Threshold Password-Authenticated Key Exchange
Abstract
In most password-authenticated key exchange systems there is a single server storing password verification data. To provide some resilience against server compromise, this data typically takes the form of a one-way function of the password (and possibly a salt, or other public values), rather than the password itself. However, if the server is compromised, this password verification data can be used to perform an offline dictionary attack on the user’s password. In this paper we propose an efficient password-authenticated key exchange system involving a set of servers, in which a certain threshold of servers must participate in the authentication of a user, and in which the compromise of any fewer than that threshold of servers does not allow an attacker to perform an offline dictionary attack. We prove our system is secure in the random oracle model under the Decision Diffie-Hellman assumption against an attacker that may eavesdrop on, insert, delete, or modify messages between the user and servers, and that compromises fewer than that threshold of servers.
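The threshold property the abstract claims (a single server's verifier permits an offline dictionary attack; fewer than t shares of it permit none) can be seen concretely with the following added Python example. It is not the paper's protocol: it shares a hashed verifier with Shamir's t-of-n polynomial sharing over a prime field, whereas the paper's scheme is built on Diffie-Hellman and its servers never reconstruct the verifier. The salt, dictionary, password, the field modulus `P` and all function names are constructed for this illustration.

```python
import hashlib
import secrets

# Added illustration, not the paper's protocol: password verification data is a
# one-way function of (salt, password); sharing it t-of-n among servers with
# Shamir's scheme means fewer than t shares say nothing about the password.
# P is a Mersenne prime used as the field modulus (an assumption for this toy).
P = (1 << 127) - 1


def verifier(password: str, salt: bytes) -> int:
    """Single-server style verification data: H(salt || password) as a field element."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % P


def offline_attack(stored: int, salt: bytes, dictionary):
    """What a compromised single server enables: test every candidate against the verifier."""
    for candidate in dictionary:
        if verifier(candidate, salt) == stored:
            return candidate
    return None


def share(secret: int, t: int, n: int):
    """Shamir t-of-n sharing: random degree-(t-1) polynomial with f(0) = secret; shares are f(1..n)."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]

    def f(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc

    return [(i, f(i)) for i in range(1, n + 1)]


def lagrange_at(points, x: int) -> int:
    """Evaluate at x the unique polynomial of degree < len(points) through the given points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def reconstruct(shares) -> int:
    """Any t shares determine f(0), i.e. the verifier."""
    return lagrange_at(shares, 0)


def consistent_with(shares, t: int, candidate_secret: int) -> bool:
    """Is there a degree-(t-1) polynomial through all `shares` and (0, candidate_secret)?
    With at most t-1 shares the answer is always yes (t points, t coefficients), which is
    exactly why a coalition below the threshold cannot rule out any password."""
    points = [(0, candidate_secret)] + list(shares)
    if len(points) <= t:
        return True
    base, rest = points[:t], points[t:]
    return all(lagrange_at(base, x) == y for x, y in rest)


def surviving_candidates(shares, salt: bytes, dictionary, t: int):
    """Dictionary entries an attacker holding `shares` cannot exclude."""
    return [c for c in dictionary if consistent_with(shares, t, verifier(c, salt))]


def demo():
    # Constructed toy inputs: a 4-word dictionary, the real password and a fixed salt.
    salt = b"constructed-salt"
    dictionary = ["123456", "password", "hunter2", "letmein"]
    password = "hunter2"
    t, n = 3, 5

    v = verifier(password, salt)
    shares = share(v, t, n)

    single_server = offline_attack(v, salt, dictionary)                          # leaks "hunter2"
    below_threshold = surviving_candidates(shares[:t - 1], salt, dictionary, t)  # all 4 survive
    at_threshold = surviving_candidates(shares[:t], salt, dictionary, t)         # only "hunter2"
    return single_server, below_threshold, at_threshold


if __name__ == "__main__":
    print(demo())
```

Two caveats when reading this against the abstract. First, the toy only models the offline part of the threat: the paper's adversary additionally interacts with the servers, so a real protocol must also bound online guessing. Second, the toy lets t shares be assembled in one place; in a threshold PAKE the servers compute on their shares during authentication and the verifier is never reconstructed, which is what makes the "fewer than t servers" compromise bound meaningful in practice.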
Keywords
Random Oracle, Random Oracle Model, Public Share, Test Query, Dictionary Attack