International Journal of Information Security

, Volume 9, Issue 6, pp 387–410 | Cite as

Password-authenticated key exchange based on RSA

  • Philip MacKenzie
  • Sarvar Patel
  • Ram Swaminathan
Special Issue Paper


There have been many proposals in recent years for password-authenticated key exchange protocols, i.e., protocols in which two parties who share only a short secret password perform a key exchange authenticated with the password. However, the only ones that have been proven secured against offline dictionary attacks were based on Diffie–Hellman key exchange. We examine how to design a secure password-authenticated key exchange protocol based on RSA. In this paper, we first look at the OKE and protected-OKE protocols (both RSA-based) and show that they are insecure. Then we show how to modify the OKE protocol to obtain a password-authenticated key exchange protocol that can be proven secure (in the random oracle model). This protocol is very practical; in fact, it requires about the same amount of computation as the Diffie–Hellman-based protocols. Finally, we present an augmented protocol that is resilient to server compromise, meaning (informally) that an attacker who compromises a server would not be able to impersonate a client, at least not without running an offline dictionary attack against that client’s password.


Passwords Mutual authentication Key exchange RSA 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bach E., Shallit J.: Algorithmic Number Theory: Volume 1 Efficient Algorithms. The MIT Press, Cambridge, Massachusetts (1996)zbMATHGoogle Scholar
  2. 2.
    Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: EUROCRYPT 2000 (LNCS 1807), pp. 139–155 (2000)Google Scholar
  3. 3.
    Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: ACM Conference on Computer and Communication Science (CCS) ’93, pp. 62–73 (1993)Google Scholar
  4. 4.
    Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: CRYPTO ’93 (LNCS 773), pp. 232–249 (1993)Google Scholar
  5. 5.
    Bellare, M., Rogaway, P.: Provably secure session key distribution—the three party case. In: 27th ACM Symposium on the Theory of Computing (STOC), pp. 57–66 (1995)Google Scholar
  6. 6.
    Bellovin, S.M., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: Proceedings of the IEEE Symposium on Research in Security and Privacy, pp. 72–84 (1992)Google Scholar
  7. 7.
    Bellovin, S.M., Merritt, M.: Augumented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise. In: ACM Conference on Computer and Communication Science (CCS) ’93, pp. 244–250 (1993)Google Scholar
  8. 8.
    Bleichenbacher, D.: Personal Communication (1999)Google Scholar
  9. 9.
    Boyko, V., MacKenzie, P., Patel, S.: Provably-secure password authentication and key exchange using Diffie–Hellman. In: EUROCRYPT 2000 (LNCS 1807), pp. 156–171 (2000)Google Scholar
  10. 10.
    Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. In: 30th ACM Symposium on Theory of Computing (STOC), pp. 209–218 (1998)Google Scholar
  11. 11.
    Cramer, R., Shoup, V.: A practical public-key cryptosystem provably secure against adaptive chosen ciphertext attack. In: CRYPTO ’98 (LNCS 1462), pp. 13–25 (1998)Google Scholar
  12. 12.
    Diffie W., Hellman M.: New directions in cryptography. IEEE Trans. Info. Theory 22(6), 644–654 (1976)zbMATHCrossRefMathSciNetGoogle Scholar
  13. 13.
    Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: CRYPTO ’86 (LNCS 263), pp. 186–194 (1986)Google Scholar
  14. 14.
    Goldreich, O., Lindell, Y.: Session-key generation using human passwords only. In: CRYPTO 2001 (LNCS 2139), pp. 408–432 (2001)Google Scholar
  15. 15.
    Goldwasser S., Micali S., Rivest R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)zbMATHCrossRefMathSciNetGoogle Scholar
