Proceedings ArticleDOI

Encrypted key exchange: password-based protocols secure against dictionary attacks

04 May 1992-pp 72-84
TL;DR: A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allows two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced.
Abstract: Classic cryptographic protocols based on user-chosen keys allow an attacker to mount password-guessing attacks. A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allows two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced. In particular, a protocol relying on the counter-intuitive notion of using a secret key to encrypt a public key is presented. Such protocols are secure against active attacks, and have the property that the password is protected against offline dictionary attacks.


Citations
Journal ArticleDOI
TL;DR: This work proposes a secure three-party EKE protocol without server public-keys; such a protocol is suitable for applications requiring secure communications between many light-weight clients (end users), where the earlier approach of relying on server public-keys is impractical for some environments.
Abstract: Three-party key-exchange protocols with password authentication (clients share an easy-to-remember password with a trusted server only) are very suitable for applications requiring secure communications between many light-weight clients (end users); it is simply impractical that every two clients share a common secret. Steiner, Tsudik and Waidner (1995) proposed a realization of such a three-party protocol based on the encrypted key exchange (EKE) protocols. However, their protocol was later demonstrated to be vulnerable to off-line and undetectable on-line guessing attacks. Lin, Sun and Hwang (see ACM Operating Syst. Rev., vol. 34, no. 4, pp. 12-20, 2000) proposed a secure three-party protocol with server public-keys. However, the approach of using server public-keys is not always a satisfactory solution and is impractical for some environments. We propose a secure three-party EKE protocol without server public-keys.

139 citations


Cites background from "Encrypted key exchange: password-ba..."

  • ...I. INTRODUCTION IN 1992, Bellovin and Merritt [1] proposed the Encrypted Key Exchange (EKE) family of key exchange protocols, which allow people to use easy-to-remember (and, therefore, intrinsically weak) passwords without being threatened by dictionary attacks [2]....

Proceedings ArticleDOI
13 Mar 1995
TL;DR: New protocols that are resistant to guessing attacks and also optimal in both messages and rounds are given, thus refuting the previous belief that protection against guessing attacks makes an authentication protocol inherently more expensive.
Abstract: Users are typically authenticated by their passwords. Because people are known to choose convenient passwords, which tend to be easy to guess, authentication protocols have been developed that protect user passwords from guessing attacks. These proposed protocols, however, use more messages and rounds than those protocols that are not resistant to guessing attacks. This paper gives new protocols that are resistant to guessing attacks and also optimal in both messages and rounds, thus refuting the previous belief that protection against guessing attacks makes an authentication protocol inherently more expensive.

138 citations

Patent
Mihir Bellare, Phillip Rogaway
30 Dec 1993
TL;DR: In this paper, a method for authenticating communication partners utilizing communication flows which are passed over an insecure communication channel is presented, where a trusted intermediary is provided which is capable of communicating with the communication partners over the insecure communication channels.
Abstract: A method is provided for authenticating communication partners utilizing communication flows which are passed over an insecure communication channel. The method includes a number of method steps. A trusted intermediary is provided which is capable of communication with the communication partners over the insecure communication channel. A plurality of long-lived secret keys are provided, one for each communication partner. The plurality of long-lived secret keys are distributed to a particular one of the communication partners, and to the trusted intermediary. Therefore, the long-lived secret key is known only by the particular communication partner to which it is assigned, and the trusted intermediary. A request for communication between communication partners is provided to the trusted intermediary. The trusted intermediary is utilized to generate a short-lived secret key for utilization in a communication session between the communication partners. The short-lived secret key for each particular partner is masked in a manner which is dependent upon that particular partner's long-lived secret key. The masked short-lived secret keys are distributed in a plurality of communication flows to the communication partners. Finally, the trusted intermediary and communication partners exchange authentication proofs with one another in a plurality of communication flows. Preferably, the communication flows between the trusted intermediary and the communication partners accomplish substantially concurrently the tasks of authenticating the identity of the trusted intermediary and the communication partners, as well as distribute a short-lived secret key to the communication partners which can be utilized by them in a particular communication session.

137 citations

01 Jan 2000
TL;DR: A new protocol called AMP, which allows the Diffie-Hellman based key agreement and is actually superior to other related work in terms of efficiency and generalization features, is introduced.
Abstract: Human-memorable password authentication is not easy to provide over insecure networks due to the low entropy of the password. Such a password is typically vulnerable to dictionary attacks. A cryptographic protocol is the most promising solution to this problem. So far, numerous password authentication protocols have been proposed. Among them, A-EKE is a great landmark of verifier-based protocol and is followed by many distinguished protocols [7, 18, 34, 23, 9] such as SRP that is notable in its efficiency and SNAPI-X that is the first provable approach of those protocols [34, 23]. Verifier-based protocols allow the asymmetric model in which a client possesses a password, while a server stores its verifier. Inspired by those works, this paper introduces a new protocol called AMP in a provable manner. It is the ultimate result of the author's AMP (Authentication and key agreement via Memorable Password) research project. AMP allows the Diffie-Hellman based key agreement and is actually superior to other related work in terms of efficiency and generalization features. We give a rigorous comparison to them.

