Provably Secure Threshold Password-Authenticated Key Exchange
We present two protocols for threshold password-authenticated key exchange. In this model, the password is not stored in a single authenticating server but rather shared among a set of n servers, so that an adversary can learn the password only by breaking into t+1 of them. The protocols require n > 3t servers to work.
The goal is to protect the password against attacks by hackers who break into the authenticating server and steal password information. All known centralized password authentication schemes are susceptible to such an attack.
Ours are the first protocols which are provably secure in the standard model (i.e. no random oracles are used in the proof of security). Moreover, our protocols are reasonably efficient and implementable in practice. In particular, a goal of the design was to avoid costly zero-knowledge proofs so as to keep interaction to a minimum.
Keywords: Secret Sharing, Random Oracle, Dictionary Attack, Password Authentication, Malicious Adversary
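The threshold property described in the abstract (an adversary learns the password only by breaking into t+1 of the n servers) rests on sharing the password rather than storing it. The following is an added illustration, not code from the paper, of that property using Shamir (t+1)-out-of-n sharing over a prime field: any t+1 shares reconstruct the shared value, while any t shares are consistent with every possible value, so they reveal nothing. The field modulus, the SHA-256 encoding of the password as a field element and the sample password are constructed for this example; the key exchange itself, the verification of shares and the handling of malicious servers (which is where the n > 3t bound of the paper comes in) are not shown.

```python
# Added example: Shamir threshold sharing of a password-derived field element.
# Not the paper's protocol; only the "t+1 of n" secrecy property is shown.
import hashlib
import secrets

# Constructed parameter: a 127-bit Mersenne prime used as the field modulus.
PRIME = 2**127 - 1


def password_to_field_element(password: str) -> int:
    """Encode the password as a field element (SHA-256 is only an encoding here)."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % PRIME


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (constant term first) at x mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def share(secret: int, n: int, t: int):
    """Split `secret` into n shares (x_i, f(x_i)) with f random of degree t, f(0) = secret.

    Any t+1 shares determine f and hence the secret; t or fewer do not.
    The n > 3t check mirrors the requirement stated in the abstract.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of field range")
    if n <= 3 * t:
        raise ValueError("the protocols require n > 3t servers")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t)]
    # Server i holds the evaluation at x = i (x = 0 is reserved for the secret).
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def interpolate_at(points, x):
    """Lagrange interpolation: value at x of the unique polynomial through `points`."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def reconstruct(shares):
    """Recover the secret f(0) from at least t+1 shares."""
    return interpolate_at(shares, 0)


def forge_missing_share(t_shares, candidate_secret, x_missing):
    """Demonstrate zero information leakage from t shares.

    Given only t shares, for ANY candidate secret there is a degree-t polynomial
    through (0, candidate) and the t shares; this returns the share value server
    `x_missing` would hold under that polynomial. Since every candidate is
    equally consistent with the t shares, they reveal nothing about the secret.
    """
    points = [(0, candidate_secret)] + list(t_shares)
    return interpolate_at(points, x_missing)


if __name__ == "__main__":
    n, t = 7, 2                     # constructed parameters, n > 3t holds
    s = password_to_field_element("correct horse battery staple")  # constructed
    shares = share(s, n, t)
    print("t+1 shares recover the secret:", reconstruct(shares[:t + 1]) == s)
    fake = 424242
    forged = forge_missing_share(shares[:t], fake, x_missing=5)
    print("t shares fit a fake secret too:",
          reconstruct(shares[:t] + [(5, forged)]) == fake)
```

Running the block shows both halves of the threshold property: three of the seven shares recover the password element, while any two shares can be completed to an equally valid third share for an arbitrary fake secret, so compromising t servers yields no information about the password.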