PAKE (Password-Authenticated Key Exchange)
What is PAKE (Password-Authenticated Key Exchange)?
PAKE (Password-Authenticated Key Exchange)A class of cryptographic protocols (SRP, OPAQUE, SPAKE2, CPace) that let two parties derive a strong shared key from a low-entropy password without exposing the password to offline brute-force or to passive eavesdroppers.
Password-Authenticated Key Exchange (PAKE) protocols solve a long-standing problem: how to let a user prove possession of a password to a server, and derive an authenticated session key, without ever sending the password (or anything offline-brute-forceable from it) over the wire. The first widely deployed PAKE was SRP-6a (used by Apple iCloud, 1Password, ProtonMail). Modern designs include SPAKE2 (used in CHIP/Matter device commissioning, IETF RFC 9382), CPace (the IETF augmented PAKE recommended in RFC 9380), and OPAQUE (an asymmetric / augmented PAKE that hides the password from the server even during enrolment). PAKE properties matter: a passive attacker on the network learns nothing about the password; an active attacker can only attempt one password per online interaction (no offline grinding); and an attacker who breaches the server's password database cannot impersonate users without further work. The IETF CFRG selected CPace and OPAQUE in 2020 as recommended modern PAKE designs. Adoption is growing: Matter uses SPAKE2 for QR-code device pairing, WPA3 uses Dragonfly (a PAKE-like SAE handshake), and several password managers and identity products now ship OPAQUE.
● Examples
- 01
Matter (smart-home protocol) uses SPAKE2 with a setup code printed on the device's QR sticker to establish an authenticated channel during commissioning.
- 02
A password manager replaces 'hash and compare' login with OPAQUE so its server never learns the user's master password even at registration.
● Frequently asked questions
What is PAKE (Password-Authenticated Key Exchange)?
A class of cryptographic protocols (SRP, OPAQUE, SPAKE2, CPace) that let two parties derive a strong shared key from a low-entropy password without exposing the password to offline brute-force or to passive eavesdroppers. It belongs to the Cryptography category of cybersecurity.
What does PAKE (Password-Authenticated Key Exchange) mean?
A class of cryptographic protocols (SRP, OPAQUE, SPAKE2, CPace) that let two parties derive a strong shared key from a low-entropy password without exposing the password to offline brute-force or to passive eavesdroppers.
How does PAKE (Password-Authenticated Key Exchange) work?
Password-Authenticated Key Exchange (PAKE) protocols solve a long-standing problem: how to let a user prove possession of a password to a server, and derive an authenticated session key, without ever sending the password (or anything offline-brute-forceable from it) over the wire. The first widely deployed PAKE was SRP-6a (used by Apple iCloud, 1Password, ProtonMail). Modern designs include SPAKE2 (used in CHIP/Matter device commissioning, IETF RFC 9382), CPace (the IETF augmented PAKE recommended in RFC 9380), and OPAQUE (an asymmetric / augmented PAKE that hides the password from the server even during enrolment). PAKE properties matter: a passive attacker on the network learns nothing about the password; an active attacker can only attempt one password per online interaction (no offline grinding); and an attacker who breaches the server's password database cannot impersonate users without further work. The IETF CFRG selected CPace and OPAQUE in 2020 as recommended modern PAKE designs. Adoption is growing: Matter uses SPAKE2 for QR-code device pairing, WPA3 uses Dragonfly (a PAKE-like SAE handshake), and several password managers and identity products now ship OPAQUE.
How do you defend against PAKE (Password-Authenticated Key Exchange)?
Defences for PAKE (Password-Authenticated Key Exchange) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for PAKE (Password-Authenticated Key Exchange)?
Common alternative names include: Password-Authenticated Key Exchange, Augmented PAKE.
● Related terms
- cryptography№ 352
Diffie–Hellman Key Exchange
A public-key protocol that lets two parties derive a shared secret over an insecure channel without ever transmitting it, based on the difficulty of the discrete logarithm problem.
- identity-access№ 089
Authentication
The process of verifying that an entity — user, device or service — really is who or what it claims to be before granting access.
- identity-access№ 889
Passphrase
A long sequence of words or characters used as an authentication secret, typically chosen for high entropy and memorability rather than complexity.
- identity-access№ 890
Password
A secret string of characters that a user supplies to prove identity to a system, traditionally the dominant single-factor authentication mechanism.
- network-security№ 1381
WPA3
The third generation of Wi-Fi Protected Access, introducing SAE-based authentication, forward secrecy, and stronger protections for personal and enterprise Wi-Fi.
- attacks№ 396
Dragonblood
A family of side-channel and downgrade attacks against WPA3 SAE (Dragonfly) that can leak the Wi-Fi password to a nearby attacker.
● See also
- № 729Matter Protocol