Threshold password-authenticated key exchange (extended abstract)
Related papers
Threshold password-authenticated key exchange
2002
Abstract. In most password-authenticated key exchange systems there is a single server storing password verification data. To provide some resilience against server compromise, this data typically takes the form of a one-way function of the password (and possibly a salt, or other public values), rather than the password itself. However, if the server is compromised, this password verification data can be used to perform an offline dictionary attack on the user’s password. In this paper we propose an efficient password-authenticated key exchange system involving a set of servers, in which a certain threshold of servers must participate in the authentication of a user, and in which the compromise of any fewer than that threshold of servers does not allow an attacker to perform an offline dictionary attack. We prove our system is secure in the random oracle model under the Decision Diffie-Hellman assumption against an attacker that may eavesdrop on, insert, delete, or modify messages b...
A Method for Making Password-Based Key Exchange Resilient to Server Compromise
2006
This paper considers the problem of password-authenticated key exchange (PAKE) in a client-server setting, where the server authenticates using a stored password file, and it is desirable to maintain some degree of security even if the server is compromised. A PAKE scheme is said to be resilient to server compromise if an adversary who compromises the server must at least perform an offline dictionary attack to gain any advantage in impersonating a client. (Of course, offline dictionary attacks should be infeasible in the absence of server compromise.) One can see that this is the best security possible, since by definition the password file has enough information to allow one to play the role of the server, and thus to verify passwords in an offline dictionary attack. While some previous PAKE schemes have been proven resilient to server compromise, there was no known general technique to take an arbitrary PAKE scheme and make it provably resilient to server compromise. This paper presents a practical technique for doing so which requires essentially one extra round of communication and one signature computation/verification. We prove security in the universal composability framework by (1) defining a new functionality for PAKE with resilience to server compromise, (2) specifying a protocol combining this technique with a (basic) PAKE functionality, and (3) proving (in the random oracle model) that this protocol securely realizes the new functionality.
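The two abstracts above rest on the same observation: whatever one-way function of the password a single server stores, that stored value is enough to test password guesses offline once the server is compromised, and the point of a threshold scheme is that fewer than t compromised servers hold nothing that can be tested against. The Python below is an added illustration of that storage-side argument; it is not code from either paper and not their protocol. It runs the offline attack against a conventional salted verifier, then splits a random check key k across n servers with Shamir sharing and shows that t-1 stolen shares are consistent with every possible k (and so with every password), while t shares let the attacker resume guessing. The salt, password list and field prime P are constructed for the demo. The toy checks a guess by reconstructing k, which a real threshold PAKE must never do: there the servers jointly verify a login without any party assembling the secret, and that joint verification is the part the protocols in these papers supply and this example does not.

```python
"""Added illustration (not the papers' protocol): offline dictionary attack on a
single stolen verifier versus a (t, n)-threshold-shared check key."""
import hashlib
import secrets

# Prime field for Shamir sharing; constructed for this demo (2**127 - 1 is prime).
# Real systems use a properly sized group and a slow, memory-hard password hash.
P = (1 << 127) - 1


def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts so different splits cannot collide."""
    d = hashlib.sha256()
    for part in parts:
        d.update(len(part).to_bytes(2, "big") + part)
    return d.digest()


# ---- Single server: stores a one-way function of (salt, password) -------------

def single_server_verifier(password: str, salt: bytes) -> bytes:
    return h(salt, password.encode())


def offline_dictionary_attack(verifier: bytes, salt: bytes, dictionary):
    """Attacker holding the stolen (salt, verifier) tests guesses with no interaction."""
    for guess in dictionary:
        if single_server_verifier(guess, salt) == verifier:
            return guess
    return None


# ---- Threshold: a random key k is Shamir-shared across n servers ---------------

def shamir_split(secret: int, t: int, n: int) -> dict:
    """Shares (i, f(i)) of a random degree t-1 polynomial f with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {i: sum(c * pow(i, e, P) for e, c in enumerate(coeffs)) % P
            for i in range(1, n + 1)}


def lagrange_at(points: dict, x: int) -> int:
    """Evaluate at x the unique polynomial of degree < len(points) through points."""
    total = 0
    for i, yi in points.items():
        num = den = 1
        for j in points:
            if j != i:
                num = num * (x - j) % P
                den = den * (i - j) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def threshold_enroll(password: str, salt: bytes, t: int, n: int):
    """Registration: each of n servers gets one share of a fresh random k; the
    stored tag binds the password to k and cannot be checked without k."""
    k = secrets.randbelow(P)
    tag = h(k.to_bytes(16, "big"), salt, password.encode())
    return shamir_split(k, t, n), tag


def threshold_attack(stolen: dict, tag: bytes, salt: bytes, dictionary, t: int):
    """Attacker with the shares of len(stolen) servers. Below t there is nothing to
    test against (see consistent_share); at t or more, reconstruct k and guess."""
    if len(stolen) < t:
        return None
    k = lagrange_at(stolen, 0)
    for guess in dictionary:
        if h(k.to_bytes(16, "big"), salt, guess.encode()) == tag:
            return guess
    return None


def consistent_share(stolen: dict, candidate_k: int, missing_index: int) -> int:
    """Why t-1 shares are worthless: for ANY candidate k there is a value of the
    missing share under which the stolen shares reconstruct to candidate_k."""
    pts = dict(stolen)
    pts[0] = candidate_k
    return lagrange_at(pts, missing_index)


if __name__ == "__main__":
    salt = b"constructed-demo-salt"                              # constructed
    dictionary = ["123456", "password", "letmein", "hunter2"]   # constructed
    v = single_server_verifier("hunter2", salt)
    print("single server, verifier stolen ->", offline_dictionary_attack(v, salt, dictionary))

    shares, tag = threshold_enroll("hunter2", salt, t=2, n=3)
    print("threshold, 1 of 3 servers compromised ->",
          threshold_attack({1: shares[1]}, tag, salt, dictionary, t=2))
    print("threshold, 2 of 3 servers compromised ->",
          threshold_attack({1: shares[1], 3: shares[3]}, tag, salt, dictionary, t=2))
    for cand in (0, 42, P - 1):
        s2 = consistent_share({1: shares[1]}, cand, 2)
        assert lagrange_at({1: shares[1], 2: s2}, 0) == cand
    print("every candidate k is consistent with the single stolen share")
```

The `consistent_share` function is the information-theoretic half of the argument: with t-1 shares the attacker can complete the polynomial to any secret at all, so the tag gives no way to rank guesses. Compromise of the t-th server collapses that to the ordinary single-server situation, which is exactly the boundary the 2002 abstract states.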
Lecture Notes in Computer Science, 2006
There has been much interest in password-authenticated key-exchange protocols which remain secure even when users choose passwords from a very small space of possible passwords (say, a dictionary of English words). Under this assumption, one must be careful to design protocols which cannot be broken using off-line dictionary attacks, in which an adversary enumerates all possible passwords in an attempt to determine the correct one. Many heuristic protocols have been proposed to solve this important problem. Only recently have formal validations of security (namely, proofs in the idealized random oracle and ideal cipher models) been given for specific constructions [3, 10, 22]. Very recently, a construction based on general assumptions, secure in the standard model with human-memorable passwords, has been proposed by Goldreich and Lindell [17]. Their protocol requires no public parameters; unfortunately, it requires techniques from general multi-party computation which make it impractical. Thus, [17] only proves that solutions are possible "in principle". The main question left open by their work was finding an efficient solution to this fundamental problem. We show an efficient, 3-round, password-authenticated key exchange protocol with human-memorable passwords which is provably secure under the Decisional Diffie-Hellman assumption, yet requires only roughly 8 times more computation than "standard" Diffie-Hellman key exchange [14] (which provides no authentication at all). We assume public parameters available to all parties. We stress that we work in the standard model only, and do not require a "random oracle" assumption.
exchange underlie most interactions taking place on the Internet. The importance of this primitive has been realized for some time by the security community (see [11] for exhaustive references), followed by an increasing recognition that precise definitions and formalization were needed.
The first formal treatments [4, 6, 2, 20, 9, 28, 11] were in a model in which participants already share some cryptographically-strong information: either a secret key which can be used for encryption/authentication of messages, or a public key which can be used for encryption/signing of messages. The setting arising most often in practice (in which human users are only capable of storing "human-memorable" passwords: password-authenticated key exchange) remains much less studied, though many heuristic protocols exist. Indeed, only recently have formal definitions of security for this setting appeared [3, 10, 22, 17].
Provably secure password-authenticated key exchange using Diffie-Hellman
Advances in Cryptology, Eurocrypt …, 2000
When designing password-authenticated key exchange protocols (as opposed to key exchange protocols authenticated using cryptographically secure keys), one must not allow any information to be leaked that would allow verification of the password (a weak shared key), since an attacker who obtains this information may be able to run an off-line dictionary attack to determine the correct password. We present a new protocol called PAK which is the first Diffie-Hellman-based password-authenticated key exchange protocol to provide a formal proof of security (in the random oracle model) against both passive and active adversaries. In addition to the PAK protocol that provides mutual explicit authentication, we also show a more efficient protocol called PPK that is provably secure in the implicit-authentication model. We then extend PAK to a protocol called PAK-X, in which one side (the client) stores a plaintext version of the password, while the other side (the server) only stores a verifier for the password. We formally prove security of PAK-X, even when the server is compromised. Our formal model for password-authenticated key exchange is new, and may be of independent interest.
A Secure Threshold Anonymous Password-Authenticated Key Exchange Protocol
Lecture Notes in Computer Science, 2007
At Indocrypt 2005, Viet et al. proposed an anonymous password-authenticated key exchange (PAKE) protocol and its threshold construction, both of which are designed for clients' password-based authentication and anonymity against a passive server, who does not deviate from the protocol. In this paper, we first point out that their threshold construction is completely insecure against off-line dictionary attacks. For the threshold t > 1, we propose a secure threshold anonymous PAKE (for short, TAP) protocol with the number of clients n upper-bounded, such that n ≤ 2√(N − 1) − 1, where N is the dictionary size of passwords. We rigorously prove that the TAP protocol has semantic security of session keys in the random oracle model by showing the reduction to the computational Diffie-Hellman problem. In addition, the TAP protocol provides unconditional anonymity against a passive server. For the threshold t = 1, we propose an efficient anonymous PAKE protocol that significantly improves efficiency in terms of computation costs and communication bandwidth compared to the original (not threshold) anonymous PAKE protocol.
Pretty-Simple Password-Authenticated Key-Exchange Under Standard Assumptions
In this paper, we propose a pretty simple password-authenticated key-exchange protocol which is based on the difficulty of solving the DDH problem. It has the following advantages: (1) Both y1 and y2 in our protocol are independent, and thus they can be pre-computed and can be sent independently. This speeds up the protocol. (2) Clients and servers can use almost the same algorithm. This reduces the implementation costs without admitting replay attacks or abuse of entities as oracles.
Authenticated Key Exchange Secure Against Dictionary Attacks
Password-based protocols for authenticated key exchange (AKE) are designed to work despite the use of passwords drawn from a space so small that an adversary might well enumerate, off-line, all possible passwords. While several such protocols have been suggested, the underlying theory has been lagging. We begin by defining a model for this problem, one rich enough to deal with password guessing, forward secrecy, server compromise, and loss of session keys. The one model can be used to define various goals. We take AKE with "implicit" authentication as the "basic" goal, and we give definitions for it, and for entity-authentication goals as well. Then we prove correctness for the idea at the center of the Encrypted Key-Exchange (EKE) protocol of Bellovin and Merritt: we prove security, in an ideal-cipher model, of the two-flow protocol at the core of EKE.
security analysis. This protocol problem has become quite popular, with further papers suggesting solutions including [7, 10, 11, 15, 18, 21, 22]. The reason for this interest is simple: password-guessing attacks are a common avenue for breaking into systems, and here is a domain where good cryptographic protocols can help.
Contributions. Our first goal was to find an approach to help manage the complexity of definitions and proofs in this domain. We start with the model and definitions of Bellare and Rogaway [4] and modify or extend them appropriately. The model can be used to define the execution of authentication and key-exchange protocols in many different settings. We specify the model in pseudocode, not only in English, so as to provide succinct and unambiguous execution semantics. The model is used to define the ideas of proper partnering, freshness of session keys, and measures of security for authenticated key exchange, unilateral authentication, and mutual authentication.
Some specific features of our approach are: partnering via session IDs (an old idea of Bellare, Petrank, Rackoff, and Rogaway; see Remark 1); a distinction between accepting a key and terminating; incorporation of a technical correction to [4] concerning Test queries (this arose from a counter-example by Rackoff; see Remark 5); providing the adversary a separate capability to obtain honest protocol executions (important to measure security against dictionary attacks); and providing the adversary corruption capabilities which enable a treatment of forward secrecy.
A Simple Threshold Authenticated Key Exchange from Short Secrets
Lecture Notes in Computer Science, 2005
This paper brings the password-based authenticated key exchange (PAKE) problem closer to practice. It takes into account the presence of firewalls when clients communicate with authentication servers. An authentication server can indeed be seen as two distinct entities, namely a gateway (which is the direct interlocutor of the client) and a back-end server (which is the only one able to check the identity of the client). The goal in this setting is to achieve both transparency and security for the client. And to achieve these goals, the most appropriate choices seem to be to keep the client's password private (even from the back-end server) and to use threshold-based cryptography. In this paper, we present the Gateway Threshold Password-based Authenticated Key Exchange (GTPAKE) system: GTPAKE uses a pair of public/private keys and, unlike traditional threshold-based constructions, shares only the private key among the servers. The system does not require any certification (except during the registration and update of clients' passwords), since clients do not use the public key to authenticate to the gateway. Clients only need to have their password in hand. In addition to client security, this paper also presents highly desirable security properties such as server password protection against dishonest gateways and key privacy against curious authentication servers.
Pretty-simple password-authenticated key-exchange protocol proven to be secure in the standard model
IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences
In this paper, we propose a pretty simple password-authenticated key-exchange protocol which is based on the difficulty of solving the DDH problem. It has the following advantages: (1) Both y1 and y2 in our protocol are independent, and thus they can be pre-computed and can be sent independently. This speeds up the protocol. (2) Clients and servers can use almost the same algorithm. This reduces the implementation costs without admitting replay attacks or abuse of entities as oracles.
Resist Dictionary Attacks Using Password Based Protocols For Authenticated Key Exchange
A parallel file system is a type of distributed file system that distributes file data across multiple servers and provides for concurrent access by multiple tasks of a parallel application. In many-to-many communication among multiple tasks, key establishment is a major problem in a parallel file system, so we propose a variety of authenticated key exchange protocols designed to address this issue. In this paper, we also study password-based protocols for authenticated key exchange (AKE) that resist dictionary attacks. Such protocols are designed to work despite the use of passwords drawn from a space so small that an attacker might well enumerate, off-line, all possible passwords. While many such protocols have been suggested, the underlying theory has been lagging. We begin by defining a model for this problem that addresses password guessing, forward secrecy, server compromise, and loss of session keys.