Information security — Key management — Part 7: Cross-domain password-based authenticated key exchange

This document specifies mechanisms for cross-domain password-based authenticated key exchange, all of which are four-party password-based authenticated key exchange (4PAKE) protocols. Such protocols let two communicating entities establish a shared session key using just the login passwords that they share with their respective domain authentication servers. The authentication servers, assumed to be part of a standard public key infrastructure (PKI), act as ephemeral certification authorities (CAs) that certify key materials that the users can subsequently use to exchange and agree on as a session key. This document does not specify the means to be used to establish a shared password between an entity and its corresponding domain server. This document also does not define the implementation of a PKI and the means for two distinct domain servers to exchange or verify their respective public key certificates.


STANDARD 11770-7
First edition
Information security — Key management — Part 7: Cross-domain password-based authenticated key exchange
Reference number ISO/IEC 11770-7:2021(E)
ISO/IEC 2021

ISO/IEC 11770-7:2021(E)

© ISO/IEC 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Published in Switzerland
Contents

Foreword .... iv
Introduction .... v
1 Scope .... 1
2 Normative references .... 1
3 Terms and definitions .... 1
4 Symbols and abbreviated terms .... 3
4.1 Abbreviated terms .... 3
4.2 Symbols .... 4
5 Requirements .... 6
6 Mechanisms .... 6
6.1 General .... 6
6.2 Sub-protocols and functions .... 7
6.2.1 General .... 7
6.2.2 Two-party password-based authenticated key exchange .... 7
6.2.3 Two-party asymmetric-key authenticated key exchange .... 8
6.2.4 Two-party symmetric-key authenticated key exchange .... 9
6.2.5 Two-party non-interactive key exchange .... 10
6.2.6 Session identity function .... 10
6.3 Mechanism 1 .... 11
6.3.1 General .... 11
6.3.2 Prior shared parameters .... 11
6.3.3 Key exchange operation .... 11
6.4 Mechanism 2 .... 14
6.4.1 General .... 14
6.4.2 Prior shared parameters .... 14
6.4.3 Key exchange operation .... 15
6.5 Mechanism 3 .... 17
6.5.1 General .... 17
6.5.2 Prior shared parameters .... 18
6.5.3 Key exchange operation .... 18
Annex A (normative) Object identifiers .... 22
Annex B (normative) Conversion functions .... 23
Bibliography .... 26
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent declarations received (see http://patents.iec.ch).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Information security, cybersecurity and privacy protection.

A list of all parts in the ISO/IEC 11770 series can be found on the ISO website.

Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction

In a security domain, two entities can authenticate each other and establish a shared session key to
protect their communication. This authentication is typically based on pre-established information,
such as a shared password or symmetric key or possession of each other’s public key certificates. In
a cross-domain communication, two entities assigned to two distinct security domains may not have
suitable pre-established authentication information. However, they can still establish a shared session
key by using the authentication information that each entity shares with its own domain server and
relying on the domain servers themselves to authenticate each other.
Practical cross-domain communication scenarios include email communication, mobile phone
communication, and instant messaging. In these cases, communications need to be protected against
both passive and active attackers. In these scenarios, each entity is typically registered with a domain-
specific server, such as an email exchange server (for email communications) or a home location register
(for mobile phone communications). Moreover, the two communicating entities from different domains
typically neither share a password or a symmetric key nor possess each other’s public key certificate.
An authenticated key exchange (AKE) mechanism enables two entities to establish a shared session
key based on their pre-established authentication information. A password-based AKE mechanism
is based on two entities pre-sharing a password. Similarly, a symmetric key or an asymmetric key
based AKE mechanism is based on two entities pre-sharing a secret key or possessing each other’s
public key certificate (and a trusted means to verify a certificate). In this document, these three types
of mechanisms are referred to as two-party password-based authenticated key exchange (2PAKE)
protocols, two-party symmetric key based authenticated key exchange (2SAKE) protocols and two-
party asymmetric key based authenticated key exchange (2AAKE) protocols, respectively. 2PAKE
protocols are specified in ISO/IEC 11770-4, 2SAKE protocols are specified in ISO/IEC 11770-2 and
2AAKE protocols are specified in ISO/IEC 11770-3. All the mechanisms specified in ISO/IEC 11770-1,
ISO/IEC 11770-2 and ISO/IEC 11770-3 are appropriate for use in a single security domain. For example,
the mechanisms specified in ISO/IEC 11770-4 are used in authenticated key exchange applications,
where two players, usually referred to as a server and a client, are in the same security domain.
This document (i.e. ISO/IEC 11770-7) specifies cross-domain password-based authenticated key
exchange mechanisms. Such mechanisms enable a user from one domain to establish a session key
shared with another user from a different domain through their respective domain servers, and the
only pre-established authentication information that each user has is a password shared with their
domain server.
More specifically, each mechanism specified in this document involves four parties in two security
domains, in which each user and server pair are in the same domain. This type of mechanism is referred
to as a four-party password-based authenticated key exchange (4PAKE) protocol. This document
contains a framework for designing such 4PAKE protocols using a compositional approach. That is, a
4PAKE protocol can be implemented based on two building blocks:
a) a 2PAKE protocol;
b) a 2SAKE protocol or a 2AAKE protocol.
This document also specifies several mechanisms for such 4PAKE protocols. The 2PAKE, 2SAKE
and 2AAKE protocols used to implement such 4PAKE protocols are chosen from ISO/IEC 11770-4,
ISO/IEC 11770-2 and ISO/IEC 11770-3 respectively.
The hash functions and key derivation functions used in the mechanisms specified in this document
are specified in ISO/IEC 10118-3 and ISO/IEC 11770-6, respectively.
The conversion functions in Annex B used in the mechanisms specified in this document are specified in ISO/IEC JTC 1/SC 27 WG 2 SD 7.
Information security — Key management —
Part 7:
Cross-domain password-based authenticated key exchange
1 Scope
This document specifies mechanisms for cross-domain password-based authenticated key exchange, all
of which are four-party password-based authenticated key exchange (4PAKE) protocols. Such protocols
let two communicating entities establish a shared session key using just the login passwords that they
share with their respective domain authentication servers. The authentication servers, assumed to be
part of a standard public key infrastructure (PKI), act as ephemeral certification authorities (CAs) that
certify key materials that the users can subsequently use to exchange and agree on as a session key.
This document does not specify the means to be used to establish a shared password between an entity
and its corresponding domain server. This document also does not define the implementation of a
PKI and the means for two distinct domain servers to exchange or verify their respective public key certificates.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 11770-2, IT Security techniques — Key management — Part 2: Mechanisms using symmetric techniques
ISO/IEC 11770-3, Information technology — Security techniques — Key management — Part 3:
Mechanisms using asymmetric techniques
ISO/IEC 11770-4, Information technology — Security techniques — Key management — Part 4:
Mechanisms based on weak secrets
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 11770-4 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
asymmetric key pair
pair of related keys where the private key defines the private transformation and the public key defines the public transformation
[SOURCE: ISO/IEC 11770-3:2015, 3.3]
3.2
asymmetric-key authenticated key exchange
process of establishing one or more shared secret keys between two entities using asymmetric-key techniques such that neither of them can predetermine the values of the shared secret keys
3.3
certification authority
entity trusted to create and assign public key certificates (3.9)
[SOURCE: ISO/IEC 11770-1:2010, 2.3]
3.4
cross-domain password-based authenticated key exchange
process of establishing one or more shared secret keys between two entities associated with two distinct security domains (3.10) using each entity's prior domain-specific password-based information such that neither of the entities can predetermine the values of the shared secret keys
3.5
distinguishing identifier
information which unambiguously distinguishes an entity
[SOURCE: ISO/IEC 11770-1:2010, 2.9]
3.6
key derivation function
function which takes as input a number of parameters, at least one of which is secret, and which gives as output keys appropriate for the intended algorithm(s) and applications
[SOURCE: ISO/IEC 11770-2:2018, 3.6, modified — Note 1 to entry has been removed.]
3.7
key establishment
process of making available a shared key to one or more entities, where the process includes key agreement or key transport
[SOURCE: ISO/IEC 11770-3:2015, 3.23]
3.8
non-interactive key exchange
process of establishing one or more shared secret keys between two entities in a non-interactive manner with mutual implicit key authentication
3.9
public key certificate
public key information of an entity signed by the certification authority (3.3)
[SOURCE: ISO/IEC 11770-1:2010, 2.37]
3.10
security domain
set of elements, security policy, security authority and set of security-relevant activities in which the set of elements are subject to the security policy for the specified activities, and the security policy is administered by the security authority for the security domain
[SOURCE: ISO/IEC 11770-1:2010, 2.43]
3.11
signature
data unit appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to verify the origin and integrity of the data unit and protect the sender and the recipient of the data unit against forgery by third parties, and the sender against forgery by the recipient
[SOURCE: ISO/IEC 11770-3:2015, 3.7, modified — the word "digital" has been removed from the term.]
3.12
symmetric key
key used with symmetric cryptographic techniques and usable only by a set of specified entities
3.13
symmetric-key authenticated key exchange
process of establishing one or more shared secret keys between two entities using symmetric-key (3.12) techniques such that neither of the entities can predetermine the values of the shared secret keys
4 Symbols and abbreviated terms
4.1 Abbreviated terms
2AAKE two-party asymmetric-key authenticated key exchange
2NIKE two-party non-interactive key exchange protocol
2PAKE two-party password-based authenticated key exchange
2SAKE two-party symmetric-key authenticated key exchange
4PAKE four-party password-based authenticated key exchange
BS2I function that converts a bit string into an integer
BS2OS function that converts a bit string to an octet string
CA certification authority
FE2I function that converts a field element to an integer
FE2OS function that converts a field element to an octet string
GE2OS function that converts a group element with x-coordinate to an octet string
I2BS function that converts an integer to a bit string
I2OS function that converts an integer to an octet string
KD key derivation function
MAC message authentication code
MAX maximum value function
MIN minimum value function
PKI public key infrastructure
Param_2AAKE 2AAKE prior shared system parameters
Param_2NIKE 2NIKE prior shared system parameters
Param_2SAKE 2SAKE prior shared system parameters
Param_2PAKE 2PAKE prior shared system parameters
SIF session identity generation function
4.2 Symbols
A, B distinguishing clients' identities, including their respective domain names, represented as octet strings
AK_{X,Y} symmetric authentication key shared between X and Y
aKG authentication public/private key pair generation function
aKV authentication public key validation function
apk_X entity X's authentication public key
ask_X entity X's authentication private key corresponding to apk_X
c_X ciphertext generated from a symmetric encryption function by entity X
DEC(K, c) symmetric decryption function taking a secret key K and a ciphertext c as input and giving as output a message m or a decryption failure symbol "⊥"
DL discrete logarithm setting
EC elliptic curve setting
ENC(K, m) symmetric encryption function taking a secret key K and a variable-length message m as input and giving a ciphertext c as output, e.g. by using one of the symmetric encryption systems specified in ISO/IEC 18033-3 [9] and ISO/IEC 18033-4 [10]
EK_{X,Y} symmetric encryption key shared between X and Y
eKG ephemeral public/private key pair generation function
eKV ephemeral public key validation function
epk_X entity X's ephemeral public key
esk_X entity X's ephemeral private key corresponding to epk_X
GE group element under either the discrete logarithm or the elliptic curve setting
H hash-function taking an octet string as input and giving a bit string as output, e.g. one of the dedicated hash-functions specified in ISO/IEC 10118-3
h_X entity X's private key agreement key corresponding to p_X
K_{X,Y} symmetric key shared between two entities X and Y
MAC(K, m) MAC function taking a symmetric key K and a variable-length message m as input and giving a fixed-length cryptographic checksum μ as output, e.g. by using one of the MAC algorithms specified in ISO/IEC 9797-2
MAX(x, y) maximum value function taking two integers x and y as input and giving the maximum value between x and y as output
MIN(x, y) minimum value function taking two integers x and y as input and giving the minimum value between x and y as output
MiX step i performed by entity X in a mechanism
p_X entity X's public key agreement key
pwd_{S,C} password shared between a domain server S and a domain client C
S_A, S_B distinguishing identities of the domain servers of clients A and B, respectively, represented as octet strings
SI group setting index
sid session identity that uniquely identifies the session
SK_X entity X's private signature key corresponding to VK_X
sn session id contribution from entity A
TK 2SAKE symmetric authentication key
ts timestamp specifying a start time and an end time
VK_X entity X's public verification key
μ_X cryptographic checksum generated from a MAC function by entity X
Σ digital signature system
σ_X digital signature generated from Σ.SIG by entity X
Σ.SIG(SK_X, m) private signature transformation function taking entity X's private signature key SK_X and a variable-length message m as input and giving a digital signature σ as output, e.g. by using one of the digital signature systems specified in ISO/IEC 9796 (all parts) [2] and ISO/IEC 14888 (all parts) [8]
Σ.VER(VK_X, m, σ) public signature verification function taking entity X's public verification key VK_X, a variable-length message m and a digital signature σ as input, and giving a single bit output: 0 (invalid) or 1 (valid)
X||Y result of the concatenation of octet strings X and Y in the order specified. In cases where the result of concatenating two or more octet strings is input to a cryptographic function as part of one of the mechanisms specified in this document, this result shall be composed so that it can be uniquely resolved into its constituent octet strings, i.e. so that there is no possibility of ambiguity in interpretation. This latter property can be achieved in a variety of different ways, depending on the application. For example, it can be guaranteed by a) fixing the length of each of the octet strings throughout the domain of use of the mechanism, or b) encoding the sequence of concatenated octet strings using a method that guarantees unique decoding, e.g. using the distinguished encoding rules defined in ISO/IEC 8825-1.
|y| bit length of a binary string y
⌈x⌉ ceiling function taking a real number x as input and giving the least integer greater than or equal to x as output
⌊x⌋ floor function taking a real number x as input and giving the greatest integer less than or equal to x as output
0 point at infinity on an elliptic curve E
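The unique-decodability requirement placed on X||Y above, as an added worked example that is not part of the standard: it implements both option a) (fixed field lengths checked before concatenation) and option b) (length-prefixed encoding built from I2OS), and shows with a constructed pair of inputs that naive concatenation of variable-length fields collides under H while the length-prefixed form does not. It assumes 2-octet length prefixes and uses SHA-256 as a stand-in for H; the function names are the example's own.

```python
import hashlib

LEN_OCTETS = 2  # assumption: no field exceeds 65535 octets


def i2os(x: int, length: int) -> bytes:
    """I2OS: integer to big-endian octet string of a fixed length."""
    if x < 0 or x >= 256 ** length:
        raise ValueError("integer does not fit in %d octets" % length)
    return x.to_bytes(length, "big")


def os2i(s: bytes) -> int:
    """Inverse of i2os."""
    return int.from_bytes(s, "big")


def naive_concat(*fields: bytes) -> bytes:
    """Plain X||Y||...: NOT uniquely decodable when field lengths vary."""
    return b"".join(fields)


def fixed_length_concat(fields, lengths) -> bytes:
    """Option a): every field has a length fixed for the domain of use,
    so the receiver can split the result by position. Reject anything else."""
    if len(fields) != len(lengths):
        raise ValueError("field/length count mismatch")
    for f, n in zip(fields, lengths):
        if len(f) != n:
            raise ValueError("field of length %d where %d expected" % (len(f), n))
    return b"".join(fields)


def encode_fields(*fields: bytes) -> bytes:
    """Option b): length-prefix each field (I2OS(len) || field) so the
    concatenation can be parsed back unambiguously."""
    return b"".join(i2os(len(f), LEN_OCTETS) + f for f in fields)


def decode_fields(data: bytes) -> list:
    """Parse encode_fields output, rejecting truncated input."""
    fields, i = [], 0
    while i < len(data):
        if i + LEN_OCTETS > len(data):
            raise ValueError("truncated length prefix")
        n = os2i(data[i:i + LEN_OCTETS])
        i += LEN_OCTETS
        if i + n > len(data):
            raise ValueError("truncated field")
        fields.append(data[i:i + n])
        i += n
    return fields


def h(m: bytes) -> bytes:
    """Stand-in for H: SHA-256 (one of the ISO/IEC 10118-3 hash-functions)."""
    return hashlib.sha256(m).digest()


def demo():
    # Constructed sample inputs: two different field sequences (an identity
    # followed by two values) whose naive concatenation is byte-identical.
    seq1 = (b"alice@domain-a.example", b"x", b"yz")
    seq2 = (b"alice@domain-a.example", b"xy", b"z")
    naive_collides = h(naive_concat(*seq1)) == h(naive_concat(*seq2))
    encoded_differs = h(encode_fields(*seq1)) != h(encode_fields(*seq2))
    roundtrip_ok = decode_fields(encode_fields(*seq1)) == list(seq1)
    return naive_collides, encoded_differs, roundtrip_ok
```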
5 Requirements
Each security domain shall have a trusted domain server acting as an authentication server governing
a group of entities. Each entity within the domain shall share a password with the server. The entity
shall possess a copy of its server’s credential, such as a public key certificate and the means to verify
it, in order to verify messages generated by the server. However, it is not necessary for the server
credential to be distributed in advance. In practice, the servers can distribute their credentials to the
entities within their respective domains during the execution of a cross-domain key exchange protocol
as specified in this document.
Further, a domain server shall make its public key available to other domain servers in the form of a
public key certificate. That is, each domain server shall have access to the authenticated credentials of
other domain servers. However, there is no interaction between domain servers during a protocol run.
The 4PAKE protocols specified in this document shall make use of currently available secure two-party
key exchange protocols, including:
— 2PAKE protocols as specified in ISO/IEC 11770-4;
— 2AAKE protocols as specified in ISO/IEC 11770-3;
— 2SAKE protocols as specified in ISO/IEC 11770-2;
— 2NIKE protocols as specified in ISO/IEC 11770-3.
NOTE Further information about these protocols can be found in References [12], [15] (for 2PAKE) and [13]
(for 2AAKE and 2SAKE).
In addition, Annex A lists the object identifiers which shall be used to identify the mechanisms specified
in this document.
6 Mechanisms
6.1 General
This clause specifies three cross-domain password-based authenticated key exchange mechanisms.
The key exchange mechanisms specified in 6.3 to 6.5 require that:
a) each domain client involved shares a password-based weak secret with its domain server;
b) each domain server involved shall possess an asymmetric key pair.
For the key exchange mechanisms specified in 6.3 and 6.4, each domain server involved possesses a
private signature key and the corresponding public verification key of a digital signature system.
For the key exchange mechanism specified in 6.5, each domain server involved possesses a pair of
private and public key agreement keys for a two-party non-interactive key exchange protocol.
All three cross-domain password-based authenticated key exchange mechanisms have the following
initialization and key establishment processes.
Initialization process
a) The two involved domain servers acquire each other's public key and agree to provide authentication
tokens to assist their respective domain clients in establishing a shared secret key.
b) Each involved domain client and its respective domain server agree to use a shared password,
which is known only to them, and a two-party password-based authenticated key exchange
(2PAKE) protocol to perform intra-domain client-server authentication and key exchange. Each
domain server also makes its public key available to all its domain clients.
c) The two involved clients and their respective domain servers agree to use a two-party
authenticated key exchange protocol, which is either symmetric or asymmetric key based, to
perform authenticated key exchange between the two clients.
A domain server can deliver its public key to other entities using one of the public key transport
mechanisms specified in ISO/IEC 11770-3. To prevent potential attacks, it is recommended to use public
key transport mechanism 3 specified in ISO/IEC 11770-3:2015, which uses digital certificates issued
by trusted certification authorities (i.e. a public key infrastructure) to bind together the identity and
public key of a domain server.
Key establishment process
a) Initial information exchange: both the involved domain clients generate an ephemeral public key
according to the agreed two-party symmetric-key or asymmetric-key authenticated key exchange
(2SAKE or 2AAKE) protocol. The two clients then exchange their user identities and ephemeral
public keys, and validate the received public key from the peer client according to the agreed 2SAKE
or 2AAKE protocol. If any validat

