Proceedings ArticleDOI

Encrypted key exchange: password-based protocols secure against dictionary attacks

04 May 1992-pp 72-84
TL;DR: A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allows two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced.
Abstract: Classic cryptographic protocols based on user-chosen keys allow an attacker to mount password-guessing attacks. A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allows two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced. In particular, a protocol relying on the counter-intuitive notion of using a secret key to encrypt a public key is presented. Such protocols are secure against active attacks, and have the property that the password is protected against offline dictionary attacks.


Citations
Book ChapterDOI
20 Sep 2006
TL;DR: New protocols based on both passkeys and numeric comparison (short authenticated strings) are presented and security properties and group management for these protocols are discussed.
Abstract: A security association specifies the cryptographic keys and algorithms to be used for secure communication among the participants in the association. Key agreement in ad hoc scenarios, that is, without key management infrastructure is a challenging task, in particular, if the security association should involve a group of entities. In this paper, existing pairwise ad hoc key agreement protocols are extended for groups of arbitrary number of entities. New protocols based on both passkeys and numeric comparison (short authenticated strings) are presented. Also security properties and group management for these protocols are discussed.

37 citations

Posted Content
TL;DR: A new password-authenticated key exchange protocol, called PEKEP, which allows using both large and small prime numbers as RSA public exponent and is secure against the e-residue attack, a special type of off-line dictionary attack against RSA-based password-authenticated key exchange protocols.
Abstract: We investigate efficient protocols for password-authenticated key exchange based on the RSA public-key cryptosystem. To date, most of the published protocols for password-authenticated key exchange were based on Diffie-Hellman key exchange. It seems difficult to design efficient password-authenticated key exchange protocols using RSA and other public-key cryptographic techniques. In fact, many of the proposed protocols for password-authenticated key exchange based on RSA have been shown to be insecure; the only one that remains secure is the SNAPI protocol. Unfortunately, the SNAPI protocol has to use a prime public exponent e larger than the RSA modulus n. In this paper, we present a new password-authenticated key exchange protocol, called PEKEP, which allows using both large and small prime numbers as RSA public exponent. Based on number-theoretic techniques, we show that the new protocol is secure against the e-residue attack, a special type of off-line dictionary attack against RSA-based password-authenticated key exchange protocols. We also provide a formal security analysis of PEKEP under the RSA assumption and the random oracle model. On the basis of PEKEP, we present a computationally-efficient key exchange protocol to mitigate the burden on communication entities.

37 citations


Cites background or methods from "Encrypted key exchange: password-ba..."

  • ...[3] S. M. Bellovin and M. Merritt, Augmented encrypted key exchange: A password-based protocol secure against dictionary attacks and password file compromise, Proc. of the 1st ACM Conference on Computer and Communications Security, ACM, November 1993, pp. 244-250....

    [...]

  • ...In 1992, Bellovin and Merritt [5] showed that such paradoxical protocols did exist....

    [...]

  • ...This fosters the so-called e-residue attack as described in [5]....

    [...]

  • ...In fact, many of the proposed protocols for password-authenticated key exchange based on RSA have been shown to be insecure [5, 23, 21]; the only one that remains secure is the SNAPI protocol developed by Mackenzie, et al....

    [...]

  • ...In their original paper [2], Bellovin and Merritt investigated the feasibility of implementing EKE using three different types of public-key cryptographic techniques: RSA, ElGamal, and Diffie-Hellman key exchange....

    [...]

Proceedings ArticleDOI
Xavier Boyen1
10 Mar 2009
TL;DR: The venerable question of access credentials management is revisited, and a user-centric comprehensive model is proposed to capture the possible threats posed by online and offline attackers, from the outside and the inside, against the security of both the plaintext and the password.
Abstract: We revisit the venerable question of access credentials management, which concerns the techniques that we, humans with limited memory, must employ to safeguard our various access keys and tokens in a connected world. Although many existing solutions can be employed to protect a long secret using a short password, those solutions typically require certain assumptions on the distribution of the secret and/or the password, and are helpful against only a subset of the possible attackers. After briefly reviewing a variety of approaches, we propose a user-centric comprehensive model to capture the possible threats posed by online and offline attackers, from the outside and the inside, against the security of both the plaintext and the password. We then propose a few very simple protocols, adapted from the Ford-Kaliski server-assisted password generator and the Boldyreva unique blind signature in particular, that provide the best protection against all kinds of threats, for all distributions of secrets. We also quantify the concrete security of our approach in terms of online and offline password guesses made by outsiders and insiders, in the random-oracle model. The main contribution of this paper lies not in the technical novelty of the proposed solution, but in the identification of the problem and its model. Our results have an immediate and practical application for the real world: they show how to implement single-sign-on stateless roaming authentication for the internet, in an ad-hoc user-driven fashion that requires no change to protocols or infrastructure.

37 citations


Cites background from "Encrypted key exchange: password-ba..."

  • ...First proposed by Bellovin and Merritt [4] under the name Encrypted Key Exchange (EKE), PAKE allows two parties sharing a short password to establish an authenticated secure channel across an adversarially controlled medium....

    [...]


  • ...[5] Steven M. Bellovin and Michael Merritt....

    [...]

  • ...[4] Steven M. Bellovin and Michael Merritt....

