Requirements for Password-Authenticated Key Agreement (PAKE) Schemes
RFC 8125

Document Type RFC - Informational (April 2017; No errata)
Last updated 2017-04-19
Stream IRTF
IETF conflict review conflict-review-irtf-cfrg-pake-reqs
Stream IRTF state Published RFC
Consensus Boilerplate Yes
RFC Editor Note (None)
IESG IESG state RFC 8125 (Informational)
Responsible AD (None)
Send notices to (None)
IANA IANA review state Version Changed - Review Needed
IANA action state No IC
Internet Research Task Force (IRTF)                           J. Schmidt
Request for Comments: 8125                     secunet Security Networks
Category: Informational                                       April 2017
ISSN: 2070-1721

  Requirements for Password-Authenticated Key Agreement (PAKE) Schemes

Abstract

   Password-Authenticated Key Agreement (PAKE) schemes are interactive
   protocols that allow the participants to authenticate each other and
   derive shared cryptographic keys using a (weaker) shared password.
   This document reviews different types of PAKE schemes.  Furthermore,
   it presents requirements and gives recommendations to designers of
   new schemes.  It is a product of the Crypto Forum Research Group
   (CFRG).

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Research Task Force
   (IRTF).  The IRTF publishes the results of Internet-related research
   and development activities.  These results might not be suitable for
   deployment.  This RFC represents the consensus of the Crypto Forum
   Research Group of the Internet Research Task Force (IRTF).  Documents
   approved for publication by the IRSG are not a candidate for any
   level of Internet Standard; see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc8125.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Schmidt                       Informational                     [Page 1]
RFC 8125                PAKE Scheme Requirements              April 2017

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Notation . . . . . . . . . . . . . . . . . . . .   3
   3.  PAKE Taxonomy . . . . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Storage of the Password . . . . . . . . . . . . . . . . .   3
     3.2.  Transmission of Public Keys . . . . . . . . . . . . . . .   4
     3.3.  Two Party versus Multiparty . . . . . . . . . . . . . . .   4
   4.  Security of PAKEs . . . . . . . . . . . . . . . . . . . . . .   5
     4.1.  Implementation Aspects  . . . . . . . . . . . . . . . . .   6
     4.2.  Special Case: Elliptic Curves . . . . . . . . . . . . . .   6
   5.  Protocol Considerations and Applications  . . . . . . . . . .   7
   6.  Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . .   7
   7.  Performance . . . . . . . . . . . . . . . . . . . . . . . . .   8
   8.  Requirements  . . . . . . . . . . . . . . . . . . . . . . . .   8
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   9
   10. Security Considerations . . . . . . . . . . . . . . . . . . .   9
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     11.1.  Normative References . . . . . . . . . . . . . . . . . .   9
     11.2.  Informative References . . . . . . . . . . . . . . . . .   9
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  10

1.  Introduction

   Passwords are the predominant method of accessing the Internet today
   due, in large part, to their intuitiveness and ease of use.  Since a
   user needs to enter passwords repeatedly in many connections and
   applications, these passwords tend to be easy to remember and can be
   entered repeatedly with a low probability of error.  They tend to be
   low-grade and not-so-random secrets that are susceptible to brute-
   force guessing attacks.

   A Password-Authenticated Key Exchange (PAKE) attempts to address this
   issue by constructing a cryptographic key exchange that does not
   result in the password, or password-derived data, being transmitted
   across an unsecured channel.  Two parties in the exchange prove
   possession of the shared password without revealing it.  Such
   exchanges are therefore resistant to offline, brute-force dictionary
   attacks.  The idea was initially described by Bellovin and Merritt in
   [BM92] and has received considerable cryptographic attention since
   then.  PAKEs are especially interesting due to the fact that they can
   achieve mutual authentication without requiring any Public Key
   Infrastructure (PKI).
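
   The exchange described above, sketched as an added example that is
   not part of RFC 8125: a toy two-party PAKE using SPAKE2-style
   masking, showing both sides' messages and the derived key.  The
   group, the constants M and N, the Party class, and the hash layout
   are assumptions made for this illustration.

```python
import hashlib
import secrets

# 768-bit safe prime of RFC 2409 Oakley Group 1; toy-sized, illustration only.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2  # prime order of the subgroup of squares
G = 4             # 2 squared, so it generates that subgroup


def _h(*parts: bytes) -> bytes:
    """SHA-512 over length-prefixed parts (unambiguous concatenation)."""
    d = hashlib.sha512()
    for part in parts:
        d.update(len(part).to_bytes(4, "big") + part)
    return d.digest()


def _to_group(label: bytes) -> int:
    """Hash a label to a square mod P, so it has no known discrete log."""
    return pow(int.from_bytes(_h(label), "big") % P, 2, P)


M, N = _to_group(b"toy-pake M"), _to_group(b"toy-pake N")  # assumed constants


class Party:
    def __init__(self, password: str, initiator: bool):
        self.initiator = initiator
        self.w = int.from_bytes(_h(b"pw", password.encode()), "big") % Q
        self.blind, self.peer_blind = (M, N) if initiator else (N, M)
        self.x = secrets.randbelow(Q - 1) + 1  # ephemeral secret
        # Only this value crosses the wire: g^x masked by blind^w.
        self.msg = pow(G, self.x, P) * pow(self.blind, self.w, P) % P

    def finish(self, peer_msg: int) -> bytes:
        if not 1 < peer_msg < P - 1:  # reject 0, 1, P-1 and out-of-range values
            raise ValueError("peer message rejected")
        unmasked = peer_msg * pow(self.peer_blind, -self.w, P) % P
        shared = pow(unmasked, self.x, P)
        first, second = (self.msg, peer_msg) if self.initiator else (peer_msg, self.msg)
        enc = lambda v: v.to_bytes(96, "big")
        return _h(enc(first), enc(second), enc(shared), enc(self.w))[:32]
```

   With matching passwords both parties derive the same 32-byte key;
   with a mismatch the keys differ, so a wrong guess costs one full
   protocol run.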
