Abstract
Currently, the Simple Password-Based Encrypted Key Exchange (SPAKE2) protocol of Abdalla and Pointcheval (CT-RSA 2005) is being considered by the IETF for standardization and integration in TLS 1.3. Although it has been proven secure in the Find-then-Guess model of Bellare, Pointcheval and Rogaway (EUROCRYPT 2000), whether it satisfies some notion of forward secrecy remains an open question.
In this work, we prove that the SPAKE2 protocol satisfies the so-called weak forward secrecy introduced by Krawczyk (CRYPTO 2005). Furthermore, we demonstrate that the incorporation of key-confirmation codes in SPAKE2 results in a protocol that provably satisfies the stronger notion of perfect forward secrecy. As forward secrecy is an explicit requirement for cipher suites supported in the TLS handshake, we believe this work could fill the gap in the literature and facilitate the adoption of SPAKE2 in the recently approved TLS 1.3.
Notes
1. A typical client should not be expected to verify the certificate details.
2. However, in TLS 1.3 there still remain some configurations that do not satisfy forward secrecy.
3. The server usually stores some function \(f(\cdot )\) of the password, while the client needs to compute \(f(\pi )\) for every protocol run. This difference is relevant in (i) PPK, PAK and (ii) SPAKE2 and PFS-SPAKE2, as \(f(\cdot )\) requires hashing into groups in (i) and group exponentiations in (ii).
References
Bellovin, S.M., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: 1992 IEEE Symposium on Research in Security and Privacy, SP 1992, pp. 72–84 (1992)
Boyko, V., MacKenzie, P., Patel, S.: Provably secure password-authenticated key exchange using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 156–171. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_12
MacKenzie, P.: The PAK suite: protocols for password-authenticated key exchange. DIMACS Technical report 2002–46 (2002)
Hao, F., Ryan, P.: J-PAKE: authenticated key exchange without PKI. Trans. Comput. Sci. 11, 192–206 (2010)
Abdalla, M., Benhamouda, F., MacKenzie, P.: Security of the J-PAKE password authenticated key exchange protocol. In: IEEE Symposium on Security and Privacy, SP 2015, pp. 571–587. IEEE Computer Society (2015)
Wu, T.D.: The secure remote password protocol. In: Proceedings of the Network and Distributed System Security Symposium. The Internet Society (1998)
Jablon, D.P.: Strong password-only authenticated key exchange. ACM SIGCOMM Comput. Commun. Rev. 26(5), 5–26 (1996)
Abdalla, M., Pointcheval, D.: Simple password-based encrypted key exchange protocols. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 191–208. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3_14
Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_11
Abdalla, M., Fouque, P.-A., Pointcheval, D.: Password-based authenticated key exchange in the three-party setting. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 65–84. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30580-4_6
Canetti, R., Halevi, S., Katz, J., Lindell, Y., MacKenzie, P.: Universally composable password-based key exchange. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 404–421. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_24
Chen, L., Lim, H.W., Yang, G.: Cross-domain password-based authenticated key exchange revisited. ACM Trans. Inf. Syst. Secur. 16(4), 15:1–15:32 (2014)
Goldreich, O., Lindell, Y.: Session-key generation using human passwords only. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 408–432. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_24
Kunz-Jacques, S., Pointcheval, D.: About the security of MTI/C0 and MQV. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 156–172. Springer, Heidelberg (2006). https://doi.org/10.1007/11832072_11
Vacca, J.R.: Computer and Information Security Handbook, 2nd edn. Morgan Kaufmann Publishers Inc., San Francisco (2013)
Ladd, W., Kaduk, B.: SPAKE2, a PAKE. Internet-Draft draft-irtf-cfrg-spake2-05, IETF Secretariat, February 2018. http://www.ietf.org/internet-drafts/draft-irtf-cfrg-spake2-05.txt