  16. 16.
    Gong L., Lomas T.M.A., Needham R.M., Saltzer J.H.: Protecting poorly chosen secrets from guessing attacks. IEEE J. Select. Areas Commun. 11(5), 648–656 (1993)CrossRefGoogle Scholar
  17. 17.
    Gong, L.: Optimal authentication protocols resistant to password guessing attacks. In: 8th IEEE Computer Security Foundations Workshop, pp. 24–29 (1995)Google Scholar
  18. 18.
    Guillou, L.C., Quisquater, J.-J.: A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. In: Eurocrypt ’88 (LNCS 330), pp. 123–128 (1988)Google Scholar
  19. 19.
    Halevi, S., Krawczyk, H.: Public-key cryptography and password protocols. In: 5th ACM Conference on Computer and Communications Security (CCS), pp. 122–131 (1998)Google Scholar
  20. 20.
    IEEE P1363 Annex D/Editorial Contribution 1c: Standard specifications for public-key cryptography (June 1998)Google Scholar
  21. 21.
    Jablon D.: Strong password-only authenticated key exchange. ACM Comput. Commun. Rev. 26(5), 5–20 (1996)CrossRefGoogle Scholar
  22. 22.
    Jablon, D.: Extended password key exchange protocols immune to dictionary attack. In: WETICE ’97 Workshop on Enterprise Security, pp. 248–255 (1997)Google Scholar
  23. 23.
    Katz, J., Ostrovsky, R., Yung, M.: Practical password-authenticated key exchange provably secure under standard assumptions. In: EUROCRYPT 2001 (LNCS 2045), pp. 475–494 (2001)Google Scholar
  24. 24.
    Kravitz, D.W.: Digital signature algorithm. U.S. Patent 5,231,668 (27 July 1993)Google Scholar
  25. 25.
    Lenstra H.W.: Divisors in residue classes. Math. Comput. 42, 331–340 (1984)zbMATHCrossRefMathSciNetGoogle Scholar
  26. 26.
    Lenstra A.K., Verheul E.R.: Selecting cryptographic key sizes. J. Cryptol. 14(4), 255–293 (2001)zbMATHMathSciNetGoogle Scholar
  27. 27.
    Lucks, S.: Open key exchange: how to defeat dictionary attacks without encrypting public keys. In: Proceedings of the Workshop on Security Protocols (1997)Google Scholar
  28. 28.
    MacKenzie, P.: The PAK suite: protocols for password-authenticated key exchange. DIMACS Technical Report 2002-46 (2002)Google Scholar
  29. 29.
    MacKenzie P., Patel S., Swaminathan R.: Password-authenticated key exchange based on RSA. In: ASIACRYPT 2000 (LNCS 1976), pp. 599–613 (2000)Google Scholar
  30. 30.
    Patel, S.: Number theoretic attacks on secure password schemes. In: IEEE Symposium on Research in Security and Privacy, pp. 236–247 (1997)Google Scholar
  31. 31.
    Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: EUROCRYPT ’96 (LNCS 1070), pp. 387–398 (1996)Google Scholar
  32. 32.
    Roe, M., Christianson, B., Wheeler, D.: Secure sessions from weak secrets. Technical report, University of Cambridge and University of Hertfordshire (1998)Google Scholar
  33. 33.
    Rivest R., Shamir A., Adleman L.: A method for obtaining digital signature and public key cryptosystems. Commun. ACM 21, 120–126 (1978)zbMATHCrossRefMathSciNetGoogle Scholar
  34. 34.
    Shoup, V.: On formal models for secure key exchange. In: IBM Research Report RZ 3120 (1999)Google Scholar
  35. 35.
    Steiner M., Tsudik G., Waidner M.: Refinement and extension of encrypted key exchange. ACM Oper. Syst. Rev. 29, 22–30 (1995)CrossRefGoogle Scholar
  36. 36.
    Wu, T.: The secure remote password protocol. In: 1998 Internet Society Network and Distributed System Security Symposium (NDSS), pp. 97–111 (1998)Google Scholar

Copyright information

© Springer-Verlag 2010

Authors and Affiliations

  • Philip MacKenzie
    • 1
    • 2
  • Sarvar Patel
    • 1
    • 3
  • Ram Swaminathan
    • 1
    • 4
  1. 1.Bell LaboratoriesLucent TechnologiesMurrary HillUSA
  2. 2.Google, IncMountain ViewUSA
  3. 3.Google, IncNew YorkUSA
  4. 4.Hewlett-Packard LaboratoriesPalo AltoUSA

Personalised recommendations