J-PAKE: Password-Authenticated Key Exchange by Juggling
RFC 8236

Document Type RFC - Informational (September 2017; No errata)
Was draft-hao-jpake (individual)
Last updated 2017-09-05
Stream ISE
Formats plain text pdf html bibtex
IETF conflict review conflict-review-hao-jpake
Stream ISE state Published RFC
Consensus Boilerplate Unknown
Document shepherd Nevil Brownlee
Shepherd write-up Show (last changed 2017-05-10)
IESG IESG state RFC 8236 (Informational)
Telechat date
Responsible AD (None)
Send notices to Nevil Brownlee <rfc-ise@rfc-editor.org>
IANA IANA review state IANA OK - No Actions Needed
IANA action state No IC
Independent Submission                                       F. Hao, Ed.
Request for Comments: 8236                     Newcastle University (UK)
Category: Informational                                   September 2017
ISSN: 2070-1721

        J-PAKE: Password-Authenticated Key Exchange by Juggling

Abstract

   This document specifies a Password-Authenticated Key Exchange by
   Juggling (J-PAKE) protocol.  This protocol allows the establishment
   of a secure end-to-end communication channel between two remote
   parties over an insecure network solely based on a shared password,
   without requiring a Public Key Infrastructure (PKI) or any trusted
   third party.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This is a contribution to the RFC Series, independently of any other
   RFC stream.  The RFC Editor has chosen to publish this document at
   its discretion and makes no statement about its value for
   implementation or deployment.  Documents approved for publication by
   the RFC Editor are not a candidate for any level of Internet
   Standard; see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc8236.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Hao                           Informational                     [Page 1]
RFC 8236                         J-PAKE                   September 2017

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   3
     1.2.  Notation  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  J-PAKE over Finite Field  . . . . . . . . . . . . . . . . . .   4
     2.1.  Protocol Setup  . . . . . . . . . . . . . . . . . . . . .   4
     2.2.  Two-Round Key Exchange  . . . . . . . . . . . . . . . . .   5
     2.3.  Computational Cost  . . . . . . . . . . . . . . . . . . .   6
   3.  J-PAKE over Elliptic Curve  . . . . . . . . . . . . . . . . .   7
     3.1.  Protocol Setup  . . . . . . . . . . . . . . . . . . . . .   7
     3.2.  Two-Round Key Exchange  . . . . . . . . . . . . . . . . .   7
     3.3.  Computational Cost  . . . . . . . . . . . . . . . . . . .   8
   4.  Three-Pass Variant  . . . . . . . . . . . . . . . . . . . . .   8
   5.  Key Confirmation  . . . . . . . . . . . . . . . . . . . . . .   9
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  11
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  12
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  12
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  12
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  14
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  15
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  15

1.  Introduction

   Password-Authenticated Key Exchange (PAKE) is a technique that aims
   to establish secure communication between two remote parties solely
   based on their shared password, without relying on a Public Key
   Infrastructure or any trusted third party [BM92].  The first PAKE
   protocol, called Encrypted Key Exchange (EKE), was proposed by Steven
   Bellovin and Michael Merrit in 1992 [BM92].  Other well-known PAKE
   protocols include Simple Password Exponential Key Exchange (SPEKE) by
   David Jablon in 1996 [Jab96] and Secure Remote Password (SRP) by Tom
   Wu in 1998 [Wu98].  SRP has been revised several times to address
   reported security and efficiency issues.  In particular, the version
   6 of SRP, commonly known as SRP-6, is specified in [RFC5054].

   This document specifies a PAKE protocol called Password-Authenticated
   Key Exchange by Juggling (J-PAKE), which was designed by Feng Hao and
   Peter Ryan in 2008 [HR08].  There are a few factors that may be
   considered in favor of J-PAKE.  First, J-PAKE has security proofs,
   while equivalent proofs are lacking in EKE, SPEKE and SRP-6.  Second,
   J-PAKE follows a completely different design approach from all other
   PAKE protocols, and is built upon a well-established Zero Knowledge
   Proof (ZKP) primitive: Schnorr NIZK proof [RFC8235].  Third, J-PAKE
   adopts novel engineering techniques to optimize the use of ZKP so
   that overall the protocol is sufficiently efficient for practical
   use.  Fourth, J-PAKE is designed to work generically in both the
Show full document text