McCallum, N., Sorce, S., Harwood, R., Hudson, G.: SPAKE pre-authentication. Internet-Draft draft-ietf-kitten-krb-spake-preauth-05, IETF Secretariat, February 2018. http://www.ietf.org/internet-drafts/draft-ietf-kitten-krb-spake-preauth-05.txt
Barnes, R., Friel, O.: Usage of SPAKE with TLS 1.3. Internet-Draft draft-barnes-tls-pake-01, IETF Secretariat, April 2018. http://www.ietf.org/internet-drafts/draft-barnes-tls-pake-01.txt
Rescorla, E.: The transport layer security (TLS) protocol version 1.3. Internet-Draft draft-ietf-tls-tls13-28, IETF Secretariat, March 2018. http://www.ietf.org/internet-drafts/draft-ietf-tls-tls13-28.txt
Taylor, D., Wu, T., Mavrogiannopoulos, N., Perrin, T.: Using the secure remote password (SRP) protocol for TLS authentication. RFC 5054, RFC Editor, November 2007
Engler, J., Karlof, C., Shi, E., Song, D.: Is it too late for PAKE? In: Web 2.0 Security and Privacy Workshop 2009 (W2SP 2009), May 2009
Law, L., Menezes, A., Qu, M., Solinas, J., Vanstone, S.: An efficient protocol for authenticated key agreement. Des. Codes Cryptogr. 28(2), 119–134 (2003)
Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_33
Diffie, W., Van Oorschot, P.C., Wiener, M.J.: Authentication and authenticated key exchanges. Des. Codes Cryptogr. 2(2), 107–125 (1992)
Shoup, V.: On formal models for secure key exchange. Cryptology ePrint Archive, Report 1999/012 (1999). http://eprint.iacr.org/1999/012
Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_28
LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-75670-5_1
Katz, J., Ostrovsky, R., Yung, M.: Forward secrecy in password-only key exchange protocols. In: Cimato, S., Persiano, G., Galdi, C. (eds.) SCN 2002. LNCS, vol. 2576, pp. 29–44. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36413-7_3
Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_21
Bellare, M., Rogaway, P.: Provably secure session key distribution: the three party case. In: Leighton, F.T., Borodin, A. (eds.) Proceedings of the Twenty-Seventh Annual ACM Symposium on Theory of Computing, STOC 1995, pp. 57–66. ACM (1995)
Becerra, J., Iovino, V., Ostrev, D., Šala, P., Škrobot, M.: Tightly-secure PAK(E). Cryptology ePrint Archive, Report 2017/1045 (2017). https://eprint.iacr.org/2017/1045
MacKenzie, P.: On the security of the SPEKE password-authenticated key exchange protocol. Cryptology ePrint Archive, Report 2001/057 (2001). http://eprint.iacr.org/2001/057
Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332 (2004). http://eprint.iacr.org/2004/332
Acknowledgements
The authors are especially grateful to the Luxembourg National Research Fund for supporting this work under CORE project AToMS.
A Terminology from [3]
We introduce the terminology necessary to refer to the adversary's actions.
We say “in a CLIENT ACTION k query to \(\varPi _{C}^{i}\)” to refer to “in a Send query directed to the client instance \(\varPi _{C}^{i}\) that results in CLIENT ACTION k procedure being executed” and “in a SERVER ACTION k” to refer to “in a Send query directed to the server instance \(\varPi _{S}^{j}\) that results in SERVER ACTION k procedure being executed”.
A client instance \(\varPi _{C}^{i}\) is paired with server instance \(\varPi _{S}^{j}\) if there was a CLIENT ACTION 0 query to \(\varPi _{C}^{i}\) with output \(\langle C, X^* \rangle \), a SERVER ACTION 1 to \(\varPi _{S}^{j}\) with input \(\langle C, X^* \rangle \) and output \(\langle S,Y,k \rangle \), and a CLIENT ACTION 1 to \(\varPi _{C}^{i}\) with input \(\langle S,Y,k \rangle \). A server instance \(\varPi _{S}^{j}\) is paired with client instance \(\varPi _{C}^{i}\) if there was a CLIENT ACTION 0 query to \(\varPi _{C}^{i}\) with output \(\langle C, X^* \rangle \) and a SERVER ACTION 1 to \(\varPi _{S}^{j}\) with input \(\langle C, X^* \rangle \) and output \(\langle Y,k \rangle \); additionally, if there is a SERVER ACTION 2 query with input \(k'\), then there was a previous CLIENT ACTION 1 to \(\varPi _{C}^{i}\) with input \(\langle Y,k \rangle \) and output \(k'\).
