Skip to main content
SpringerLink
Log in

The SPEKE Protocol Revisited

  • Conference paper
Security Standardisation Research (SSR 2014)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8893))

Included in the following conference series:

Abstract

The SPEKE protocol is commonly considered one of the classic Password Authenticated Key Exchange (PAKE) schemes. It has been included in international standards (particularly, ISO/IEC 11770-4 and IEEE 1363.2) and deployed in commercial products (e.g., Blackberry). We observe that the original SPEKE specification is subtly different from those defined in the ISO/IEC 11770-4 and IEEE 1363.2 standards. We show that those differences have critical security implications by presenting two new attacks on SPEKE: an impersonation attack and a key-malleability attack. The first attack allows an attacker to impersonate a user without knowing the password by engaging in two parallel sessions with the victim. The second attack allows an attacker to manipulate the session key established between two honest users without being detected. Both attacks are applicable to the original SPEKE scheme, and are only partially addressed in the ISO/IEC 11770-4 and IEEE 1363.2 standards. We highlight deficiencies in both standards and suggest concrete changes.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Barker, E., Johnson, D., Smid, M.: Recommendation for pair-wise key establishment schemes using discrete logarithm cryptography (revised), NIST Special Publication 800-56A (March 2007), http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf

  2. Bellovin, S., Merritt, M.: Encrypted Key Exchange: password-based protocols secure against dictionary attacks. In: Proceedings of the IEEE Symposium on Research in Security and Privacy (May 1992)

    Google Scholar 

  3. Hao, F.: On robust key agreement based on public key authentication. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 383–390. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  4. Hao, F., Ryan, P.Y.A.: Password authenticated key exchange by juggling. In: Christianson, B., Malcolm, J.A., Matyas, V., Roe, M. (eds.) Security Protocols 2008. LNCS, vol. 6615, pp. 159–171. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  5. Entrust TruePass Product Portfolio: Strong Authentication, Digital Signatures and end-to-end encryption for the Web Portal, Technical Overview, Entrust Inc. (July 2003), http://www.entrust.com/wp-content/uploads/2013/05/entrust_truepass_tech_overview.pdf

  6. BlackBerry Bridge App and BlackBerry PlayBook Tablet, Security Technical Overview - Version 2.0, Research in Motion Ltd. (February 2012), Available online through Blackberry Knowledge Base at http://btsc.webapps.blackberry.com/btsc/microsites/searchEntry.do

  7. Jablon, D.: Strong password-only authenticated key exchange. ACM Computer Communications Review 26(5), 5–26 (1996)

    Article  Google Scholar 

  8. Zhang, M.: Analysis of the SPEKE password-authenticated key exchange protocol. IEEE Communications Letters 8(1), 63–65 (2004)

    Article  Google Scholar 

  9. Tang, Q., Mitchell, C.J.: On the security of some password-based key agreement schemes. In: Hao, Y., Liu, J., Wang, Y.-P., Cheung, Y.-M., Yin, H., Jiao, L., Ma, J., Jiao, Y.-C. (eds.) CIS 2005. LNCS (LNAI), vol. 3802, pp. 149–154. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  10. IEEE P1363 Working Group, P1363.2: Standard Specifications for Password-Based Public-Key Cryptographic Techniques. Draft available at http://grouper.ieee.org/groups/1363/

  11. International Standard on Information Technology, Security Techniques, Key Management, Part 4: “Mechanisms based on week secrets”, ISO/IEC 11770-4:2006

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Newcastle University, UK

    Feng Hao & Siamak F. Shahandashti

Authors
  1. Feng Hao
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Siamak F. Shahandashti
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. HP Labs, Bristol, UK

    Liqun Chen

  2. Information Security Group, University of London, Royal Holloway, TW20 0EX, Egham, Surrey, UK

    Chris Mitchell

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Hao, F., Shahandashti, S.F. (2014). The SPEKE Protocol Revisited. In: Chen, L., Mitchell, C. (eds) Security Standardisation Research. SSR 2014. Lecture Notes in Computer Science, vol 8893. Springer, Cham. https://doi.org/10.1007/978-3-319-14054-4_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-14054-4_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-14053-7

  • Online ISBN: 978-3-319-14054-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation