In cryptography, a password-authenticated key agreement method is an interactive method for two or more parties to establish cryptographic keys based on one or more party's knowledge of a password.

An important property is that an eavesdropper or man-in-the-middle cannot obtain enough information to be able to brute-force guess a password without further interactions with the parties for each (few) guesses. This means that strong security can be obtained using weak passwords.


Password-authenticated key agreement generally encompasses methods such as:

In the most stringent password-only security models, there is no requirement for the user of the method to remember any secret or public data other than the password.

Password-authenticated key exchange (PAKE) is a method in which two or more parties, based only on their knowledge of a shared password,[1] establish a cryptographic key using an exchange of messages, such that an unauthorized party (one who controls the communication channel but does not possess the password) cannot participate in the method and is constrained as much as possible from brute-force guessing the password. (The optimal case yields exactly one guess per run exchange.) Two forms of PAKE are balanced and augmented methods.[1]

Balanced PAKE

Balanced PAKE assumes the two parties in either a client-client or client-server situation use the same secret password to negotiate and authenticate a shared key.[1] Examples of these are:

Augmented PAKE

Augmented PAKE is a variation applicable to client/server scenarios, in which the server does not store password-equivalent data. This means that an attacker that stole the server data still cannot masquerade as the client unless they first perform a brute force search for the password. Some augmented PAKE systems use an oblivious pseudorandom function to mix the user's secret password with the server's secret salt value, so that the user never learns the server's secret salt value and the server never learns the user's password (or password-equivalent value) or the final key.[9]

Examples include:

Key retrieval

Password-authenticated key retrieval is a process in which a client obtains a static key in a password-based negotiation with a server that knows data associated with the password, such as the Ford and Kaliski methods. In the most stringent setting, one party uses only a password in conjunction with N (two or more) servers to retrieve a static key. This is completed in a way that protects the password (and key) even if N − 1 of the servers are completely compromised.

Brief history

The first successful password-authenticated key agreement methods were Encrypted Key Exchange methods described by Steven M. Bellovin and Michael Merritt in 1992. Although several of the first methods were flawed, the surviving and enhanced forms of EKE effectively amplify a shared password into a shared key, which can then be used for encryption and/or message authentication. The first provably-secure PAKE protocols were given in work by M. Bellare, D. Pointcheval, and P. Rogaway (Eurocrypt 2000) and V. Boyko, P. MacKenzie, and S. Patel (Eurocrypt 2000). These protocols were proven secure in the so-called random oracle model (or even stronger variants), and the first protocols proven secure under standard assumptions were those of O. Goldreich and Y. Lindell (Crypto 2001) which serves as a plausibility proof but is not efficient, and J. Katz, R. Ostrovsky, and M. Yung (Eurocrypt 2001) which is practical.

The first password-authenticated key retrieval methods were described by Ford and Kaliski in 2000.

A considerable number of alternative, secure PAKE protocols were given in work by M. Bellare, D. Pointcheval, and P. Rogaway, variations, and security proofs have been proposed in this growing class of password-authenticated key agreement methods. Current standards for these methods include IETF RFC 2945, RFC 5054, RFC 5931, RFC 5998, RFC 6124, RFC 6617, RFC 6628 and RFC 6631, IEEE Std 1363.2-2008, ITU-T X.1035 and ISO-IEC 11770-4:2006.

PAKE selection process for use in internet protocols

On request of the internet engineering task force IETF, a PAKE selection process has been carried out in 2018 and 2019 by the IRTF crypto forum research group (CFRG). The selection process has been carried out in several rounds.[17] In the final round in 2019 four finalists AuCPace, OPAQUE (augmented cases) and CPace, SPAKE2 (balanced PAKE) prevailed. As a result of the CFRG selection process, two winner protocols were declared as "recommended by the CFRG for usage in IETF protocols": CPace and OPAQUE. [18]

See also


  1. ^ Designed to be not encumbered by patents.[10]
  1. ^ a b c Hao, Feng; Ryan, Peter Y. A. (2011). Christianson, Bruce; Malcolm, James A.; Matyas, Vashek; Roe, Michael (eds.). "Password Authenticated Key Exchange by Juggling". Security Protocols XVI. Lecture Notes in Computer Science. Berlin, Heidelberg: Springer. 6615: 159–171. doi:10.1007/978-3-642-22137-8_23. ISBN 978-3-642-22137-8.
  2. ^ a b Boyko, V.; P. MacKenzie; S. Patel (2000). Provably Secure Password-Authenticated Key Exchange Using Diffie–Hellman. Advances in Cryptology – Eurocrypt 2000, LNCS. Lecture Notes in Computer Science. Vol. 1807. Springer-Verlag. pp. 156–171. doi:10.1007/3-540-45539-6_12. ISBN 978-3-540-67517-4.
  3. ^ Wang, Yongge (2006). "Security Analysis of a Password-Based Authentication Protocol Proposed to IEEE 1363" (PDF). Theoretical Computer Science. 352 (1–3): 280–287. arXiv:1207.5442. doi:10.1016/j.tcs.2005.11.038. S2CID 11618269.
  4. ^ "EC-SRP Java Card Applet". GitHub. March 2020.
  5. ^ Haase, Björn; Hesse, Julia; Abdalla, Michel (2021). "Security analysis of CPace" (PDF). Advances in Cryptology. Lecture Notes in Computer Science. 10822 (ASIACRYPT 2021): 456–486. doi:10.1007/978-3-319-78372-7_15. S2CID 4046378.
  6. ^ Abdalla, M.; D. Pointcheval (2005). Simple Password-Based Encrypted Key Exchange Protocols (PDF). Topics in Cryptology – CT-RSA 2005. Lecture Notes in Computer Science. Vol. 3376. Springer Berlin Heidelberg. pp. 191–208. CiteSeerX doi:10.1007/978-3-540-30574-3_14. ISBN 978-3-540-24399-1.
  7. ^ Ladd, Watson. Kaduk, Benjamin (ed.). "SPAKE2, a PAKE (Draft)". IETF.
  8. ^ a b US11025421B2, Fay, Bjorn, "Advanced modular handshake for key agreement and optional authentication", issued 2021-06-01 
  9. ^ Matthew Green. "Let's talk about PAKE". 2018.
  10. ^ "What is SRP?". Stanford University.
  11. ^ Shin, SeongHan; Kobara, Kazukuni (June 2012). "Efficient Augmented Password-Only Authentication and Key Exchange for IKEv2". Internet Engineering Task Force. Archived from the original on 12 May 2021.
  12. ^ Krawczyk, Hugo; Lewi, Kevin; Wood, Christopher. "The OPAQUE Asymmetric PAKE Protocol (Draft)". Internet Engineering Task Force.
  13. ^ Tatiana Bradley (2020-12-08). "OPAQUE: The Best Passwords Never Leave your Device". The Cloudflare Blog.
  14. ^ Bourdrez, Daniel; Krawczyk, Hugo; Lewi, Kevin; Wood, Christopher A. (2022-07-06). "The OPAQUE Asymmetric PAKE Protocol (Internet Draft)". IETF.
  15. ^ Haase, Björn; Labrique, Benoît (August 2010). "AuCPace: Efficient verifier-based PAKE protocol tailored for the IIoT" (PDF). TCHES: 1–48. doi:10.13154/tches.v2019.i2.1-48. S2CID 4603454.
  16. ^ Taubert, T.; Wood, C. "SPAKE2+, an Augmented PAKE (Draft)". IETF.
  17. ^ Repository for the CFRG Pake selection process
  18. ^ Results of the CFRG PAKE selection process

Further reading