- Each side of the exchange contributes entropy.
- Passive attackers cannot determine the shared key.
- Active attackers cannot perform a machine-in-the-middle attack.

- SPAKE's encryption method ensures that the result is a member of the underlying group, so it can be used with elliptic curve cryptography, which is believed to provide equivalent security levels to finite-field DH key exchange at much smaller key sizes.
- It can compute the shared key after just one message from each party, minimizing the need for additional round trips and state.
- It requires a small number of group operations; therefore, it can be implemented simply and efficiently.

- Calculation and exchange of the public key
- Calculation of the shared secret (K)
- Derivation of an encryption key (K')
- Verification of the derived encryption key (K')

- to fit within the framework of
, - to ensure negotiation integrity using a transcript hash,
- to derive different keys for each use, and
- to bind the KDC-REQ-BODY to the pre-authentication exchange.

- PA-SPAKE
- 151

- Determine the length of the multiplier octet string as defined in
the "Kerberos SPAKE Groups" registry (see
). - Compose a pepper string by concatenating the string "SPAKEsecret" and the group number as a big-endian four-byte two's complement binary number.
- Produce an octet string of the required length using PRF+(K,
pepper), where K is the initial reply key and PRF+ is as defined in
. - Convert the octet string to a multiplier scalar using the
multiplier conversion method defined in the "Kerberos SPAKE
Groups" registry (see
).

- updated with the concatenation of the client's support message and the KDC's challenge, then
- updated a second time with the client's pubkey value.

- The fixed string "SPAKEkey".
- The group number as a big-endian four-byte two's complement binary number.
- The encryption type of the initial reply key as a big-endian four-byte two's complement binary number.
- The PRF+ output used to compute the initial secret input w (as specified in
). - The SPAKE result K, converted to an octet string (as specified in
). - The transcript hash.
- The KDC-REQ-BODY encoding for the request being sent or responded
to. Within a FAST channel, the inner KDC-REQ-BODY encoding
MUST be used. - The value n as a big-endian, four-byte, and unsigned binary number.
- A single-byte block counter with the initial value 0x01.

- SF-NONE
- 1

- KEY_USAGE_SPAKE
- 65

Type | Value | Reference |
---|---|---|

PA-SPAKE | 151 | RFC 9588 |

- ID Number:
- A value that uniquely identifies this entry. It is a signed integer in the range -2147483648 to 2147483647, inclusive. Positive values must be assigned only for algorithms specified in accordance with these rules for use with Kerberos and related protocols. Negative values should be used for private and experimental algorithms only. Zero is reserved and must not be assigned. Values should be assigned in increasing order.
- Name:
- A brief, unique, human-readable name for this algorithm.
- Reference:
- A URI or otherwise unique identifier for where the details of this algorithm can be found. It should be as specific as reasonably possible.

- ID Number:
- 0
- Name:
- Reserved
- Reference:
- RFC 9588

- ID Number:
- 1
- Name:
- SF-NONE
- Reference:
- RFC 9588

- ID Number:
- A value that uniquely identifies this entry. It is a signed integer in the range -2147483648 to 2147483647, inclusive. Positive values must be assigned only for algorithms specified in accordance with these rules for use with Kerberos and related protocols. Negative values should be used for private and experimental use only. Zero is reserved and must not be assigned. Values should be assigned in increasing order.
- Name:
- A brief, unique, human-readable name for this entry.
- Specification:
- A reference to the definition of the group parameters and operations.
- Serialization:
- A reference to the definition of the method used to serialize and deserialize group elements.
- Multiplier Length:
- The length of the input octet string to multiplication operations.
- Multiplier Conversion:
- A reference to the definition of the method used to convert an octet string to a multiplier scalar.
- SPAKE M Constant:
- The serialized value of the SPAKE M constant in hexadecimal notation.
- SPAKE N Constant:
- The serialized value of the SPAKE N constant in hexadecimal notation.
- Hash Function:
- The group's associated hash function.

- ID Number:
- 1
- Name:
- edwards25519
- Specification:
(edwards25519) - Serialization:
- Multiplier Length:
- 32
- Multiplier Conversion:
- SPAKE M Constant:
- d048032c6ea0b6d697ddc2e86bda85a33adac920f1bf18e1b0c6d166a5cecdaf
- SPAKE N Constant:
- d3bfb518f44f3430f29d0c92af503865a1ed3281dc69b35dd868ba85f886c4ab
- Hash function:
- SHA-256

- ID Number:
- 2
- Name:
- P-256
- Specification:
- Section 2.4.2 of
- Serialization:
- Section 2.3.3 of
(compressed format) - Multiplier Length:
- 32
- Multiplier Conversion:
- Section 2.3.8 of
- SPAKE M Constant:
- 02886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa12f
- SPAKE N Constant:
- 03d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4f98baa1292b49
- Hash function:
- SHA-256

- ID Number:
- 3
- Name:
- P-384
- Specification:
- Section 2.5.1 of
- Serialization:
- Section 2.3.3 of
(compressed format) - Multiplier Length:
- 48
- Multiplier Conversion:
- Section 2.3.8 of
- SPAKE M Constant:
- 030ff0895ae5ebf6187080a82d82b42e2765e3b2f8749c7e05eba366434b363d3dc36f15314739074d2eb8613fceec2853
- SPAKE N Constant:
- 02c72cf2e390853a1c1c4ad816a62fd15824f56078918f43f922ca21518f9c543bb252c5490214cf9aa3f0baab4b665c10
- Hash function:
- SHA-384

- ID Number:
- 4
- Name:
- P-521
- Specification:
- Section 2.6.1 of
- Serialization:
- Section 2.3.3 of
(compressed format) - Multiplier Length:
- 48
- Multiplier Conversion:
- Section 2.3.8 of
- SPAKE M Constant:
- 02003f06f38131b2ba2600791e82488e8d20ab889af753a41806c5db18d37d85608cfae06b82e4a72cd744c719193562a653ea1f119eef9356907edc9b56979962d7aa
- SPAKE N Constant:
- 0200c7924b9ec017f3094562894336a53c50167ba8c5963876880542bc669e494b2532d76c5b53dfb349fdf69154b9e0048c58a42e8ed04cef052a3bc349d95575cd25
- Hash function:
- SHA-512

- For group 1 M: edwards25519 point generation seed (M)
- For group 1 N: edwards25519 point generation seed (N)
- For group 2 M: 1.2.840.10045.3.1.7 point generation seed (M)
- For group 2 N: 1.2.840.10045.3.1.7 point generation seed (N)
- For group 3 M: 1.3.132.0.34 point generation seed (M)
- For group 3 N: 1.3.132.0.34 point generation seed (N)
- For group 4 M: 1.3.132.0.35 point generation seed (M)
- For group 4 N: 1.3.132.0.35 point generation seed (N)

- The key is the string-to-key of "password" with the salt "ATHENA.MIT.EDUraeburn" for the designated initial reply key encryption type.
- x and y were chosen randomly within the order of the designated group, then multiplied by the cofactor.
- The SPAKESupport message contains only the designated group's number.
- The SPAKEChallenge message offers only the SF-NONE second-factor type.
- The KDC-REQ-BODY message does not contain KDC options, but does contain the client principal name "raeburn@ATHENA.MIT.EDU", the server principal name "krbtgt/ATHENA.MIT.EDU", the realm "ATHENA.MIT.EDU", the till field "19700101000000Z", the nonce zero, and an etype list containing only the designated encryption type.