Proceedings ArticleDOI

Encrypted key exchange: password-based protocols secure against dictionary attacks

04 May 1992-pp 72-84
TL;DR: A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allows two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced.
Abstract: Classic cryptographic protocols based on user-chosen keys allow an attacker to mount password-guessing attacks. A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allows two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced. In particular, a protocol relying on the counter-intuitive notion of using a secret key to encrypt a public key is presented. Such protocols are secure against active attacks, and have the property that the password is protected against offline dictionary attacks.


Citations
Journal ArticleDOI
TL;DR: It is shown that Sun-Chen-Hwang's three-party key agreement protocols using passwords are insecure against an active adversary and a small change to the protocols is recommended that fixes the security problem.
Abstract: We show that Sun-Chen-Hwang's three-party key agreement protocols using passwords are insecure against an active adversary. Further, we recommend a small change to the protocols that fixes the security problem.

13 citations


Cites background or methods from "Encrypted key exchange: password-ba..."

  • ...References [1] S.M. Bellovin and M. Merritt, “Encrypted key exchange: Password-based protocols secure against dictionary attacks,” Proc....

  • ...The possibility of secure password-authenticated key exchange was recognized in the work of Bellovin and Merritt [1], which shows how to bootstrap a high-entropy cryptographic key from a weak, low-entropy password....

  • ...[4] proposed a three-party protocol for password-based key agreement which builds on the earlier protocol, known as encrypted key exchange, or EKE, proposed by Bellovin and Merritt [1] in the two-party setting....

  • ...Roughly a decade ago, Steiner et al. [4] proposed a three-party protocol for password-based key agreement which builds on the earlier protocol, known as encrypted key exchange, or EKE, proposed by Bellovin and Merritt [1] in the two-party setting....

01 Jan 2008
TL;DR: This doctoral thesis presents a formal model of location privacy for WPAN, discusses the cryptographic and physical design principles that have to be taken into account to design a secure distance bounding protocol, and presents some interesting applications of distance bounding protocols.
Abstract: Communication between mobile devices allows them to work together and augments their functionality. This idea resulted in the concept of a Wireless Personal Area Network (WPAN). Supporting security and privacy are essential before these networks can become an everyday reality. Without the necessary countermeasures, wireless communications are easy to intercept and modify, and the activities of users can be traced. Moreover, the specific properties of WPANs present interesting challenges when designing security and privacy solutions in this environment. In this doctoral thesis, we present several solutions for a number of important security and privacy problems in WPANs. The thesis starts with an overview of the most common techniques to construct an out-of-band channel, a building block used in pairing protocols, and the essential part to securely bootstrap key establishment protocols in a WPAN. This doctoral thesis presents two efficient pairing protocols, and discusses their main (security) properties. Distance bounding protocols enable a verifying party to determine an upper bound on the distance between itself and a prover, who claims to be within a certain range. This thesis discusses the cryptographic and physical design principles that have to be taken into account to design a secure distance bounding protocol, and presents some interesting applications of distance bounding protocols. As distance bounding protocols are conducted over noisy wireless ad hoc channels, they should be designed to cope well with substantial bit error rates during the rapid single bit exchanges. This thesis presents the noise resilient MAD protocol and compares its performance to the Hancke–Kuhn protocol for both moderately low and relatively high bit error rates. The results of this analysis help to choose the appropriate design parameters. Finally, the thesis deals with location privacy in WPANs. Several communication scenarios for WPAN are presented and for each of these scenarios, practical techniques that make use of temporary pseudonyms are proposed. To analyze and evaluate these solutions and other techniques that have been proposed in the literature, this doctoral thesis presents a formal model of location privacy for WPAN.

13 citations

Book ChapterDOI
04 Dec 2016
TL;DR: This work introduces and instantiates the concept of Structure-Preserving Smooth Projective Hash Function, and gives as applications more efficient one-round PAKE and three-round OT instantiations, and information retrieval thanks to Anonymous Credentials, all UC-secure against adaptive adversaries.
Abstract: Smooth projective hashing has proven to be an extremely useful primitive, in particular when used in conjunction with commitments to provide implicit decommitment. This has led to applications proven secure in the UC framework, even in the presence of an adversary which can do adaptive corruptions, like for example Password Authenticated Key Exchange (PAKE), and 1-out-of-m Oblivious Transfer (OT). However such solutions still lack in efficiency, since they heavily scale on the underlying message length. Structure-preserving cryptography aims at providing elegant and efficient schemes based on classical assumptions and standard group operations on group elements. A recent trend focuses on constructions of structure-preserving signatures, which require message, signature and verification keys to lie in the base group, while the verification equations only consist of pairing-product equations. Classical constructions of Smooth Projective Hash Function suffer from the same limitation as classical signatures: at least one part of the computation (messages for signatures, witnesses for SPHF) is a scalar. In this work, we introduce and instantiate the concept of Structure-Preserving Smooth Projective Hash Function, and give as applications more efficient instantiations for one-round PAKE and three-round OT, and information retrieval thanks to Anonymous Credentials, all UC-secure against adaptive adversaries.

13 citations


Cites methods from "Encrypted key exchange: password-ba..."

