Proceedings ArticleDOI

Encrypted key exchange: password-based protocols secure against dictionary attacks

04 May 1992, pp. 72-84
TL;DR: A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allows two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced.
Abstract: Classic cryptographic protocols based on user-chosen keys allow an attacker to mount password-guessing attacks. A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allows two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced. In particular, a protocol relying on the counter-intuitive notion of using a secret key to encrypt a public key is presented. Such protocols are secure against active attacks, and have the property that the password is protected against offline dictionary attacks.
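A worked run of the Diffie-Hellman variant of the protocol the abstract describes, added here as an illustration; this is not code from the paper or its authors. It assumes a constructed toy group (BETA = 1019, a safe prime, with ALPHA = 2 as primitive root) and substitutes a hash-derived XOR pad for the password-keyed block cipher P(); all function names, the "A->B"/"B->A" labels and the sample passwords are invented for the example. Each side encrypts its public Diffie-Hellman value under the password, derives the session key K from the shared secret, and then the two confirm K with encrypted challenges. The last two functions show the eavesdropper's only test against the first message: a candidate password is discarded only if its decryption is not a value below BETA, which is why the encrypted field must be packed tightly against BETA.

```python
"""Toy DH-EKE: password-encrypted Diffie-Hellman values, key confirmation, and the
offline guesser's view. Constructed example: the group is far too small for real use
and the password-keyed cipher P() is a hash-derived XOR pad standing in for a block cipher."""
import hashlib
import secrets

BETA = 1019                 # safe prime, 1019 = 2*509 + 1 (assumption: toy size)
ALPHA = 2                   # primitive root mod 1019 (1019 = 3 mod 8, so 2 is a non-residue)
BITS = BETA.bit_length()    # 10: width of the password-encrypted field on the wire
MASK = (1 << BITS) - 1

def pad(key: bytes, label: bytes, nonce: bytes) -> bytes:
    """32-byte keystream from a key (password or session key), a label and a fresh nonce."""
    return hashlib.sha256(b"EKE-toy|" + label + b"|" + nonce + b"|" + key).digest()

def p_encrypt(password: bytes, label: bytes, element: int) -> tuple:
    """P(element): encrypt a group element under the shared password; returns (nonce, ct)."""
    nonce = secrets.token_bytes(8)
    return nonce, element ^ (int.from_bytes(pad(password, label, nonce), "big") & MASK)

def p_decrypt(password: bytes, label: bytes, nonce: bytes, ct: int) -> int:
    """Inverse of p_encrypt. A value outside [0, BETA) is not a group element and is
    rejected. That range check is also the only handle an offline guesser gets."""
    element = ct ^ (int.from_bytes(pad(password, label, nonce), "big") & MASK)
    if element >= BETA:
        raise ValueError("not an element of GF(BETA): wrong password or tampering")
    return element

def k_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """K(data): encryption under the session key (XOR pad; data is at most 32 bytes)."""
    return bytes(x ^ y for x, y in zip(data, pad(key, b"K", nonce)))

def session_key(shared: int) -> bytes:
    return hashlib.sha256(b"EKE-toy-K|" + shared.to_bytes(2, "big")).digest()

def run_dh_eke(pw_a: bytes, pw_b: bytes) -> dict:
    """Four-message DH-EKE between A (knows pw_a) and B (knows pw_b). Returns the
    eavesdropper-visible transcript, the outcome, and on success both parties' keys."""
    # 1. A -> B : A, P(alpha^Ra)
    ra = secrets.randbelow(BETA - 2) + 1
    n1, c1 = p_encrypt(pw_a, b"A->B", pow(ALPHA, ra, BETA))
    transcript = [n1, c1]
    try:
        ya = p_decrypt(pw_b, b"A->B", n1, c1)
    except ValueError:
        return {"ok": False, "transcript": transcript, "why": "B: message 1 out of range"}
    # 2. B -> A : P(alpha^Rb), K(challengeB)   where K = H(alpha^(Ra*Rb))
    rb = secrets.randbelow(BETA - 2) + 1
    kb = session_key(pow(ya, rb, BETA))
    n2, c2 = p_encrypt(pw_b, b"B->A", pow(ALPHA, rb, BETA))
    chal_b, n2k = secrets.token_bytes(16), secrets.token_bytes(8)
    m2 = k_crypt(kb, n2k, chal_b)
    transcript += [n2, c2, n2k, m2]
    try:
        yb = p_decrypt(pw_a, b"B->A", n2, c2)
    except ValueError:
        return {"ok": False, "transcript": transcript, "why": "A: message 2 out of range"}
    ka = session_key(pow(yb, ra, BETA))
    # 3. A -> B : K(challengeA, challengeB)   A proves it holds the same K
    chal_a, n3 = secrets.token_bytes(16), secrets.token_bytes(8)
    m3 = k_crypt(ka, n3, chal_a + k_crypt(ka, n2k, m2))
    transcript += [n3, m3]
    plain3 = k_crypt(kb, n3, m3)
    if plain3[16:] != chal_b:
        return {"ok": False, "transcript": transcript, "why": "B: challenge mismatch (keys differ)"}
    # 4. B -> A : K(challengeA)   B proves the same
    n4 = secrets.token_bytes(8)
    m4 = k_crypt(kb, n4, plain3[:16])
    transcript += [n4, m4]
    if k_crypt(ka, n4, m4) != chal_a:
        return {"ok": False, "transcript": transcript, "why": "A: challenge mismatch (keys differ)"}
    return {"ok": True, "transcript": transcript, "key_a": ka, "key_b": kb}

def offline_guess_survives(transcript: list, guess: bytes) -> bool:
    """Offline dictionary attack on message 1 alone: decrypt P(alpha^Ra) under a candidate
    password. A wrong guess yields a random BITS-bit value, which looks like a legitimate
    alpha^Ra unless it lands in [BETA, 2**BITS); only then can the guess be discarded."""
    try:
        p_decrypt(guess, b"A->B", transcript[0], transcript[1])
        return True
    except ValueError:
        return False

def expected_leak_rate() -> float:
    """Share of wrong guesses the range check exposes: (2**BITS - BETA) / 2**BITS."""
    return (2 ** BITS - BETA) / 2 ** BITS

def partition_leak_rate(transcript: list, wrong_guesses: int = 4000) -> float:
    """Measured share of random wrong passwords ruled out by message 1."""
    hits = sum(not offline_guess_survives(transcript, secrets.token_bytes(6))
               for _ in range(wrong_guesses))
    return hits / wrong_guesses
```

Running run_dh_eke(b"correct horse", b"correct horse") succeeds with key_a == key_b; with two different passwords the run fails at the challenge check (or earlier at the range check), and the eavesdropper learns nothing from that failure beyond one online guess. partition_leak_rate over a transcript comes out near expected_leak_rate(), about 0.5% here because 1019 sits just below 2^10; a modulus far below a power of two would let a guesser discard a large share of the dictionary from a single captured message.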

Citations
Proceedings ArticleDOI
08 Dec 2003
TL;DR: A password authentication system that can tolerate server compromises and can be used to build intrusion-tolerant applications is described.
Abstract: In a password-based authentication system, to authenticate a user, a server typically stores password verification data (PVD), which is a value derived from the user's password using publicly known functions. For those users whose passwords fall within an attacker's dictionary, their PVDs, if stolen (for example, through server compromise), allow the attacker to mount off-line dictionary attacks. We describe a password authentication system that can tolerate server compromises. The described system uses multiple (say n) servers to share password verification data and never reconstructs the shared PVD during user authentications. Only a threshold number (say t, t ≤ n) of these servers are required for a user authentication and compromising up to (t-1) of these servers will not allow an attacker to mount off-line dictionary attacks, even if a user's password falls within the attacker's dictionary. The described system can still function if some of the servers are unavailable. We give the system architecture and implementation details. Our experimental results show that the described system works well. The given system can be used to build intrusion-tolerant applications.

15 citations


Cites methods from "Encrypted key exchange: password-ba..."

  • ...To date, several PAKE protocols have been proposed, including the Encrypted Key Exchange (EKE) [3, 4], Secure Password Exponential Key Exchange (SPEKE) [18, 17], Simple Remote Password (SRP) [30], the PAK protocol [5], the BPR00 protocol [1], the SNAPI protocol [23], and the KOY01 protocol [20]....

  • ...A new protocol paradigm following this path, called password-authenticated key exchange (PAKE), was developed [3]....

  • ...The SPEKE, SRP, PAK and KOY01 protocols use the Diffie-Hellman key exchange algorithm [12] while BPR00 and SNAPI use the RSA algorithm [27]....

Journal ArticleDOI
TL;DR: This paper presents the first three-party PAKE protocol whose security is proven without any idealized assumptions in a model that captures insider attacks and achieves not only the typical indistinguishability-based security of session keys but also the password security against undetectable online dictionary attacks.
Abstract: Protocols for password-only authenticated key exchange (PAKE) in the three-party setting allow two clients registered with the same authentication server to derive a common secret key from their individual password shared with the server. Existing three-party PAKE protocols were proven secure under the assumption of the existence of random oracles or in a model that does not consider insider attacks. Therefore, these protocols may turn out to be insecure when the random oracle is instantiated with a particular hash function or an insider attack is mounted against the partner client. The contribution of this paper is to present the first three-party PAKE protocol whose security is proven without any idealized assumptions in a model that captures insider attacks. The proof model we use is a variant of the indistinguishability-based model of Bellare, Pointcheval, and Rogaway (2000), which is one of the most widely accepted models for security analysis of password-based key exchange protocols. We demonstrated that our protocol achieves not only the typical indistinguishability-based security of session keys but also the password security against undetectable online dictionary attacks.

15 citations


Cites background from "Encrypted key exchange: password-ba..."

  • ...Since the work of Bellovin and Merritt [1], password-only authenticated key exchange (PAKE) protocols have attracted much greater attention mainly due to the persistent popularity of passwords as a practical (and cheap) authentication method [2]....

  • ...In 1992, Bellovin and Merritt [1] introduced encrypted key exchange (or EKE) protocols, which allow arbitrary two parties, who share only a low-entropy password, to establish a common high-entropy secret key (called a session key) over an insecure public network....

Journal ArticleDOI
TL;DR: These protocols preserve anonymity, exploit the difference in capabilities between resource constrained clients and highly resourceful servers and thus are suitable for wireless applications and perform better in terms of the number of messages and bits exchanged and computing time as compared to the previous AKA protocols.
Abstract: Anonymity is a very important security feature in addition to authentication and key agreement features in communication protocols. In this paper, we propose two authentication and key agreement (AKA) protocols: the AKA protocol with user anonymity (UAP) and the AKA protocol with user and server anonymity (USAP). The proposed protocols have the following advantages: first of all, they preserve anonymity, which is a security feature that was ignored in most of the previously proposed AKA protocols; secondly, they exploit the difference in capabilities between resource constrained clients and highly resourceful servers and thus are suitable for wireless applications; thirdly, they resist known attacks; and finally, they perform better in terms of the number of messages and bits exchanged and computing time as compared to the previously proposed AKA protocols. For example, USAP preserves user and server anonymity, exchanges 3 messages with 1920 bits in total, and requires only 280 msec of processing time on the user side when implemented on Mitsubishi's M16C microprocessor. Similarly, the UAP is scalable, preserves user anonymity, requires 440 msec, and exchanges 2560 bits.

15 citations


Cites background from "Encrypted key exchange: password-ba..."

  • ...Further, an efficient and elegant scheme for EKE that was considered for standardization by the IEEE P1363 Standard working group is AuthA, which was later enhanced by Bresson et al. in [8] to resist the denial-of-service attack....

  • ...Later, Bellovin and Merritt presented a password based key exchange protocol for two-party communications known as Encrypted Key Exchange (EKE) [7]....

  • ...In [30], Zhang showed that Strong Password only Authenticated Key Exchange (SPEKE), a password authenticated key exchange protocol defined in [15] was susceptible to password guessing attack....

Journal ArticleDOI
TL;DR: It is shown that the efficient password-based authentication protocol proposed recently in the Australasian conference on information security and privacy (ACISP) 2003 is vulnerable to the server compromise attack, contrary to the original assumption.
Abstract: We analyze and improve the security of the efficient password-based authentication protocol that has been proposed recently in the Australasian conference on information security and privacy (ACISP) 2003. Its distinct idea is to utilize two generators of a certain cyclic group for efficiency, while the protocol is vulnerable to the server compromise attack, contrary to the original assumption. Fortunately, we improve its security in this paper and also remark on its extended version called EPA+.

15 citations


Cites background from "Encrypted key exchange: password-ba..."

  • ...There has been a great deal of related work [1], [2], [6], [7], [8], [9], [11], while several methods...

Book ChapterDOI
05 Jun 2007
TL;DR: This work proposes a new and the first forward-secure authenticated GKE protocol that achieves both constant round complexity and logarithmic computation complexity, and is fully scalable in all key metrics when considered in the context of a broadcast network.
Abstract: Protocols for group key exchange (GKE) are cryptographic algorithms that describe how a group of parties communicating over a public network can come up with a common secret key. Due to their critical role in building secure multicast channels, a number of GKE protocols have been proposed over the years in a variety of settings. However, despite many impressive achievements, it still remains a challenging problem to design a secure GKE protocol which scales very well for large groups. Our observation is that all constant-round authenticated GKE protocols providing forward secrecy thus far are not fully scalable, but have a computation complexity that scales only linearly in group size. Motivated by this observation, we propose a new and the first forward-secure authenticated GKE protocol that achieves both constant round complexity and logarithmic computation complexity. In particular, our GKE protocol is fully scalable in all key metrics when considered in the context of a broadcast network. The scalability of the protocol is achieved by using a complete binary tree structure combined with a so-called "nonce-chained authentication technique". Besides its scalability, our protocol features provable security against active adversaries under the decisional Diffie-Hellman assumption. We provide a rigorous proof of security for the protocol in a well-defined formal model of communication and adversary capabilities. The result of the current work means that forward-secure generation of session keys even for very large groups can now be done both securely and efficiently.

15 citations

References
Journal ArticleDOI
TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.

14,980 citations


"Encrypted key exchange: password-ba..." refers background or methods in this paper

  • ...ElGamal’s algorithm is derived from the Diffie-Hellman exponential key exchange protocol [2]; accordingly, we will review the latter first....

  • ...And even this risk is minimal if B performs certain checks to guard against easily-solvable choices: that β is indeed prime, that it is large enough (and hence not susceptible to precalculation of tables), that β − 1 have at least one large prime factor (to guard against Pohlig and Hellman’s algorithm[13]), and that α is a primitive root of GF (β)....

  • ...The use given above for asymmetric encryption — simply using it to pass a key for a symmetric encryption system — is an example of what Diffie and Hellman[2] call a public key distribution system....

  • ...It works especially well with exponential key exchange [2]....

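The checks listed in the second snippet above (β prime, β large enough, β − 1 having a large prime factor, α a primitive root of GF(β)), turned into a small validator. This is an added example, not code from the paper: trial division stands in for the probabilistic primality test and factoring a real implementation would need, and the bit-size thresholds, function names and the sample groups (1019 with generator 2, 1021, 1023) are toy assumptions.

```python
"""Parameter checks for a Diffie-Hellman group (beta, alpha) on toy-sized numbers.
Constructed example: trial division stands in for the probabilistic primality tests and
factoring strategy a real implementation needs, and the bit-size thresholds are toy values."""
from math import isqrt

def is_prime(n: int) -> bool:
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

def prime_factors(n: int) -> set:
    """Distinct prime factors by trial division (toy sizes only)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def is_primitive_root(alpha: int, beta: int) -> bool:
    """alpha generates all of GF(beta)* iff alpha^((beta-1)/r) != 1 for every prime r | beta-1."""
    return 1 < alpha < beta and all(
        pow(alpha, (beta - 1) // r, beta) != 1 for r in prime_factors(beta - 1))

def check_dh_parameters(beta: int, alpha: int,
                        min_bits: int = 10, min_factor_bits: int = 9) -> list:
    """Return the failed checks (an empty list means the parameters pass). The thresholds
    are toy assumptions; real groups use thousands of bits for beta and a large prime
    factor of beta-1 of hundreds of bits."""
    if not is_prime(beta):
        return ["beta is not prime"]          # nothing below is meaningful without a field
    problems = []
    if beta.bit_length() < min_bits:
        problems.append("beta is small enough for precomputed tables")
    if max(prime_factors(beta - 1)).bit_length() < min_factor_bits:
        problems.append("beta-1 is smooth: Pohlig-Hellman solves discrete logs cheaply")
    if not is_primitive_root(alpha, beta):
        problems.append("alpha is not a primitive root: it only generates a subgroup")
    return problems
```

check_dh_parameters(1019, 2) passes all four checks; check_dh_parameters(1019, 4) fails only the primitive-root check (4 = 2^2 generates the order-509 subgroup); 1021 is prime but 1020 = 2^2·3·5·17 is smooth; 1023 = 3·11·31 is not prime at all. For EKE the primitive-root check matters beyond discrete-log hardness: if α generates only a subgroup, a wrong password's decryption of P(α^R) usually falls outside that subgroup, which hands an offline guesser a test it should not have.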
Journal ArticleDOI
TL;DR: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key.
Abstract: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: (1) Couriers or other secure means are not needed to transmit keys, since a message can be enciphered using an encryption key publicly revealed by the intended recipient. Only he can decipher the message, since only he knows the corresponding decryption key. (2) A message can be “signed” using a privately held decryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in “electronic mail” and “electronic funds transfer” systems. A message is encrypted by representing it as a number M, raising M to a publicly specified power e, and then taking the remainder when the result is divided by the publicly specified product, n, of two large secret prime numbers p and q. Decryption is similar; only a different, secret, power d is used, where e * d ≡ 1 (mod (p - 1) * (q - 1)). The security of the system rests in part on the difficulty of factoring the published divisor, n.

14,659 citations


"Encrypted key exchange: password-ba..." refers methods in this paper

  • ...Section 2 describes the asymmetric cryptosystem variant and implementations using RSA[3] and ElGamal[4]....

  • ...We will use RSA[3] to illustrate the difficulties....

Journal ArticleDOI
Taher Elgamal
23 Aug 1985
TL;DR: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem that relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

7,514 citations

Book ChapterDOI
Taher Elgamal
19 Aug 1984
TL;DR: In this article, a new signature scheme is proposed together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem and the security of both systems relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

2,351 citations

Book
01 Jan 1982
TL;DR: The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks.
Abstract: From the Preface (See Front Matter for full Preface) Electronic computers have evolved from exiguous experimental enterprises in the 1940s to prolific practical data processing systems in the 1980s. As we have come to rely on these systems to process and store data, we have also come to wonder about their ability to protect valuable data. Data security is the science and study of methods of protecting data in computer and communication systems from unauthorized disclosure and modification. The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks. The book is for students and professionals seeking an introduction to these principles. There are many references for those who would like to study specific topics further. Data security has evolved rapidly since 1975. We have seen exciting developments in cryptography: public-key encryption, digital signatures, the Data Encryption Standard (DES), key safeguarding schemes, and key distribution protocols. We have developed techniques for verifying that programs do not leak confidential data, or transmit classified data to users with lower security clearances. We have found new controls for protecting data in statistical databases--and new methods of attacking these databases. We have come to a better understanding of the theoretical and practical limitations to security.

1,937 citations


"Encrypted key exchange: password-ba..." refers background in this paper

  • ...Can such a random odd number less than a known n be distinguished from a valid public key e? Assume that p and q are chosen to be of the form 2p′ + 1 and 2q′ + 1, where p′ and q′ are primes, a choice that is recommended for other reasons [9]....

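The question the snippet above poses, worked on toy numbers: with p = 2p' + 1 and q = 2q' + 1, φ(n) = 4p'q', so an odd e below n is a valid public exponent unless p' or q' divides it, and an attacker who knows only n cannot even test that. This is an added example, not the paper's code; p' = 11 and q' = 23 and the function names are constructed for the illustration.

```python
"""Is a random odd number below n distinguishable from a valid RSA public exponent e
when p = 2p'+1 and q = 2q'+1? Constructed example with toy primes, not the paper's code."""
from math import gcd

def rsa_safe_modulus(p_prime: int, q_prime: int) -> tuple:
    """n and phi(n) for p = 2p'+1, q = 2q'+1 with p', q' prime (toy values 11 and 23 below)."""
    p, q = 2 * p_prime + 1, 2 * q_prime + 1
    return p * q, (p - 1) * (q - 1)          # phi(n) = 4 p' q'

def is_valid_public_exponent(e: int, phi: int) -> bool:
    """e is usable iff it is invertible mod phi(n); phi(n) is even, so every even e fails."""
    return e > 1 and gcd(e, phi) == 1

def attacker_can_reject(e: int, n: int) -> bool:
    """What an eavesdropper who knows only n can test on a candidate decryption:
    parity (phi(n) is even) and range. Coprimality with phi(n) needs p', q', i.e. factoring n."""
    return e % 2 == 0 or not 1 < e < n

def odd_exponent_census(p_prime: int, q_prime: int) -> tuple:
    """(valid, total) over all odd e in [3, n). Among odd e only multiples of p' or q' are
    invalid, so the fraction even a phi(n)-knowing attacker could reject is about 1/p' + 1/q'."""
    n, phi = rsa_safe_modulus(p_prime, q_prime)
    odd = range(3, n, 2)
    return sum(is_valid_public_exponent(e, phi) for e in odd), len(odd)

def rejectable_fraction(p_prime: int, q_prime: int) -> float:
    """Share of odd candidates that are not valid exponents (needs phi(n) to compute)."""
    valid, total = odd_exponent_census(p_prime, q_prime)
    return 1 - valid / total
```

With p' = 11, q' = 23 (n = 1081, φ(n) = 1012) the census gives 469 valid exponents among the 539 odd candidates, i.e. about 13% are invalid, close to 1/11 + 1/23; for p' and q' of real size that share vanishes, and the attacker cannot recognise the invalid ones without factoring n anyway (attacker_can_reject(11, 1081) is False although 11 divides φ(n)). Parity is different: φ(n) is always even, so an even candidate is an immediate tell, which is why only odd candidates are compared with e here.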