Software-Only Two-Factor Authentication Secure Against Active Servers

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9646)


In most password-based authentication protocols, the server owns a value, the so-called verifier, that depends on the registered password. This verifier is often a one-way function of the password. Despite this protection, an unauthorized person who gets access to the verifier can mount a brute-force attack to recover the password. If the entropy of the password is low, which is often the case in practice, such an attack might be successful. Motivated by the growing need to face database compromises, we propose a two-factor password-based authentication protocol where no information about the password leaks from the server’s side or from the client’s side, and where the password is not sent to the server when the user authenticates. During registration, a user gets a value, called the token, while the server records the verifier. Our security model ensures that brute-force attacks are impossible if the server is compromised. Moreover, only on-line attempts are possible if a token is stolen. The solutions that we describe fit well into scenarios where the token is stored on a mobile phone. We provide constructions, proven secure in the random-oracle model, under standard assumptions.


Authentication Protocol, Random Oracle, Security Parameter, Commitment Scheme, Homomorphic Encryption
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This work has been partially funded by the European FP7 EKSISTENZ (SEC-2013-607049) project. The opinions expressed in this document only represent the authors’ view. They reflect neither the view of the European Commission nor the view of their employer. The authors would like to thank Rodolphe Hugel, Olivier Cipière and Victor Servant for useful discussions, and the anonymous reviewers for their valuable comments and suggestions.



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Julien Bringer (1)
  • Hervé Chabanne (1, 2)
  • Roch Lescuyer (1)

  1. Morpho, Issy-les-Moulineaux, France
  2. Télécom ParisTech, Paris, France
