The Password Authenticated Key Exchange by Juggling (or J-PAKE) is a password-authenticated key agreement protocol. This protocol allows two parties to establish private and authenticated communication solely based on their shared (low-entropy) password without requiring a Public Key Infrastructure. It provides mutual authentication to the key exchange, a feature that is lacking in the Diffie-Hellman key exchange protocol.
Description
Two parties, Alice and Bob, agree on a group
After Round 2, Alice computes
The two-round J-PAKE protocol is completely symmetric, which significantly simplifies the security analysis: by symmetry, a proof that one party leaks no password information in the exchanged data holds for the other party as well, so the number of security proofs needed is halved.
In practice, J-PAKE is more likely to be implemented in three flows, since one party normally takes the initiative. This can be done trivially without loss of security. Suppose Alice initiates the communication by sending to Bob:
Depending on the application requirement, Alice and Bob may perform an optional key confirmation step. There are several ways to do it. A simple method described in SPEKE works as follows: Alice sends to Bob
Security properties
The J-PAKE protocol claims to provide the following properties:
- Off-line dictionary attack resistance - It does not leak any password verification information to a passive/active attacker.
- Forward secrecy - It produces session keys that remain secure even when the password is later disclosed.
- Known-key security - It prevents a disclosed session key from affecting the security of other sessions.
- On-line dictionary attack resistance - It limits an active attacker to test only one password per protocol execution.
Since 2015, J-PAKE has a formal security proof.
The protocol design
The J-PAKE protocol is designed by combining random public keys in such a structured way as to achieve a vanishing effect if both parties supplied exactly the same password. This is somewhat similar to the Anonymous veto network protocol design. The essence of the idea, however, can be traced back to David Chaum's original Dining Cryptographers network protocol, where binary bits are combined in a structured way to achieve a vanishing effect.
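The following is an added worked example, not code from the article or from any of the implementations it names. It implements the two-round exchange from the Description section in the three-flow ordering (Alice initiates), with Schnorr non-interactive zero-knowledge proofs on every public value, and adds the SPEKE-style key confirmation the article mentions (initiator sends H(H(K)), responder answers H(K); that layout is an assumption here). It also shows the vanishing effect described above: the password scalar cancels out of both sides' key only when the two passwords match. The group is a constructed 64-bit safe-prime group found by search at import time, and the identities "alice" and "bob", the hash labels and the class layout are all assumptions of this example; a real deployment would use a standard group. Requires Python 3.8+ for pow(x, -1, p).

```python
import hashlib, hmac, secrets

def H(*parts):  # length-prefixed SHA-256 over ints/bytes/strings, so concatenation is unambiguous
    h = hashlib.sha256()
    for x in parts:
        b = x if isinstance(x, bytes) else str(x).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return h.digest()

def _is_prime(n):
    """Miller-Rabin with bases that are deterministic for n < 3.3e24 (plenty for 64-bit demo moduli)."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % s == 0 for s in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(start=(1 << 63) + 1):
    """Constructed demo group: safe prime p = 2q+1 found by search (real deployments use a standard group)."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4          # 4 = 2^2 lies in the order-q subgroup and is not 1

def schnorr_prove(p, q, gen, x, X, ident):
    """Non-interactive ZKP of knowledge of x with X = gen^x; the sender id is hashed in to stop replay."""
    v = 1 + secrets.randbelow(q - 1)
    V = pow(gen, v, p)
    h = int.from_bytes(H(gen, V, X, ident), "big") % q
    return V, (v - x * h) % q

def schnorr_verify(p, q, gen, X, proof, ident):
    V, r = proof
    if not 1 < X < p or pow(X, q, p) != 1:   # rejects X = 1 (e.g. x2 = 0) and elements outside the subgroup
        return False
    h = int.from_bytes(H(gen, V, X, ident), "big") % q
    return pow(gen, r, p) * pow(X, h, p) % p == V

class Party:
    def __init__(self, group, ident, password):
        self.p, self.q, self.g = group
        self.id = ident
        self.s = 1 + int.from_bytes(H(b"pw", password), "big") % (self.q - 1)  # password as a non-zero scalar
        self.x1 = 1 + secrets.randbelow(self.q - 1)   # ephemeral secrets; x2 (Bob's x4) must be non-zero
        self.x2 = 1 + secrets.randbelow(self.q - 1)
    def round1(self):
        p, q, g = self.p, self.q, self.g
        self.g1, self.g2 = pow(g, self.x1, p), pow(g, self.x2, p)
        return (self.id, self.g1, schnorr_prove(p, q, g, self.x1, self.g1, self.id),
                self.g2, schnorr_prove(p, q, g, self.x2, self.g2, self.id))
    def round2(self, msg):
        p, q, g = self.p, self.q, self.g
        pid, g3, pf3, g4, pf4 = msg
        if pid == self.id or not (schnorr_verify(p, q, g, g3, pf3, pid) and schnorr_verify(p, q, g, g4, pf4, pid)):
            raise ValueError("round 1 rejected: reflected identity or invalid ZKP")
        self.g3, self.g4 = g3, g4
        gen = self.g1 * g3 * g4 % p              # g^(x1+x3+x4): the peer's two values plus our own first one
        xs = self.x2 * self.s % q
        A = pow(gen, xs, p)                      # A = g^((x1+x3+x4) * x2 * s)
        return self.id, A, schnorr_prove(p, q, gen, xs, A, self.id)
    def finish(self, msg):
        p, q = self.p, self.q
        pid, B, pf = msg
        gen = self.g1 * self.g2 * self.g3 % p    # the generator the peer must have used: g^(x1+x2+x3)
        if not schnorr_verify(p, q, gen, B, pf, pid):
            raise ValueError("round 2 rejected: invalid ZKP")
        # K = (B / g^(x2*x4*s))^x2 = g^((x1+x3)*x2*x4*s); only matching passwords make both sides agree
        blind = pow(self.g4, self.x2 * self.s % q, p)
        self.K = pow(B * pow(blind, -1, p) % p, self.x2, p)
        return H(b"session", self.K)
    def confirm_tag(self, initiator):
        """SPEKE-style confirmation (assumed layout): initiator sends H(H(K)), responder answers H(K)."""
        t = H(b"confirm", self.K)
        return H(t) if initiator else t

def run_jpake(pw_alice, pw_bob, group=None):
    """Three-flow ordering (Alice initiates). Returns (alice_key, bob_key, confirmation_ok)."""
    group = group or make_group()
    alice, bob = Party(group, "alice", pw_alice), Party(group, "bob", pw_bob)
    a1 = alice.round1()                          # flow 1: Alice's round-1 message
    b1, b2 = bob.round1(), bob.round2(a1)        # flow 2: Bob's round-1 and round-2 messages together
    a2 = alice.round2(b1)                        # flow 3: Alice's round-2 message
    ka, kb = alice.finish(b2), bob.finish(a2)
    ok = hmac.compare_digest(alice.confirm_tag(True), bob.confirm_tag(True)) and \
         hmac.compare_digest(bob.confirm_tag(False), alice.confirm_tag(False))
    return ka, kb, ok
```

Two points worth noticing when reading it: the verifier rejects any public value equal to the identity, which is what stops a peer from choosing x2 = 0 (or x4 = 0) and collapsing the key, and a mismatched password produces two different keys but no error, so the confirmation step is what lets each side learn whether the run succeeded, which is the mechanism behind "one password guess per protocol execution".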
The implementation
J-PAKE has been implemented in OpenSSL and OpenSSH as an experimental authentication protocol. It was removed from the OpenSSH source code at the end of January 2014. It has also been implemented in NSS and was used by Firefox Sync version 1.1, but discontinued in 1.5, which uses a different key exchange and storage method. Mozilla's J-PAKE server was shut down along with the Sync 1.1 storage servers on 30 September 2015. Pale Moon continues to use J-PAKE as part of its Sync service. Since February 2013, J-PAKE has been included in the lightweight API of Bouncy Castle (1.48 and onwards). J-PAKE is also used in the Thread (network protocol)