Software-Only Two-Factor Authentication Secure Against Active Servers

  • Conference paper
Progress in Cryptology – AFRICACRYPT 2016 (AFRICACRYPT 2016)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 9646)

Abstract

In most password-based authentication protocols, the server owns a value, the so-called verifier, that depends on the registered password. This verifier is often a one-way function of the password. Despite this protection, an unauthorized person who gets access to the verifier can mount a brute-force attack to recover the password. If the entropy of the password is low, which is often the case in practice, such an attack might be successful. Motivated by the growing need to face database compromises, we propose a two-factor password-based authentication protocol where no information about the password leaks from the server’s side or from the client’s side, and where the password is not sent to the server when the user authenticates. During registration, a user gets a value, called the token, while the server records the verifier. Our security model ensures that brute-force attacks are impossible if the server is compromised. Moreover, only on-line attempts are possible if a token is stolen. The solutions that we describe fit well into scenarios where the token is stored on a mobile phone. We provide constructions, proven secure in the random-oracle model, under standard assumptions.

Acknowledgements

This work has been partially funded by the European FP7 EKSISTENZ (SEC-2013-607049) project. The opinions expressed in this document only represent the authors’ view. They reflect neither the view of the European Commission nor the view of their employer. The authors would like to thank Rodolphe Hugel, Olivier Cipière and Victor Servant for useful discussions, and the anonymous reviewers for their valuable comments and suggestions.

Corresponding author

Correspondence to Roch Lescuyer.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Bringer, J., Chabanne, H., Lescuyer, R. (2016). Software-Only Two-Factor Authentication Secure Against Active Servers. In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds) Progress in Cryptology – AFRICACRYPT 2016. AFRICACRYPT 2016. Lecture Notes in Computer Science, vol 9646. Springer, Cham. https://doi.org/10.1007/978-3-319-31517-1_15

  • DOI: https://doi.org/10.1007/978-3-319-31517-1_15

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-31516-4

  • Online ISBN: 978-3-319-31517-1

  • eBook Packages: Computer Science, Computer Science (R0)
