SPEKE (cryptography)
SPEKE is a cryptographic method for password-authenticated key agreement.
Description
The protocol consists of little more than a Diffie-Hellman key exchange where the Diffie-Hellman generator g is created from a hash of the password.
Here is one simple form of SPEKE:
- Alice and Bob agree to use an appropriately large and randomly selected safe prime p.
- Alice and Bob agree on a shared password π.
- Alice and Bob both construct g = hash(π)^2 mod p. (Squaring makes g a generator of the prime order subgroup of the multiplicative group of integers modulo p.)
- Alice chooses a secret random integer a, then sends Bob g^a mod p.
- Bob chooses a secret random integer b, then sends Alice g^b mod p.
- Alice and Bob each abort if their received values are not in the range [2,p-2], to prevent a small subgroup confinement attack.
- Alice computes K = (g^b mod p)^a mod p.
- Bob computes K = (g^a mod p)^b mod p.
Both Alice and Bob will arrive at the same value for K if and only if they use the same value for π.
Once Alice and Bob compute the shared secret K they can use it in a key confirmation protocol to prove to each other that they know the same password π, and to derive a shared secret encryption key for sending secure and authenticated messages to each other.
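The exchange above as an added Python example (not part of the original article and not taken from any SPEKE implementation). Assumptions: the 768-bit Oakley Group 1 safe prime from RFC 2409 as a demo-sized p, SHAKE-256 as the hash, an HMAC-SHA256 tag as the key confirmation step, and illustrative function names.

```python
import hashlib
import hmac
import secrets

# Demo parameter: the 768-bit safe prime of Oakley Group 1 (RFC 2409).
# It keeps the listing short and is too small for production use.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2                      # order of the subgroup of squares
NBYTES = (P.bit_length() + 7) // 8

def generator(password: str) -> int:
    """g = hash(pi)^2 mod p. Assumption: SHAKE-256 stretched to the width of p."""
    h = int.from_bytes(hashlib.shake_256(password.encode()).digest(NBYTES), "big")
    g = pow(h, 2, P)
    if g in (0, 1):                   # hash was 0 or +-1 mod p: degenerate generator
        raise ValueError("degenerate generator")
    return g

def keypair(g: int):
    """Pick a secret exponent in [1, q-1]; return it with the value to send, g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(g, x, P)

def shared_secret(own_exponent: int, received: int) -> int:
    """Abort unless the peer's value is in [2, p-2], then compute K."""
    if not 2 <= received <= P - 2:
        raise ValueError("received value outside [2, p-2]")
    return pow(received, own_exponent, P)

def confirmation_tag(k: int, sender: str) -> bytes:
    """Assumed key confirmation: HMAC-SHA256 keyed with K over the sender's name."""
    return hmac.new(k.to_bytes(NBYTES, "big"), sender.encode(), hashlib.sha256).digest()

def run_exchange(alice_password: str, bob_password: str) -> bool:
    """Run both sides; True if Bob's confirmation tag verifies under Alice's K."""
    a, to_bob = keypair(generator(alice_password))
    b, to_alice = keypair(generator(bob_password))
    k_alice = shared_secret(a, to_alice)
    k_bob = shared_secret(b, to_bob)
    return hmac.compare_digest(confirmation_tag(k_alice, "bob"),
                               confirmation_tag(k_bob, "bob"))
```

With mismatched passwords the two sides derive different generators, so the confirmation tag fails and each run gives the other side only a single yes/no answer about one password guess.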
Unlike unauthenticated Diffie-Hellman, SPEKE prevents man-in-the-middle attacks by incorporating the password. An attacker who is able to read and modify all messages between Alice and Bob cannot learn the shared key K and cannot make more than one guess for the password in each interaction with a party that knows it.
In general, SPEKE can use any prime order group that is suitable for public key cryptography, including elliptic curve cryptography.
History
SPEKE is one of the older and well-known protocols in the relatively new field of password-authenticated key exchange. It was first described by David Jablon in 1996. In this publication Jablon also suggested a variant where, in step 2 of the protocol, g is calculated as g = g_q^S with a constant g_q. However, this construction turned out to be insecure against dictionary attacks and was therefore no longer recommended in a revised version of the paper. In 1997 Jablon refined and enhanced SPEKE with additional variations, including an augmented password-authenticated key agreement method called B-SPEKE. Since 1997 no flaws have been published for SPEKE. A paper published by MacKenzie in 2001 presents a proof in the random oracle model that SPEKE is a secure PAKE protocol (using a somewhat relaxed definition) based on a variation of the Decision Diffie-Hellman assumption.
Since 1999, the protocol has been used by several companies in a variety of products, typically supplementing other cryptographic techniques.
See also
- Password-authenticated key agreement
- Password
- IEEE P1363
- Diffie-Hellman key exchange