scispace - formally typeset
Search or ask a question
Proceedings ArticleDOI

Encrypted key exchange: password-based protocols secure against dictionary attacks

04 May 1992-pp 72-84
TL;DR: A combination of asymmetric (public-key) and symmetric (secret- key) cryptography that allow two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced.
Abstract: Classic cryptographic protocols based on user-chosen keys allow an attacker to mount password-guessing attacks. A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allow two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced. In particular, a protocol relying on the counter-intuitive motion of using a secret key to encrypt a public key is presented. Such protocols are secure against active attacks, and have the property that the password is protected against offline dictionary attacks. >

Content maybe subject to copyright    Report

Citations
More filters
Book ChapterDOI
16 Aug 2005
TL;DR: The current paper demonstrates the vulnerability of Kim et al.'s scheme to off-line password guessing attacks and the integrity violence of the session key from illegal modification, and presents an improved protocol based on the elliptic curve discrete logarithm problem ECDLP to resolve such problems.
Abstract: Recently, Kim et al. proposed an improvement to the Simple Authenticated Key Agreement SAKA protocol that has the same stability as the existing methods, and that has a much efficient processing performance. However, this improved scheme is still susceptible to off-line password guessing attacks and the integrity violence of a session key from illegal modification. The current paper demonstrates the vulnerability of Kim et al.'s scheme to off-line password guessing attacks and the integrity violence of the session key from illegal modification, and then presents an improved protocol based on the elliptic curve discrete logarithm problem ECDLP to resolve such problems. As a result, the proposed protocol resists off-line password guessing attacks and modification attack, while also providing more security and efficiency.

9 citations


Cites methods from "Encrypted key exchange: password-ba..."

  • ...There have been several methods to solve this problem, such as key exchange protocol using certificates [3] and the authenticated key exchange protocol in which two parties share a secret password (pre-shared password) beforehand [ 4 , 5]. The former has a weakness in that it needs a trusted third certification party....

    [...]

01 Jan 2003
TL;DR: These are the first protocols which are provably secure in the standard model (i.e. no random oracles are used for the proof of security) and are reasonably efficient and implementable in practice.
Abstract: We present two protocols for threshold password authenti- cated key exchange. In this model, the password is not stored in a single authenticating server but rather shared among a set of n servers so that an adversary can learn the password only by breaking into t + 1 of them. The protocols require n> 3t servers to work. The goal is to protect the password against hackers attacks that can break into the authenticating server and steal password information. All known centralized password authentication schemes are susceptible to such an attack. Ours are the first protocols which are provably secure in the standard model (i.e. no random oracles are used for the proof of security). More- over our protocols are reasonably efficient and implementable in practice. In particular a goal of the design was to avoid costly zero-knowledge proofs to keep interaction to a minimum.

9 citations


Additional excerpts

  • ...Research in password-authentication protocols resistant to off-line attacks started with the work of Bellovin and Merritt [3] and continued in [15,19]....

    [...]

Journal ArticleDOI
01 Dec 2013
TL;DR: Whether password protocols can be safely composed, even when a same password is reused is studied, and a transformation which maps a password protocol that is secure for a single protocol session (a decidable problem) to a protocol that are secure for an unbounded number of sessions is presented.
Abstract: Formal and symbolic techniques are extremely useful for modelling and analysing security protocols. They have helped to improve our understanding of such protocols, allowed us to discover flaws, and they also provide support for protocol design. However, such analyses usually consider that the protocol is executed in isolation or assume a bounded number of protocol sessions. Hence, no security guarantee is provided when the protocol is executed in a more complex environment. In this paper, we study whether password protocols can be safely composed, even when a same password is reused. More precisely, we present a transformation which maps a password protocol that is secure for a single protocol session (a decidable problem) to a protocol that is secure for an unbounded number of sessions. Our result provides an effective strategy to design secure password protocols: (i) design a protocol intended to be secure for one protocol session; (ii) apply our transformation and obtain a protocol which is secure for an unbounded number of sessions. Our technique also applies to compose different password protocols allowing us to obtain both inter-protocol and inter-session composition.

9 citations

Book ChapterDOI
Julia Hesse1
14 Sep 2020
TL;DR: It is proved that a strong assumption like a programmable random oracle is necessary to achieve security of asymmetric PAKE in the Universal Composability (UC) framework and usefulness is demonstrated by proving that the \(\varOmega \)-method proposed by Gentry et al satisfies the authors' new security notion for asymmetricPAKE.
Abstract: Password-Authenticated Key Exchange (PAKE) is a method to establish cryptographic keys between two users sharing a low-entropy password. In its asymmetric version, one of the users acts as a server and only stores some function of the password, e.g., a hash. Upon server compromise, the adversary learns \(H(\mathsf {pw})\). Depending on the strength of the password, the attacker now has to invest more or less work to reconstruct \(\mathsf {pw} \) from \(H(\mathsf {pw})\). Intuitively, asymmetric PAKE seems more challenging than symmetric PAKE since the latter is not supposed to protect the password upon compromise. In this paper, we provide three contributions: Separating symmetric and asymmetric PAKE. We prove that a strong assumption like a programmable random oracle is necessary to achieve security of asymmetric PAKE in the Universal Composability (UC) framework. For symmetric PAKE, programmability is not required. Our results also rule out the existence of UC-secure asymmetric PAKE in the CRS model. Revising the security definition. We identify and close some gaps in the UC security definition of 2-party asymmetric PAKE given by Gentry, MacKenzie and Ramzan (Crypto 2006). For this, we specify a natural corruption model for server compromise attacks. We further remove an undesirable weakness that lets parties wrongly believe in security of compromised session keys. We demonstrate usefulness by proving that the \(\varOmega \)-method proposed by Gentry et al. satisfies our new security notion for asymmetric PAKE. To our knowledge, this is the first formal security proof of the \(\varOmega \)-method in the literature. Composable multi-party asymmetric PAKE. We showcase how our revisited security notion for 2-party asymmetric PAKE can be used to obtain asymmetric PAKE protocols in the multi-user setting and discuss important aspects for implementing such a protocol.

