- Each side of the exchange contributes entropy.
- Passive attackers cannot determine the shared key.
- Active attackers cannot perform a machine-in-the-middle attack.

- Because SPAKE's encryption method ensures that the result is a member of the underlying group, it can be used with elliptic curve cryptography, which is believed to provide equivalent security levels to finite-field DH key exchange at much smaller key sizes.
- It can compute the shared key after just one message from each party, minimizing the need for additional round trips and state.
- It requires a small number of group operations, and can therefore be implemented simply and efficiently.

- Calculation and exchange of the public key
- Calculation of the shared secret (K)
- Derivation of an encryption key (K')
- Verification of the derived encryption key (K')

- PA-SPAKE
- 151

- Determine the length of the multiplier octet string as defined in the IANA "Kerberos SPAKE Groups" registry created by this document.
- Compose a pepper string by concatenating the string "SPAKEsecret" and the group number as a big-endian four-byte two's complement binary number.
- Produce an octet string of the required length using PRF+(K, pepper), where K is the initial reply key and PRF+ is defined in Section 5.1 of .
- Convert the octet string to a multiplier scalar using the multiplier conversion method defined in the IANA "Kerberos SPAKE Groups" registry created by this document.

- The fixed string "SPAKEkey".
- The group number as a big-endian four-byte two's complement binary number.
- The encryption type of the initial reply key as a big-endian four-byte two's complement binary number.
- The PRF+ output used to compute the initial secret input w as specified in .
- The SPAKE result K, converted to an octet string as specified in .
- The transcript hash.
- The KDC-REQ-BODY encoding for the request being sent or responded to. Within a FAST channel, the inner KDC-REQ-BODY encoding MUST be used.
- The value n as a big-endian four-byte unsigned binary number.
- A single-byte block counter, with the initial value 0x01.
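
The following sketch is an added example, not code from this document or from any Kerberos implementation. It builds the "SPAKEsecret" pepper and assembles the key-derivation input from the fields listed above, in the order listed. It assumes the concatenation is fed to the group's registered hash function and that the hash is re-run with an incremented block counter until enough seed bytes exist; the function names, the `seed_len` parameter and all sample inputs are constructed for illustration.

```python
import hashlib
import struct

# Hash function for each group ID, as listed in the group registry entries.
GROUP_HASH = {1: hashlib.sha256, 2: hashlib.sha256,
              3: hashlib.sha384, 4: hashlib.sha512}


def be32_signed(value: int) -> bytes:
    """Big-endian four-byte two's complement encoding (negative IDs allowed)."""
    return struct.pack(">i", value)


def spake_pepper(group: int) -> bytes:
    """Pepper passed to PRF+(K, pepper): "SPAKEsecret" || group number."""
    return b"SPAKEsecret" + be32_signed(group)


def derive_seed(group, etype, w_bytes, k_bytes, thash, req_body, n, seed_len):
    """Hash the ordered fields, one block per counter value, to seed_len bytes."""
    prefix = b"".join([
        b"SPAKEkey",
        be32_signed(group),        # group number
        be32_signed(etype),        # enctype of the initial reply key
        w_bytes,                   # PRF+ output used to compute w
        k_bytes,                   # SPAKE result K as an octet string
        thash,                     # transcript hash
        req_body,                  # KDC-REQ-BODY encoding (inner one under FAST)
        struct.pack(">I", n),      # n is unsigned, unlike the two fields above
    ])
    digest = GROUP_HASH[group]
    out = b""
    counter = 0x01                 # single-byte block counter, initial value 0x01
    while len(out) < seed_len:
        if counter > 0xFF:
            raise ValueError("block counter does not fit in one byte")
        out += digest(prefix + bytes([counter])).digest()
        counter += 1
    return out[:seed_len]


# Constructed sample inputs: all-zero placeholders, not real protocol values.
SAMPLE = dict(group=1, etype=18, w_bytes=bytes(32), k_bytes=bytes(32),
              thash=bytes(32), req_body=b"\x30\x00")
```

Because every field except the pepper and prefix strings is fixed-width or comes from a fixed-length encoding, a change in any one of them (including n) yields an unrelated seed, which is what binds K'[n] to the specific request and transcript.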

- SF-NONE
- 1

- KEY_USAGE_SPAKE
- 65

Type | Value | Reference |
---|---|---|
PA-SPAKE | 151 | [this document] |

- ID Number:
- This is a value that uniquely identifies this entry. It is a signed integer in range -2147483648 to 2147483647, inclusive. Positive values must be assigned only for algorithms specified in accordance with these rules for use with Kerberos and related protocols. Negative values should be used for private and experimental algorithms only. Zero is reserved and must not be assigned. Values should be assigned in increasing order.
- Name:
- Brief, unique, human-readable name for this algorithm.
- Reference:
- URI or otherwise unique identifier for where the details of this algorithm can be found. It should be as specific as reasonably possible.

- ID Number:
- 1
- Name:
- SF-NONE
- Reference:
- [this document]

- ID Number:
- This is a value that uniquely identifies this entry. It is a signed integer in range -2147483648 to 2147483647, inclusive. Positive values must be assigned only for algorithms specified in accordance with these rules for use with Kerberos and related protocols. Negative values should be used for private and experimental use only. Zero is reserved and must not be assigned. Values should be assigned in increasing order.
- Name:
- Brief, unique, human-readable name for this entry.
- Specification:
- Reference to the definition of the group parameters and operations.
- Serialization:
- Reference to the definition of the method used to serialize and deserialize group elements.
- Multiplier Length:
- The length of the input octet string to multiplication operations.
- Multiplier Conversion:
- Reference to the definition of the method used to convert an octet string to a multiplier scalar.
- SPAKE M Constant:
- The serialized value of the SPAKE M constant in hexadecimal notation.
- SPAKE N Constant:
- The serialized value of the SPAKE N constant in hexadecimal notation.
- Hash Function:
- The group's associated hash function.

- ID Number:
- 1
- Name:
- edwards25519
- Specification:
- Section 4.1 of (edwards25519)
- Serialization:
- Section 3.1 of
- Multiplier Length:
- 32
- Multiplier Conversion:
- Section 3.1 of
- SPAKE M Constant:
- d048032c6ea0b6d697ddc2e86bda85a33adac920f1bf18e1b0c6d166a5cecdaf
- SPAKE N Constant:
- d3bfb518f44f3430f29d0c92af503865a1ed3281dc69b35dd868ba85f886c4ab
- Hash function:
- SHA-256 ( )

- ID Number:
- 2
- Name:
- P-256
- Specification:
- Section 2.4.2 of
- Serialization:
- Section 2.3.3 of (compressed format)
- Multiplier Length:
- 32
- Multiplier Conversion:
- Section 2.3.8 of
- SPAKE M Constant:
- 02886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa12f
- SPAKE N Constant:
- 03d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4f98baa1292b49
- Hash function:
- SHA-256 ( )

- ID Number:
- 3
- Name:
- P-384
- Specification:
- Section 2.5.1 of
- Serialization:
- Section 2.3.3 of (compressed format)
- Multiplier Length:
- 48
- Multiplier Conversion:
- Section 2.3.8 of
- SPAKE M Constant:
- 030ff0895ae5ebf6187080a82d82b42e2765e3b2f8749c7e05eba366434b363d3dc36f15314739074d2eb8613fceec2853
- SPAKE N Constant:
- 02c72cf2e390853a1c1c4ad816a62fd15824f56078918f43f922ca21518f9c543bb252c5490214cf9aa3f0baab4b665c10
- Hash function:
- SHA-384 ( )

- ID Number:
- 4
- Name:
- P-521
- Specification:
- Section 2.6.1 of
- Serialization:
- Section 2.3.3 of (compressed format)
- Multiplier Length:
- 48
- Multiplier Conversion:
- Section 2.3.8 of
- SPAKE M Constant:
- 02003f06f38131b2ba2600791e82488e8d20ab889af753a41806c5db18d37d85608cfae06b82e4a72cd744c719193562a653ea1f119eef9356907edc9b56979962d7aa
- SPAKE N Constant:
- 0200c7924b9ec017f3094562894336a53c50167ba8c5963876880542bc669e494b2532d76c5b53dfb349fdf69154b9e0048c58a42e8ed04cef052a3bc349d95575cd25
- Hash function:
- SHA-512 ( )

- For group 1 M: edwards25519 point generation seed (M)
- For group 1 N: edwards25519 point generation seed (N)
- For group 2 M: 1.2.840.10045.3.1.7 point generation seed (M)
- For group 2 N: 1.2.840.10045.3.1.7 point generation seed (N)
- For group 3 M: 1.3.132.0.34 point generation seed (M)
- For group 3 N: 1.3.132.0.34 point generation seed (N)
- For group 4 M: 1.3.132.0.35 point generation seed (M)
- For group 4 N: 1.3.132.0.35 point generation seed (N)

- The key is the string-to-key of "password" with the salt "ATHENA.MIT.EDUraeburn" for the designated initial reply key encryption type.
- x and y were chosen randomly within the order of the designated group, then multiplied by the cofactor.
- The SPAKESupport message contains only the designated group's number.
- The SPAKEChallenge message offers only the SF-NONE second factor type.
- The KDC-REQ-BODY message contains no KDC options, the client principal name "raeburn@ATHENA.MIT.EDU", the server principal name "krbtgt/ATHENA.MIT.EDU", the realm "ATHENA.MIT.EDU", the till field "19700101000000Z", the nonce zero, and an etype list containing only the designated encryption type.