Proceedings ArticleDOI

Encrypted key exchange: password-based protocols secure against dictionary attacks

04 May 1992-pp 72-84
TL;DR: A combination of asymmetric (public-key) and symmetric (secret- key) cryptography that allow two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced.
Abstract: Classic cryptographic protocols based on user-chosen keys allow an attacker to mount password-guessing attacks. A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allows two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced. In particular, a protocol relying on the counter-intuitive notion of using a secret key to encrypt a public key is presented. Such protocols are secure against active attacks, and have the property that the password is protected against offline dictionary attacks.


Citations
Patent
11 Dec 1996
TL;DR: In this paper, a mapping between telephone numbers and the URIs of associated service resource items is provided, which is used to retrieve the corresponding URI which is then used to access the desired service resource item.
Abstract: Service resource items for use in call setup in a telephone system are held on servers that are connected to a computer network which is logically distinct from the telephone system infrastructure; this computer network may, for example, make use of the Internet. Each service item is locatable on the network at a corresponding URI and is associated with a particular telephone number. A mapping is provided between telephone numbers and the URIs of associated service resource items. When it is desired to access a service resource item associated with a particular telephone number, this mapping is used to retrieve the corresponding URI which is then used to access the desired service resource item.

110 citations

Book ChapterDOI
19 Aug 2009
TL;DR: This paper addresses the problem of building smooth projective hash functions for more complex languages and shows how to build such functions for languages that can be described in terms of disjunctions and conjunctions of simpler languages for which smooth projectives hash functions are known to exist.
Abstract: The notion of smooth projective hash functions was proposed by Cramer and Shoup and can be seen as special type of zero-knowledge proof system for a language. Though originally used as a means to build efficient chosen-ciphertext secure public-key encryption schemes, some variations of the Cramer-Shoup smooth projective hash functions also found applications in several other contexts, such as password-based authenticated key exchange and oblivious transfer. In this paper, we first address the problem of building smooth projective hash functions for more complex languages. More precisely, we show how to build such functions for languages that can be described in terms of disjunctions and conjunctions of simpler languages for which smooth projective hash functions are known to exist. Next, we illustrate how the use of smooth projective hash functions with more complex languages can be efficiently associated to extractable commitment schemes and avoid the need for zero-knowledge proofs. Finally, we explain how to apply these results to provide more efficient solutions to two well-known cryptographic problems: a public-key certification which guarantees the knowledge of the private key by the user without random oracles or zero-knowledge proofs and adaptive security for password-based authenticated key exchange protocols in the universal composability framework with erasures.

109 citations


Cites background or methods from "Encrypted key exchange: password-ba..."

  • ...The password-based setting was first considered by Bellovin and Merritt [7] and followed by many proposals....

    [...]

  • ...In 1992, Bellovin and Merritt [7] suggested a method to authenticate a key exchange based on simple passwords, possibly drawn from a space so small that an adversary might enumerate off-line all possible values....

    [...]

  • ...In 2000, Bellare, Pointcheval, and Rogaway [5] as well as Boyko, MacKenzie, and Patel [10] proposed security models and proved variants of the Bellovin and Merritt protocol [7], under ideal assumptions, such as the random oracle model [6]....

    [...]

Posted Content
TL;DR: This paper describes this kind of attacks against protocols for remote attestation and presents a protocol for preventing masquerading attacks.
Abstract: Trusted Computing Platforms provide the functionality of remote attestation, i.e. attesting the configuration and status of a system to a remote entity. Remote attestation hereby proves integrity and authenticity of system environments. This is crucial for policy enforcement, which in turn is needed in many usage scenarios, e.g., DRM. However, applying remote attestation solely allows masquerading attacks. These attacks are possible since the concept of remote attestation does not provide any means for establishing secured communication channels. In this paper we describe this kind of attacks against protocols for remote attestation and present a protocol for preventing masquerading attacks.

108 citations


Cites methods from "Encrypted key exchange: password-ba..."

  • ...In this section we discuss an integrity reporting protocol proposed by [9], which is based on the challenge-response authentication [12] and is used to validate the integrity of an attesting system....

    [...]

Journal ArticleDOI
TL;DR: The authors' protocol is the first protocol for password-only authentication that is both practical and provably-secure using standard cryptographic assumptions, and is remarkably efficient, requiring computation only 4 times greater than “classical” Diffie-Hellman key exchange that provides no authentication at all.
Abstract: Mutual authentication and authenticated key exchange are fundamental techniques for enabling secure communication over public, insecure networks. It is well known how to design secure protocols for achieving these goals when parties share high-entropy cryptographic keys in advance of the authentication stage. Unfortunately, it is much more common for users to share weak, low-entropy passwords which furthermore may be chosen from a known space of possibilities (say, a dictionary of English words). In this case, the problem becomes much more difficult as one must ensure that protocols are immune to off-line dictionary attacks in which an adversary exhaustively enumerates all possible passwords in an attempt to determine the correct one. We propose a 3-round protocol for password-only authenticated key exchange, and provide a rigorous proof of security for our protocol based on the decisional Diffie-Hellman assumption. The protocol assumes only public parameters—specifically, a “common reference string”—which can be “hard-coded” into an implementation of the protocol; in particular, and in contrast to some previous work, our protocol does not require either party to pre-share a public key. The protocol is also remarkably efficient, requiring computation only (roughly) 4 times greater than “classical” Diffie-Hellman key exchange that provides no authentication at all. Ours is the first protocol for password-only authentication that is both practical and provably-secure using standard cryptographic assumptions.

