both the client and host have access to the same secret password or hash thereof. There is one variant
of EKE, known as Augmented EKE or A-EKE [2], which makes EKE a verifier-based protocol, but the
modification also destroys forward secrecy [17].
Recently, additional work has been done to extend the EKE family of protocols to address the issue
of holding plaintext-equivalent data in password files [10]. B-SPEKE is an example of such an extended
method. These protocols add another key exchange round to verify the client's possession of the actual
password as opposed to a stolen verifier from the password file. This fixes a major issue with EKE, at the
expense of substantially increasing the running time and computational complexity of the resulting protocol.
The issue of avoiding plaintext-equivalence has been a glaring omission in secure protocol designs for
quite some time, yet it must be addressed if it is to be considered a viable replacement for authentication
systems like the /etc/passwd file in Unix systems [13]. In addition, poor performance has often been an
obstacle to the adoption of stronger protocols; the protocols described in [2] and [10] are just slow enough to
be uncomfortable for frequent, lightweight authentication purposes. An improvement in performance from,
say, a 3 second delay to a 1.5 second delay at login time can often make the difference between an unbearable
solution and a workable one.
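To make plaintext-equivalence concrete, the following added example (not code from the paper) builds two toy servers that keep the same salted hash on file and checks whether that stored record, without the password, is enough to pass authentication. The class names, the PBKDF2/HMAC choices and the sample values are assumptions made for this illustration.

```python
import hashlib, hmac, os

SALT = b"constructed-salt"          # constructed sample values
PASSWORD = b"correct horse"

def kdf(secret: bytes, salt: bytes) -> bytes:
    # The record kept in the password file in both designs.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 10_000)

def respond(key: bytes, nonce: bytes) -> bytes:
    # Client side of the shared-secret challenge-response.
    return hmac.new(key, nonce, hashlib.sha256).digest()

class SharedSecretServer:
    """Challenge-response keyed by the stored record: plaintext-equivalent."""
    def __init__(self, password, salt):
        self.record = kdf(password, salt)
    def challenge(self) -> bytes:
        self.nonce = os.urandom(16)
        return self.nonce
    def verify(self, response: bytes) -> bool:
        return hmac.compare_digest(respond(self.record, self.nonce), response)

class PasswdStyleServer:
    """/etc/passwd style: client submits the password, server rehashes it."""
    def __init__(self, password, salt):
        self.salt, self.record = salt, kdf(password, salt)
    def verify(self, submitted: bytes) -> bool:
        return hmac.compare_digest(kdf(submitted, self.salt), self.record)

def record_alone_authenticates():
    """(shared-secret result, passwd-style result) for a party holding only
    the stored record, never the password."""
    a, b = SharedSecretServer(PASSWORD, SALT), PasswdStyleServer(PASSWORD, SALT)
    ok_a = a.verify(respond(a.record, a.challenge()))
    ok_b = b.verify(b.record)   # record submitted in place of the password
    return ok_a, ok_b

def password_authenticates():
    """Same two servers, client that knows the password."""
    a, b = SharedSecretServer(PASSWORD, SALT), PasswdStyleServer(PASSWORD, SALT)
    return a.verify(respond(kdf(PASSWORD, SALT), a.challenge())), b.verify(PASSWORD)

if __name__ == "__main__":
    print("record only:", record_alone_authenticates())
    print("password   :", password_authenticates())
```

The passwd-style server is only the baseline for non-equivalence: it requires the password itself to cross the wire, which is the exposure that verifier-based protocols are designed to avoid.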
3 A new framework
Designing a verifier-based protocol is considerably more difficult than designing a conventional shared-secret
authentication protocol, because the verifier and password are by definition not equivalent (though the
former may be derived from the latter), forcing the computational structure of the protocol to be inherently
asymmetric. As is the case with public-key cryptography, only a handful of methods lend themselves to the
mathematical manipulation necessary to construct secure verifier-based protocols. This is one of the reasons
why such protocols are relatively rare in practice.
We have already seen protocols that use digital signatures (A-EKE) and protocols that use a secondary
one-sided key exchange (B-SPEKE); this section introduces a new construction called Asymmetric Key
Exchange, or AKE for short, which is a generalized form for a third class of verifier-based protocols. Later,
we will introduce the Secure Remote Password protocol itself, which will refer to the more well-defined and
specified instance of AKE that is of interest to modern password authentication systems.
3.1 Asymmetric key exchange
Like EKE, the primary function of AKE is to exchange keys between two parties, the client and server,
and to use this key to verify that both parties actually know their passwords. Unlike EKE, AKE does
not encrypt any of the protocol flows. Instead, it uses predefined mathematical relationships to combine
exchanged ephemeral values with established password parameters. Avoiding encryption is advantageous for
a number of reasons:
• It simplifies the protocol by eliminating the need to negotiate a common encryption algorithm. The
  alternative, specifying the algorithm with the protocol, makes the protocol dependent on one particular
  encryption algorithm.
• Any weakness in the encryption will usually result in a weakness in the resulting authentication
  protocol. In addition, when passwords are used as key material, issues of padding and verifiable plaintext
  can open the protocol to a variety of attacks [6]. Not using encryption in the protocol itself removes
  this potential hole.
• In some jurisdictions, software and hardware implementations of encryption algorithms are subject to
  legal restrictions or export regulations. A protocol that does not use encryption is not affected by such
  concerns.