Paper 2014/585

The SPEKE Protocol Revisited

Feng Hao and Siamak F. Shahandashti

Abstract

The SPEKE protocol is commonly considered one of the classic Password Authenticated Key Exchange (PAKE) schemes. It has been included in international standards (particularly, ISO/IEC 11770-4 and IEEE 1363.2) and deployed in commercial products (e.g., Blackberry). We observe that the original SPEKE specification is subtly different from those defined in the ISO/IEC 11770-4 and IEEE 1363.2 standards. We show that those differences have critical security implications by presenting two new attacks on SPEKE: an impersonation attack and a key-malleability attack. The first attack allows an attacker to impersonate a user without knowing the password by engaging in two parallel sessions with the victim. The second attack allows an attacker to manipulate the session key established between two honest users without being detected. Both attacks are applicable to the original SPEKE scheme, and are only partially addressed in the ISO/IEC 11770-4 and IEEE 1363.2 standards. We highlight deficiencies in both standards and suggest concrete changes.

Note: Updated version to be consistent with the camera-ready version that will appear at SSR'14.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint. MINOR revision.
Keywords
SPEKEPAKEIEEE P1362.2ISOIEC 11770-4
Contact author(s)
haofeng66 @ gmail com
History
2014-09-25: revised
2014-07-30: received
See all versions
Short URL
https://ia.cr/2014/585
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2014/585,
      author = {Feng Hao and Siamak F.  Shahandashti},
      title = {The SPEKE Protocol Revisited},
      howpublished = {Cryptology ePrint Archive, Paper 2014/585},
      year = {2014},
      note = {\url{https://eprint.iacr.org/2014/585}},
      url = {https://eprint.iacr.org/2014/585}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.