Analysing and Patching SPEKE in ISO/IEC
Feng Hao, Roberto Metere, Siamak F. Shahandashti, Changyu Dong

TL;DR
This paper analyzes the SPEKE protocol in ISO/IEC standards, identifies two new vulnerabilities, and proposes a patched version, P-SPEKE, which is formally verified and incorporated into the standards.
Contribution
It identifies two novel vulnerabilities in SPEKE, proposes a patched protocol called P-SPEKE, and demonstrates its effectiveness through formal analysis and revision of the standard.
Findings
Identified impersonation and key-malleability attacks on SPEKE.
Proposed P-SPEKE patch prevents these attacks.
Patch adopted into ISO/IEC 11770-4 standard.
Abstract
Simple Password Exponential Key Exchange (SPEKE) is a well-known Password Authenticated Key Exchange (PAKE) protocol that has been used in Blackberry phones for secure messaging and in Entrust's TruePass end-to-end web products. It has also been included in international standards such as ISO/IEC 11770-4 and IEEE P1363.2. In this paper, we analyse the SPEKE protocol as specified in the ISO/IEC and IEEE standards. We identify that the protocol is vulnerable to two new attacks: an impersonation attack that allows an attacker to impersonate a user without knowing the password by launching two parallel sessions with the victim, and a key-malleability attack that allows a man-in-the-middle (MITM) to manipulate the session key without being detected by the end users. Both attacks have been acknowledged by the technical committee of ISO/IEC SC 27, and ISO/IEC 11770-4 has been revised as a result. We…
Taxonomy
Topics: Advanced Authentication Protocols Security · User Authentication and Security Systems · Cryptographic Implementations and Security
