Two-Server Password-Only Authenticated Key Exchange

  • Jonathan Katz
  • Philip MacKenzie
  • Gelareh Taban
  • Virgil Gligor
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3531)


Typical protocols for password-based authentication assume a single server which stores all the information (e.g., the password) necessary to authenticate a user. Unfortunately, an inherent limitation of this approach (assuming low-entropy passwords are used) is that the user’s password is exposed, via an offline dictionary attack, if this server is ever compromised. To address this issue, a number of schemes have been proposed in which a user’s password information is shared among multiple servers, and these servers cooperate in a threshold manner when the user wants to authenticate.
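The limitation described above, and the threshold-sharing idea used to avoid it, as an added illustration that is not the paper's protocol and not code from the authors: a compromised single-server password file is an offline dictionary-attack oracle, whereas an additive (2,2) sharing of the password-derived secret leaves either server's share uniformly random and independent of the password, so compromise of one server rules out no candidate. The dictionary, the salt handling and the modulus Q are constructed for the example.

```python
"""Added illustration, not the protocol from the paper: the offline
dictionary attack that a compromised single password server enables, and
how splitting the password-derived secret into two random shares (one per
server) removes that exposure from either server alone.

Passwords, the dictionary, the salt size and the group order Q are all
constructed for this example."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Low-entropy password space the attacker enumerates (constructed).
DICTIONARY = ["123456", "password", "letmein", "qwerty", "hunter2", "dragon"]

# Prime modulus for the share arithmetic (constructed; any large prime
# works, the particular value is not significant).
Q = (1 << 255) - 19


def hash_pw(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash as a single server would store it.
    The low iteration count keeps the example fast; cost only slows an
    attacker, it does not stop a dictionary attack on a weak password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


# ---- single server: the password file is a dictionary-attack oracle ----

def single_server_enroll(password: str) -> Dict[str, bytes]:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_pw(password, salt)}


def offline_dictionary_attack(record: Dict[str, bytes],
                              dictionary: List[str]) -> Optional[str]:
    """Attacker holding the compromised record tests each candidate against
    the stored hash; any password in the dictionary is recovered offline."""
    for cand in dictionary:
        if hmac.compare_digest(hash_pw(cand, record["salt"]), record["hash"]):
            return cand
    return None


# ---- two servers: additive (2,2) sharing of the password-derived secret ----

def pw_to_scalar(password: str, salt: bytes) -> int:
    """Map the password to the secret s in Z_Q that the servers jointly hold."""
    return int.from_bytes(hash_pw(password, salt), "big") % Q


def two_server_enroll(password: str) -> Tuple[Dict, Dict]:
    """Server 1 stores a uniformly random share; server 2 stores the
    complement. Each share alone is uniform in Z_Q and independent of the
    password. The salt is treated as public and held by both servers."""
    salt = secrets.token_bytes(16)
    s = pw_to_scalar(password, salt)
    share1 = secrets.randbelow(Q)
    share2 = (s - share1) % Q
    return {"salt": salt, "share": share1}, {"salt": salt, "share": share2}


def reconstruct(rec1: Dict, rec2: Dict) -> int:
    """Combine both servers' shares back into s."""
    return (rec1["share"] + rec2["share"]) % Q


def attack_one_share(record: Dict, dictionary: List[str]) -> List[str]:
    """Attacker who compromised ONE server. For every candidate there is
    exactly one value of the other server's share that would complete it,
    so the captured share rules nothing out: the whole dictionary survives.
    The 'other' value is computed only to make that vacuity explicit."""
    survivors = []
    for cand in dictionary:
        other = (pw_to_scalar(cand, record["salt"]) - record["share"]) % Q
        assert 0 <= other < Q  # always holds: no candidate is eliminated
        survivors.append(cand)
    return survivors


def attack_both_shares(rec1: Dict, rec2: Dict,
                       dictionary: List[str]) -> Optional[str]:
    """Both servers compromised: the threshold is met and the attacker is
    back in the single-server situation, recovering s and then the password."""
    s = reconstruct(rec1, rec2)
    for cand in dictionary:
        if pw_to_scalar(cand, rec1["salt"]) == s:
            return cand
    return None


if __name__ == "__main__":
    rec = single_server_enroll("hunter2")
    print("single server, compromised:   ", offline_dictionary_attack(rec, DICTIONARY))
    r1, r2 = two_server_enroll("hunter2")
    print("two servers, one compromised: ", len(attack_one_share(r1, DICTIONARY)), "candidates remain")
    print("two servers, both compromised:", attack_both_shares(r1, r2, DICTIONARY))
```

The sharing shown covers only the stored password information. A two-server protocol such as the one the paper constructs must additionally ensure that the authentication exchange itself gives neither a single malicious server nor an eavesdropper anything to run a dictionary attack against, which is what its proof of security addresses; storage splitting alone does not establish that.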

We show here a two-server protocol for this task assuming public parameters available to everyone in the system (as well as the adversary). Ours is the first provably-secure two-server protocol for the important password-only setting (in which the user need remember only a password, and not the servers’ public keys), and is the first two-server protocol (in any setting) with a proof of security in the standard model.




Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Jonathan Katz (1)
  • Philip MacKenzie (2)
  • Gelareh Taban (3)
  • Virgil Gligor (3)

  1. Dept. of Computer Science, University of Maryland
  2. DoCoMo USA Labs, USA
  3. Dept. of Electrical and Computer Engineering, University of Maryland
