Encrypted key exchange: password-based protocols secure against dictionary attacks
Citations
109 citations
Cites background or methods from "Encrypted key exchange: password-ba..."
...The password-based setting was first considered by Bellovin and Merritt [7] and followed by many proposals....
[...]
...In 1992, Bellovin and Merritt [7] suggested a method to authenticate a key exchange based on simple passwords, possibly drawn from a space so small that an adversary might enumerate off-line all possible values....
[...]
...In 2000, Bellare, Pointcheval, and Rogaway [5] as well as Boyko, MacKenzie, and Patel [10] proposed security models and proved variants of the Bellovin and Merritt protocol [7], under ideal assumptions, such as the random oracle model [6]....
[...]
108 citations
Cites methods from "Encrypted key exchange: password-ba..."
...In this section we discuss an integrity reporting protocol proposed by [9], which is based on the challenge-response authentication [12] and is used to validate the integrity of an attesting system....
[...]
106 citations
Cites background from "Encrypted key exchange: password-ba..."
...the attacks shown in Bellovin and Merritt [1992], Patel [1997], and MacKenzie et al. [2000]). Theoretical progress toward developing provably-secure solutions for the password-based setting has been slow, with the first formal models and proofs of security appearing only recently (see below). The problem is difficult in part because, as we have mentioned above, it requires “bootstrapping” from a weak shared secret to a strong one; furthermore, due to the strong adversarial model considered (cf. Sections 2.1 and 2.2), it is not even a priori clear that a solution is possible. Initial consideration of password-based authentication assumed a “hybrid” model in which the client stores the server’s public key in addition to sharing a password with the server. In this setting, Lomas et al. [1989] and Gong et al. [1993] were the first to present authentication protocols with heuristic resistance to off-line dictionary attacks. Formal definitions and rigorous proofs of security in this setting were first given by Halevi and Krawczyk [1999]; see also Boyarsky [1999]. The above-described “hybrid” setting suffers from the disadvantage that the client must store the server’s public key (and if the client will need to authenticate to multiple servers, the client must store multiple public keys). In some sense, this obviates the reason for considering password-based protocols in the first place: namely, that human users cannot remember or securely store long, high-entropy keys. This drawback has motivated research on password-only protocols in which the client needs to remember only a (short) password. Bellovin and Merritt [1992] were the first to consider this, more challenging, setting: they show a number of attacks that can arise, and introduce a set of protocols for so-called “encrypted key exchange” (EKE) that have formed the basis for much future work in this area [Bellovin and Merritt 1993; Gong 1995; Steiner et al....
[...]
References
14,980 citations
"Encrypted key exchange: password-ba..." refers background or methods in this paper
...ElGamal’s algorithm is derived from the Diffie-Hellman exponential key exchange protocol[2]; accordingly, we will review the latter first....
[...]
...And even this risk is minimal if B performs certain checks to guard against easily-solvable choices: that β is indeed prime, that it is large enough (and hence not susceptible to precalculation of tables), that β − 1 have at least one large prime factor (to guard against Pohlig and Hellman’s algorithm[13]), and that α is a primitive root of GF (β)....
[...]
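The four checks listed in the snippet above (β prime, β large enough, β − 1 with at least one large prime factor, α a primitive root of GF(β)) are the parameter validation a party should run before trusting a Diffie-Hellman group it did not generate. The block below is an added example, not code from the EKE paper or from any library; it names the modulus p and generator g rather than β and α. The thresholds (2048-bit p, a 256-bit prime factor of p − 1) and the default assumption that p is a safe prime 2q + 1 are choices made here for illustration, and the small groups in the demo are constructed so the results can be checked by hand.

```python
import random
from math import prod

# First few primes: trial-division filter and fixed Miller-Rabin bases.
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test.

    With the fixed bases below the answer is exact for n < 3_317_044_064_679_887_385_961_981;
    above that, `rounds` random bases give an error probability of at most 4**-rounds.
    """
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    if n < 3_317_044_064_679_887_385_961_981:
        bases = _SMALL_PRIMES
    else:
        bases = [random.randrange(2, n - 1) for _ in range(rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def validate_dh_params(p, g, min_bits=2048, min_subgroup_bits=256, factors_of_p_minus_1=None):
    """Run the four checks on a Diffie-Hellman group (p, g); return a list of problems.

    An empty list means every check passed.  The thresholds are assumptions for this
    example: a 2048-bit p, and a 256-bit prime factor of p-1 because the generic
    discrete-log algorithms Pohlig-Hellman reduces to cost about sqrt(largest factor).
    Checks 3 and 4 need the prime factorization of p-1: the caller can pass it
    (whoever generated p knows it), otherwise p is assumed to be a safe prime 2q+1.
    """
    problems = []
    # 1. p is prime.  Nothing else is meaningful if this fails.
    if not is_probable_prime(p):
        return ["p is not prime"]
    # 2. p is large enough to rule out precomputed tables.
    if p.bit_length() < min_bits:
        problems.append(f"p has only {p.bit_length()} bits, fewer than {min_bits}")
    # Obtain and verify the prime factorization of p-1.
    if factors_of_p_minus_1 is None:
        q = (p - 1) // 2
        if not is_probable_prime(q):
            problems.append("p is not a safe prime and no factorization of p-1 was supplied")
            return problems
        factors = {2, q}
    else:
        factors = set(factors_of_p_minus_1)
        if prod(factors_of_p_minus_1) != p - 1 or not all(is_probable_prime(f) for f in factors):
            problems.append("supplied factorization of p-1 is wrong")
            return problems
    # 3. p-1 has a large prime factor, so Pohlig-Hellman cannot split the DLP into small subgroups.
    largest = max(factors)
    if largest.bit_length() < min_subgroup_bits:
        problems.append(f"largest prime factor of p-1 has only {largest.bit_length()} bits, "
                        f"fewer than {min_subgroup_bits} (Pohlig-Hellman applies)")
    # 4. g is a primitive root: order exactly p-1, i.e. g^((p-1)/f) != 1 for every prime f | p-1.
    if not 1 < g < p - 1:
        problems.append("g must lie in 2..p-2")
    elif any(pow(g, (p - 1) // f, p) == 1 for f in factors):
        problems.append("g is not a primitive root of GF(p)")
    return problems


if __name__ == "__main__":
    # Constructed toy groups, sized so the thresholds can be lowered and checked by hand.
    print(validate_dh_params(23, 5, min_bits=5, min_subgroup_bits=4))   # [] : 5 has order 22 mod 23
    print(validate_dh_params(23, 2, min_bits=5, min_subgroup_bits=4))   # 2 has order 11, not primitive
    print(validate_dh_params(65537, 3, min_bits=16, min_subgroup_bits=4,
                             factors_of_p_minus_1=[2] * 16))            # p-1 = 2^16 is smooth
    print(validate_dh_params(15, 2))                                    # not prime
```

One caveat when applying check 4 to modern groups: the IETF MODP groups of RFC 3526 are safe primes with p ≡ 7 (mod 8), so their generator 2 is a quadratic residue and generates the prime-order subgroup of size q rather than the whole group. They would fail the primitive-root check above even though a prime-order generator is the preferred choice today; for such a group the analogous test is g ≠ 1 and g^q ≡ 1 (mod p).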
...The use given above for asymmetric encryption — simply using it to pass a key for a symmetric encryption system — is an example of what Diffie and Hellman[2] call a public key distribution system....
[...]
...It works especially well with exponential key exchange [2]....
[...]
14,659 citations
"Encrypted key exchange: password-ba..." refers methods in this paper
...Section 2 describes the asymmetric cryptosystem variant and implementations using RSA[3] and ElGamal[4]....
[...]
...We will use RSA[3] to illustrate the difficulties....
[...]
1,937 citations
"Encrypted key exchange: password-ba..." refers background in this paper
...Can such a random odd number less than a known n be distinguished from a valid public key e? Assume that p and q are chosen to be of the form 2p′ + 1 and 2q′ + 1, where p′ and q′ are primes, a choice that is recommended for other reasons [9]....
[...]
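The snippet above asks whether a random odd number below n can be told apart from a valid RSA public exponent e when p = 2p′ + 1 and q = 2q′ + 1 are safe primes. Then φ(n) = 4p′q′, so an odd e is a valid exponent unless p′ or q′ divides it, and the invalid odd candidates form a fraction of about 1/p′ + 1/q′. The block below is an added example, not code from the EKE paper: it enumerates every odd e < n for two constructed toy moduli, one built from safe primes and one from primes whose p − 1 and q − 1 share a small odd factor, and returns the counts so the contrast is visible. Trial-division primality testing and the toy sizes are assumptions for this example only.

```python
from fractions import Fraction
from math import gcd


def is_prime(n):
    """Trial division; adequate for the toy sizes in this constructed example."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def is_safe_prime(p):
    """p = 2p' + 1 with both p and p' prime."""
    return is_prime(p) and is_prime((p - 1) // 2)


def count_valid_exponents(p, q):
    """Return (valid, total) over all odd e < n.

    e is a usable RSA public exponent iff gcd(e, phi(n)) == 1.  The enumeration
    covers every odd candidate the snippet's "random odd number less than n" could be.
    """
    n, phi = p * q, (p - 1) * (q - 1)
    candidates = range(1, n, 2)
    valid = sum(1 for e in candidates if gcd(e, phi) == 1)
    return valid, len(candidates)


def invalid_fraction_safe_primes(p, q):
    """Closed form for safe primes: phi(n) = 4 p' q', so an odd e is invalid iff
    p' | e or q' | e; inclusion-exclusion gives 1/p' + 1/q' - 1/(p' q').
    A Fraction is returned so the value does not underflow at real key sizes."""
    if not (is_safe_prime(p) and is_safe_prime(q)):
        raise ValueError("both primes must be safe primes")
    pp, qq = (p - 1) // 2, (q - 1) // 2
    return Fraction(pp + qq - 1, pp * qq)


if __name__ == "__main__":
    # Constructed toy moduli: 23 = 2*11+1 and 47 = 2*23+1 are safe primes;
    # 13 and 37 are not (12 = 2^2*3 and 36 = 2^2*3^2 share the odd factor 3).
    for p, q in ((23, 47), (13, 37)):
        valid, total = count_valid_exponents(p, q)
        print(f"p={p} q={q}: {valid}/{total} odd e < n are valid exponents")
    print("safe-prime closed form for (23, 47):", invalid_fraction_safe_primes(23, 47))
```

For the safe-prime pair the enumeration agrees with the closed form up to rounding at the boundary (70 of 540 odd candidates invalid versus 33/253 ≈ 0.130), and at real sizes, with p′ and q′ around 2^1023, the same formula makes the invalid fraction roughly 2^-1022. For the (13, 37) pair, by contrast, every odd multiple of 3 is invalid, one third of all odd candidates.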