Authenticated Key Exchange Secure against Dictionary Attacks

  • Mihir Bellare
  • David Pointcheval
  • Phillip Rogaway
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1807)


Password-based protocols for authenticated key exchange (AKE) are designed to work despite the use of passwords drawn from a space so small that an adversary might well enumerate, off line, all possible passwords. While several such protocols have been suggested, the underlying theory has been lagging. We begin by defining a model for this problem, one rich enough to deal with password guessing, forward secrecy, server compromise, and loss of session keys. The one model can be used to define various goals. We take AKE (with “implicit” authentication) as the “basic” goal, and we give definitions for it, and for entity-authentication goals as well. Then we prove correctness for the idea at the center of the Encrypted Key-Exchange (EKE) protocol of Bellovin and Merritt: we prove security, in an ideal-cipher model, of the two-flow protocol at the core of EKE.


Forward Secrecy, Test Query, Dictionary Attack, Corrupt Query, Password Space
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. M. Bellare, R. Canetti, and H. Krawczyk. A Modular Approach to the Design and Analysis of Authentication and Key Exchange Protocols. Proc. of the 30th STOC. ACM Press, New York, 1998.
  2. M. Bellare, D. Pointcheval, and P. Rogaway. Authenticated Key Exchange Secure Against Dictionary Attacks. Full version of this paper, available from
  3. M. Bellare and P. Rogaway. Entity Authentication and Key Distribution. CRYPTO ’93, LNCS 773, pages 232–249. Springer-Verlag, Berlin, 1994.
  4. M. Bellare and P. Rogaway. Provably Secure Session Key Distribution: the Three Party Case. Proc. of the 27th STOC. ACM Press, New York, 1995.
  5. M. Bellare and P. Rogaway, work in progress.
  6. S. Bellovin and M. Merritt. Encrypted Key Exchange: Password-Based Protocols Secure against Dictionary Attacks. Proc. of the Symposium on Security and Privacy, pages 72–84. IEEE, 1992.
  7. S. Bellovin and M. Merritt. Augmented Encrypted Key Exchange: A Password-Based Protocol Secure against Dictionary Attacks and Password File Compromise. Proceedings of the 1st Annual Conference on Computer and Communications Security, ACM, 1993.
  8. J. Black and P. Rogaway. Ciphers with Arbitrary Finite Domains. Manuscript, 2000.
  9. M. Boyarsky. Public-Key Cryptography and Password Protocols: The Multi-User Case. Proceedings of the 6th Annual Conference on Computer and Communications Security, ACM, 1999.
  10. V. Boyko, P. MacKenzie, and S. Patel. Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman. Eurocrypt 2000, LNCS 1807, pages 156–171. Springer-Verlag, Berlin, 2000.
  11. P. Buhler, T. Eirich, M. Steiner, and M. Waidner. Secure Password-Based Cipher Suite for TLS. Proceedings of Network and Distributed Systems Security Symposium. February 2000.
  12. D. Denning and G. Sacco. Timestamps in Key Distribution Protocols. Communications of the ACM, 24, 1981, pp. 533–536.
  13. L. Gong, M. Lomas, R. Needham, and J. Saltzer. Protecting Poorly Chosen Secrets from Guessing Attacks. IEEE Journal on Selected Areas in Communications, 11(5):648–656, June 1993.
  14. S. Halevi and H. Krawczyk. Public-Key Cryptography and Password Protocols. ACM Transactions on Information and System Security, Vol. 2, No. 3, pp. 230–268, August 1999. Earlier version in Proc. of the 5th CCS conference, ACM Press, New York, 1998.
  15. D. Jablon. Strong Password-Only Authenticated Key Exchange. ACM Computer Communications Review, October 1996.
  16. D. Jablon. Extended Password Key Exchange Protocols Immune to Dictionary Attacks. Proc. of WET-ICE ’97, pp. 248–255. IEEE Computer Society, June 1997.
  17. S. Lucks. Open Key Exchange: How to Defeat Dictionary Attacks Without Encrypting Public Keys. Proc. of the Security Protocols Workshop, LNCS 1361. Springer-Verlag, Berlin, 1997.
  18. P. MacKenzie and R. Swaminathan. Secure Authentication with a Short Secret. Manuscript. November 2, 1999. Earlier version as Secure Network Authentication with Password Identification. Submission to IEEE P1363a. August 1999. Available from
  19. C. Rackoff, private communication, 1995.
  20. V. Shoup. On Formal Models for Secure Key Exchange. Theory of Cryptography Library Record 99-12, and invited talk at ACM Computer and Communications Security conference, 1999.
  21. M. Roe, B. Christianson, and D. Wheeler. Secure Sessions from Weak Secrets. Technical report from University of Cambridge and University of Hertfordshire. Manuscript, 1998.
  22. T. Wu. The Secure Remote Password Protocol. Proceedings of the Internet Society Symposium on Network and Distributed System Security, pp. 97–111, 1998.

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Mihir Bellare (1)
  • David Pointcheval (2)
  • Phillip Rogaway (3)

  1. Dept. of Computer Science & Engineering, University of California at San Diego, La Jolla, USA
  2. Dépt. d’Informatique-CNRS, École Normale Supérieure, Paris Cedex 05, France
  3. Dept. of Computer Science, University of California at Davis, Davis, USA
