Proceedings ArticleDOI

Encrypted key exchange: password-based protocols secure against dictionary attacks

04 May 1992-pp 72-84
TL;DR: A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allows two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced.
Abstract: Classic cryptographic protocols based on user-chosen keys allow an attacker to mount password-guessing attacks. A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allows two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced. In particular, a protocol relying on the counter-intuitive notion of using a secret key to encrypt a public key is presented. Such protocols are secure against active attacks, and have the property that the password is protected against offline dictionary attacks.


Citations
Patent
Murli Satagopan, Kim Cameron
29 Jul 2004
TL;DR: In this paper, a system and method for name resolution stores an identity information document containing a user-friendly handle signifying identity, such as an email address, and a machine location, for the publishing computer system where the documents are stored.
Abstract: In accordance with various aspects, the present invention relates to accessing and publishing documents between two computer systems or nodes that are connected together in a network environment. The system and method for name resolution stores an identity information document containing a user-friendly handle signifying identity, such as an email address, and a machine location, such as an IP address, for the publishing computer system where the documents are stored. Next, the system and method intercepts an initial request for access to documents when the initial request includes a user-friendly handle and replaces the user-friendly handle with the machine location, so that network users may easily access these documents through knowledge only of the user-friendly handle.

13 citations

Book ChapterDOI
14 Dec 2018
TL;DR: This paper proposes the first two-round PAKE protocol over lattices without NIZK, which is in accordance with the framework of Abdalla et al. (PKC’15) while attaining post-quantum security.
Abstract: Reducing the number of communication rounds of Password-based Authenticated Key Exchange (PAKE) protocols is of great practical significance. At PKC’15, Abdalla et al. relaxed the requirements of Gennaro-Lindell’s framework for three-round PAKE protocols, and obtained a two-round PAKE protocol under the traditional DDH-based smooth projective hash function (SPHF). At ASIACRYPT’17, Zhang and Yu proposed a lattice-based two-round PAKE protocol via the approximate SPHF. However, the language of Zhang-Yu’s SPHF depends on simulation-sound non-interactive zero-knowledge (NIZK) proofs, for which there is no concrete construction without random oracle under lattice-based assumptions. To our knowledge, how to design a lattice-based two-round PAKE protocol via an efficient SPHF scheme without NIZK remains a challenge. In this paper, we propose the first two-round PAKE protocol over lattices without NIZK. Our protocol is in accordance with the framework of Abdalla et al. (PKC’15) while attaining post-quantum security. We overcome the limitations of existing schemes by relaxing previous security assumptions (i.e., both the client and the server need IND-CCA-secure encryption), and build two new lattice-based SPHFs, one for IND-CCA-secure Micciancio-Peikert ciphertext (at the client side) and the other for IND-CPA-secure Regev ciphertext (at the server side). Particularly, our protocol attains provable security.

13 citations

Journal ArticleDOI
TL;DR: This paper proposes the first LR PAKE protocol by using Diffie-Hellman key exchange, LR storage (LRS) and LR refreshing of LRS appropriately and formally present a security proof in the standard model.
Abstract: The password-based authenticated key exchange (PAKE) protocol is one of the most practical cryptographic primitives for trusted computing, which is used to securely authenticate devices’ identities and generate shared session keys among devices in insecure environments by using a short, human-memorable password. With the fast development of the Internet of Things (IoT), new challenges regarding PAKE have emerged. The traditional PAKE protocols are completely insecure in IoT environments, since there are many kinds of side-channel attacks. Therefore, it is very important to model and design leakage-resilient (LR) PAKE protocols. However, there has been no prior work on modeling and constructing LR PAKE protocols. In this paper, we first formalize an LR eCK security model for PAKE based on the eCK-secure PAKE model and the only computation leakage model. Then, we propose the first LR PAKE protocol by using Diffie-Hellman key exchange, LR storage (LRS) and LR refreshing of LRS appropriately and formally present a security proof in the standard model.

13 citations


Additional excerpts

  • ...[4] S. M. Bellovin and M. Merritt, ‘‘Encrypted key exchange: Password-based protocols secure against dictionary attacks,’’ in Proc....

    [...]

  • ...The concept of PAKE was introduced by Bellovin and Merritt [4]....

    [...]

Journal Article
TL;DR: Several attacks on two recent elliptic curve-based PAKE protocols that have been suggested for use in body area networks and smart environments are presented.
Abstract: Password-authenticated key exchange (PAKE) protocols enable two or more entities to authenticate each other and share a strong cryptographic key based on a pre-shared human memorable password. In this paper, we present several attacks on two recent elliptic curve-based PAKE protocols that have been suggested for use in body area networks and smart environments. A variant of the first PAKE protocol has been included in the latest standard for body area networks. The second PAKE protocol is a modified variant of the first protocol, and has been

13 citations


Cites methods from "Encrypted key exchange: password-ba..."

  • ...Since introduction of the first PAKE protocol in 1992 [4], many PAKE protocols have been proposed....

    [...]

Journal ArticleDOI
TL;DR: This work addresses the secure pairing of mobile devices based on accelerometer data under various transportation environments by establishing the amount of entropy that can be collected from these environments in order to determine concrete security bounds for each environment.
Abstract: We address the secure pairing of mobile devices based on accelerometer data under various transportation environments, e.g., train, tram, car, bike, walking, etc. As users commonly commute by several transportation modes, extracting session keys from various scenarios to secure the private network of user’s devices or even the public network formed by devices belonging to distinct users that share the same location is crucial. The main goal of our work is to establish the amount of entropy that can be collected from these environments in order to determine concrete security bounds for each environment. We test several signal processing techniques on the extracted data, e.g., low-pass and high-pass filters, then apply sigma-delta modulation in order to expand the size of the feature vectors and increase both the pairing success rate and security level. Further, we bootstrap secure session keys by the use of existing cryptographic building blocks EKE (Encrypted Key Exchange) and SPEKE (Simple Password Exponential Key Exchange). We implement our proof-of-concept application on Android smart-phones and take benefit from numerical processing environments for the off-line analysis of the collected datasets.

13 citations


Cites background from "Encrypted key exchange: password-ba..."

  • ...Finally, we rely on a secure key-exchange protocol that is guessing resilient, i.e., the Encrypted Key Exchange (EKE) [1], [2] and one of its derivatives [15], which are known to achieve provable security....

    [...]

  • ...A. EXCHANGING ACCELEROMETER DATA WITH EKE-DH In Figure 13 we depict the flowchart of the key-exchange process starting from synchronization, collecting the data then processing and splitting it into ℓ windows for the final key-exchange....

    [...]

  • ...In case of the elliptic curve version of the EKE-DH protocol, decryption of the key shares, i.e., e_w(aP) and e_w(bP), may result in points that do not belong to the curve....

    [...]

  • ...Each of the two phones, A and B, follows the procedures below over wireless connectivity (Bluetooth in our experiments): 1) Coll(1) in which both phones A and B collect data during a fixed time-windows 1, apply the filtering algorithms (time-alignment, scaling, high-pass and sigma-delta modulation accordingly) then split the data into ℓ windows, i.e., w^id_1, w^id_2, ..., w^id_ℓ where id ∈ {A, B}; 2) EKE-DH(w^id_i, id ∈ {A, B}, i = 1..ℓ) in which phones A and B exchange data using the Diffie-Hellman version of the EKE protocol by encrypting the Diffie-Hellman key-shares with the data from each window w, i.e., for i = 1..ℓ: A → B : e_{w_1}(g^{a_1}) mod p; B → A : e_{w_1}(g^{b_1}) mod p, H(sk_1, 1); A → B : H(sk_1, 2) ......

    [...]

  • ...[13] F. Hao and S. F. Shahandashti, ‘‘The SPEKE protocol revisited,’’ in Proc....

    [...]
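The core of the EKE abstract (encrypt a public value under the password) and the EKE-DH exchange quoted in the excerpts above, worked through as an added example. This is not code from Bellovin and Merritt's paper or from the citing IEEE Access paper: the 20-bit toy prime P, generator G = 2, the HMAC-SHA256 keystream standing in for the paper's symmetric cipher, the per-run nonce and all function names are assumptions made here. The toy modulus is deliberately far from a power of two so that the partition attack the paper warns about is visible: a wrong password decrypts a share to a uniform 20-bit value, and whenever that value is not a legal group element the guess is ruled out (the same failure mode as the "points that do not belong to the curve" excerpt).

```python
"""DH-EKE toy model with the eavesdropper's offline-guess check.

Added example, not code from the paper. Assumed parameters: a 20-bit toy
prime P (real use: a safe prime of >= 2048 bits), G = 2, and an HMAC-based
keystream in place of the paper's block cipher.
"""
import hashlib
import hmac
import secrets
from fractions import Fraction
from typing import Optional

P = 1000003   # toy prime, deliberately NOT close to 2**20 (see eliminated_fraction)
G = 2


def pw_encrypt(password: bytes, label: bytes, x: int, nbits: int) -> int:
    """XOR an nbits-wide integer with a password-derived keystream.
    Symmetric: calling it again with the same password and label decrypts."""
    nbytes = (nbits + 7) // 8
    ks, ctr = b"", 0
    while len(ks) < nbytes:
        ks += hmac.new(password, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    mask = int.from_bytes(ks[:nbytes], "big") & ((1 << nbits) - 1)
    return x ^ mask


def session_key(shared: int, *transcript: bytes) -> bytes:
    """sk = H(g^ab || transcript)."""
    h = hashlib.sha256(shared.to_bytes((shared.bit_length() + 7) // 8 or 1, "big"))
    for part in transcript:
        h.update(part)
    return h.digest()


def confirm(sk: bytes, tag: bytes) -> bytes:
    """H(sk, tag): key-confirmation value, tag b'1' from B and b'2' from A."""
    return hmac.new(sk, tag, hashlib.sha256).digest()


def run_eke(pw_a: bytes, pw_b: Optional[bytes] = None, p: int = P, g: int = G):
    """One DH-EKE run. Returns (public transcript, A's key, B's key).
    Raises ValueError when key confirmation fails (e.g. the passwords differ)."""
    pw_b = pw_a if pw_b is None else pw_b
    nbits = p.bit_length()
    nonce = secrets.token_bytes(16)      # keeps the keystream fresh per run
    enc = lambda pw, side, x: pw_encrypt(pw, nonce + side, x, nbits)
    as_bytes = lambda c: c.to_bytes((nbits + 7) // 8, "big")

    # A -> B : nonce, E_w(g^a)
    a = secrets.randbelow(p - 2) + 1
    c1 = enc(pw_a, b"A", pow(g, a, p))

    # B -> A : E_w(g^b), H(sk, 1)
    ga = enc(pw_b, b"A", c1)
    b = secrets.randbelow(p - 2) + 1
    c2 = enc(pw_b, b"B", pow(g, b, p))
    sk_b = session_key(pow(ga, b, p), nonce, as_bytes(c1), as_bytes(c2))
    h1 = confirm(sk_b, b"1")

    # A -> B : H(sk, 2)
    gb = enc(pw_a, b"B", c2)
    sk_a = session_key(pow(gb, a, p), nonce, as_bytes(c1), as_bytes(c2))
    if not hmac.compare_digest(h1, confirm(sk_a, b"1")):
        raise ValueError("B failed key confirmation")
    h2 = confirm(sk_a, b"2")
    if not hmac.compare_digest(h2, confirm(sk_b, b"2")):
        raise ValueError("A failed key confirmation")
    return (nonce, c1, c2, h1, h2), sk_a, sk_b


def offline_partition(transcript, candidates, p: int = P):
    """What an eavesdropper can do with one recorded run and a word list.
    A wrong password decrypts each share to a uniform nbits-wide value; if
    that value is not in [1, p-1] the password is ruled out. If both shares
    decrypt to legal elements the attacker still holds neither exponent,
    so it cannot compute sk and test h1: the guess stays undecided."""
    nonce, c1, c2, _h1, _h2 = transcript
    nbits = p.bit_length()
    survivors = []
    for w in candidates:
        ga = pw_encrypt(w, nonce + b"A", c1, nbits)
        gb = pw_encrypt(w, nonce + b"B", c2, nbits)
        if 1 <= ga < p and 1 <= gb < p:
            survivors.append(w)
    return survivors


def eliminated_fraction(p: int) -> Fraction:
    """Expected share of wrong passwords one transcript rules out: the chance
    that at least one decrypted share lands outside [1, p-1]. Negligible
    when p sits just below a power of two, which is the paper's remedy."""
    legal = Fraction(p - 1, 1 << p.bit_length())
    return 1 - legal * legal
```

Each recorded run with the toy modulus eliminates about 9% of the wrong candidates, so a few dozen captured exchanges narrow a dictionary to almost nothing; with a modulus such as 2^127 − 1 the same computation gives a fraction around 2^-125, which is why the paper asks for primes just under a power of two (or an encoding of group elements that is uniform over the ciphertext space). Note that range checking is not the only partition test: with a safe prime and a generator of the order-q subgroup, an attacker can also test whether a decrypted share is a quadratic residue, so the choice of g and encoding has to be made with that in mind.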

References
Journal ArticleDOI
TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.

14,980 citations


"Encrypted key exchange: password-ba..." refers background or methods in this paper

  • ...ElGamal’s algorithm is derived from the Diffie-Hellman exponential key exchange protocol[2]; accordingly, we will review the latter first....

    [...]

  • ...And even this risk is minimal if B performs certain checks to guard against easily-solvable choices: that β is indeed prime, that it is large enough (and hence not susceptible to precalculation of tables), that β − 1 have at least one large prime factor (to guard against Pohlig and Hellman’s algorithm[13]), and that α is a primitive root of GF (β)....

    [...]

  • ...The use given above for asymmetric encryption — simply using it to pass a key for a symmetric encryption system — is an example of what Diffie and Hellman[2] call a public key distribution system....

    [...]

  • ...It works especially well with exponential key exchange [2]....

    [...]
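The checks B is told to perform in the excerpt above (β prime, large enough, β − 1 with a large prime factor, α a primitive root of GF(β)), as an added example that is not code from the paper. It assumes the strict reading of the third check, namely that β is a safe prime β = 2q + 1 with q prime; under that assumption the "large prime factor" test and the primitive-root test both become cheap, since the order of any α then divides 2q and α is primitive exactly when α^2 ≠ 1 and α^q ≠ 1 (mod β). The Miller-Rabin routine, the function names and the default 2048-bit floor are choices made here.

```python
"""Validate a Diffie-Hellman group (beta, alpha) a peer proposes.

Added example, not from the paper. Assumes the safe-prime reading of
"beta - 1 has a large prime factor": beta = 2q + 1 with q prime.
"""
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases; trial division first for tiny inputs."""
    if n < 2:
        return False
    for q in _SMALL_PRIMES:
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # a is a witness of compositeness
    return True


def check_dh_params(beta: int, alpha: int, min_bits: int = 2048) -> list:
    """Return the list of problems found; an empty list means the group
    passes every check listed in the paper's excerpt."""
    problems = []
    if beta.bit_length() < min_bits:
        problems.append("modulus is only %d bits" % beta.bit_length())
    if not is_probable_prime(beta):
        problems.append("modulus is not prime")
        return problems
    q = (beta - 1) // 2
    if not is_probable_prime(q):
        # beta - 1 would then lack a provably large prime factor, which is
        # what Pohlig-Hellman exploits.
        problems.append("(beta-1)/2 is not prime; beta-1 may be smooth")
        return problems
    if not 1 < alpha < beta - 1:
        problems.append("generator out of range")
        return problems
    # With beta = 2q+1 the order of alpha divides 2q, so alpha generates the
    # whole group iff neither alpha^2 nor alpha^q is 1.
    if pow(alpha, 2, beta) == 1 or pow(alpha, q, beta) == 1:
        problems.append("generator is not a primitive root of GF(beta)")
    return problems
```

For β = 23 (q = 11), α = 5 passes every test, while α = 2 is rejected because 2^11 ≡ 1 (mod 23): it only generates the order-11 subgroup of quadratic residues. An order-q generator is in fact the usual choice for modern DH, but it is not what the excerpt's "primitive root" check asks for, and in the EKE setting the two choices leak differently to a guessing attacker.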

Journal ArticleDOI
TL;DR: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key.
Abstract: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: (1) Couriers or other secure means are not needed to transmit keys, since a message can be enciphered using an encryption key publicly revealed by the intended recipient. Only he can decipher the message, since only he knows the corresponding decryption key. (2) A message can be “signed” using a privately held decryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in “electronic mail” and “electronic funds transfer” systems. A message is encrypted by representing it as a number M, raising M to a publicly specified power e, and then taking the remainder when the result is divided by the publicly specified product, n, of two large secret prime numbers p and q. Decryption is similar; only a different, secret, power d is used, where e · d ≡ 1 (mod (p − 1)(q − 1)). The security of the system rests in part on the difficulty of factoring the published divisor, n.

14,659 citations


"Encrypted key exchange: password-ba..." refers methods in this paper

  • ...Section 2 describes the asymmetric cryptosystem variant and implementations using RSA[3] and ElGamal[4]....

    [...]

  • ...We will use RSA[3] to illustrate the difficulties....

    [...]

Journal ArticleDOI
Taher Elgamal
23 Aug 1985
TL;DR: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem that relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

7,514 citations

Book ChapterDOI
Taher Elgamal
19 Aug 1984
TL;DR: In this article, a new signature scheme is proposed together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem and the security of both systems relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

2,351 citations

Book
01 Jan 1982
TL;DR: The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks.
Abstract: From the Preface (See Front Matter for full Preface) Electronic computers have evolved from exiguous experimental enterprises in the 1940s to prolific practical data processing systems in the 1980s. As we have come to rely on these systems to process and store data, we have also come to wonder about their ability to protect valuable data. Data security is the science and study of methods of protecting data in computer and communication systems from unauthorized disclosure and modification. The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks. The book is for students and professionals seeking an introduction to these principles. There are many references for those who would like to study specific topics further. Data security has evolved rapidly since 1975. We have seen exciting developments in cryptography: public-key encryption, digital signatures, the Data Encryption Standard (DES), key safeguarding schemes, and key distribution protocols. We have developed techniques for verifying that programs do not leak confidential data, or transmit classified data to users with lower security clearances. We have found new controls for protecting data in statistical databases--and new methods of attacking these databases. We have come to a better understanding of the theoretical and practical limitations to security.

1,937 citations


"Encrypted key exchange: password-ba..." refers background in this paper

  • ...Can such a random odd number less than a known n be distinguished from a valid public key e? Assume that p and q are chosen to be of the form 2p′ + 1 and 2q′ + 1, where p′ and q′ are primes, a choice that is recommended for other reasons [9]....

    [...]