Encrypted key exchange: password-based protocols secure against dictionary attacks
04 May 1992-pp 72-84
TL;DR: A combination of asymmetric (public-key) and symmetric (secret- key) cryptography that allow two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced.
Abstract: Classic cryptographic protocols based on user-chosen keys allow an attacker to mount password-guessing attacks. A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allow two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced. In particular, a protocol relying on the counter-intuitive motion of using a secret key to encrypt a public key is presented. Such protocols are secure against active attacks, and have the property that the password is protected against offline dictionary attacks. >
Citations
More filters
TL;DR: Goldreich and Lindell as mentioned in this paper presented a simplified version of the GL protocol for the special case when the dictionary is of the form ρ = ρ 0, 1 ρ √ d, i.e., the password is a short string chosen uniformly at random (in the spirit of an ATM PIN number).
Abstract: Goldreich and Lindell (CRYPTO ’01) recently presented the first protocol for password-authenticated key exchange in the standard model (with no common reference string or set-up assumptions other than the shared password). However, their protocol uses several heavy tools and has a complicated analysis.
We present a simplification of the Goldreich–Lindell (GL) protocol and analysis for the special case when the dictionary is of the form $\mathcal{D}=\{0,1\}^{d}$ i.e., the password is a short string chosen uniformly at random (in the spirit of an ATM PIN number). The security bound achieved by our protocol is somewhat worse than the GL protocol. Roughly speaking, our protocol guarantees that the adversary can “break” the scheme with probability at most $O(\mathrm{poly}(n)/|\mathcal{D}|)^{\Omega(1)}$, whereas the GL protocol guarantees a bound of $O(1/|\mathcal{D}|)$.
We also present an alternative, more natural definition of security than the “augmented definition” of Goldreich and Lindell, and prove that the two definitions are equivalent.
15 citations
01 Jan 1997
TL;DR: This paper considers the problem of key agreement in a group setting with highly-dynamic group member population and develops a protocol suite, called CLIQUES, developed by extending the well-known Diie-Hellman key agreement method to support dynamic group operations.
Abstract: LIMITED DISTRIBUTION NOTICE This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and speciic requests. After outside publication, requests should be lled only by reprints or legally obtained copies of the article (e.g., payment of royalties). Abstract This paper considers the problem of key agreement in a group setting with highly-dynamic group member population. A protocol suite, called CLIQUES, is developed by extending the well-known Diie-Hellman key agreement method to support dynamic group operations. Constituent protocol are secure, eecient and applicable to any protocol layer, communication paradigm and network topology.
14 citations
Patent•
15 Apr 1999
TL;DR: In this article, the identification of a user and securely establishing an encryption key for a communication between the user and a verifying entity, such as a bank, is discussed. But the system and method replaces a public parameter with the customer's PIN to provide an encryption mechanism that is less complex than existing protocols.
Abstract: A system and method for verifying the identification of a user and securely establishing an encryption key for a communication between the user and a verifying entity, such as a bank, which makes use of the numeric value of the user's personal identification number (PIN) known only to the user and the bank and resolves the man-in-the-middle problem. The system and method replaces a public parameter with the customer's PIN to provide an encryption mechanism that is less complex than existing protocols. Use of the protocol enables new products and improvement of existing products using a service access device and service access device interface, including, for example, self-service terminals.
14 citations
01 Jan 2007
TL;DR: A formalism for unambiguously specifying security protocols, their goals, and the intruder model is defined, and it is proved that safety of a protocol in the over-approximation implies its safety in the standard model.
Abstract: The automated analysis of security protocols requires efficient methods to address the specific problems that arise in the verification of security protocols, such as the deductions of an intruder. In this thesis, we develop new such methods and improve existing ones. Our proposed methods are built upon symbolic model-checking with constraints to efficiently represent the intruder. We integrate into the constraint-based approach ideas from partial-order reduction to deal with the problem of parallelism, leading to a novel technique called constraint differentiation. Moreover, we use modular rewriting techniques to allow for the consideration of algebraic properties of cryptographic operations. We have implemented these techniques into the tool OFMC (On-The-Fly ModelChecker for security protocols). As we demonstrate by a number of case studies and experiments on complex security protocols, OFMC has improved the state of the art both in terms of performance and in terms of the class of security protocols that can be considered. As part of the AVISPA tool, OFMC is used by dozens of researchers and protocol designers world wide to validate the design of security protocols. Besides the development of methods and tools, this thesis is also concerned with the subtle issues of modeling security protocols. We define a formalism for unambiguously specifying security protocols, their goals, and the intruder model. Moreover, we formally compare our model with other models based on over-approximation and formally describe their relationship. Besides a better understanding of these models, this allows us to prove that safety of a protocol in the over-approximation implies its safety in the standard model.
