Proceedings ArticleDOI

Encrypted key exchange: password-based protocols secure against dictionary attacks

04 May 1992, pp. 72-84
TL;DR: A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allows two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced.
Abstract: Classic cryptographic protocols based on user-chosen keys allow an attacker to mount password-guessing attacks. A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allows two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced. In particular, a protocol relying on the counter-intuitive notion of using a secret key to encrypt a public key is presented. Such protocols are secure against active attacks, and have the property that the password is protected against offline dictionary attacks.


Citations
Posted Content
TL;DR: In this article, the authors analyzed the only one password-authenticated key retrieval protocol (PAKR-1) standardized in IEEE 1363.2 and its multi-server system and showed that any passive/active attacker can find out the client's password and the static key with off-line dictionary attacks.
Abstract: A PAKR (Password-Authenticated Key Retrieval) protocol and its multi-server system allow one party (say, client), who has a rememberable password, to retrieve a long-term static key in an exchange of messages with at least one other party (say, server) that has a private key associated with the password. In this paper, we analyze the only one PAKR (named as PKRS-1) standardized in IEEE 1363.2 [9] and its multi-server system (also, [11]) by showing that any passive/active attacker can find out the client's password and the static key with off-line dictionary attacks. This result is contrary to the security statement of PKRS-1 (see Chapter 10.2 of IEEE 1363.2 [9]).

6 citations

Book ChapterDOI
21 Aug 2017
TL;DR: A lightweight authentication method for use on a smart sensor is tested and possible implementations of the authentication mechanism on a hardware security module are described.
Abstract: Sensors are a vital component for the Internet of Things. These sensors gather information about their environment and pass this information to control algorithms and/or actuators. To operate as effectively as possible the sensors need to be reconfigurable, which allows the operators to optimize the sensing activities. In this work we focus on the mechanisms of such reconfiguration possibilities. As the reconfiguration can also be used to manipulate the sensors (and their attached systems) in a subtle way, the security of the reconfiguration interface is of utmost importance. Within this work we test a lightweight authentication method for use on a smart sensor and describe possible implementations of the authentication mechanism on a hardware security module.

6 citations

Dissertation
29 Feb 2016
TL;DR: This thesis sets out to bring cryptographic password-based protocols closer to real world deployment as well as improving their security guarantees by proposing frameworks for password-based authentication and key-exchange in the verifier-based and two-server setting.
Abstract: Password-based authentication is the most popular authentication mechanism for humans today, not only on the internet. Despite increasing efforts to move to supposedly more secure alternatives, password-based authentication is most likely to stay for the foreseeable future due to its user experience and convenience. However, although secure cryptographic protocols for password-based authentication and key-exchange exist, they are hardly used in practice. While previous work on password-based cryptography includes secure password-based key-exchange, authentication, and secret sharing protocols, this thesis sets out to bring cryptographic password-based protocols closer to real world deployment as well as improving their security guarantees. To this end we propose frameworks for password-based authentication and key-exchange in the verifier-based and two-server setting as a step towards deploying cryptographically secure password-based protocols. These frameworks do not only include the authentication/key-exchange step, which has been researched before, but also investigate registration of prospective client passwords, which has not been considered before. In particular, the first step of each proposed framework is the secure registration of passwords with limited trust assumptions on server and client that requires the server to enforce a password policy for minimum security of client passwords and enables the client to compute the password verifier or password shares on the client side. While this first essential step for password-based authentication and key-exchange has hardly been explored before, the second step, the actual authentication and key-exchange protocol, enjoys a large body of research in the plain single-server setting. In this thesis however we focus on the less well studied verifier-based and two-server settings where we propose new protocols for both settings and the first security model for two-server protocols in the UC framework.
The theoretical work is underpinned by implementations of the password registration phase that allows the comparison of not only security but also performance of the proposed protocols. To further facilitate adoption and demonstrate usability we show real world usage of the verifier-based framework by implementing a demo application and Firefox extension that allows the use of the proposed framework for account registration and authentication.

6 citations


Cites methods from "Encrypted key exchange: password-ba..."

  • ...The notion of PAKE was introduced by Bellovin and Merritt [27] and corresponding security models were initially developed by Bellare et al. [24], Boyko et al. [44], and Goldreich and Lindell [107]....

  • ...The notion of PAKE was introduced by Bellovin and Merritt [27] and corresponding security models were initially developed by Bellare et al....

  • ...Bellovin and Merritt [28] first described how password authenticated key-exchange can be performed while the server stores only a verifier of the actual password....

  • ...The idea sketched by Bellovin and Merritt [28] resembles the concept of Verifier-based PAKE (VPAKE)....

  • ...It has been mentioned from the first PAKE protocols by Bellovin and Merritt [28] (augmented... (footnote 3: The work by Goldreich and Lindell [107] is concerned with the general possibility of such a protocol rather than building a practical one.)

