scispace - formally typeset
Search or ask a question
Proceedings ArticleDOI

Encrypted key exchange: password-based protocols secure against dictionary attacks

04 May 1992-pp 72-84
TL;DR: A combination of asymmetric (public-key) and symmetric (secret- key) cryptography that allow two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced.
Abstract: Classic cryptographic protocols based on user-chosen keys allow an attacker to mount password-guessing attacks. A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allow two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced. In particular, a protocol relying on the counter-intuitive motion of using a secret key to encrypt a public key is presented. Such protocols are secure against active attacks, and have the property that the password is protected against offline dictionary attacks. >

Content maybe subject to copyright    Report

Citations
More filters
Journal ArticleDOI
Feng Hao1
TL;DR: This paper critically analyze several authenticated key agreement protocols and uncover various theoretical and practical flaws and presents two new attacks on the Hashed Menezes-Qu-Vanstone HMQV protocol, which is currently being standardized by IEEE P1363.
Abstract: This paper discusses public key-authenticated key agreement protocols. First, we critically analyze several authenticated key agreement protocols and uncover various theoretical and practical flaws. In particular, we present two new attacks on the Hashed Menezes-Qu-Vanstone HMQV protocol, which is currently being standardized by IEEE P1363. These attacks suggest the caution one should take when interpreting theoretical results from a formal model. We further point out that many of the protocol failures in the past are caused by sidestepping an important engineering principle, namely, "Do not assume that a message you receive has a particular form such as gr for known r unless you can check this." Constructions in the past generally resisted this principle on the grounds of efficiency: checking the knowledge of the exponent is commonly seen as too expensive. In a concrete example, we demonstrate how to effectively integrate the zero-knowledge proof primitive into the protocol design and, meanwhile, achieve good efficiency. Our new key agreement protocol, YAK, has comparable computational efficiency to the MQV and HMQV protocols with clear advantages on security. Among all the related techniques, our protocol appears to be the simplest so far. We believe simplicity is also an important engineering principle. Copyright © 2012 John Wiley & Sons, Ltd.

17 citations


Cites background from "Encrypted key exchange: password-ba..."

  • ...However, this trick has limited pratical signifiicance and is not used in for example [3], [4]....

    [...]

Proceedings ArticleDOI
22 Jun 2010
TL;DR: An improved anti-phishing protocol is proposed that provides several security attributes including mutual authentication, forward secrecy, known session key security, no key control, Key confirmation, and resilience to Denning-Sacco while it provides better efficiency when compared with the APA protocol.
Abstract: The phishing as an online identity theft is one of the fastest growing crimes in the Internet. Several counter-measures are proposed through the years, one of them is the Anti-phishing Authentication (APA) protocol that is based on SPEKE which is a Password Authenticated Key Exchange (PAKE) protocol. In this paper, it is shown that the APA protocol is vulnerable to password compromise impersonation, ephemeral key compromise impersonation and malicious server attacks. An improved anti-phishing protocol is also proposed that provides several security attributes including mutual authentication, forward secrecy, known session key security, no key control, Key confirmation, and resilience to Denning-Sacco, password compromise impersonation, Unknown Key Share (UKS), off-line dictionary, undetectable online dictionary, ephemeral key compromise impersonation, Key Compromise Impersonation (KCI), eavesdropping, message loss, message modification, message insertion and message replay attacks while it provides better efficiency when compared with the APA protocol.

17 citations


Cites background from "Encrypted key exchange: password-ba..."

  • ...In 1992, Bellovin and Merritt exhibited for the first time how the human memorable passwords can be used to establish a strong cryptographic key [6]....

    [...]

Book ChapterDOI
14 Dec 2008
TL;DR: This paper defines a new formal security model of 3-party PAKE which is stronger than the previous model and captures all known desirable security requirements of3- party PAKE, like resistance to key-compromise impersonation, to leakage of ephemeral private keys of servers and to undetectable on-line dictionary attack.
Abstract: In ACNS'06, Cliff et al. proposed the password-based server aided key exchange (PSAKE) as one of password-based authenticated key exchanges in the three-party setting (3-party PAKE) in which two clients with different passwords exchange a session key by the help of their corresponding server. Though they also studied a strong security definition of 3-party PAKE, their security model is not strong enough because there are desirable security properties which cannot be captured. In this paper, we define a new formal security model of 3-party PAKE which is stronger than the previous model. Our model captures all known desirable security requirements of 3-party PAKE, like resistance to key-compromise impersonation, to leakage of ephemeral private keys of servers and to undetectable on-line dictionary attack. Also, we propose a new scheme as an improvement of PSAKE with the optimal number of rounds for a client, which is secure in the sense of our model.

