Proceedings ArticleDOI

Encrypted key exchange: password-based protocols secure against dictionary attacks

04 May 1992-pp 72-84
TL;DR: A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allows two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced.
Abstract: Classic cryptographic protocols based on user-chosen keys allow an attacker to mount password-guessing attacks. A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allows two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced. In particular, a protocol relying on the counter-intuitive notion of using a secret key to encrypt a public key is presented. Such protocols are secure against active attacks, and have the property that the password is protected against offline dictionary attacks.

Citations
01 Sep 2009
TL;DR: Syntax Notation One (ASN.1) is a description language for the definition of data structures, the used or.
Abstract: Syntax Notation One (ASN.1) is a description language for defining data structures. The domain parameters and the cryptographic protocols used or supported are stored on the electronic identity card (Personalausweis) in the file EF.CardAccess and are encoded in ASN.1. To run the PACE protocol, this file has to be read out and the required information extracted.
Package: de.tud.cdc.mecca.asn1
  • de.tud.cdc.mecca.asn1.ECDHAlgorithmIdentifier: The algorithm identifier and the domain parameters for elliptic curves are implemented in this class. The respective information and values are extracted from the file EF.CardAccess.
  • de.tud.cdc.mecca.asn1.TLV: The data in EF.CardAccess are stored in TLV format (Type, Length, Value). The class implements encoding and decoding of the TLV format.
Package: de.tud.cdc.mecca.asn1.eac
  • de.tud.cdc.mecca.asn1.eac.ISecurityInfo: The class defines an interface for all SecurityInfos.
  • de.tud.cdc.mecca.asn1.eac.SecurityInfo: This class represents a single SecurityInfo, consisting of the object identifier of the protocol and the associated required and optional data [3, Chapter A.1]. SecurityInfo ::= SEQUENCE { protocol OBJECT IDENTIFIER, requiredData ANY DEFINED BY protocol, optionalData ANY DEFINED BY protocol OPTIONAL }
  • de.tud.cdc.mecca.asn1.eac.SecurityInfos: The class represents the set of individual SecurityInfos and unites all SecurityInfos present in EF.CardAccess. The class implements the following ASN.1 data structure [3, Chapter A.1]: SecurityInfos ::= SET OF SecurityInfo
Package: de.tud.cdc.mecca.asn1.eac.pace
  • de.tud.cdc.mecca.asn1.eac.pace.PACEDomainParameterInfo: The class implements the following ASN.1 data structure: PACEDomainParameterInfo ::= SEQUENCE { protocol OBJECT IDENTIFIER(id-PACE-DH | id-PACE-ECDH), domainParameter AlgorithmIdentifier, parameterId INTEGER OPTIONAL } The methods getProtocol(), getDomainParameter() and getParameterId() are available for accessing the data. The method isPACEObjectIdentifer(DERObjectIdentifier o) can be used to check whether the given object identifier is a PACE object identifier of the form id-PACE-DH or id-PACE-ECDH.

8 citations

Journal ArticleDOI
TL;DR: In this paper, the authors evaluate group extensions of a regular key exchange protocol, i.e., the elliptic curve version of the Diffie-Hellman protocol, by using both a standardized NIST ECC curve as well as the faster, more recently proposed FourQ curve.
Abstract: The security of vehicle communication buses and electronic control units has received much attention in recent years. However, while essential for practical deployments, the problem of securely exchanging cryptographic keys between electronic control units on the CAN bus has received little attention so far. In this work, we evaluate group extensions of a regular key exchange protocol, i.e., the elliptic curve version of the Diffie-Hellman protocol, by using both a standardized NIST elliptic curve as well as the faster, more recently proposed FourQ curve. We deploy protocol implementations and determine crisp performance bounds on real-world automotive-grade platforms with Infineon and ARM cores. For an up-to-date analysis, we use both CAN and its more recent extension CAN-FD as communication layers. Roughly, the computational runtime of the key exchange protocol scales logarithmically or linearly with the number of nodes, depending on the protocol version. The computational time proves to be more critical than bandwidth due to the more demanding elliptic curve operations.

8 citations

Book ChapterDOI
28 Mar 2017
TL;DR: In this article, explainable projective hash proofs are introduced to explain any message sent by the simulator in case of corruption, hence the notion of Explainable Projective Hashing.
Abstract: An important problem in secure multi-party computation is the design of protocols that can tolerate adversaries that are capable of corrupting parties dynamically and learning their internal states. In this paper, we make significant progress in this area in the context of password-authenticated key exchange (PAKE) and oblivious transfer (OT) protocols. More precisely, we first revisit the notion of projective hash proofs and introduce a new feature that allows us to explain any message sent by the simulator in case of corruption, hence the notion of Explainable Projective Hashing. Next, we demonstrate that this new tool generically leads to efficient PAKE and OT protocols that are secure against semi-adaptive adversaries without erasures in the Universal Composability (UC) framework. We then show how to make these protocols secure even against adaptive adversaries, using non-committing encryption, in a much more efficient way than generic conversions from semi-adaptive to adaptive security. Finally, we provide concrete instantiations of explainable projective hash functions that lead to the most efficient PAKE and OT protocols known so far, with UC-security against adaptive adversaries, without assuming reliable erasures, in the single global CRS setting.

