In a forthcoming paper (to be presented at SSR’14), we (with Siamak Shahandashti) present some new attacks on SPEKE, an internationally standardized protocol. The idea originated from a causal chat over coffee with my colleague, Siamak Shahandashti, four days before the SSR’14 submission deadline. But the idea was interesting enough (to us) that we decided to write a paper. It was intensive a few days’ work, but it turned out to an enjoyable experience. A preprint of the paper can be found here (also in the IACR ePrint).
Background: SPEKE is one of the most well-known Password Authentication Key Exchange (PAKE) techniques. It was first designed in 1996 by David Jablon. Over the past twenty years, it seems to have withstood various attacks, and yet no major flaws has been found. To date, the SPEKE protocol has been included into the IEEE P1363.2 and ISO/IEC 11770-4 standards, and deployed in commercial products (for example, Blackberry).
Our findings: However, in our paper, we identity two weaknesses in SPEKE, which seem to have evaded previous efforts of cryptanalysis. First, we show an impersonation attack, in which an attacker is able to impersonate a user by engaging in two parallel sessions with the victim. Second, we show a key-malleability attack, in which a man-in-the-middle attacker is able to manipulate the session key established between two honest users without being detected. We further explain the applicability of the attack to the SPEKE variants defined in IEEE P1363.2 and ISO/IEC 11770-4 and point out deficiencies in both standards.
Suggested changes to standards: Finally, we propose concrete changes to both the IEEE and ISO/IEC standards. The changes that we propose not only address all currently known attacks against SPEKE, but also improve the round efficiency of SPEKE as it is currently defined in the standards.
For more technical details, please refer to our paper. Any comments are of course most welcome.
Updates:
- 2014-10-24: during the ISO/IEC JTC 1/SC 27 Meeting held in Mexico (19-24 Oct, 2014), it has been agreed by the national bodies present in the meeting to revise the SPEKE specification in ISO/IEC 11770-4 to address the two attacks reported in our SSR’14 paper.