131 citations

Journal ArticleDOI
Xiangxue Li, Weidong Qiu, Dong Zheng, Kefei Chen, Jianhua Li
TL;DR: This paper strengthens the security of the scheme by addressing the untraceability property, such that any third party over the communication channel cannot tell whether or not he has seen the same (unknown) smart card twice through the authentication sessions.
Abstract: By exploiting a smart card, this paper presents a robust and efficient password-authenticated key agreement scheme. This paper strengthens the security of the scheme by addressing the untraceability property, such that any third party over the communication channel cannot tell whether or not he has seen the same (unknown) smart card twice through the authentication sessions. The proposed remedy also prevents a kind of denial of service attack found in the original scheme. High performance and other good functionalities are preserved.

131 citations

References
Journal ArticleDOI
TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.

14,980 citations


"Encrypted key exchange: password-ba..." refers background or methods in this paper

  • ...ElGamal's algorithm is derived from the Diffie-Hellman exponential key exchange protocol [2]; accordingly, we will review the latter first....

  • ...And even this risk is minimal if B performs certain checks to guard against easily-solvable choices: that β is indeed prime, that it is large enough (and hence not susceptible to precalculation of tables), that β − 1 have at least one large prime factor (to guard against Pohlig and Hellman's algorithm [13]), and that α is a primitive root of GF(β)....

  • ...The use given above for asymmetric encryption — simply using it to pass a key for a symmetric encryption system — is an example of what Diffie and Hellman[2] call a public key distribution system....

  • ...It works especially well with exponential key exchange [2]....

Journal ArticleDOI
TL;DR: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key.
Abstract: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: (1) Couriers or other secure means are not needed to transmit keys, since a message can be enciphered using an encryption key publicly revealed by the intended recipient. Only he can decipher the message, since only he knows the corresponding decryption key. (2) A message can be "signed" using a privately held decryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in "electronic mail" and "electronic funds transfer" systems. A message is encrypted by representing it as a number M, raising M to a publicly specified power e, and then taking the remainder when the result is divided by the publicly specified product, n, of two large secret prime numbers p and q. Decryption is similar; only a different, secret, power d is used, where e · d ≡ 1 (mod (p − 1) · (q − 1)). The security of the system rests in part on the difficulty of factoring the published divisor, n.

14,659 citations


"Encrypted key exchange: password-ba..." refers methods in this paper

  • ...Section 2 describes the asymmetric cryptosystem variant and implementations using RSA [3] and ElGamal [4]....

  • ...We will use RSA [3] to illustrate the difficulties....

Journal ArticleDOI
Taher Elgamal
23 Aug 1985
TL;DR: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem that relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

7,514 citations

Book ChapterDOI
Taher Elgamal
19 Aug 1984
TL;DR: In this article, a new signature scheme is proposed together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem and the security of both systems relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

2,351 citations

Book
01 Jan 1982
TL;DR: The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks.
Abstract: From the Preface (see Front Matter for the full Preface): Electronic computers have evolved from exiguous experimental enterprises in the 1940s to prolific practical data processing systems in the 1980s. As we have come to rely on these systems to process and store data, we have also come to wonder about their ability to protect valuable data. Data security is the science and study of methods of protecting data in computer and communication systems from unauthorized disclosure and modification. The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks. The book is for students and professionals seeking an introduction to these principles. There are many references for those who would like to study specific topics further. Data security has evolved rapidly since 1975. We have seen exciting developments in cryptography: public-key encryption, digital signatures, the Data Encryption Standard (DES), key safeguarding schemes, and key distribution protocols. We have developed techniques for verifying that programs do not leak confidential data, or transmit classified data to users with lower security clearances. We have found new controls for protecting data in statistical databases, and new methods of attacking these databases. We have come to a better understanding of the theoretical and practical limitations to security.

1,937 citations


"Encrypted key exchange: password-ba..." refers background in this paper

  • ...Can such a random odd number less than a known n be distinguished from a valid public key e? Assume that p and q are chosen to be of the form 2p′ + 1 and 2q′ + 1, where p′ and q′ are primes, a choice that is recommended for other reasons [9]....