Two-Server Password-Only Authenticated Key Exchange

  • Jonathan Katz
  • Philip MacKenzie
  • Gelareh Taban
  • Virgil Gligor
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3531)


Typical protocols for password-based authentication assume a single server which stores all the information (e.g., the password) necessary to authenticate a user. Unfortunately, an inherent limitation of this approach (assuming low-entropy passwords are used) is that the user’s password is exposed if this server is ever compromised. To address this issue, a number of schemes have been proposed in which a user’s password information is shared among multiple servers, and these servers cooperate in a threshold manner when the user wants to authenticate.

We show here a two-server protocol for this task assuming public parameters available to everyone in the system (as well as the adversary). Ours is the first provably-secure two-server protocol for the important password-only setting (in which the user need remember only a password, and not the servers’ public keys), and is the first two-server protocol (in any setting) with a proof of security in the standard model.


Keywords: Random Oracle, Random Oracle Model, Dictionary Attack, Compute Protocol, Common Reference String



Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Jonathan Katz (1)
  • Philip MacKenzie (2)
  • Gelareh Taban (3)
  • Virgil Gligor (3)

  1. Dept. of Computer Science, University of Maryland
  2. DoCoMo USA Labs, USA
  3. Dept. of Electrical and Computer Engineering, University of Maryland