17 citations

Journal ArticleDOI
TL;DR: The analysis of protocols of Tan, Lim et al., Chen et al. and five protocols of Holbl et al found that they are insecure against the impersonation attack and the man-in-the-middle attack, Chen et [email protected]?s protocol cannot withstand the key-compromise impersonation attacked.

17 citations

References
More filters
Journal ArticleDOI
TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.

14,980 citations


"Encrypted key exchange: password-ba..." refers background or methods in this paper

  • ...ElGamal’s algorithm is derived from the DiffieHellman exponential key exchange protocol[2]; accordingly, we will review the latter first....

    [...]

  • ...And even this risk is minimal if B performs certain checks to guard against easily-solvable choices: that β is indeed prime, that it is large enough (and hence not susceptible to precalculation of tables), that β − 1 have at least one large prime factor (to guard against Pohlig and Hellman’s algorithm[13]), and that α is a primitive root of GF (β)....

    [...]

  • ...The use given above for asymmetric encryption — simply using it to pass a key for a symmetric encryption system — is an example of what Diffie and Hellman[2] call a public key distribution system....

    [...]

  • ...It works especially well with exponential key exchange [2]....

    [...]

Journal ArticleDOI
TL;DR: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key.
Abstract: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: (1) Couriers or other secure means are not needed to transmit keys, since a message can be enciphered using an encryption key publicly revealed by the intented recipient. Only he can decipher the message, since only he knows the corresponding decryption key. (2) A message can be “signed” using a privately held decryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in “electronic mail” and “electronic funds transfer” systems. A message is encrypted by representing it as a number M, raising M to a publicly specified power e, and then taking the remainder when the result is divided by the publicly specified product, n, of two large secret primer numbers p and q. Decryption is similar; only a different, secret, power d is used, where e * d ≡ 1(mod (p - 1) * (q - 1)). The security of the system rests in part on the difficulty of factoring the published divisor, n.

14,659 citations


"Encrypted key exchange: password-ba..." refers methods in this paper

  • ...Section 2 describes the asymmetric cryptosystem variant and implementations using RSA[ 3 ] and ElGamal[4]....

    [...]

  • ...We will use RSA[ 3 ] to illustrate the difficulties....

    [...]

Journal ArticleDOI
Taher Elgamal1
23 Aug 1985
TL;DR: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem that relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

7,514 citations

Book ChapterDOI
Taher Elgamal1
19 Aug 1984
TL;DR: In this article, a new signature scheme is proposed together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem and the security of both systems relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed together with an implementation of the Diffie - Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

2,351 citations

Book
01 Jan 1982
TL;DR: The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks.
Abstract: From the Preface (See Front Matter for full Preface) Electronic computers have evolved from exiguous experimental enterprises in the 1940s to prolific practical data processing systems in the 1980s. As we have come to rely on these systems to process and store data, we have also come to wonder about their ability to protect valuable data. Data security is the science and study of methods of protecting data in computer and communication systems from unauthorized disclosure and modification. The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks. The book is for students and professionals seeking an introduction to these principles. There are many references for those who would like to study specific topics further. Data security has evolved rapidly since 1975. We have seen exciting developments in cryptography: public-key encryption, digital signatures, the Data Encryption Standard (DES), key safeguarding schemes, and key distribution protocols. We have developed techniques for verifying that programs do not leak confidential data, or transmit classified data to users with lower security clearances. We have found new controls for protecting data in statistical databases--and new methods of attacking these databases. We have come to a better understanding of the theoretical and practical limitations to security.

1,937 citations


"Encrypted key exchange: password-ba..." refers background in this paper

  • ...Can such a random odd number less than a known n be distinguished from a valid public key e? Assume that p and q are chosen to be of the form 2p′ + 1 and 2q′ + 1, where p′ and q′ are primes, a choice that is recommended for other reasons [9]....

    [...]