Requirements for Password-Authenticated Key Agreement (PAKE) Schemes
RFC 8125
| Document | Type |
RFC - Informational
(April 2017; No errata)
Was draft-irtf-cfrg-pake-reqs (cfrg RG)
|
|
|---|---|---|---|
| Last updated | 2017-04-19 | ||
| Stream | IRTF | ||
| Formats | plain text pdf html bibtex | ||
| IETF conflict review | conflict-review-irtf-cfrg-pake-reqs | ||
| Stream | IRTF state | Published RFC | |
| Consensus Boilerplate | Yes | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | RFC 8125 (Informational) | |
| Telechat date | |||
| Responsible AD | (None) | ||
| Send notices to | (None) | ||
| IANA | IANA review state | Version Changed - Review Needed | |
| IANA action state | No IC | ||
Internet Research Task Force (IRTF) J. Schmidt Request for Comments: 8125 secunet Security Networks Category: Informational April 2017 ISSN: 2070-1721 Requirements for Password-Authenticated Key Agreement (PAKE) Schemes Abstract Password-Authenticated Key Agreement (PAKE) schemes are interactive protocols that allow the participants to authenticate each other and derive shared cryptographic keys using a (weaker) shared password. This document reviews different types of PAKE schemes. Furthermore, it presents requirements and gives recommendations to designers of new schemes. It is a product of the Crypto Forum Research Group (CFRG). Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This document is a product of the Internet Research Task Force (IRTF). The IRTF publishes the results of Internet-related research and development activities. These results might not be suitable for deployment. This RFC represents the consensus of the Crypto Forum Research Group of the Internet Research Task Force (IRTF). Documents approved for publication by the IRSG are not a candidate for any level of Internet Standard; see Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc8125. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Schmidt Informational [Page 1] RFC 8125 PAKE Scheme Requirements April 2017 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 3 3. PAKE Taxonomy . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1. Storage of the Password . . . . . . . . . . . . . . . . . 3 3.2. Transmission of Public Keys . . . . . . . . . . . . . . . 4 3.3. Two Party versus Multiparty . . . . . . . . . . . . . . . 4 4. Security of PAKEs . . . . . . . . . . . . . . . . . . . . . . 5 4.1. Implementation Aspects . . . . . . . . . . . . . . . . . 6 4.2. Special Case: Elliptic Curves . . . . . . . . . . . . . . 6 5. Protocol Considerations and Applications . . . . . . . . . . 7 6. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 7. Performance . . . . . . . . . . . . . . . . . . . . . . . . . 8 8. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 8 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 10. Security Considerations . . . . . . . . . . . . . . . . . . . 9 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 11.1. Normative References . . . . . . . . . . . . . . . . . . 9 11.2. Informative References . . . . . . . . . . . . . . . . . 9 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10 1. Introduction Passwords are the predominant method of accessing the Internet today due, in large part, to their intuitiveness and ease of use. Since a user needs to enter passwords repeatedly in many connections and applications, these passwords tend to be easy to remember and can be entered repeatedly with a low probability of error. They tend to be low-grade and not-so-random secrets that are susceptible to brute- force guessing attacks. A Password-Authenticated Key Exchange (PAKE) attempts to address this issue by constructing a cryptographic key exchange that does not result in the password, or password-derived data, being transmitted across an unsecured channel. Two parties in the exchange prove possession of the shared password without revealing it. Such exchanges are therefore resistant to offline, brute-force dictionary attacks. The idea was initially described by Bellovin and Merritt in [BM92] and has received considerable cryptographic attention since then. PAKEs are especially interesting due to the fact that they can achieve mutual authentication without requiring any Public Key Infrastructure (PKI). Schmidt Informational [Page 2]Show full document text