Journal ArticleDOI
TL;DR: The security of the proposed scheme of user authentication based on the secret data stored inside a smart card and the property of an n-dimensional circle is investigated and it is shown that the scheme is insecure under the dictionary attack, the impersonation attack, and the attack of impersonating the central authority.
Abstract: A scheme of user authentication had been proposed to authenticate users based on the secret data stored inside a smart card and the property of an n-dimensional circle. We investigate the security of the scheme and show that the scheme is insecure under the dictionary attack, the impersonation attack, and the attack of impersonating the central authority. Due to the insecurity under various attacks, we suggest that a cryptographic scheme should be provably secure.

6 citations


Cites background from "Encrypted key exchange: password-ba..."

  • ...First, we find that it is feasible to mount a dictionary attack [9] on the scheme. Usually, the users tend to choose easily remembered passwords....

Journal ArticleDOI
TL;DR: An entropy-based approach to estimate the probability of a successful attack on a protocol given the prescribed knowledge of the attacker is presented and it is proved that, for an attacker whose knowledge increases with the security parameter, computing this quantity is NP-hard in the security parameters.

6 citations


Cites background from "Encrypted key exchange: password-ba..."

  • ...Their main weakness, however, is that it is hard to prove that these abstractions are sound, since in practice cryptographic primitives have properties which the attacker may explore and attack: for example, the redundancy of certain messages may be explored by the attacker to guess a weak password [8]....

References
Journal ArticleDOI
TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.

14,980 citations


"Encrypted key exchange: password-ba..." refers background or methods in this paper

  • ...ElGamal's algorithm is derived from the Diffie-Hellman exponential key exchange protocol [2]; accordingly, we will review the latter first....

  • ...And even this risk is minimal if B performs certain checks to guard against easily-solvable choices: that β is indeed prime, that it is large enough (and hence not susceptible to precalculation of tables), that β − 1 has at least one large prime factor (to guard against Pohlig and Hellman's algorithm [13]), and that α is a primitive root of GF(β)....

  • ...The use given above for asymmetric encryption — simply using it to pass a key for a symmetric encryption system — is an example of what Diffie and Hellman[2] call a public key distribution system....

  • ...It works especially well with exponential key exchange [2]....

Journal ArticleDOI
TL;DR: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key.
Abstract: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: (1) Couriers or other secure means are not needed to transmit keys, since a message can be enciphered using an encryption key publicly revealed by the intended recipient. Only he can decipher the message, since only he knows the corresponding decryption key. (2) A message can be "signed" using a privately held decryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in "electronic mail" and "electronic funds transfer" systems. A message is encrypted by representing it as a number M, raising M to a publicly specified power e, and then taking the remainder when the result is divided by the publicly specified product, n, of two large secret prime numbers p and q. Decryption is similar; only a different, secret, power d is used, where e * d ≡ 1 (mod (p - 1) * (q - 1)). The security of the system rests in part on the difficulty of factoring the published divisor, n.

14,659 citations


"Encrypted key exchange: password-ba..." refers methods in this paper

  • ...Section 2 describes the asymmetric cryptosystem variant and implementations using RSA [3] and ElGamal [4]....

  • ...We will use RSA [3] to illustrate the difficulties....

Journal ArticleDOI
Taher Elgamal
23 Aug 1985
TL;DR: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem that relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

7,514 citations

Book ChapterDOI
Taher Elgamal
19 Aug 1984
TL;DR: In this article, a new signature scheme is proposed together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem and the security of both systems relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

2,351 citations

Book
01 Jan 1982
TL;DR: The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks.
Abstract: From the Preface (See Front Matter for full Preface) Electronic computers have evolved from exiguous experimental enterprises in the 1940s to prolific practical data processing systems in the 1980s. As we have come to rely on these systems to process and store data, we have also come to wonder about their ability to protect valuable data. Data security is the science and study of methods of protecting data in computer and communication systems from unauthorized disclosure and modification. The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks. The book is for students and professionals seeking an introduction to these principles. There are many references for those who would like to study specific topics further. Data security has evolved rapidly since 1975. We have seen exciting developments in cryptography: public-key encryption, digital signatures, the Data Encryption Standard (DES), key safeguarding schemes, and key distribution protocols. We have developed techniques for verifying that programs do not leak confidential data, or transmit classified data to users with lower security clearances. We have found new controls for protecting data in statistical databases--and new methods of attacking these databases. We have come to a better understanding of the theoretical and practical limitations to security.

1,937 citations


"Encrypted key exchange: password-ba..." refers background in this paper

  • ...Can such a random odd number less than a known n be distinguished from a valid public key e? Assume that p and q are chosen to be of the form 2p′ + 1 and 2q′ + 1, where p′ and q′ are primes, a choice that is recommended for other reasons [9]....
