论文信息 - The SPEKE Protocol Revisited

The SPEKE Protocol Revisited

The SPEKE protocol is commonly considered one of the classic Password Authenticated Key Exchange (PAKE) schemes. It has been included in international standards (particularly, ISO/IEC 11770-4 and IEEE 1363.2) and deployed in commercial products (e.g., Blackberry). We observe that the original SPEKE specification is subtly different from those defined in the ISO/IEC 11770-4 and IEEE 1363.2 standards. We show that those differences have critical security implications by presenting two new attacks on SPEKE: an impersonation attack and a key-malleability attack. The first attack allows an attacker to impersonate a user without knowing the password by engaging in two parallel sessions with the victim. The second attack allows an attacker to manipulate the session key established between two honest users without being detected. Both attacks are applicable to the original SPEKE scheme, and are only partially addressed in the ISO/IEC 11770-4 and IEEE 1363.2 standards. We highlight deficiencies in both standards and suggest concrete changes.

Feng Hao | Siamak Fayyaz Shahandashti

[1] Elaine B. Barker,et al. SP 800-56A. Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised) , 2007 .

[2] Elaine B. Barker,et al. Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography , 2007 .

[3] David P. Jablon. Strong password-only authenticated key exchange , 1996, CCRV.

[4] Feng Hao. On Robust Key Agreement Based on Public Key Authentication , 2010, Financial Cryptography.

[5] Steven M. Bellovin,et al. Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise , 1993, CCS '93.

[6] Qiang Tang,et al. On the Security of Some Password-Based Key Agreement Schemes , 2005, CIS.

[7] Muxiang Zhang. Analysis of the SPEKE password-authenticated key exchange protocol , 2004, IEEE Commun. Lett..

[8] Feng Hao,et al. Password Authenticated Key Exchange by Juggling , 2008, Security Protocols Workshop.

[9] Steven M. Bellovin,et al. Encrypted key exchange: password-based protocols secure against dictionary attacks , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.