Next we define the events that will allow us to prove the security of the protocol by a sequence of games.
testpw(\(C,i,S,\pi ,l\)): Adversary \(\mathcal {A}\) makes (i) an \(H_l(C,S,X^*,Y,\sigma ,\pi )\) query for some \(l\in \{1,2,3\}\), (ii) a CLIENT ACTION 0 to \(\varPi _{C}^{i}\) with output \(\langle S,X^*\rangle \) and (iii) a CLIENT ACTION 1 to \(\varPi _{C}^{i}\) with input \(\langle C,Y,k \rangle \), where \(X^* = X \cdot M^\pi \) and \(\sigma =DH(X,Y)\). The value associated with this event is the output of the \(H_l(\cdot )\) query, or the \(k,k',sk_C^i\) values, respectively for \(l=1,2,3\), whichever is set first.
testpw(\(S,j,C,\pi ,l\)): \(\mathcal {A}\) makes an \(H_l(C,S,X^*,Y,\sigma ,\pi )\) query for some \(l\in \{1,2,3\}\) and a SERVER ACTION 1 to \(\varPi _{S}^{j}\) with input \(\langle S,X^*\rangle \) and output \(\langle C,Y,k \rangle \), where \(X^* = X \cdot M^{\pi }\) and \(\sigma = DH(X,Y)\). The value associated with this event is the output of the \(H_l(\cdot )\) query, or the \(k,k',sk_S^j\) values, respectively for \(l=1,2,3\), whichever is set first.
testpw!(\(C,i,S,\pi \)): In a CLIENT ACTION 1 query with input \(\langle \mu ,k \rangle \), a testpw\((C,i,S,\pi ,2)\) event occurs with associated value k.
testexecpw(\(C,i,S,j,\pi \)): \(\mathcal {A}\) makes (i) an \(H_l(C,S,X^*,Y,\sigma ,\pi )\) query for some \(l\in \{1,2,3\}\), where \(X^* = X \cdot M^\pi \) and \(\sigma =DH(X,Y)\), and (ii) previously an Execute(C, i, S, j) which produces \(X^*,Y\). The value associated with this event is the output of the \(H_l(\cdot )\) query, or the \(k,k',sk_S^j\) values, respectively for \(l=1,2,3\), whichever is set first.
correctpw: Before any Corrupt query, either a testpw!(\(C,i,S,\pi _c\)) event occurs, for some C, i, S, or a testpw(\(S,j,C,\pi _c,l\)) event occurs for some S, j, C and \(l\in \{1,2,3\}\), where \(\pi _c\) is the correct password.
pairedpwguess: For some client and server instances \(\varPi _{C}^{i}\) and \(\varPi _{S}^{j}\) respectively, both testpw(\(C,i,S,\pi _c,l\)) and testpw(\(S,j,C,\pi ,l\)) events occur for \(l\in \{1,2,3\}\), where \(\varPi _{C}^{i}\) is paired with \(\varPi _{S}^{j}\), and \(\varPi _{S}^{j}\) is paired with \(\varPi _{C}^{i}\) after its SERVER ACTION 1.
doublepwserver: Before any Corrupt query, both a testpw(\(S,j,C,\pi _1,l\)) and a testpw(\(S,j,C,\pi _2,l\)) event occur, for some S, j, \(\pi _1\) and \(\pi _2\), with \(\pi _1 \ne \pi _2\) and \(l \in \{1,2,3\}\).
Copyright information
© 2018 Springer Nature Switzerland AG
Cite this paper
Becerra, J., Ostrev, D., Škrobot, M. (2018). Forward Secrecy of SPAKE2. In: Baek, J., Susilo, W., Kim, J. (eds) Provable Security. ProvSec 2018. Lecture Notes in Computer Science, vol. 11192. Springer, Cham. https://doi.org/10.1007/978-3-030-01446-9_21
DOI: https://doi.org/10.1007/978-3-030-01446-9_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-01445-2
Online ISBN: 978-3-030-01446-9