Reverse Online Guessing Attacks on PAKE Protocols

TL;DR

This paper reveals a new class of reverse online guessing attacks on PAKE protocols, highlighting vulnerabilities when server authentication relies solely on passwords, and suggests stronger server authentication measures.

Contribution

It introduces the concept of reverse guessing attacks on PAKE protocols and analyzes their effectiveness and implications for protocol security.

Findings

Reverse guessing attacks are effective against password-only server authentication.

Existing defenses against traditional guessing are ineffective against reverse guessing.

Stronger server authentication measures are recommended to mitigate these attacks.

Abstract

Though not yet widely deployed, password-authenticated key exchange (PAKE) protocols have been the subject of several recent standardization efforts, partly because of their resistance against various guessing attacks, but also because they do not require a public-key infrastructure (PKI), making them naturally resistant against PKI failures. The goal of this paper is to reevaluate the PAKE model by noting that the absence of a PKI -- or, more generally, of a mechanism aside from the password for authenticating the server -- makes such protocols vulnerable to reverse online guessing attacks, in which an adversary attempts to validate password guesses by impersonating a server. While their logic is similar to traditional guessing, where the attacker impersonates a client, reverse guessing poses a unique risk because the burden of detection is shifted to the clients, rendering existing defenses against traditional guessing moot. Our results demonstrate that reverse guessing is particularly effective when an adversary attacks clients indiscriminately, such as in phishing or password-spraying attacks, or for applications with automated login processes or a universal password, such as WPA3-SAE. Our analysis suggests that stakeholders should, by default, authenticate the server using more stringent measures than just the user's password, and that a password-only mode of operation should be a last resort against catastrophic security failures when other authentication mechanisms are not available.