Requirements for Password-Authenticated Key Agreement (PAKE) Schemes
RFC 8125
Internet Research Task Force (IRTF)                           J. Schmidt
Request for Comments: 8125                     secunet Security Networks
Category: Informational                                       April 2017
ISSN: 2070-1721
Abstract
Password-Authenticated Key Agreement (PAKE) schemes are interactive
protocols that allow the participants to authenticate each other and
derive shared cryptographic keys using a (weaker) shared password.
This document reviews different types of PAKE schemes. Furthermore,
it presents requirements and gives recommendations to designers of
new schemes. It is a product of the Crypto Forum Research Group
(CFRG).
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Research Task Force
(IRTF). The IRTF publishes the results of Internet-related research
and development activities. These results might not be suitable for
deployment. This RFC represents the consensus of the Crypto Forum
Research Group of the Internet Research Task Force (IRTF). Documents
approved for publication by the IRSG are not a candidate for any
level of Internet Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc8125.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Schmidt Informational [Page 1]
RFC 8125 PAKE Scheme Requirements April 2017
Table of Contents
1. Introduction
2. Requirements Notation
3. PAKE Taxonomy
  3.1. Storage of the Password
  3.2. Transmission of Public Keys
  3.3. Two Party versus Multiparty
4. Security of PAKEs
  4.1. Implementation Aspects
  4.2. Special Case: Elliptic Curves
5. Protocol Considerations and Applications
6. Privacy
7. Performance
8. Requirements
9. IANA Considerations
10. Security Considerations
11. References
  11.1. Normative References
  11.2. Informative References
Author's Address
1. Introduction
Passwords are the predominant method of accessing the Internet today
due, in large part, to their intuitiveness and ease of use. Since a
user needs to enter passwords repeatedly in many connections and
applications, these passwords tend to be easy to remember and can be
entered repeatedly with a low probability of error. They tend to be
low-grade and not-so-random secrets that are susceptible to brute-
force guessing attacks.
A Password-Authenticated Key Exchange (PAKE) attempts to address this
issue by constructing a cryptographic key exchange that does not
result in the password, or password-derived data, being transmitted
across an unsecured channel. Two parties in the exchange prove
possession of the shared password without revealing it. Such
exchanges are therefore resistant to offline, brute-force dictionary
attacks. The idea was initially described by Bellovin and Merritt in
[BM92] and has received considerable cryptographic attention since
then. PAKEs are especially interesting due to the fact that they can
achieve mutual authentication without requiring any Public Key
Infrastructure (PKI).
Different types of PAKE schemes are reviewed in this document. It
defines requirements for new schemes and gives additional