Proceedings ArticleDOI

Encrypted key exchange: password-based protocols secure against dictionary attacks

04 May 1992, pp. 72-84
TL;DR: A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allows two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced.
Abstract: Classic cryptographic protocols based on user-chosen keys allow an attacker to mount password-guessing attacks. A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allows two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced. In particular, a protocol relying on the counter-intuitive notion of using a secret key to encrypt a public key is presented. Such protocols are secure against active attacks, and have the property that the password is protected against offline dictionary attacks.


Citations
Book ChapterDOI
14 May 2004
TL;DR: This paper presents a new password-based authenticated key agreement protocol, PAKA, which provides mutual authentication and key agreement over an insecure channel between two parties knowing only a small password having low entropy, and extends it to a protocol called PAKA-X.
Abstract: In this paper, we present a new password-based authenticated key agreement protocol called PAKA, which provides mutual authentication and key agreement over an insecure channel between two parties knowing only a small password having low entropy. We then extend PAKA to a protocol called PAKA-X, in which the client uses a plaintext version of the password, while the server stores a verifier for the password, and which does not allow an adversary who compromises the server to impersonate a client without actually running a dictionary attack on the password file. The proposed protocols are secure against passive and active attacks and provide perfect forward secrecy.

12 citations

Journal ArticleDOI
TL;DR: Four protocols are proposed, which body sensors can use to derive keys from cryptographically weak environmental data without the necessity of using traditional encryption, and map the applicability of each protocol to the corresponding characteristics found in different types of environmental data.
Abstract: Wireless sensor networks provide solutions to a range of monitoring problems. However, they also introduce a new set of challenges, mainly due to small memories, weak processors, and limited energy. As an example application, a body sensor network is examined in detail in this paper. It is used as the basis for the requirements for the proposed key establishment protocols. Four protocols are proposed, which body sensors can use to derive keys from cryptographically weak environmental data. This is achieved without the necessity of using traditional encryption. We map the applicability of each protocol to the corresponding characteristics found in different types of environmental data. Detailed analysis of each of the protocols is provided. The protocols were implemented in TinyOS and simulated using TOSSIM. Energy consumption and memory requirements are analysed, and it is found that an RSA implementation of our protocols has some advantages over an ECC implementation.

12 citations


Cites background from "Encrypted key exchange: password-ba..."

  • ...The encryption of tA, tB, nA, and nB can be implemented with an exclusive-or function, as originally described by Bellovin and Merritt (1992)....


  • ...An example of a two-party protocol where the new key will not be compromised if the old key becomes compromised is the EKE protocol (Bellovin and Merritt, 1992), as shown in Protocol 2....


01 Jan 2007
TL;DR: In this article, a performance comparison of several well-known automatic tools for security protocol verification is presented, where the authors model a set of protocols and their properties as homogeneously as possible for each tool.
Abstract: Many tools exist for automatic security protocol verification, and most of them have their own particular language for specifying protocols and properties. Several protocol specification models and security properties have already been formally related to each other. However, there is an important difference between verification tools, which has not been investigated in depth before: the explored state space. Some tools explore all possible behaviors, whereas others explore strict subsets, often by using so-called scenarios. Ignoring such differences can lead to wrong interpretations of the output of a tool. We relate the explored state spaces to each other and find previously unreported differences between the various approaches. We apply our study of state space relations in a performance comparison of several well-known automatic tools for security protocol verification. We model a set of protocols and their properties as homogeneously as possible for each tool. We analyze the performance of the tools over comparable state spaces. This work enables us to effectively compare these automatic tools, i.e. using the same protocol description and exploring the same state space. We also propose some explanations for our experimental results, leading to a better understanding of the tools.

12 citations

Book ChapterDOI
23 Oct 2006
TL;DR: This paper proposes the first provably-secure PAGKE protocol in the standard model, a two-round protocol and the security of the protocol is reduced to the Decisional Diffie-Hellman (DDH) problem.
Abstract: Password-authenticated group key exchange (PAGKE) allows group users to share a session key using a human-memorable password only. The fundamental security goal of PAGKE is security against dictionary attacks. Several solutions have been proposed to solve this problem, but most require a number of rounds that grows linearly with the number of group users, so they are neither scalable nor practical. Recently a provably-secure constant-round PAGKE protocol overcoming this shortcoming was proposed at PKC '06. However, current PAGKE protocols have been proven secure only in the ideal model. The ideal model assumes that some functions are “ideal” functions (or random functions). In the ideal cipher model, we assume a block cipher is an ideal cipher, and in the ideal hash model (also called the random oracle model), we assume a hash function is an ideal hash function. However, it is well known that a provably-secure scheme in the ideal model may be insecure if the ideal functions are implemented by real functions. In this paper we propose the first provably-secure PAGKE protocol in the standard model. Our protocol is a two-round protocol and the security of the protocol is reduced to the Decisional Diffie-Hellman (DDH) problem.

