Questions tagged [pake]

Password-Authenticated Key Exchanges (PAKE) are authenticated key exchange protocols where the long-term secret is a (low-entropy) password. That is, it is a two-party protocol in which at least one party uses a password to authenticate itself to the other party. A PAKE guarantees that the parties establish a shared session key if and only if authentication was successful. Due to the low entropy of passwords, it is crucial to prevent offline dictionary attacks.

Password-Authenticated Key Exchanges (PAKE) are a special class of authenticated key exchange protocols. In general, an authenticated key-exchange protocol allows two parties to establish a secret shared session key while at the same time authenticating themselves to one another. In a PAKE, the authentication factor is a password, i.e. a low-entropy long-term secret. The authentication can be mutual, where each party authenticates itself to the other, or one-sided, where only one party authenticates itself to the other.

A PAKE should guarantee that the parties establish a shared session key if and only if the authentication was successful, and this session key should remain computationally hidden from any outside observer, even if that observer can engage in other protocol executions with those parties. While there is a multitude of different formal definitions of security, most are derived from the classic Bellare-Rogaway model for authenticated key exchange.

One important fact to notice about PAKEs is that, due to the low entropy of passwords, dictionary attacks are always feasible. For this reason it is crucial in the protocol design to prevent offline dictionary attacks. An offline dictionary attack is possible whenever an outside observer can use one or more protocol transcripts to verify a guess for the password. Since passwords have low entropy, this would render the PAKE broken. In contrast, online dictionary attacks cannot be prevented. In an online dictionary attack, an attacker has to run a new protocol execution for each guess they want to verify. This allows the attack to be mitigated through approaches such as rate limiting.
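As an added example (not part of the tag wiki or of any question on the page), the following Python runs a SPAKE2-style exchange, structured as in RFC 9382, over a toy-sized group and shows both properties described above: the parties end with the same session key only when their passwords agree, and an eavesdropper's transcript unmasks to a valid group element under every password guess, so the transcript alone cannot verify a guess. The group size, labels, hash choices and helper names are constructed for this example; the masking with M and N assumes their discrete logs are unknown, which a 31-bit group cannot actually provide.

```python
import hashlib, hmac, secrets

def is_prime(n: int) -> bool:  # trial division: adequate only for the toy sizes used here
    return bool(n > 1 and (n == 2 or n % 2 and all(n % d for d in range(3, int(n ** 0.5) + 1, 2))))

def safe_prime_above(start: int):  # smallest safe prime p = 2q + 1 (q prime) above start
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)): q += 2
    return 2 * q + 1, q

# Toy 31-bit group, constructed for readability; real deployments use a standard group (RFC 9382).
P, Q = safe_prime_above(1 << 30)
G = 4  # a square mod P, so it generates the prime-order-Q subgroup

def hash_to_group(label: bytes) -> int:  # M, N: fixed subgroup elements with unknown discrete logs
    cands = [pow(int.from_bytes(hashlib.sha256(label + bytes([c])).digest(), "big") % P, 2, P) for c in range(8)]
    return next(e for e in cands if e > 1)

M, N = hash_to_group(b"SPAKE2 M"), hash_to_group(b"SPAKE2 N")

def password_scalar(pw: bytes) -> int:  # RFC 9382 uses a memory-hard function here; SHA-256 for brevity
    return int.from_bytes(hashlib.sha256(pw).digest(), "big") % Q

def observer_unmask(T: int, guess: bytes) -> bool:
    """All an eavesdropper can do with A's message is strip a guessed mask. The result is a valid
    subgroup element for every guess, so the transcript alone neither confirms nor rejects it."""
    X_guess = T * pow(M, -password_scalar(guess), P) % P
    return pow(X_guess, Q, P) == 1

def spake2(pw_a: bytes, pw_b: bytes):
    """One SPAKE2 run between A (holding pw_a) and B (holding pw_b).
    Returns (A accepts, B accepts, session keys equal, A's public message T)."""
    w_a, w_b = password_scalar(pw_a), password_scalar(pw_b)
    x, y = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    T = pow(M, w_a, P) * pow(G, x, P) % P  # A -> B: g^x masked by M^w
    S = pow(N, w_b, P) * pow(G, y, P) % P  # B -> A: g^y masked by N^w
    K_a = pow(S * pow(N, -w_a, P) % P, x, P)  # each side unmasks with its own w, then finishes the DH
    K_b = pow(T * pow(M, -w_b, P) % P, y, P)
    def derive(K, w):  # session key and both confirmation MACs, all bound to the transcript
        tr = b"|".join(str(v).encode() for v in (T, S, K, w))
        kc = hashlib.sha256(b"confirm" + tr).digest()
        return (hashlib.sha256(b"key" + tr).digest(),
                hmac.new(kc, b"A->B", "sha256").digest(), hmac.new(kc, b"B->A", "sha256").digest())
    ke_a, mac_a, exp_b = derive(K_a, w_a)  # A sends mac_a to B and expects exp_b back
    ke_b, exp_a, mac_b = derive(K_b, w_b)
    a_ok = hmac.compare_digest(mac_b, exp_b)  # A accepts only if B's confirmation verifies
    b_ok = hmac.compare_digest(mac_a, exp_a)
    return a_ok, b_ok, ke_a == ke_b, T
```

A mismatched password changes the unmasked value and the transcript on one side, so the confirmation MACs fail and neither party accepts; the observer check passes for right and wrong guesses alike.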
