Blind Password Registration for Two-Server Password Authenticated Key Exchange and Secret Sharing Protocols

  • Franziskus Kiefer
  • Mark Manulis
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9866)


Many organisations enforce policies on the length and formation of passwords to encourage selection of strong passwords and protect their multi-user systems. For Two-Server Password Authenticated Key Exchange (2PAKE) and Two-Server Password Authenticated Secret Sharing (2PASS) protocols, where the password chosen by the client is secretly shared between the two servers, the initial remote registration of policy-compliant passwords represents a major problem because none of the servers is supposed to know the password in clear.

We solve this problem by introducing Two-Server Blind Password Registration (2BPR) protocols that can be executed between a client and the two servers as part of the remote registration procedure.

2BPR protocols guarantee that secret shares sent to the servers belong to a password that matches their combined password policy and that the plain password remains hidden from any attacker that is in control of at most one server. We propose a security model for 2BPR protocols capturing the requirements of policy compliance for client passwords and their blindness against the servers. Our model extends the adversarial setting of 2PAKE/2PASS protocols to the registration phase and hence closes the gap in the formal treatment of such protocols. We construct an efficient 2BPR protocol for ASCII-based password policies, prove its security in the standard model, give a proof of concept implementation, and discuss its performance.
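To make the registration problem concrete, here is an added Python illustration of the two-server setting described above. It is not the paper's 2BPR protocol and not the authors' code: it uses plain additive secret sharing of each ASCII code point over a prime field (a constructed choice) and a constructed three-rule policy. It shows that the combined policy can only be checked on the clear password, that both shares together recover the password (which the servers must never do), and that a single server's share vector is consistent with any password of the same length, so a lone server gets no policy assurance from a share alone. That is the gap a blind registration protocol has to close.

```python
import secrets

# Prime modulus for the additive sharing (constructed choice: Mersenne prime 2^61 - 1).
P = (1 << 61) - 1

# Combined policy of the two servers (constructed example): at least 8 characters,
# printable ASCII only, at least one digit and at least one upper-case letter.
MIN_LEN = 8


def policy_compliant(password: str) -> bool:
    """Check the combined policy. This needs the password in the clear, which is
    exactly what neither server may see in the 2PAKE/2PASS setting."""
    if len(password) < MIN_LEN:
        return False
    if not all(32 <= ord(c) <= 126 for c in password):
        return False
    return any(c.isdigit() for c in password) and any(c.isupper() for c in password)


def share_password(password: str):
    """Client-side additive sharing: each code point c is split into s1, uniform in
    Z_p, and s2 = (c - s1) mod p, so that c = (s1 + s2) mod p. Server 1 receives the
    vector of s1 values, server 2 the vector of s2 values."""
    shares1, shares2 = [], []
    for ch in password:
        s1 = secrets.randbelow(P)
        s2 = (ord(ch) - s1) % P
        shares1.append(s1)
        shares2.append(s2)
    return shares1, shares2


def reconstruct(shares1, shares2) -> str:
    """Only both servers together can recover the password; a 2PAKE/2PASS design
    assumes at most one of them is compromised precisely so this never happens."""
    if len(shares1) != len(shares2):
        raise ValueError("share vectors differ in length")
    return "".join(chr((a + b) % P) for a, b in zip(shares1, shares2))


def other_share_for(my_shares, candidate: str):
    """From one server's point of view its share vector is consistent with *any*
    password of the same length: this computes the partner share that would make
    the registered password equal to `candidate`. Hence a lone server cannot tell a
    policy-compliant registration from a non-compliant one by inspecting its share."""
    if len(my_shares) != len(candidate):
        raise ValueError("candidate length must match the share vector")
    return [(ord(ch) - s) % P for s, ch in zip(my_shares, candidate)]


def naive_registration(password: str):
    """Naive remote registration: the client checks the policy locally and sends one
    share to each server. Returns (client_check, both_servers_recover, lone_server_fooled):
    the last value is True when server 1's share is also consistent with a
    non-compliant password, i.e. the servers gained no assurance from the check."""
    client_check = policy_compliant(password)
    s1, s2 = share_password(password)
    both_recover = reconstruct(s1, s2) == password
    bogus = "a" * len(password)                      # constructed non-compliant password
    lone_server_fooled = reconstruct(s1, other_share_for(s1, bogus)) == bogus
    return client_check, both_recover, lone_server_fooled


if __name__ == "__main__":
    pw = "Tr0ub4dor&3x"                               # constructed sample password
    print("client policy check, both recover, lone server fooled:",
          naive_registration(pw))
```

The `lone_server_fooled` result is True for every input: whatever the client actually chose, server 1's share vector is uniformly distributed and explains a non-compliant password just as well. Blindness of the password is therefore easy to get with plain sharing; what a 2BPR protocol adds is a proof to each server, without revealing the password, that the shares it holds belong to a compliant one.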


Keywords: Commitment Scheme, Policy Compliance, Compliance Check, Mutual Policy, Common Reference String



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Mozilla, Berlin, Germany
  2. Department of Computer Science, Surrey Centre for Cyber Security, University of Surrey, Guildford, UK
