On the Security of Some Password-Based Key Agreement Schemes
In this paper we show that three potential security vulnerabilities exist in the strong password-only authenticated key exchange scheme due to Jablon. Two standardised schemes based on Jablon’s scheme, namely the first password-based key agreement mechanism in ISO/IEC FCD 11770-4 and the scheme BPKAS-SPEKE in IEEE P1363.2 also suffer from some of these security vulnerabilities. We further show that other password-based key agreement mechanisms, including those in ISO/IEC FCD 11770-4 and IEEE P1363.2, also suffer from these security vulnerabilities. Finally, we propose means to remove these security vulnerabilities.
KeywordsSecurity Vulnerability Protocol Execution Dictionary Attack Protocol Instance Online Dictionary Attack
Unable to display preview. Download preview PDF.
- 3.Jablon, D.: Extended Password Key Exchange Protocols Immune to Dictionary Attack. In: Proceedings of the WETICE 1997 Workshop on Enterprise Security, pp. 248–255 (1997)Google Scholar
- 6.International Organization for Standardization. ISO/IEC FCD 11770–4, Information technology — Security techniques — Key management — Part 4: Mechanisms based on weak secrets (2004)Google Scholar
- 7.Institute of Electrical and Electronics Engineers, Inc. IEEE P1363.2 draft D20, Standard Specifications for Password-Based Public-Key Cryptographic Techniques (2005)Google Scholar