106 citations


Cites background from "Encrypted key exchange: password-ba..."

  • ...the attacks shown in Bellovin and Merritt [1992], Patel [1997], and MacKenzie et al. [2000]). Theoretical progress toward developing provably-secure solutions for the password-based setting has been slow, with the first formal models and proofs of security appearing only recently (see below). The problem is difficult in part because, as we have mentioned above, it requires “bootstrapping” from a weak shared secret to a strong one; furthermore, due to the strong adversarial model considered (cf. Sections 2.1 and 2.2), it is not even a priori clear that a solution is possible. Initial consideration of password-based authentication assumed a “hybrid” model in which the client stores the server’s public key in addition to sharing a password with the server. In this setting, Lomas et al. [1989] and Gong et al. [1993] were the first to present authentication protocols with heuristic resistance to off-line dictionary attacks. Formal definitions and rigorous proofs of security in this setting were first given by Halevi and Krawczyk [1999]; see also Boyarsky [1999]. The above-described “hybrid” setting suffers from the disadvantage that the client must store the server’s public key (and if the client will need to authenticate to multiple servers, the client must store multiple public keys). In some sense, this obviates the reason for considering password-based protocols in the first place: namely, that human users cannot remember or securely store long, high-entropy keys. This drawback has motivated research on password-only protocols in which the client needs to remember only a (short) password. Bellovin and Merritt [1992] were the first to consider this, more challenging, setting: they show a number of attacks that can arise, and introduce a set of protocols for so-called “encrypted key exchange” (EKE) that have formed the basis for much future work in this area [Bellovin and Merritt 1993; Gong 1995; Steiner et al....

    [...]

Journal ArticleDOI
TL;DR: The proposed protocol overcomes the security flaws of Tseng et al.

106 citations

References
Journal ArticleDOI
TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.

14,980 citations


"Encrypted key exchange: password-ba..." refers background or methods in this paper

  • ...ElGamal’s algorithm is derived from the Diffie-Hellman exponential key exchange protocol[2]; accordingly, we will review the latter first....

    [...]

  • ...And even this risk is minimal if B performs certain checks to guard against easily-solvable choices: that β is indeed prime, that it is large enough (and hence not susceptible to precalculation of tables), that β − 1 have at least one large prime factor (to guard against Pohlig and Hellman’s algorithm[13]), and that α is a primitive root of GF (β)....

    [...]

  • ...The use given above for asymmetric encryption — simply using it to pass a key for a symmetric encryption system — is an example of what Diffie and Hellman[2] call a public key distribution system....

    [...]

  • ...It works especially well with exponential key exchange [2]....

    [...]

Journal ArticleDOI
TL;DR: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key.
Abstract: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: (1) Couriers or other secure means are not needed to transmit keys, since a message can be enciphered using an encryption key publicly revealed by the intended recipient. Only he can decipher the message, since only he knows the corresponding decryption key. (2) A message can be “signed” using a privately held decryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in “electronic mail” and “electronic funds transfer” systems. A message is encrypted by representing it as a number M, raising M to a publicly specified power e, and then taking the remainder when the result is divided by the publicly specified product, n, of two large secret prime numbers p and q. Decryption is similar; only a different, secret, power d is used, where e * d ≡ 1 (mod (p - 1) * (q - 1)). The security of the system rests in part on the difficulty of factoring the published divisor, n.

14,659 citations


"Encrypted key exchange: password-ba..." refers methods in this paper

  • ...Section 2 describes the asymmetric cryptosystem variant and implementations using RSA[3] and ElGamal[4]....

    [...]

  • ...We will use RSA[3] to illustrate the difficulties....

    [...]

Journal ArticleDOI
Taher Elgamal
23 Aug 1985
TL;DR: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem that relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

7,514 citations

Book ChapterDOI
Taher Elgamal
19 Aug 1984
TL;DR: In this article, a new signature scheme is proposed together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem and the security of both systems relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

2,351 citations

Book
01 Jan 1982
TL;DR: The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks.
Abstract: From the Preface (See Front Matter for full Preface) Electronic computers have evolved from exiguous experimental enterprises in the 1940s to prolific practical data processing systems in the 1980s. As we have come to rely on these systems to process and store data, we have also come to wonder about their ability to protect valuable data. Data security is the science and study of methods of protecting data in computer and communication systems from unauthorized disclosure and modification. The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks. The book is for students and professionals seeking an introduction to these principles. There are many references for those who would like to study specific topics further. Data security has evolved rapidly since 1975. We have seen exciting developments in cryptography: public-key encryption, digital signatures, the Data Encryption Standard (DES), key safeguarding schemes, and key distribution protocols. We have developed techniques for verifying that programs do not leak confidential data, or transmit classified data to users with lower security clearances. We have found new controls for protecting data in statistical databases--and new methods of attacking these databases. We have come to a better understanding of the theoretical and practical limitations to security.

1,937 citations


"Encrypted key exchange: password-ba..." refers background in this paper

  • ...Can such a random odd number less than a known n be distinguished from a valid public key e? Assume that p and q are chosen to be of the form 2p′ + 1 and 2q′ + 1, where p′ and q′ are primes, a choice that is recommended for other reasons [9]....

    [...]