Paper 2017/562

Making Password Authenticated Key Exchange Suitable For Resource-Constrained Industrial Control Devices

Björn Haase and Benoît Labrique


Connectivity becomes increasingly important also for small embedded systems such as typically found in industrial control installations. More and more use-cases require secure remote user access increasingly incorporating handheld based human machine interfaces, using wireless links such as Bluetooth. Correspondingly secure operator authentication becomes of utmost importance. Unfortunately, often passwords with all their well-known pitfalls remain the only practical mechanism. We present an assessment of the security requirements for the industrial setting, illustrating that offline attacks on passwords-based authentication protocols should be considered a significant threat. Correspondingly use of a Password Authenticated Key Exchange protocol becomes desirable. We review the signif-icant challenges faced for implementations on resource-constrained devices. We explore the design space and shown how we succeeded in tailoring a partic-ular variant of the Password Authenticated Connection Establishment (PACE) protocol, such that acceptable user interface responsiveness was reached even for the constrained setting of an ARM Cortex-M0+ based Bluetooth low-energy transceiver running from a power budget of 1.5 mW without notable energy buffers for covering power peak transients.

Available format(s)
Publication info
A minor revision of an IACR publication in Ches 2017
PAKEARM Cortex-M0Curve25519ECDHPACECurve25519ECDH key-exchangeelliptic-curve cryptographyEmbedded DevicesElligatorProcess IndustryBluetoothCurve19119X19119Bluetooth low energy
Contact author(s)
bjoern haase @ conducta endress com
2017-06-14: received
Short URL
Creative Commons Attribution


      author = {Björn Haase and Benoît Labrique},
      title = {Making Password Authenticated Key Exchange Suitable For Resource-Constrained Industrial Control Devices},
      howpublished = {Cryptology ePrint Archive, Paper 2017/562},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.