14 citations
Proceedings Article•
IBM1
TL;DR: The Network Randomization Protocol is described -- a proactive protocol for generating cryptographically secure pseudo-random numbers and is designed for operation in the Internet and includes defenses against clogging attacks.
Abstract: A major security threat to any security solutions based on a centralized server is the possibility of an adversary gaining access to and taking control of the server. The adversary may then learn secrets, corrupt data, or send erroneous messages. In practice, such an adversary may be more prevalent than one would like to admit. It may be a malicious hacker, a virus in an application program, or an unscrupulous system administrator.
Proactive security is a novel approach to the server security problem. It uses the distribution of data and control to multiple servers and periodic refreshes between servers. By distributing data and control, one or more servers may be compromised without compromising the system. Periodic refreshes between servers allow a compromised server to "recover" after the attacker leaves, thereby contributing to the system security. A fraction (in some cases all) of the servers must be compromised simultaneously in order to compromise the system.
This paper describes the Network Randomization Protocol (NRP) -- a proactive protocol for generating cryptographically secure pseudo-random numbers. The protocol is designed for operation in the Internet and includes defenses against clogging attacks. Issues related to the design and implementation of the protocol are discussed.
As virtually no cryptographic task is possible without a source of randomness or pseudorandomness, NRP is an important basic building block for many cryptographic functions. Furthermore, it serves to illustrate the main ideas and intuitions of proactive security.
14 citations
References
More filters
TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
14,980 citations
"Encrypted key exchange: password-ba..." refers background or methods in this paper
...ElGamal’s algorithm is derived from the DiffieHellman exponential key exchange protocol[2]; accordingly, we will review the latter first....
[...]
...And even this risk is minimal if B performs certain checks to guard against easily-solvable choices: that β is indeed prime, that it is large enough (and hence not susceptible to precalculation of tables), that β − 1 have at least one large prime factor (to guard against Pohlig and Hellman’s algorithm[13]), and that α is a primitive root of GF (β)....
[...]
...The use given above for asymmetric encryption — simply using it to pass a key for a symmetric encryption system — is an example of what Diffie and Hellman[2] call a public key distribution system....
[...]
...It works especially well with exponential key exchange [2]....
[...]
TL;DR: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key.
Abstract: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: (1) Couriers or other secure means are not needed to transmit keys, since a message can be enciphered using an encryption key publicly revealed by the intented recipient. Only he can decipher the message, since only he knows the corresponding decryption key. (2) A message can be “signed” using a privately held decryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in “electronic mail” and “electronic funds transfer” systems. A message is encrypted by representing it as a number M, raising M to a publicly specified power e, and then taking the remainder when the result is divided by the publicly specified product, n, of two large secret primer numbers p and q. Decryption is similar; only a different, secret, power d is used, where e * d ≡ 1(mod (p - 1) * (q - 1)). The security of the system rests in part on the difficulty of factoring the published divisor, n.
14,659 citations
"Encrypted key exchange: password-ba..." refers methods in this paper
...Section 2 describes the asymmetric cryptosystem variant and implementations using RSA[ 3 ] and ElGamal[4]....
[...]
...We will use RSA[ 3 ] to illustrate the difficulties....
[...]
23 Aug 1985
TL;DR: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem that relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.
7,514 citations
19 Aug 1984
TL;DR: In this article, a new signature scheme is proposed together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem and the security of both systems relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed together with an implementation of the Diffie - Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.
2,351 citations
Book•
01 Jan 1982TL;DR: The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks.
Abstract: From the Preface (See Front Matter for full Preface)
Electronic computers have evolved from exiguous experimental enterprises in the 1940s to prolific practical data processing systems in the 1980s. As we have come to rely on these systems to process and store data, we have also come to wonder about their ability to protect valuable data.
Data security is the science and study of methods of protecting data in computer and communication systems from unauthorized disclosure and modification. The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks. The book is for students and professionals seeking an introduction to these principles. There are many references for those who would like to study specific topics further.
Data security has evolved rapidly since 1975. We have seen exciting developments in cryptography: public-key encryption, digital signatures, the Data Encryption Standard (DES), key safeguarding schemes, and key distribution protocols. We have developed techniques for verifying that programs do not leak confidential data, or transmit classified data to users with lower security clearances. We have found new controls for protecting data in statistical databases--and new methods of attacking these databases. We have come to a better understanding of the theoretical and practical limitations to security.
1,937 citations
"Encrypted key exchange: password-ba..." refers background in this paper
...Can such a random odd number less than a known n be distinguished from a valid public key e? Assume that p and q are chosen to be of the form 2p′ + 1 and 2q′ + 1, where p′ and q′ are primes, a choice that is recommended for other reasons [9]....
[...]