Encrypted key exchange: password-based protocols secure against dictionary attacks

doi:10.1109/RISP.1992.213269

Home
/
Papers
/
Encrypted key exchange: password-based protocols secure against dictionary attacks

Proceedings Article•DOI•

Encrypted key exchange: password-based protocols secure against dictionary attacks

Steven M. Bellovin¹, Michael Merritt¹•Institutions (1)

Bell Labs¹

04 May 1992-pp 72-84

TL;DR: A combination of asymmetric (public-key) and symmetric (secret- key) cryptography that allow two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced.

read less

Abstract: Classic cryptographic protocols based on user-chosen keys allow an attacker to mount password-guessing attacks. A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allow two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced. In particular, a protocol relying on the counter-intuitive motion of using a secret key to encrypt a public key is presented. Such protocols are secure against active attacks, and have the property that the password is protected against offline dictionary attacks. >

...read moreread less

Content maybe subject to copyright Report

Citations

PDF

Open Access

More filters

Automated Verification of Selected Equivalences for Security Protocols

[...]

Bruno Blanchet¹, Martín Abadi², Cédric Fournet³•Institutions (3)

Max Planck Society¹, University of California, Santa Cruz², Microsoft³

01 Jan 2005

TL;DR: This work focuses on proving equivalences P/spl ap/Q in which P and Q are two processes that differ only in the choice of some terms, and shows how to treat them as predicates on the behaviors of a process that represents P andQ at the same time.

...read moreread less

Abstract: In the analysis of security protocols, methods and tools for reasoning about protocol behaviors have been quite effective. We aim to expand the scope of those methods and tools. We focus on proving equivalences P ≈ Q in which P and Q are two processes that differ only in the choice of some terms. These equivalences arise often in applications. We show how to treat them as predicates on the behaviors of a process that represents P and Q at the same time. We develop our techniques in the context of the applied pi calculus and implement them in the tool ProVerif.

...read moreread less

18 citations

Cites methods from "Encrypted key exchange: password-ba..."

...Following this approach, we have proved that four variants of EKE [9, 10] are resistant to off-line guessing attacks....
[...]
...(Password-based protocols such as EKE have attracted much attention in recent years, partly because of the difficulty of reasoning about them.)...
[...]
...Specifically, we use ProVerif for an infinite-state analysis of the important Encrypted Key Exchange (EKE) protocol [9, 10]....
[...]

Journal Article•DOI•

ID2S Password-Authenticated Key Exchange Protocols

[...]

Xun Yi¹, Fang-Yu Rao², Zahir Tari¹, Feng Hao³, Elisa Bertino², Ibrahim Khalil¹, Albert Y. Zomaya⁴ - Show less +3 more•Institutions (4)

RMIT University¹, Purdue University², Newcastle University³, University of Sydney⁴

01 Dec 2016-IEEE Transactions on Computers

TL;DR: Two compilers are presented that transform any two-party PAke protocol to a two-server PAKE protocol on the basis of the identity-based cryptography, called ID2SPAKE protocol, which can be proven to be secure without random oracles.

...read moreread less

Abstract: In a two-server password-authenticated key exchange (PAKE) protocol, a client splits its password and stores two shares of its password in the two servers, respectively, and the two servers then cooperate to authenticate the client without knowing the password of the client. In case one server is compromised by an adversary, the password of the client is required to remain secure. In this paper, we present two compilers that transform any two-party PAKE protocol to a two-server PAKE protocol on the basis of the identity-based cryptography, called ID2S PAKE protocol. By the compilers, we can construct ID2S PAKE protocols which achieve implicit authentication. As long as the underlying two-party PAKE protocol and identity-based encryption or signature scheme have provable security without random oracles, the ID2S PAKE protocols constructed by the compilers can be proven to be secure without random oracles. Compared with the Katz et al.'s two-server PAKE protocol with provable security without random oracles, our ID2S PAKE protocol can save from 22 to 66 percent of computation in each server.

...read moreread less

18 citations

Cites background or methods from "Encrypted key exchange: password-ba..."

...Since Bellovin and Merritt [4] introduced the idea of PAKE, numerous PAKE protocols have been proposed....
[...]
...Password-only PAKE: Typical examples are the “encrypted key exchange” (EKE) protocols given by Bellovin and Merritt [4], where two parties, who share a password, exchange messages encrypted by the password, and establish a common secret key....
[...]
...Password-only PAKE: Typical examples are the “encrypted key exchange” (EKE) protocols given by Bellovin and Merritt [4], where two parties, who share a pass-...
[...]
...Bellovin and Merritt [4] were the first to introduce password-based authenticated key exchange (PAKE), where two parties, based only on their knowledge of a password, establish a cryptographic key by exchange of messages....
[...]

Journal Article•DOI•

LEVER: Secure Deduplicated Cloud Storage With Encrypted Two-Party Interactions in Cyber--Physical Systems

[...]