12 citations

Journal ArticleDOI
TL;DR: In this letter, it is shown that the Lo protocol is vulnerable to an active off-line dictionary attack and the Yang-Wang protocol is vulnerable to a passive off-line dictionary attack.
Abstract: In 2002, Zhu et al. proposed a password-based authenticated key exchange protocol based on RSA. Many researchers pointed out that Zhu et al.'s protocol is vulnerable to off-line dictionary attack. In 2003, Yeh et al. proposed an improved protocol. Recently, Lo and Yang-Wang pointed out that Yeh et al.'s improved protocol is also vulnerable to off-line dictionary attack. To avoid this weakness in Yeh et al.'s protocol, Lo and Yang-Wang proposed two improved protocols. However, in this letter, we show that the Lo protocol is vulnerable to an active off-line dictionary attack and the Yang-Wang protocol is vulnerable to a passive off-line dictionary attack.

12 citations

References
Journal ArticleDOI
TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.

14,980 citations


"Encrypted key exchange: password-ba..." refers background or methods in this paper

  • ...ElGamal’s algorithm is derived from the Diffie-Hellman exponential key exchange protocol[2]; accordingly, we will review the latter first....


  • ...And even this risk is minimal if B performs certain checks to guard against easily-solvable choices: that β is indeed prime, that it is large enough (and hence not susceptible to precalculation of tables), that β − 1 has at least one large prime factor (to guard against Pohlig and Hellman’s algorithm[13]), and that α is a primitive root of GF(β)....


  • ...The use given above for asymmetric encryption — simply using it to pass a key for a symmetric encryption system — is an example of what Diffie and Hellman[2] call a public key distribution system....


  • ...It works especially well with exponential key exchange [2]....


Journal ArticleDOI
TL;DR: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key.
Abstract: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: (1) Couriers or other secure means are not needed to transmit keys, since a message can be enciphered using an encryption key publicly revealed by the intended recipient. Only he can decipher the message, since only he knows the corresponding decryption key. (2) A message can be “signed” using a privately held decryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in “electronic mail” and “electronic funds transfer” systems. A message is encrypted by representing it as a number M, raising M to a publicly specified power e, and then taking the remainder when the result is divided by the publicly specified product, n, of two large secret prime numbers p and q. Decryption is similar; only a different, secret, power d is used, where e * d ≡ 1 (mod (p - 1) * (q - 1)). The security of the system rests in part on the difficulty of factoring the published divisor, n.

14,659 citations


"Encrypted key exchange: password-ba..." refers methods in this paper

  • ...Section 2 describes the asymmetric cryptosystem variant and implementations using RSA[3] and ElGamal[4]....


  • ...We will use RSA[3] to illustrate the difficulties....


Journal ArticleDOI
Taher Elgamal
23 Aug 1985
TL;DR: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem that relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

7,514 citations

Book ChapterDOI
Taher Elgamal
19 Aug 1984
TL;DR: In this article, a new signature scheme is proposed together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem and the security of both systems relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

2,351 citations

Book
01 Jan 1982
TL;DR: The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks.
Abstract: From the Preface (See Front Matter for full Preface) Electronic computers have evolved from exiguous experimental enterprises in the 1940s to prolific practical data processing systems in the 1980s. As we have come to rely on these systems to process and store data, we have also come to wonder about their ability to protect valuable data. Data security is the science and study of methods of protecting data in computer and communication systems from unauthorized disclosure and modification. The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks. The book is for students and professionals seeking an introduction to these principles. There are many references for those who would like to study specific topics further. Data security has evolved rapidly since 1975. We have seen exciting developments in cryptography: public-key encryption, digital signatures, the Data Encryption Standard (DES), key safeguarding schemes, and key distribution protocols. We have developed techniques for verifying that programs do not leak confidential data, or transmit classified data to users with lower security clearances. We have found new controls for protecting data in statistical databases--and new methods of attacking these databases. We have come to a better understanding of the theoretical and practical limitations to security.

1,937 citations


"Encrypted key exchange: password-ba..." refers background in this paper

  • ...Can such a random odd number less than a known n be distinguished from a valid public key e? Assume that p and q are chosen to be of the form 2p′ + 1 and 2q′ + 1, where p′ and q′ are primes, a choice that is recommended for other reasons [9]....