9 citations

Book ChapterDOI
28 May 2006
TL;DR: The computational cost of the proposed TAKE protocol is less than that of the PP-TAKE protocol, as is the number of steps needed to communicate is one fewer in which needs only three steps.
Abstract: Recently, Park and Park proposed a new two factor authenticated key exchange (PP-TAKE) protocol that can be applied to low-power PDAs in Public Wireless LANs (PWLANs). The current paper proposes an efficient TAKE protocol based upon the PP-TAKE protocol. The computational cost of the proposed TAKE protocol is less than that of the PP-TAKE protocol, as is the number of steps needed to communicate is one fewer in which needs only three steps.

9 citations


Cites background from "Encrypted key exchange: password-ba..."

  • ...Phishing, or server impersonation, occurs when a malicious server convinces a user to reveal sensitive personal information, such as a username and password, to a malicious server instead of the real server....

    [...]

  • ...Password-authenticated key exchange was first introduced by Bellovin and Merritt in 1992 (Bellovin & Merritt 1992) as the encrypted key exchange (EKE) protocol, in which the client and server shared the plaintext password and exchanged encrypted information to allow them to derive a shared session…...

    [...]

References
More filters
Journal ArticleDOI
TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.

14,980 citations


"Encrypted key exchange: password-ba..." refers background or methods in this paper

  • ...ElGamal’s algorithm is derived from the DiffieHellman exponential key exchange protocol[2]; accordingly, we will review the latter first....

    [...]

  • ...And even this risk is minimal if B performs certain checks to guard against easily-solvable choices: that β is indeed prime, that it is large enough (and hence not susceptible to precalculation of tables), that β − 1 have at least one large prime factor (to guard against Pohlig and Hellman’s algorithm[13]), and that α is a primitive root of GF (β)....

    [...]

  • ...The use given above for asymmetric encryption — simply using it to pass a key for a symmetric encryption system — is an example of what Diffie and Hellman[2] call a public key distribution system....

    [...]

  • ...It works especially well with exponential key exchange [2]....

    [...]

Journal ArticleDOI
TL;DR: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key.
Abstract: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: (1) Couriers or other secure means are not needed to transmit keys, since a message can be enciphered using an encryption key publicly revealed by the intented recipient. Only he can decipher the message, since only he knows the corresponding decryption key. (2) A message can be “signed” using a privately held decryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in “electronic mail” and “electronic funds transfer” systems. A message is encrypted by representing it as a number M, raising M to a publicly specified power e, and then taking the remainder when the result is divided by the publicly specified product, n, of two large secret primer numbers p and q. Decryption is similar; only a different, secret, power d is used, where e * d ≡ 1(mod (p - 1) * (q - 1)). The security of the system rests in part on the difficulty of factoring the published divisor, n.

14,659 citations


"Encrypted key exchange: password-ba..." refers methods in this paper

  • ...Section 2 describes the asymmetric cryptosystem variant and implementations using RSA[ 3 ] and ElGamal[4]....

    [...]

  • ...We will use RSA[ 3 ] to illustrate the difficulties....

    [...]

Journal ArticleDOI
Taher Elgamal1
23 Aug 1985
TL;DR: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem that relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

7,514 citations

Book ChapterDOI
Taher Elgamal1
19 Aug 1984
TL;DR: In this article, a new signature scheme is proposed together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem and the security of both systems relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed together with an implementation of the Diffie - Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

2,351 citations

Book
01 Jan 1982
TL;DR: The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks.
Abstract: From the Preface (See Front Matter for full Preface) Electronic computers have evolved from exiguous experimental enterprises in the 1940s to prolific practical data processing systems in the 1980s. As we have come to rely on these systems to process and store data, we have also come to wonder about their ability to protect valuable data. Data security is the science and study of methods of protecting data in computer and communication systems from unauthorized disclosure and modification. The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks. The book is for students and professionals seeking an introduction to these principles. There are many references for those who would like to study specific topics further. Data security has evolved rapidly since 1975. We have seen exciting developments in cryptography: public-key encryption, digital signatures, the Data Encryption Standard (DES), key safeguarding schemes, and key distribution protocols. We have developed techniques for verifying that programs do not leak confidential data, or transmit classified data to users with lower security clearances. We have found new controls for protecting data in statistical databases--and new methods of attacking these databases. We have come to a better understanding of the theoretical and practical limitations to security.

1,937 citations


"Encrypted key exchange: password-ba..." refers background in this paper

  • ...Can such a random odd number less than a known n be distinguished from a valid public key e? Assume that p and q are chosen to be of the form 2p′ + 1 and 2q′ + 1, where p′ and q′ are primes, a choice that is recommended for other reasons [9]....

    [...]