Abstract
Passwords are one of the most common cause of system break-ins, because the low entropy of passwords makes systems vulnerable to brute force guessing attacks (dictionary attacks). Existing Strong Password-based Authentication and Key Agreement (SPAKA) protocols protect passwords from passive (eavesdropping-offline dictionary) attacks, but not from active online dictionary attacks. This paper presents a simple scheme that strengthens password-based authentication protocols and helps prevent online dictionary attacks as well as many-to-many attacks common to 3-pass SPAKA protocols. The proposed scheme significantly increases the computational burden of an attacker trying to launch online dictionary attacks, while imposing negligible load on the legitimate clients as well as on the authentication server.
This research is supported in part by the Intelligent Storage Consortium at Digital Technology Center (DISC), University of Minnesota.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Research papers on password-based cryptography, http://www.jablon.org/passwordlinks.html
Aura, T., Nikander, P., Leiwo, J.: DOS-resistant authentication with client puzzles. In: Christianson, B., et al. (eds.) Security Protocols 2000. LNCS, vol. 2133, p. 170. Springer, Heidelberg (2001)
Bellare, M., Namprempre, C.: Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, p. 531. Springer, Heidelberg (2000)
Bellare, M., Rogaway, P.: The AuthA protocol for password-based authenticated key exchange. Submission to IEEE P1363.2 (2000)
Bellovin, S.M., Merritt, M.: Encrypted key exchange: Password-based protocols secure against dictionary attacks. In: IEEE Symposium on Security and Privacy (1992)
Boyko, V., MacKenzie, P.D., Patel, S.: Provably secure password-authenticated key exchange using diffie-hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, p. 156. Springer, Heidelberg (2000)
Buxton, P.: Egg rails at password security. Netimperative(June 24, 2002)
CERT. TCP syn flooding and ip spoofing attack. CERT Advisory CA-96.21 (November 1996)
Dean, D., Stubblefield, A.: Using client puzzles to protect TLS. In: the 10th Annual USENIX Security Symposium (2001)
Denning, D., Sacco, G.: Timestamps in key distribution systems. Communications of the ACM (August 1981)
Dwork, C., Naor, M.: Pricing via processing or combatting junk mail. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773. Springer, Heidelberg (1994)
IEEE P1363 Working Group. IEEE P1363-2: Standard specifications for passwordbased public key cryptographic techniques, http://grouper.ieee.org/groups/1363
Jablon, D.P.: Strong password-only authenticated key exchange. Computer Communication 26(5), 5–26 (1996)
Juels, A., Brainard, J.: Client puzzles: A cryptographic defense against connection depletion attacks. In: Network and Distributed System Security Symposium (1999)
Klein, D.V.: Foiling the cracker. – A survey of, and improvements to, password security. In: The second USENIX Workshop on Security (1990)
Knight, E., Hartley, C.: The password paradox. Business Security Advisor magazine (December 1998)
Kwon, T.: Authentication and key agreement via memorable password. In: Network and Distributed System Security Symposium (2001)
Kwon, T.: Practical authenticated key agreement using passwords. the 7th Information Security Conference, ISC (2004)
Lomas, T., Gong, L., Saltzer, J., Needhamn, R.: Reducing risks from poorly chosen keys. In: The twelfth ACM symposium on Operating systems principles, SOSP (1989)
Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (October 1996)
Morris, R.T., Thompson, K.: Password security: A case history. Communications of the ACM 22(11), 594–597 (1979)
Pinkas, B., Sander, T.: Securing passwords against dictionary attacks. In: The 9th ACM Conference on Computer and Communications Security (2002)
Rivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed-release crypto. Technical Report LCS/TR-684, MIT (1996)
Spafford, E.: Observing reusable password choices. In: The 3rd UNIX Security Symposium (1992)
Transport Layer Security Working Group. SSL 3.0 specification, http://wp.netscape.com/eng/ssl3/
Wang, X., Reiter, M.K.: Defend against denial-of-service attacks with puzzle auctions. In: The IEEE Symposium on Security and Privacy (2003)
Wu, T.: The secure remote password protocol. In: Network and Distributed System Security Symposium (1998)
Wu, T.: The stanford SRP authentication project (February 2004), http://srp.stanford.edu
Ylonen, T.: SSH - secure login connections over the internet. In: The 6th USENIX Security Symposium (1996)
Scotland Yard and the case of the rent-a-zombies (July 2004), http://news.zdnet.com/2100-1009_22-5260154.html
Zombie PCs for Rent (September 2004), http://securitynews.weburb.dk/show.php3?item=InformationSecurity&p%5Bne%wsletterId%5D=609
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Wang, P., Kim, Y., Kher, V., Kwon, T. (2005). Strengthening Password-Based Authentication Protocols Against Online Dictionary Attacks. In: Ioannidis, J., Keromytis, A., Yung, M. (eds) Applied Cryptography and Network Security. ACNS 2005. Lecture Notes in Computer Science, vol 3531. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11496137_2
Download citation
DOI: https://doi.org/10.1007/11496137_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-26223-7
Online ISBN: 978-3-540-31542-1
eBook Packages: Computer ScienceComputer Science (R0)