Zahra Pooranian¹, Mohammad Shojafar², Sahil Garg³, Rahim Taheri⁴, Rahim Tafazolli² - Show less +1 more•Institutions (4)

The Turing Institute¹, University of Surrey², École de technologie supérieure³, Shiraz University of Technology⁴

01 Aug 2021-IEEE Transactions on Industrial Informatics

TL;DR: A message lock encryption with neVer-decrypt homomorphic encRyption (LEVER) protocol between the uploading CCPS user and cloud storage to reconcile the encryption and data deduplication is proposed.

...read moreread less

Abstract: Cloud envisioned cyber--physical systems (CCPS) is a practical technology that relies on the interaction among cyber elements like mobile users to transfer data in cloud computing. In CCPS, cloud storage applies data deduplication techniques aiming to save data storage and bandwidth for real-time services. In this infrastructure, data deduplication eliminates duplicate data to increase the performance of the CCPS application. However, it incurs security threats and privacy risks. For example, the encryption from independent users with different keys is not compatible with data deduplication. In this area, several types of research have been done. Nevertheless, they are suffering from a lack of security, high performance, and applicability. Motivated by this, in this article, we propose a message lock encryption with neVer-decrypt homomorphic encRyption (LEVER) protocol between the uploading CCPS user and cloud storage to reconcile the encryption and data deduplication. Interestingly, LEVER is the first brute-force resilient encrypted deduplication with only cryptographic two-party interactions. We perform several numerical analysis of LEVER and confirm that it provides high performance and practicality compared to the literature.

...read moreread less

18 citations

Cites methods from "Encrypted key exchange: password-ba..."

..., oblivious pseudorandom function [23], homomorphic encryption [24], and PAKE [25]) are used....
[...]
...The method in [11] also uses 2Various vulnerabilities (e.g., CVE-2014-0224 CCS injection vulnerability, CVE-2015-0204 FREAK, CVE-2016-0800 DROWN attack [10], and CVE2016-2183 SWEET32 birthday attack) are known to be able to derive the sensitive data encrypted by SSL/TLS session key. two heavyweight cryptographic techniques, password authenticated key exchange (PAKE) and homomorphic encryption (HE), leading to the computation inefficiency....
[...]
...The solutions mentioned above suffer from performance degradation, because of heavyweight cryptographic primitives (e.g., oblivious pseudorandom function [23], homomorphic encryption [24], and PAKE [25]) are used....
[...]

Book Chapter•DOI•

Distributed CA-based PKI for Mobile Ad Hoc Networks Using Elliptic Curve Cryptography

[...]

Charikleia Zouridaki¹, Brian L. Mark¹, Kris Gaj¹, Roshan K. Thomas²•Institutions (2)

George Mason University¹, McAfee²

25 Jun 2004

TL;DR: This work proposes a practical distributed CA-based PKI scheme for MANETs based on Elliptic Curve Cryptography (ECC) that is resistant to a wide range of security attacks and can scale easily to networks of large size.

...read moreread less

Abstract: The implementation of a standard PKI in a mobile ad hoc network (MANET) is not practical for several reasons: (1) lack of a fixed infrastructure; (2) a centralized certification authority (CA) represents a single point of failure in the network; (3) the relative locations and logical assignments of nodes vary in time; (4) nodes often have limited transmission and computational power, storage, and battery life. We propose a practical distributed CA-based PKI scheme for MANETs based on Elliptic Curve Cryptography (ECC) that overcomes these challenges. In this scheme, a relatively small number of mobile CA servers provide distributed service for the mobile nodes. The key elements of our approach include the use of threshold cryptography, cluster-based key management with mobile CA servers, and ECC. We show that the proposed scheme is resistant to a wide range of security attacks and can scale easily to networks of large size.

...read moreread less

18 citations

Book Chapter•DOI•

Password-Based Authenticated Key Exchange: An Overview

[...]

Michel Abdalla¹•Institutions (1)

École Normale Supérieure¹

09 Oct 2014

TL;DR: This survey considers the problem of designing authenticated key exchange protocols in the password-based setting and discusses the different security goals that one can consider as well as different ways of realizing these goals.

...read moreread less

Abstract: Password-based authenticated key exchange (PAKE) protocols are a particular case of authenticated key exchange protocols in which the secret key or password used for authentication is not uniformly distributed over a large space, but rather chosen from a small set of possible values (a four-digit pin, for example) Since PAKE protocols rely on short and easily memorizable secrets, they also seem more convenient to use as they do not require an additional cryptographic devices capable of storing high-entropy secret keys In this survey, we consider the problem of designing authenticated key exchange protocols in the password-based setting In particular, we discuss the different security goals that one can consider as well as different ways of realizing these goals Finally, we recall some of the most recent results in the area and discuss some of the issues regarding the implementation of these protocols

...read moreread less

18 citations

Cites background or methods from "Encrypted key exchange: password-ba..."