    [...]

Book ChapterDOI
30 Nov 2003
TL;DR: In this paper, the authors review authenticated key establishment protocols from a different point of view, i.e., the relationship between information a client needs to possess (for authentication) and immunity to the respective leakage of stored secrets from a client side and a server side.
Abstract: Authenticated Key Establishment (AKE) protocols enable two entities, say a client (or a user) and a server, to share common session keys in an authentic way. In this paper, we review AKE protocols from a slightly different point of view, i.e. the relationship between information a client needs to possess (for authentication) and immunity to the respective leakage of stored secrets from a client side and a server side. Since the information leakage would be more conceivable than breaking down the underlying cryptosystems, it is desirable to enhance the immunity to the leakage. First and foremost, we categorize AKE protocols according to how much resilience against the leakage can be provided. Then, we propose new AKE protocols that have immunity to the leakage of stored secrets from a client and a server (or servers), respectively. We also extend our protocols to allow updating the secret values registered in server(s) or the password remembered by a client.

37 citations

Journal ArticleDOI
TL;DR: It is pointed out that the identity protection of Juang's protocol is computationally inefficient for the server and efficient identity protection is proposed in the second proposed protocol.

37 citations


Cites background from "Encrypted key exchange: password-ba..."

  • ...PAKE protocols can be categorized into two categories according to their security assumptions: (1) RSA based schemes [6,15,19,21], and (2) Diffie–Hellman based schemes [1,6,7]....

    [...]

  • ...Since Bellovin and Merritt proposed a Password-based Authenticated Key Exchange (PAKE) protocol secure against dictionary attacks in 1992 [6], lots of PAKE protocols have been proposed so far due to PAKE’s security and simplicity....

    [...]

References
Journal ArticleDOI
TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.

14,980 citations


"Encrypted key exchange: password-ba..." refers background or methods in this paper

  • ...ElGamal’s algorithm is derived from the Diffie-Hellman exponential key exchange protocol [2]; accordingly, we will review the latter first....

    [...]

  • ...And even this risk is minimal if B performs certain checks to guard against easily-solvable choices: that β is indeed prime, that it is large enough (and hence not susceptible to precalculation of tables), that β − 1 has at least one large prime factor (to guard against Pohlig and Hellman’s algorithm [13]), and that α is a primitive root of GF(β)....

    [...]

  • ...The use given above for asymmetric encryption, simply using it to pass a key for a symmetric encryption system, is an example of what Diffie and Hellman [2] call a public key distribution system....

    [...]

  • ...It works especially well with exponential key exchange [2]....

    [...]

Journal ArticleDOI
TL;DR: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key.
Abstract: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: (1) Couriers or other secure means are not needed to transmit keys, since a message can be enciphered using an encryption key publicly revealed by the intended recipient. Only he can decipher the message, since only he knows the corresponding decryption key. (2) A message can be “signed” using a privately held decryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in “electronic mail” and “electronic funds transfer” systems. A message is encrypted by representing it as a number M, raising M to a publicly specified power e, and then taking the remainder when the result is divided by the publicly specified product, n, of two large secret prime numbers p and q. Decryption is similar; only a different, secret, power d is used, where e · d ≡ 1 (mod (p − 1) · (q − 1)). The security of the system rests in part on the difficulty of factoring the published divisor, n.

14,659 citations


"Encrypted key exchange: password-ba..." refers methods in this paper

  • ...Section 2 describes the asymmetric cryptosystem variant and implementations using RSA [3] and ElGamal [4]....

    [...]

  • ...We will use RSA [3] to illustrate the difficulties....

    [...]

Journal ArticleDOI
Taher Elgamal1
23 Aug 1985
TL;DR: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem that relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

7,514 citations

Book ChapterDOI
Taher Elgamal1
19 Aug 1984
TL;DR: In this article, a new signature scheme is proposed together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem and the security of both systems relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed together with an implementation of the Diffie - Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

2,351 citations

Book
01 Jan 1982
TL;DR: The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks.
Abstract: From the Preface (See Front Matter for full Preface) Electronic computers have evolved from exiguous experimental enterprises in the 1940s to prolific practical data processing systems in the 1980s. As we have come to rely on these systems to process and store data, we have also come to wonder about their ability to protect valuable data. Data security is the science and study of methods of protecting data in computer and communication systems from unauthorized disclosure and modification. The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks. The book is for students and professionals seeking an introduction to these principles. There are many references for those who would like to study specific topics further. Data security has evolved rapidly since 1975. We have seen exciting developments in cryptography: public-key encryption, digital signatures, the Data Encryption Standard (DES), key safeguarding schemes, and key distribution protocols. We have developed techniques for verifying that programs do not leak confidential data, or transmit classified data to users with lower security clearances. We have found new controls for protecting data in statistical databases--and new methods of attacking these databases. We have come to a better understanding of the theoretical and practical limitations to security.

1,937 citations


"Encrypted key exchange: password-ba..." refers background in this paper

  • ...Can such a random odd number less than a known n be distinguished from a valid public key e? Assume that p and q are chosen to be of the form 2p′ + 1 and 2q′ + 1, where p′ and q′ are primes, a choice that is recommended for other reasons [9]....

    [...]