Questions tagged [pake]

Question 1

Background: The OPAQUE aPAKE scheme is vulnerable to quantum computing shenanigans. If we directly blind the user's password using the scheme, then we give attackers the opportunity to "harvest ...

Question 2

If the server is honest-but-curious, it can attempt to guess the user’s password $\mathsf{pw}$ by computing $\mathsf{rw} = H(\mathsf{pw}, H'(\mathsf{pw})^s)$,where $s$ is the server's OPRF key. Then, ...

Question 3

Both RFC 9382 (SPAKE2) and RFC 9383 (SPAKE2+) have language that seems to require 4 messages to complete the protocol. In particular, A sends a key confirmation message cA to B, and B responds with ...

Question 4

Are there any password-authenticated key exchange (PAKE) algorithms in FIPS standards?

Question 5

As I understand it, in WPA2, the shared key (for encryption) is derived from the password, plus nonces and identities used in the initial 4-way exchange. An attacker who was able to sniff the initial ...

Question 6

I've been studying the OPAQUE protocol, and I like it (so far). The RFC suggests using Argon2 as the Key-Stretching Function. Argon2 can take an optional "Secret value" (2, page 5). I had ...

Question 7

My understanding is that for PAKE protocols such as OPAQUE (https://eprint.iacr.org/2018/163.pdf), the the adversary has no choice but to just do online attacks on the password. If this is true, I ...

Question 8

Is it possible for a client to send a blinded password to a server, so that the server does key derivation+stretching on that blinded value, but the key can then be unblinded by the client? ...

Question 9

Let's say client side has a secret password $\pi$. The server has a series of indices $0..n-1$ and a salt associated value $s_i$ for all $i \in \{0,n-1\}$ call it set $S=\{s_i | i \in \{0,n-1\}\}$ ...

Question 10

Consider the following (simplification of a) PAKE protocol: Alice and Bob start with a pre-agreed password pw. To establish a new session key $k$, first Alice samples a random nonce $r$ and sends it ...

Question 11

My intuition for the security a symmetric PAKE is supposed to provide comes from the example of a login page. Both the user and the server know the password (assuming unhashed passwords), and the ...

Question 12

Define three hash functions: $H_1: \{0, 1\}^* \rightarrow \mathbb{G}$ mapping $x$ to the group $\mathbb{G}$ of prime order $q$ $H_2: \mathbb{G} \rightarrow \{0, 1\}^\tau$ $H_3: \{0, 1\}^* \times \...

Question 13

In TLS 1.2, there was TLS-SRP (RFC 5054,) which provided a password-authenticated key exchange (PAKE) protocol for use with TLS. However, it apparently relied on handshake messages that have been ...

Question 14

In the secure remote password protocol version 6a, the identifier for the user, I, is hashed along with the salt and the password on the client. While I understand ...

Question 15

I've been looking into implementing cPace, and I saw that two cipher suites defined for it refered to draft-irtf-cfrg-hash-to-curve for its protocol definition. Part of cPace requires mapping a string ...

Stack Exchange Network

Questions tagged [pake]

Are unique identifiers acceptable salts for client-side key stretching?

Is the user's password revealed to a curious server in the OPAQUE PAKE?

In SPAKE2(+) is it safe for B to send the key confirmation first?

Does FIPS have any PAKE algorithms?

Is PAKE more secure than WPA2?

Could a Yubikey Provide the Optional Secret to OPAQUE When Using Argon2?

Password entropy requirements for online dictionary attacks on OPAQUE?

"Oblivious" Argon2id? (or comparable KDF/KSF)?

Anonymous PAKE using two party computation

Is the following PAKE protocol UC secure?

Why does the PAKE ideal functionallity allow the keys to be the same when the passwords differ?

Questions on PRF

Have any PAKE extensions been added to TLS 1.3?

What is the purpose of hashing the identifier in the secure remote password (SRP) protocol? [duplicate]

What's going on with the complicated implementations for map_to_curve in draft-irtf-cfrg-hash-to-curve?

Hot Network Questions