Though not yet widely deployed, password-authenticated key exchange (PAKE) protocols have been the subject of several recent standardization efforts, partly because of their resistance against various guessing attacks, but also because they do not require a public-key infrastructure (PKI), making them naturally resistant against PKI failures. The goal of this paper is to reevaluate the PAKE model by noting that the absence of a PKI -- or, more generally, of a mechanism aside from the password for authenticating the server -- makes such protocols vulnerable to reverse online guessing attacks, in which an adversary attempts to validate password guesses by impersonating a server. While their logic is similar to traditional guessing, where the attacker impersonates a client, reverse guessing poses a unique risk because the burden of detection is shifted to the clients, rendering existing defenses against traditional guessing moot. Our results demonstrate that reverse guessing is particularly effective when an adversary attacks clients indiscriminately, such as in phishing or password-spraying attacks, or for applications with automated login processes or a universal password, such as WPA3-SAE. Our analysis suggests that stakeholders should, by default, authenticate the server using more stringent measures than just the user's password, and that a password-only mode of operation should be a last resort against catastrophic security failures when other authentication mechanisms are not available.

翻译：尽管尚未广泛部署，密码认证密钥交换（PAKE）协议已成为近期多项标准化工作的主题，部分原因在于其能抵抗各类猜测攻击，同时也因其无需公钥基础设施（PKI），天然具备抵抗PKI失效的能力。本文旨在通过指出以下事实重新评估PAKE模型：缺乏PKI——或更广义地说，缺乏除密码之外的服务器认证机制——会使此类协议易受反向在线猜测攻击。在此类攻击中，攻击者通过冒充服务器来验证密码猜测。虽然其逻辑与传统猜测攻击（攻击者冒充客户端）相似，但反向猜测构成独特风险，因为检测责任转移至客户端，使得现有针对传统猜测的防御措施失效。我们的研究结果表明，当攻击者无差别攻击客户端时（例如钓鱼攻击或密码喷洒攻击），或针对具有自动化登录流程或通用密码的应用（如WPA3-SAE），反向猜测攻击尤为有效。我们的分析表明，相关方默认应采用比用户密码更严格的措施认证服务器，而纯密码操作模式应仅作为其他认证机制不可用时的最后应急手段。