...First, we recall in Section 2 the first seminal work in this area, namely the encrypted key exchange (EKE) protocol by Bellovin and Merritt [13], together with its main variants....
[...]
...The seminal work in the area of password-based key exchange is the encrypted key exchange (EKE) protocol of Bellovin and Merritt [13] (see Fig....
[...]
...The encrypted key exchange protocol [13]....
[...]

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
…
98
99
100
101
102
103
104
…
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200

Collapse

References

PDF

Open Access

More filters

Journal Article•DOI•

New Directions in Cryptography

[...]

Whitfield Diffie¹, Martin E. Hellman¹•Institutions (1)

Stanford University¹

01 Nov 1976-IEEE Transactions on Information Theory

TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.

...read moreread less

Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.

...read moreread less

14,980 citations

"Encrypted key exchange: password-ba..." refers background or methods in this paper

...ElGamal’s algorithm is derived from the DiffieHellman exponential key exchange protocol[2]; accordingly, we will review the latter first....
[...]
...And even this risk is minimal if B performs certain checks to guard against easily-solvable choices: that β is indeed prime, that it is large enough (and hence not susceptible to precalculation of tables), that β − 1 have at least one large prime factor (to guard against Pohlig and Hellman’s algorithm[13]), and that α is a primitive root of GF (β)....
[...]
...The use given above for asymmetric encryption — simply using it to pass a key for a symmetric encryption system — is an example of what Diffie and Hellman[2] call a public key distribution system....
[...]
...It works especially well with exponential key exchange [2]....
[...]

Journal Article•DOI•

A method for obtaining digital signatures and public-key cryptosystems

[...]

Ronald L. Rivest¹, Adi Shamir¹, Leonard M. Adleman¹•Institutions (1)

Massachusetts Institute of Technology¹

01 Feb 1978-Communications of The ACM

TL;DR: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key.

...read moreread less

Abstract: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: (1) Couriers or other secure means are not needed to transmit keys, since a message can be enciphered using an encryption key publicly revealed by the intented recipient. Only he can decipher the message, since only he knows the corresponding decryption key. (2) A message can be “signed” using a privately held decryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in “electronic mail” and “electronic funds transfer” systems. A message is encrypted by representing it as a number M, raising M to a publicly specified power e, and then taking the remainder when the result is divided by the publicly specified product, n, of two large secret primer numbers p and q. Decryption is similar; only a different, secret, power d is used, where e * d ≡ 1(mod (p - 1) * (q - 1)). The security of the system rests in part on the difficulty of factoring the published divisor, n.

...read moreread less

14,659 citations

"Encrypted key exchange: password-ba..." refers methods in this paper

...Section 2 describes the asymmetric cryptosystem variant and implementations using RSA[ 3 ] and ElGamal[4]....
[...]
...We will use RSA[ 3 ] to illustrate the difficulties....
[...]

Journal Article•DOI•

A public key cryptosystem and a signature scheme based on discrete logarithms

[...]

Taher Elgamal¹•Institutions (1)

Hewlett-Packard¹

23 Aug 1985

TL;DR: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem that relies on the difficulty of computing discrete logarithms over finite fields.

...read moreread less

Abstract: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

...read moreread less

7,514 citations

Book Chapter•DOI•

A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms

[...]

Taher Elgamal¹•Institutions (1)

Hewlett-Packard¹

19 Aug 1984

TL;DR: In this article, a new signature scheme is proposed together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem and the security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

...read moreread less

Abstract: A new signature scheme is proposed together with an implementation of the Diffie - Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

...read moreread less

2,351 citations

Book•

Cryptography and data security

[...]

Dorothy E. Denning¹•Institutions (1)

Purdue University¹

01 Jan 1982

TL;DR: The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks.

...read moreread less

Abstract: From the Preface (See Front Matter for full Preface) Electronic computers have evolved from exiguous experimental enterprises in the 1940s to prolific practical data processing systems in the 1980s. As we have come to rely on these systems to process and store data, we have also come to wonder about their ability to protect valuable data. Data security is the science and study of methods of protecting data in computer and communication systems from unauthorized disclosure and modification. The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks. The book is for students and professionals seeking an introduction to these principles. There are many references for those who would like to study specific topics further. Data security has evolved rapidly since 1975. We have seen exciting developments in cryptography: public-key encryption, digital signatures, the Data Encryption Standard (DES), key safeguarding schemes, and key distribution protocols. We have developed techniques for verifying that programs do not leak confidential data, or transmit classified data to users with lower security clearances. We have found new controls for protecting data in statistical databases--and new methods of attacking these databases. We have come to a better understanding of the theoretical and practical limitations to security.

...read moreread less

1,937 citations

"Encrypted key exchange: password-ba..." refers background in this paper

...Can such a random odd number less than a known n be distinguished from a valid public key e? Assume that p and q are chosen to be of the form 2p′ + 1 and 2q′ + 1, where p′ and q′ are primes, a choice that is recommended for other reasons [9]....
[...]