Purpose and Scope of IEEE P1363.2

P1363.2: Standard Specification for Password-Based Public-Key Cryptographic Techniques


Specifications of common public-key cryptographic techniques for performing password-based authentication and key exchange, supplemental to the techniques considered in IEEE P1363 and IEEE P1363a. Specifications of primitives, schemes, and protocols designed to safely utilize passwords and other low-grade secrets as a basis for securing electronic transactions. Class of computer and communications systems is not restricted.


Ensuring privacy and authenticity in personal electronic transactions is a process that necessarily involves human beings. Memorized secrets are an important factor in human authentication. Many common cryptographic methods for authentication require large, random high-grade secret keys, yet, the secrets that human beings can conveniently memorize and reliably reproduce tend to be low-grade secrets. Passwords are widely used low-grade secrets that are typically not-so-random and relatively small, and introduce risks of brute-force attack when inappropriately used as cryptographic keys. P1363.2 will specify public-key cryptographic techniques specifically designed to securely perform password-based authentication and key exchange. These techniques provide a way to authenticate people and distribute high-quality cryptographic keys for people, while preventing off-line brute-force attacks associated with passwords. A resulting high quality key may be more confidently used in combination with other cryptographic methods, such as symmetric encryption methods and public-key encryption, identification, and digital signature methods. P1363.2 will provide a reference for a variety of such password- based techniques within a suitable framework. It is not the purpose of this project to mandate any particular set of password-based techniques or security requirements (including key sizes). Rather, the purpose is to provide: (1) a reference for specification of a variety of techniques from which applications may select, (2) the appropriate theoretic background, and (3) extensive discussion of security and implementation considerations so that a solution provider can choose appropriate security requirements.

PAR as approved by IEEE Standards Board December 7, 2000.
This site was last modified on October 31, 2002.
IEEE Logo IEEE Standards Logo IEEE P1363 Logo
IEEE Home Page IEEE Standards IEEE P1363