Specifications of common public-key cryptographic techniques for performing password-based authentication and key exchange, supplemental to the techniques considered in IEEE P1363 and IEEE P1363a. Specifications of primitives, schemes, and protocols designed to safely utilize passwords and other low-grade secrets as a basis for securing electronic transactions. Class of computer and communications systems is not restricted.
Ensuring privacy and authenticity in personal electronic transactions is a process that necessarily involves human beings. Memorized secrets are an important factor in human authentication. Many common cryptographic methods for authentication require large, random high-grade secret keys, yet, the secrets that human beings can conveniently memorize and reliably reproduce tend to be low-grade secrets. Passwords are widely used low-grade secrets that are typically not-so-random and relatively small, and introduce risks of brute-force attack when inappropriately used as cryptographic keys. P1363.2 will specify public-key cryptographic techniques specifically designed to securely perform password-based authentication and key exchange. These techniques provide a way to authenticate people and distribute high-quality cryptographic keys for people, while preventing off-line brute-force attacks associated with passwords. A resulting high quality key may be more confidently used in combination with other cryptographic methods, such as symmetric encryption methods and public-key encryption, identification, and digital signature methods. P1363.2 will provide a reference for a variety of such password- based techniques within a suitable framework. It is not the purpose of this project to mandate any particular set of password-based techniques or security requirements (including key sizes). Rather, the purpose is to provide: (1) a reference for specification of a variety of techniques from which applications may select, (2) the appropriate theoretic background, and (3) extensive discussion of security and implementation considerations so that a solution provider can choose appropriate security requirements.
|IEEE Home Page||IEEE Standards||IEEE P1363|