  • ...Password-Authenticated Key Exchange (PAKE) protocols were proposed in 1992 by Bellovin and Merritt [12] where authentication is done using a simple password, possibly drawn from a small entropy space subject to exhaustive search....

Journal ArticleDOI
TL;DR: A threshold MFA key exchange protocol built on top of a threshold oblivious pseudorandom function and an authenticated key exchange protocol that achieves the “highest-attainable” security against all attacking attempts in the context of parties/factors being compromised/corrupted.
Abstract: Multi-factor authentication (MFA) has been widely used to safeguard high-value assets. Unlike single-factor authentication (e.g., password-only login), t-factor authentication (tFA) requires a user always to carry and present t specified factors so as to strengthen the security of login. Nevertheless, this may restrict user experience in limiting the flexibility of factor usage, e.g., the user may prefer to choose any factors at hand for login authentication. To bring back usability and flexibility without loss of security, we introduce a new notion of authentication, called (t,n) threshold MFA, that allows a user to actively choose t factors out of n based on preference. We further define the “most-rigorous” multi-factor security model for the new notion, allowing attackers to control public channels, launch active/passive attacks, and compromise/corrupt any subset of parties as well as factors. We state that the model can capture the most practical security needs in the literature. We design a threshold MFA key exchange (T-MFAKE) protocol built on top of a threshold oblivious pseudorandom function and an authenticated key exchange protocol. Our protocol achieves the “highest-attainable” security against all attacking attempts in the context of parties/factors being compromised/corrupted. As for efficiency, our design only requires 4+t exponentiations, 2 multi-exponentiations and 2 communication rounds. Compared with existing tFA schemes, even the degenerated (t,t) version of our protocol achieves the strongest security (stronger than most schemes) and higher efficiency in computation and communication. We instantiate our design on a real-world platform to highlight its practicability and efficiency.

13 citations

References
Journal ArticleDOI
TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.

14,980 citations


"Encrypted key exchange: password-ba..." refers background or methods in this paper

  • ...ElGamal’s algorithm is derived from the Diffie-Hellman exponential key exchange protocol [2]; accordingly, we will review the latter first....

  • ...And even this risk is minimal if B performs certain checks to guard against easily-solvable choices: that β is indeed prime, that it is large enough (and hence not susceptible to precalculation of tables), that β − 1 have at least one large prime factor (to guard against Pohlig and Hellman’s algorithm [13]), and that α is a primitive root of GF(β)....

  • ...The use given above for asymmetric encryption — simply using it to pass a key for a symmetric encryption system — is an example of what Diffie and Hellman [2] call a public key distribution system....

  • ...It works especially well with exponential key exchange [2]....

Journal ArticleDOI
TL;DR: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key.
Abstract: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: (1) Couriers or other secure means are not needed to transmit keys, since a message can be enciphered using an encryption key publicly revealed by the intended recipient. Only he can decipher the message, since only he knows the corresponding decryption key. (2) A message can be “signed” using a privately held decryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in “electronic mail” and “electronic funds transfer” systems. A message is encrypted by representing it as a number M, raising M to a publicly specified power e, and then taking the remainder when the result is divided by the publicly specified product, n, of two large secret prime numbers p and q. Decryption is similar; only a different, secret, power d is used, where e * d ≡ 1 (mod (p - 1) * (q - 1)). The security of the system rests in part on the difficulty of factoring the published divisor, n.

14,659 citations


"Encrypted key exchange: password-ba..." refers methods in this paper

  • ...Section 2 describes the asymmetric cryptosystem variant and implementations using RSA [3] and ElGamal [4]....

  • ...We will use RSA [3] to illustrate the difficulties....

Journal ArticleDOI
Taher Elgamal
23 Aug 1985
TL;DR: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem that relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

7,514 citations

Book ChapterDOI
Taher Elgamal
19 Aug 1984
TL;DR: In this article, a new signature scheme is proposed together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem and the security of both systems relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

2,351 citations

Book
01 Jan 1982
TL;DR: The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks.
Abstract: From the Preface (See Front Matter for full Preface) Electronic computers have evolved from exiguous experimental enterprises in the 1940s to prolific practical data processing systems in the 1980s. As we have come to rely on these systems to process and store data, we have also come to wonder about their ability to protect valuable data. Data security is the science and study of methods of protecting data in computer and communication systems from unauthorized disclosure and modification. The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks. The book is for students and professionals seeking an introduction to these principles. There are many references for those who would like to study specific topics further. Data security has evolved rapidly since 1975. We have seen exciting developments in cryptography: public-key encryption, digital signatures, the Data Encryption Standard (DES), key safeguarding schemes, and key distribution protocols. We have developed techniques for verifying that programs do not leak confidential data, or transmit classified data to users with lower security clearances. We have found new controls for protecting data in statistical databases--and new methods of attacking these databases. We have come to a better understanding of the theoretical and practical limitations to security.

1,937 citations


"Encrypted key exchange: password-ba..." refers background in this paper

  • ...Can such a random odd number less than a known n be distinguished from a valid public key e? Assume that p and q are chosen to be of the form 2p′ + 1 and 2q′ + 1, where p′ and q′ are primes, a choice that is recommended for other reasons [9]....
