Skip to main content
SpringerLink
Log in

One-Time-Password-Authenticated Key Exchange

  • Conference paper
Book cover Information Security and Privacy (ACISP 2010)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 6168))

Included in the following conference series:

Abstract

To reduce the damage of phishing and spyware attacks, banks, governments, and other security-sensitive industries are deploying one-time password systems, where users have many passwords and use each password only once. If a single password is compromised, it can be only be used to impersonate the user once, limiting the damage caused. However, existing practical approaches to one-time passwords have been susceptible to sophisticated phishing attacks.

We give a formal security treatment of this important practical problem. We consider the use of one-time passwords in the context of password-authenticated key exchange (PAKE), which allows for mutual authentication, session key agreement, and resistance to phishing attacks. We describe a security model for the use of one-time passwords, explicitly considering the compromise of past (and future) one-time passwords, and show a general technique for building a secure one-time-PAKE protocol from any secure PAKE protocol. Our techniques also allow for the secure use of pseudorandomly generated and time-dependent passwords.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Abdalla, M., Chevassut, O., Pointcheval, D.: One-time verifier-based encrypted key exchange. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 47–64. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  2. Babbage, S., Catalano, D., Cid, C., Dunkelman, O., Gehrmann, C., Granboulan, L., Lange, T., Lenstra, A., Nguyen, P.Q., Paar, C., Pelzl, J., Pornin, T., Preneel, B., Rechberger, C., Rijmen, V., Robshaw, M., Rupp, A., Smart, N., Ward, M.: ECRYPT yearly report on algorithms and keysizes (2007–2008) (July 2008), http://www.ecrypt.eu.org/documents/D.SPA.28-1.1.pdf

  3. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000)

    Chapter  Google Scholar 

  4. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proc. 1st ACM Conference on Computer and Communications Security (CCS), pp. 62–73. ACM, New York (1993)

    Chapter  Google Scholar 

  5. Bellovin, S.M., Merritt, M.: Encrypted key exchange: Password-based protocols secure against dictionary attacks. In: Proceedings of the 1992 IEEE Computer Society Conference on Research in Security and Privacy. IEEE, Los Alamitos (May 1992)

    Google Scholar 

  6. Bellovin, S.M., Merritt, M.: Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise. In: Proc. 1st ACM Conference on Computer and Communications Security (CCS), pp. 244–250. ACM, New York (1993)

    Chapter  Google Scholar 

  7. Blizzard Entertainment: Blizzard authenticator (2009), http://eu.blizzard.com/support/article.xml?locale=en_GB&articleId=28152

  8. Boyko, V., MacKenzie, P., Patel, S.: Provably secure Password-Authenticated Key exchange using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 156–171. Springer, Heidelberg (2000)

    Chapter  Google Scholar 

  9. Chevassut, O., Siebenlist, F., Helm, M.: Secure (one-time-) password authentication for the Globus toolkit. In: GlobusWorld Conference (February 2005), http://acs.lbl.gov/Projects/OPKeyX/Talks/GlobusWorld05/GlobusWorld05.html

  10. F-Secure: Weblog: More on international phishing (October 2005), http://www.f-secure.com/weblog/archives/00000689.html

  11. Fang, L., Meder, S., Chevassut, O., Siebenlist, F.: Secure password-based authenticated key exchange for web services. In: Proc. 2004 Workshop on Secure Web Service (SWS), pp. 9–15. ACM, New York (2004)

    Chapter  Google Scholar 

  12. Gentry, C., MacKenzie, P., Ramzan, Z.: PAK-Z+ contribution to the IEEE P1363-2000 study group for Future PKC Standards (August 2005), http://grouper.ieee.org/groups/1363/WorkingGroup/presentations/pakzplusv2.pdf ;

  13. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. Journal of the ACM 33(4), 792–807 (1986)

    Article  MathSciNet  Google Scholar 

  14. Haller, N.: The S/KEY one-time password system. RFC 1760 (February 1995), http://www.ietf.org/rfc/rfc1760.txt

  15. Haller, N., Metz, C., Nesser II, P.J., Straw, M.: A one-time password system. RFC 2289 (February 1998), http://www.ietf.org/rfc/rfc2289.txt

  16. Kaufman, C.: Internet Key Exchange (IKEv2) protocol. RFC 4306 (2005), http://www.ietf.org/rfc/rfc4306.txt

  17. Kumar, S., Sing, A.: One time password in IKE version 2, non-EAP based (November 2008) (internet-Draft), http://tools.ietf.org/id/draft-sunabhi-otp-ikev2-03.txt

  18. MacKenzie, P.: The PAK suite: Protocols for password-authenticated key exchange. Tech. Rep. 2002-46, DIMACS Center, Rutgers University (2002), http://dimacs.rutgers.edu/TechnicalReports/abstracts/2002/2002-46.html

  19. Mobile-OTP Project: Mobile one time passwords, http://motp.sourceforge.net/

  20. Nationwide Building Society: Card reader security (May 2009), http://www.nationwide.co.uk/rca/

  21. Nordea Bank: Netbank security (2009), http://www.nordea.ee/Private+customers/E-channels++Netbank/Netbank/Netbank+Security/936612.html

  22. Paterson, K.G., Stebila, D.: One-time-password-authenticated key exchange (full version), http://eprint.iacr.org/2009/430

  23. Nystroem, M.: The EAP protected one-time password protocol (EAP-POTP). RFC 4793 (February 2007), http://www.ietf.org/rfc/rfc4793.txt

  24. Prigg, M.: The new credit card with keypad that promises to fight online fraud (November 2008) (The Daily Mail Online), http://www.dailymail.co.uk/sciencetech/article-1085642/The-new-credit-card-keypad-promises-fight-online-fraud.html?ITO=1490

  25. RSA Security Inc.: RSA SecurID (2009), http://www.rsa.com/node.aspx?id=1156

  26. Shoup, V.: On formal models for secure key exchange (version 4) (November 1999), http://shoup.net/papers/skey.pdf , earlier version appeared as Report RZ 3120, IBM Research (April 1999), http://www.zurich.ibm.com/security/publications/1999/Shoup99.ps.gz

  27. Stebila, D.: Classical Authenticated Key Exchange and Quantum Cryptography. Ph.D. thesis, University of Waterloo (2009), http://www.douglas.stebila.ca/research/papers/ste09/

Download references

Author information

Authors and Affiliations

  1. Information Security Group, Royal Holloway, University of London, Egham, Surrey, UK

    Kenneth G. Paterson

  2. Information Security Institute, Queensland University of Technology, Brisbane, Australia

    Douglas Stebila

Authors
  1. Kenneth G. Paterson
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Douglas Stebila
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computing, Macquarie University,, NSW 2109, North Ryde, Australia

    Ron Steinfeld

  2. Qualcomm Incorporated, Suite 301, Level 3, 77 King Street, NSW 2000, Sydney, Australia

    Philip Hawkes

Rights and permissions

Reprints and permissions

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Paterson, K.G., Stebila, D. (2010). One-Time-Password-Authenticated Key Exchange. In: Steinfeld, R., Hawkes, P. (eds) Information Security and Privacy. ACISP 2010. Lecture Notes in Computer Science, vol 6168. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14081-5_17

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-14081-5_17

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-14080-8

  • Online ISBN: 978-3-642-14081-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation