|
SPEKE (Simple Password Exponential Key Exchange) is a cryptographic method for password-authenticated key agreement. ==Description== The protocol consists of little more than a Diffie-Hellman key exchange where the Diffie-Hellman generator ''g'' is created from a hash of the password. Here is one simple form of SPEKE: # Alice and Bob agree to use an appropriately large and randomly selected safe prime ''p'', as well as a hash function ''H''(). # Alice and Bob agree on a shared password ''π''. # Alice and Bob both construct ''g'' = ''H''(''π'')2 mod ''p''. (Squaring makes ''g'' a generator of the prime order subgroup of the multiplicative group of integers modulo ''p''.) # Alice chooses a secret random integer ''a'', then sends Bob ''ga'' mod ''p''. # Bob chooses a secret random integer ''b'', then sends Alice ''gb'' mod p. # Alice and Bob each abort if their received values are not in the range (), to prevent small subgroup confinement attack. # Alice computes ''K'' = (''gb'' mod ''p'')''a'' mod ''p''. # Bob computes ''K'' = (''ga'' mod ''p'')''b'' mod ''p''. Both Alice and Bob will arrive at the same value for ''K'' if and only if they use the same value for ''π''. Once Alice and Bob compute the shared secret ''K'' they can use it in a key confirmation protocol to prove to each other that they know the same password π, and to derive a shared secret encryption key for sending secure and authenticated messages to each other. The use of a key confirmation protocol is optional, as specified in the IEEE P1363.2 and ISO/IEC 11770-4 standards. Unlike unauthenticated Diffie-Hellman, SPEKE prevents man in the middle attack by the incorporation of the password. An attacker who is able to read and modify all messages between Alice and Bob cannot learn the shared key ''K'' and cannot make more than one guess for the password in each interaction with a party that knows it. In general, SPEKE can use any prime order group that is suitable for public key cryptography, including elliptic curve cryptography. However, when SPEKE is realized by using elliptic curve cryptography, the protocol is essentially changed by requiring an additional primitive that must securely map a password onto a random point on the designated elliptic curve. (This primitive is called the IOP or Integer-to-Point function in IEEE P1363.2 and ISO/IEC 11770-4.) 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「SPEKE (cryptography)」の詳細全文を読む スポンサード リンク
|