A Method for Making Password-Based Key Exchange Resilient to Server Compromise

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4117)


This paper considers the problem of password-authenticated key exchange (PAKE) in a client-server setting, where the server authenticates using a stored password file, and it is desirable to maintain some degree of security even if the server is compromised. A PAKE scheme is said to be resilient to server compromise if an adversary who compromises the server must at least perform an offline dictionary attack to gain any advantage in impersonating a client. (Of course, offline dictionary attacks should be infeasible in the absence of server compromise.) One can see that this is the best security possible, since by definition the password file has enough information to allow one to play the role of the server, and thus to verify passwords in an offline dictionary attack.

While some previous PAKE schemes have been proven resilient to server compromise, there was no known general technique to take an arbitrary PAKE scheme and make it provably resilient to server compromise. This paper presents a practical technique for doing so, which requires essentially one extra round of communication and one signature computation/verification. We prove security in the universal composability framework by (1) defining a new functionality for PAKE with resilience to server compromise, (2) specifying a protocol combining this technique with a (basic) PAKE functionality, and (3) proving (in the random oracle model) that this protocol securely realizes the new functionality.


Keywords: Encryption Scheme, Signature Scheme, Random Oracle, Random Oracle Model, Dictionary Attack



Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  1. Stanford University, Palo Alto, USA
  2. Google, Inc., Mountain View, USA
  3. Symantec, Inc., Redwood City, USA