8 citations

Posted Content
01 Jan 2014
TL;DR: Wang et al. as mentioned in this paper revisited Tsai et al.'s and Li's anonymous two-factor authentication schemes and systematically explored the inherent conflicts and unavoidable trade-offs among the design criteria.
Abstract: Despite two decades of intensive research, it remains a challenge to design a practical anonymous two-factor authentication scheme, for the designers are confronted with an impressive list of security requirements (e.g., resistance to smart card loss attack) and desirable attributes (e.g., local password update). Numerous solutions have been proposed, yet most of them are shortly found either unable to satisfy some critical security requirements or short of a few important features. To overcome this unsatisfactory situation, researchers often work around it in hopes of a new proposal (but no one has succeeded so far), while paying little attention to the fundamental question: whether or not there are inherent limitations that prevent us from designing an “ideal” scheme that satisfies all the desirable goals? In this work, we aim to provide a definite answer to this question. We first revisit two foremost proposals, i.e. Tsai et al.’s scheme and Li’s scheme, revealing some subtleties and challenges in designing such schemes. Then, we systematically explore the inherent conflicts and unavoidable trade-offs among the design criteria. Our results indicate that, under the current widely accepted adversarial model, certain goals are beyond attainment. This also suggests a negative answer to the open problem left by Huang et al. in 2014. To the best of knowledge, the present study makes the first step towards understanding the underlying evaluation metric for anonymous two-factor authentication, which we believe will facilitate better design of anonymous two-factor protocols that offer acceptable trade-offs among usability, security and privacy.

8 citations

Posted Content
TL;DR: This work revisits Abdalla and Pointcheval’s three-party PAKE protocol, and demonstrates that the protocol is vulnerable to an off-line dictionary attack whereby a malicious client can find out the passwords of other clients.
Abstract: Despite all the research efforts made so far, the design of protocols for password-authenticated key exchange (PAKE) still remains a non-trivial task. One of the major challenges in designing such protocols is to protect low-entropy passwords from the notorious dictionary attacks. In this work, we revisit Abdalla and Pointcheval's three-party PAKE protocol presented in Financial Cryptography 2005, and demonstrate that the protocol is vulnerable to an off-line dictionary attack whereby a malicious client can find out the passwords of other clients.

8 citations


Cites background from "Encrypted key exchange: password-ba..."

  • ...[6] Bellovin S. and Merritt M., Encrypted Key Exchange: Password-Based Protocols Secure against Dictionary Attacks, In 1992 IEEE Symposium on Research in Security and Privacy, 72–84, 1992....

  • ...Bellovin and Merritt [6] was the first to consider how two parties, who only share a password, establish a common session key over a public network which might be fully controlled by an adversary....

References
Journal ArticleDOI
TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.

14,980 citations


"Encrypted key exchange: password-ba..." refers background or methods in this paper

  • ...ElGamal's algorithm is derived from the Diffie-Hellman exponential key exchange protocol[2]; accordingly, we will review the latter first....

  • ...And even this risk is minimal if B performs certain checks to guard against easily-solvable choices: that β is indeed prime, that it is large enough (and hence not susceptible to precalculation of tables), that β − 1 have at least one large prime factor (to guard against Pohlig and Hellman's algorithm[13]), and that α is a primitive root of GF(β)....

  • ...The use given above for asymmetric encryption — simply using it to pass a key for a symmetric encryption system — is an example of what Diffie and Hellman[2] call a public key distribution system....

  • ...It works especially well with exponential key exchange [2]....

Journal ArticleDOI
TL;DR: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key.
Abstract: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: (1) Couriers or other secure means are not needed to transmit keys, since a message can be enciphered using an encryption key publicly revealed by the intended recipient. Only he can decipher the message, since only he knows the corresponding decryption key. (2) A message can be "signed" using a privately held decryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in "electronic mail" and "electronic funds transfer" systems. A message is encrypted by representing it as a number M, raising M to a publicly specified power e, and then taking the remainder when the result is divided by the publicly specified product, n, of two large secret prime numbers p and q. Decryption is similar; only a different, secret, power d is used, where e · d ≡ 1 (mod (p − 1)(q − 1)). The security of the system rests in part on the difficulty of factoring the published divisor, n.

14,659 citations


"Encrypted key exchange: password-ba..." refers methods in this paper

  • ...Section 2 describes the asymmetric cryptosystem variant and implementations using RSA[3] and ElGamal[4]....

  • ...We will use RSA[3] to illustrate the difficulties....

Journal ArticleDOI
Taher Elgamal
23 Aug 1985
TL;DR: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem that relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

7,514 citations

Book ChapterDOI
Taher Elgamal
19 Aug 1984
TL;DR: In this article, a new signature scheme is proposed together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem and the security of both systems relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

2,351 citations

Book
01 Jan 1982
TL;DR: The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks.
Abstract: From the Preface (See Front Matter for full Preface) Electronic computers have evolved from exiguous experimental enterprises in the 1940s to prolific practical data processing systems in the 1980s. As we have come to rely on these systems to process and store data, we have also come to wonder about their ability to protect valuable data. Data security is the science and study of methods of protecting data in computer and communication systems from unauthorized disclosure and modification. The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks. The book is for students and professionals seeking an introduction to these principles. There are many references for those who would like to study specific topics further. Data security has evolved rapidly since 1975. We have seen exciting developments in cryptography: public-key encryption, digital signatures, the Data Encryption Standard (DES), key safeguarding schemes, and key distribution protocols. We have developed techniques for verifying that programs do not leak confidential data, or transmit classified data to users with lower security clearances. We have found new controls for protecting data in statistical databases--and new methods of attacking these databases. We have come to a better understanding of the theoretical and practical limitations to security.

1,937 citations


"Encrypted key exchange: password-ba..." refers background in this paper

  • ...Can such a random odd number less than a known n be distinguished from a valid public key e? Assume that p and q are chosen to be of the form 2p′ + 1 and 2q′ + 1, where p′ and q′ are primes, a choice that is recommended for other reasons [9]....
