PAKE
also: Password-Authenticated Key Exchange, SRP, SPAKE2
PAKE (Password-Authenticated Key Exchange) is a cryptographic protocol that allows two parties to establish a secure shared secret using only a weak password, without transmitting the password itself.
PAKE enables secure authentication and encryption key derivation from a low-entropy password alone. Unlike traditional approaches where passwords are transmitted or hashed directly, PAKE ensures that an attacker who intercepts the exchange cannot perform offline dictionary attacks or recover the password, even with the captured protocol messages.
Common PAKE variants include SRP (Secure Remote Password) and SPAKE2. They work by having both parties perform cryptographic operations that bind the password to the key agreement, so the final shared key is only derivable by someone who knows the correct password.
Example use case: A user logs into a remote server over an untrusted network. Instead of sending the password, both client and server run a PAKE protocol. Even if an attacker captures all network traffic, they cannot feasibly guess the password through offline attacks because the protocol's mathematics requires knowledge of the actual password to compute the correct shared key.