Understanding ISO/IEC 11770-4:2018 — Key Management Mechanisms Based on Weak Secrets

A comprehensive technical guide to implementing password-based and weak-secret key establishment protocols

Scope and Introduction

ISO/IEC 11770-4:2018, also adopted as CAN/CSA-ISO/IEC 11770-4:18, defines key management mechanisms that derive cryptographic keys from weak secrets—such as human-memorable passwords or PINs. Unlike strong secrets (e.g., long random keys), weak secrets have low entropy and are vulnerable to offline dictionary attacks. The standard specifies protocols for password-authenticated key exchange (PAKE) and key establishment that resist such attacks while remaining practical for real-world deployment.

The scope covers two primary classes of mechanisms:

  • Balanced mechanisms: Both parties share the same weak secret (symmetric password).
  • Augmented mechanisms: One party holds a verifier derived from the weak secret, protecting the other party even if the server is compromised.

The standard applies to any environment where a shared secret of low entropy must be used to establish a secure session key, including web authentication, IoT device pairing, and remote access.

Tip: ISO/IEC 11770-4:2018 is independent of specific cryptographic primitives; implementers may choose underlying functions (hash, block cipher, etc.) as long as the required security properties are met.

Technical Requirements and Mechanisms

Mechanism Classes

The standard defines four mechanism families, each designed for different trust models and security targets:

  • Mechanism 1 — Balanced PAKE (Encrypted Key Exchange variant): Uses symmetric encryption under the weak secret to mutually authenticate and produce a shared session key.
  • Mechanism 2 — Augmented PAKE (verifier-based): Stores only a one-way verifier on one side (e.g., server); prevents offline dictionary attacks even if the verifier database leaks.
  • Mechanism 3 — Key agreement with password confirmation: A simpler approach using the weak secret to authenticate a Diffie-Hellman exchange.
  • Mechanism 4 — Hybrid mechanisms combining symmetric and asymmetric techniques: For scenarios with additional public-key infrastructure.

Summary of supported mechanisms and their properties

| Mechanism | Type | Entropy source | Key confirmation | Resists server compromise |
| --- | --- | --- | --- | --- |
| 1 — Balanced (EKE) | Balanced | Symmetric weak secret | Yes | No |
| 2 — Augmented (Verifier) | Augmented | Verifier (derived) | Yes | Yes (passwords remain safe) |
| 3 — Password-confirmed DH | Balanced / Augmented | Weak secret + ephemeral | Optional | Depends on variant |
| 4 — Hybrid (PKI + password) | Augmented | Weak secret + certificate | Yes | Yes |

Security Requirements

The standard mandates that implementations must:

  • Prevent offline dictionary attacks: The protocol must ensure that an eavesdropper or active attacker cannot test password guesses without interacting with the legitimate party.
  • Provide explicit key confirmation (when required): Each party must prove knowledge of the session key before considering the exchange complete.
  • Protect against partitioning attacks: Messages must be constructed so that an attacker cannot reduce the set of possible passwords.
  • Use fresh random nonces/ephemerals for each session to guarantee forward secrecy.

Warning: Implementers must ensure that the underlying cryptographic primitives (hash, encryption, MAC) are chosen carefully. Many early PAKE proposals were found vulnerable due to poor choices (e.g., textbook RSA for EKE). Always refer to the latest security analysis in the standard’s bibliography.

Implementation Highlights

When integrating ISO/IEC 11770-4:2018 into a product, developers should focus on the following aspects:

Protocol Negotiation

The standard is parametric: it defines a framework rather than a single fixed protocol. Implementations must specify the exact mechanism, underlying primitives (e.g., AES-128 for encryption, SHA-256 for hashing), and protocol message flows in a companion specification.

Error Handling and Timing

To avoid side-channel leakage, error messages during authentication must not reveal whether the password or the key confirmation failed. Use constant-time comparisons for secrets and add random delays if needed.
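The explicit key confirmation required above and the constant-time, uniform-error check described in this section, as an added example that is not from the standard or from any reference implementation. It assumes the shared secret has already been produced by one of the mechanisms (out of scope here), that SHA-256 is the negotiated hash, and that the transcript is the concatenation of the exchanged messages:

```python
import hashlib
import hmac

HASH = hashlib.sha256  # assumption: SHA-256 is the negotiated hash function


def derive_keys(shared_secret: bytes, transcript: bytes) -> dict:
    """Extract-then-expand (HKDF style) into one session key and two
    direction-separated confirmation keys, all bound to the transcript."""
    prk = hmac.new(b"demo-extract-salt", shared_secret, HASH).digest()

    def expand(label: bytes) -> bytes:
        return hmac.new(prk, label + transcript, HASH).digest()

    return {
        "session": expand(b"session-key"),
        "confirm_a": expand(b"confirm-A-to-B"),
        "confirm_b": expand(b"confirm-B-to-A"),
    }


def confirmation_tag(confirm_key: bytes, transcript: bytes) -> bytes:
    """Proof of key knowledge; separate keys per direction stop a tag
    from simply being reflected back to whoever sent it."""
    return hmac.new(confirm_key, transcript, HASH).digest()


def verify_tag(expected: bytes, received: bytes) -> bool:
    """Constant-time comparison, so no early-exit timing leak."""
    return hmac.compare_digest(expected, received)


def confirm_session(secret_a: bytes, secret_b: bytes, transcript: bytes):
    """Simulate both parties' confirmation round. Returns the session key on
    success, otherwise None: the caller learns only that the exchange failed,
    not which side's tag was wrong (the uniform error the text calls for)."""
    keys_a = derive_keys(secret_a, transcript)   # A's view of the exchange
    keys_b = derive_keys(secret_b, transcript)   # B's view of the exchange
    tag_a = confirmation_tag(keys_a["confirm_a"], transcript)  # sent A -> B
    tag_b = confirmation_tag(keys_b["confirm_b"], transcript)  # sent B -> A
    # Each side recomputes the peer's tag with its own keys and compares.
    b_accepts = verify_tag(confirmation_tag(keys_b["confirm_a"], transcript), tag_a)
    a_accepts = verify_tag(confirmation_tag(keys_a["confirm_b"], transcript), tag_b)
    # Both checks run unconditionally before the single decision point.
    if not (a_accepts and b_accepts):
        return None
    return keys_a["session"]
```

The random delays mentioned in the text are a deployment choice and are not shown; in a real run each party holds only its own shared secret and verifies only the peer's tag.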

Performance Considerations

Balanced PAKE mechanisms (Mechanism 1) typically require fewer exponentiations than augmented ones. However, augmented mechanisms are strongly recommended when one party (e.g., a server) may face database compromise. The overhead is usually acceptable for interactive sessions (a few milliseconds to hundreds of milliseconds on modern hardware).

Success: Standard-conformant PAKE is now deployed in major protocols such as OPAQUE (which aligns with Augmented PAKE) and is part of IETF RFC 9383. ISO/IEC 11770-4:2018 provides the foundational framework for such secure password-based authentication.

Compliance and Certification Notes

For organizations seeking to claim conformance with ISO/IEC 11770-4:2018 (or its Canadian adoption CAN/CSA-ISO/IEC 11770-4:18), the following points should be considered:

  • Self-declaration vs. third-party testing: The standard does not mandate certification, but many procurement frameworks (e.g., FIPS, Common Criteria) may reference it. Independent testing laboratories can validate protocol correctness and resistance to known attacks.
  • Mapping to other standards: Part 4 is part of the ISO/IEC 11770 family (Key management). It is used together with Part 2 (symmetric mechanisms) and Part 3 (asymmetric mechanisms). Compliance with the key management lifecycle described in ISO/IEC 11770-1 is also recommended.
  • Regional adoptions: The Canadian version (CAN/CSA-ISO/IEC 11770-4:18) is identical to the international edition. European (EN) and other national adoptions maintain the same technical content. Check local requirements for mandatory use.

Important: Do not confuse ISO/IEC 11770-4:2018 with older versions (e.g., the 2006 edition). The 2018 revision resolves several known attacks and adds new mechanism options. Always use the latest edition for new implementations.

Regulatory bodies in finance, healthcare, and government increasingly mandate strong mutual authentication based on passwords. Adhering to ISO/IEC 11770-4:2018 helps meet security assurance levels while avoiding patent-encumbered proprietary solutions.

Frequently Asked Questions

Q: What is the difference between balanced and augmented PAKE?

A: In a balanced PAKE, both parties share the same weak secret (password). If the server is compromised, the attacker learns all passwords. In an augmented PAKE, the server stores only a one-way verifier; an attacker who steals the verifier still cannot impersonate clients without conducting an online attack. Augmented PAKE is strongly recommended for client-server deployments.

Q: Is ISO/IEC 11770-4:2018 compatible with protocols like SRP or OPAQUE?

A: The standard is mechanism-based and does not prescribe specific protocol names. However, mechanisms 2 and 4 are generally aligned with the design of secure augmented PAKEs such as OPAQUE (IETF RFC 9492). SRP (Secure Remote Password) is conceptually similar but predates the 2018 version; implementers should verify that their chosen SRP variant meets the security requirements of the standard.

Q: Can I use ISO/IEC 11770-4:2018 for authentication in IoT devices?

A: Yes. The standard is well-suited for IoT environments where devices have limited entropy (e.g., a PIN printed on a device). Balanced PAKE with low computational overhead can be used. However, care must be taken to choose aggressive timeouts and handle lockout policies offline if internet connectivity is not always available.

Q: How does conformance testing work for this standard?

A: The standard itself does not provide test vectors. Conformance is usually demonstrated by specifying the exact mechanism and primitives in a security policy, then performing protocol verification (e.g., using formal methods) and running penetration tests against dictionary attacks. Third-party labs such as those accredited under ISO/IEC 17025 may perform these evaluations.

Published: 2026 — For more information on CAN/CSA-ISO/IEC 11770-4:18, contact the Standards Council of Canada or your national standardization body.