Encrypted key exchange: password-based protocols secure against dictionary attacks
Citations
18 citations
Cites methods from "Encrypted key exchange: password-ba..."
...Following this approach, we have proved that four variants of EKE [9, 10] are resistant to off-line guessing attacks....
[...]
...(Password-based protocols such as EKE have attracted much attention in recent years, partly because of the difficulty of reasoning about them.)...
[...]
...Specifically, we use ProVerif for an infinite-state analysis of the important Encrypted Key Exchange (EKE) protocol [9, 10]....
[...]
18 citations
Cites background or methods from "Encrypted key exchange: password-ba..."
...Since Bellovin and Merritt [4] introduced the idea of PAKE, numerous PAKE protocols have been proposed....
[...]
...Password-only PAKE: Typical examples are the “encrypted key exchange” (EKE) protocols given by Bellovin and Merritt [4], where two parties, who share a password, exchange messages encrypted by the password, and establish a common secret key....
[...]
...Bellovin and Merritt [4] were the first to introduce password-based authenticated key exchange (PAKE), where two parties, based only on their knowledge of a password, establish a cryptographic key by exchange of messages....
[...]
18 citations
Cites methods from "Encrypted key exchange: password-ba..."
...The method in [11] also uses two heavyweight cryptographic techniques, password authenticated key exchange (PAKE) and homomorphic encryption (HE), leading to the computation inefficiency.... (Footnote 2: Various vulnerabilities (e.g., CVE-2014-0224 CCS injection vulnerability, CVE-2015-0204 FREAK, CVE-2016-0800 DROWN attack [10], and CVE-2016-2183 SWEET32 birthday attack) are known to be able to derive the sensitive data encrypted by SSL/TLS session key.)
[...]
...The solutions mentioned above suffer from performance degradation, because heavyweight cryptographic primitives (e.g., oblivious pseudorandom function [23], homomorphic encryption [24], and PAKE [25]) are used....
[...]
18 citations
Cites background or methods from "Encrypted key exchange: password-ba..."
...First, we recall in Section 2 the first seminal work in this area, namely the encrypted key exchange (EKE) protocol by Bellovin and Merritt [13], together with its main variants....
[...]
...The seminal work in the area of password-based key exchange is the encrypted key exchange (EKE) protocol of Bellovin and Merritt [13] (see Fig....
[...]
...The encrypted key exchange protocol [13]....
[...]
References
14,980 citations
"Encrypted key exchange: password-ba..." refers to background or methods in this paper
...ElGamal’s algorithm is derived from the Diffie-Hellman exponential key exchange protocol[2]; accordingly, we will review the latter first....
[...]
...And even this risk is minimal if B performs certain checks to guard against easily-solvable choices: that β is indeed prime, that it is large enough (and hence not susceptible to precalculation of tables), that β − 1 have at least one large prime factor (to guard against Pohlig and Hellman’s algorithm[13]), and that α is a primitive root of GF(β)....
[...]
...The use given above for asymmetric encryption — simply using it to pass a key for a symmetric encryption system — is an example of what Diffie and Hellman[2] call a public key distribution system....
[...]
...It works especially well with exponential key exchange [2]....
[...]
14,659 citations
"Encrypted key exchange: password-ba..." refers to methods in this paper
...Section 2 describes the asymmetric cryptosystem variant and implementations using RSA[3] and ElGamal[4]....
[...]
...We will use RSA[3] to illustrate the difficulties....
[...]
7,514 citations
2,351 citations
1,937 citations
"Encrypted key exchange: password-ba..." refers to background in this paper
...Can such a random odd number less than a known n be distinguished from a valid public key e? Assume that p and q are chosen to be of the form 2p′ + 1 and 2q′ + 1, where p′ and q′ are primes, a choice that is recommended for other reasons [9]....
[...]