International Association
for Cryptologic Research

The SPEKE protocol is commonly considered one of the classic Password Authenticated Key Exchange (PAKE) schemes. It has been included in international standards (particularly, ISO/IEC 11770-4 and IEEE 1363.2) and has been deployed in commercial products. We observe that the original SPEKE specification is subtly different from those defined in the ISO/IEC 11770-4 and IEEE 1363.2 standards. We show that those differences have critical security implications. First of all, we present two new attacks on SPEKE: a relay attack and a key-malleability attack. The first attack allows an attacker to impersonate a user without knowing the password by engaging in two parallel sessions with the victim. The second attack allows an attacker to malleate the session key established between two honest users without being detected. Both attacks are applicable to the original SPEKE scheme. However, they are to some extent addressed in the ISO/IEC 11770-4 and IEEE 1363.2 standards, but in a vaguely defined manner. The vagueness makes it extremely difficult for a security-conscious developer to implement the protocol correctly. We propose countermeasures and suggest concrete changes to the standards.