Why are PAKE protocols not widely used?

Question

While there are plenty of PAKE protocols, especially those augmented ones which are practical in C/S model, actually they seem to be not widely used. Even TLS-Standardized SRP, the most popular one among them, I just know it's used in apple's iCloud. In addition, J-PAKE was used in Mozilla's synchronization but aborted for its weird usage.

So, Is there any situation or famous system in which PAKEs are widely used that I don't know? If no, why are they not used even when their patents are expired?

Note that why questions like this cannot be objectively answered, unless somebody performs some significant statistics (and where would they get significant input data)? So some subjectivity is to be expected at the very minimum. — Maarten Bodewes, Sep 19 '19 at 11:02
FYI, there is ongoing discussion at the IRTF CFRG as we type to choose a symmetric PAKE and an asymmetric PAKE for adoption in IETF protocols. — Squeamish Ossifrage, Sep 19 '19 at 15:42

score 5 · Answer 1 · answered Sep 19 '19 at 08:25

5

I see three main reasons why PAKEs are not widely used yet:

The lack of IETF standards. SRP has limitations discussed in the link @fgrieu posted above. Many PAKE protocols have been designed, but they lack a convincing security proof, or properties some applications may expect. This is being solved as we speak. The CFRG is currently having a selection process, existing PAKEs are being carefully reviewed, and the outcome will be a small set of recommendations for each use case.
The lack of implementations. Possibly due to the above.
The lack of awareness. Most people have never heard of PAKEs.

answered Sep 19 '19 at 08:25

Frank Denis

2,964
15
17

That last point is probably a huge contributor. We're still trying to convince people to not use MD5, let alone to use some PAKE. – Ella Rose Sep 19 '19 at 14:56
In my experience it's mostly the second point. All PAKE libraries we found out there are either experimental, discontinued or offer a naive implementation only (which is not protected against side-channel attacks etc.).
When it comes to the standards there are at least two RFCs: Dragonfly (widely deployed since it's used in WPA3) and J-PAKE (which is e.g. used by the German ID card).
– K. Biermann Oct 21 '19 at 13:26
@K.Biermann Could you give a source suggesting J-PAKE is actually used by the German ID card ? I found mention of "PACE" here, but nothing about J-PAKE. Plus, using J-PAKE with a constrained device seems a rather odd choice, since it is computationally heavier than alternative such as CPace (or any other balanced PAKE for that matter). – Faulst Jan 31 '20 at 13:10

Why are PAKE protocols not widely used?

1 Answers1