Efficient and Leakage-Resilient Authenticated Key Transport Protocol Based on RSA

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3531)


Let us consider the following situation: (1) a client, who communicates with a variety of servers, remembers only one password and has insecure devices with very restricted computing power and built-in memory capacity; (2) the counterpart servers have enormous computing power, but they are not perfectly secure; (3) neither PKI (Public Key Infrastructure) nor TRMs (Tamper-Resistant Modules) are available.

The main goal of this paper is to provide security against the leakage of stored secrets while attaining high efficiency on the client's side. To that end, we propose an efficient and leakage-resilient RSA-based Authenticated Key Establishment (RSA-AKE) protocol suited to the above situation, whose authenticity is based on a password and an additional stored secret. The RSA-AKE protocol is provably secure in the random oracle model where the adversary is given the client's stored secret and the server's RSA private key. In terms of computation cost, the client is required to compute only one modular exponentiation with exponent e (e ≥ 3) during protocol execution. We also show that the RSA-AKE protocol has several security properties and efficiency advantages over previous protocols of its kind.
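The abstract's efficiency claim, that the client's only public-key work is one modular exponentiation with a small exponent e, is illustrated by the following added example. It is not the paper's RSA-AKE protocol (the page does not give the protocol) and carries none of its password or stored-secret authentication; it is a bare textbook-RSA key transport written for this page, which counts the modular multiplications each side performs under square-and-multiply and shows the classic caveat of e = 3: a seed r with r^e < N is recovered from r^e mod N by an integer e-th root, with no private key at all, so the transported value must be full-size or padded. The modulus size, seeds, the `demo-session` label and all function names are constructed assumptions.

```python
"""Added example, not the paper's RSA-AKE protocol: textbook RSA key transport
used only to measure the cost asymmetry between a client computing c = r^e mod N
with a small e and a server computing c^d mod N, plus the small-exponent caveat.
Every key, seed and label below is constructed for this demonstration."""
import hashlib
import random


def is_probable_prime(n: int, rng: random.Random, rounds: int = 40) -> bool:
    """Miller-Rabin; adequate for demo moduli."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_rsa(bits: int, e: int, seed: int):
    """Seeded demo key (n, e, d) for an odd prime public exponent e >= 3."""
    rng, half = random.Random(seed), bits // 2

    def prime() -> int:
        while True:  # odd, top bit set; cand % e != 1 keeps e invertible mod phi(n)
            cand = rng.getrandbits(half) | (1 << (half - 1)) | 1
            if cand % e != 1 and is_probable_prime(cand, rng):
                return cand

    p, q = prime(), prime()
    while q == p:
        q = prime()
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def modexp_counted(base: int, exp: int, n: int):
    """Left-to-right square-and-multiply: (base^exp mod n, modular multiplications)."""
    if exp == 0:
        return 1 % n, 0
    result, mults = base % n, 0
    for bit in bin(exp)[3:]:  # skip the leading 1 bit
        result, mults = result * result % n, mults + 1
        if bit == "1":
            result, mults = result * base % n, mults + 1
    return result, mults

def derive_key(r: int) -> bytes:
    """Session key from the transported seed (stand-in for the random-oracle hash)."""
    r_bytes = r.to_bytes(max(1, (r.bit_length() + 7) // 8), "big")
    return hashlib.sha256(b"demo-session|" + r_bytes).digest()

def transport(n: int, e: int, d: int, rng: random.Random) -> dict:
    """Client: full-size seed r, one exponentiation c = r^e. Server: r = c^d."""
    r = rng.randrange(1 << (n.bit_length() - 2), n - 1)
    c, client_mults = modexp_counted(r, e, n)
    r_srv, server_mults = modexp_counted(c, d, n)
    return {"c": c, "keys_match": derive_key(r) == derive_key(r_srv),
            "client_mults": client_mults, "server_mults": server_mults}

def iroot(x: int, k: int) -> int:
    """Floor of the integer k-th root of x (binary search, exact for big ints)."""
    lo, hi = 0, 1 << ((x.bit_length() + k - 1) // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** k <= x else (lo, mid - 1)
    return lo

def small_exponent_recover(c: int, e: int):
    """Textbook-RSA caveat: if r**e < n the ciphertext is the plain integer r**e and
    an e-th root returns r with no private key. Returns r, or None if c is not a perfect e-th power."""
    r = iroot(c, e)
    return r if r ** e == c else None

def demo(seed: int = 2005) -> dict:
    n, e, d = gen_rsa(512, 3, seed)     # constructed 512-bit demo modulus, e = 3
    rng = random.Random(seed + 1)
    out = transport(n, e, d, rng)       # client_mults is 2 for e = 3: one squaring, one multiply
    short_r = rng.getrandbits(64)       # too-short seed: short_r**3 < n, so no modular reduction
    out["full_seed_leaks"] = small_exponent_recover(out["c"], e) is not None
    out["short_seed_leaks"] = small_exponent_recover(pow(short_r, e, n), e) == short_r
    return out

if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `client_mults == 2` against several hundred modular multiplications for the server's private exponentiation, which is the asymmetry the abstract relies on; `short_seed_leaks` is true and `full_seed_leaks` is false, which is why the one thing the client exponentiates must be a full-size (or padded) value rather than a short secret.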


Keywords: Random Oracle Model; Modular Exponentiation; Protocol Execution; Dictionary Attack; Perfect Forward Secrecy



Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

Institute of Industrial Science, The University of Tokyo, Tokyo, Japan
