Editing Encrypted key exchange

[[File:EKE scheme.svg|thumb|upright=1.5|DH-EKE scheme]]
'''Encrypted Key Exchange''' (also known as '''EKE''') is a family of [[password-authenticated key agreement]] methods described by [[Steven M. Bellovin]] and Michael Merritt.<ref>{{cite conference|author=S. M. Bellovin|author2=M. Merritt|title=Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks|book-title=Proceedings of the I.E.E.E. Symposium on Research in Security and Privacy, Oakland|date=May 1992|url=https://www.cs.columbia.edu/~smb/papers/neke.pdf}}</ref> Although several of the forms of EKE in this paper were later found to be flawed {{clarify|date=December 2011}}, the surviving, refined, and enhanced forms of EKE effectively make this the first method to amplify a shared [[password]] into a shared key, where the [[shared key]] may subsequently be used to provide a [[zero-knowledge password proof]] or other functions.

In the most general form of EKE, at least one party encrypts an ephemeral (one-time) public key using a password, and sends it to a second party, who decrypts it and uses it to negotiate a shared key with the first party.

A second paper describes Augmented-EKE,<ref>{{cite conference|author=S. M. Bellovin|author2=M. Merritt|title=Augmented Encrypted Key Exchange: A Password-Based Protocol Secure Against Dictionary Attacks and Password File Compromise|book-title=Proceedings of the 1st ACM Conference on Computer and Communications Security|pages =244–250|publisher=ACM Press|date=November 1993| url = https://www.cs.columbia.edu/~smb/papers/aeke.pdf}}</ref> and introduced the concept of '''augmented''' [[password-authenticated key agreement]] for client/server scenarios.  Augmented methods have the added goal of ensuring that password verification data stolen from a server cannot be used by an attacker to masquerade as the client, unless the attacker first determines the password (e.g. by performing a brute force attack on the stolen data).

A version of EKE based on [[Diffie–Hellman key exchange|Diffie–Hellman]], known as DH-EKE, has survived attack and has led to improved variations, such as the PAK family of methods in [[IEEE P1363|IEEE P1363.2]].

Since the [[US patent]] on EKE expired in late 2011, an [[Extensible Authentication Protocol|EAP]] authentication method using EKE was published as an IETF RFC.<ref>{{citation|author1=Y. Sheffer|author2=G. Zorn|author3=H. Tschofenig|author4=S. Fluhrer|title=An EAP Authentication Method Based on the Encrypted Key Exchange (EKE) Protocol.|date=February 2011|url=http://tools.ietf.org/html/rfc6124}}</ref> The EAP method uses the [[Diffie–Hellman key exchange|Diffie–Hellman]] variant of EKE.

==Patents==
{{US patent|5241599}}, owned by [[Lucent]], describes the initial EKE method. It expired in October 2011.<br />
{{US patent|5440635}}, owned by [[Lucent]], describes the augmented EKE method. It expired in August 2013.

==See also==
* [[Password-authenticated key agreement]]

==References==
{{reflist}}


{{Cryptography navbox | public-key}}

[[Category:Cryptographic protocols]]
[[Category:Key-agreement protocols]]