Password-Authenticated Key Exchange
A whole range of protocols rather robust against dictionary attacks has appeared. The list includes Protocol EKE (31), Encrypted Key Exchange, defined in [34], Protocol EKE2 (32), a second Encrypted Key Exchange, defined in [30], Protocol SPEKE (33), defined in [91], and Augmented-EKE, Protocol A-EKE (34), which has been described in [35] and further discussed in [176].
Protocol SRP (35), the SRP Authentication and Key Exchange System, is defined in [208].
Each of these protocols, Protocol EKE, Protocol EKE2, Protocol SPEKE, Protocol A-EKE, and Protocol SRP should provide Authentication and Secrecy (G1,2,12). (Depending on the version they also provide Key Agreement).
Background and motivation for these protocols is as follows. To send a password in the clear, or a static function of it, is obviously insecure: an attacker can replay this information. The idea behind so-called challenge-response techniques is that challenges are never reused and that the response depends both on the password and on the challenge. Thus responses can not be replayed. Nevertheless many password based challenge-response protocols are vulnerable to dictionary attacks. This occurs when an attacker captures the messages exchanged during a legitimate run of the protocol and uses that information to verify a series of guessed passwords taken from a precompiled dictionary of common passwords. This works because users often choose simple, easy-to-remember passwords, which invariably are also easy to guess.