
Blind Password Registration for Two-Server Password Authenticated Key Exchange and Secret Sharing Protocols

Part of the Lecture Notes in Computer Science book series (LNSC, volume 9866)

Abstract

Many organisations enforce policies on the length and composition of passwords to encourage the selection of strong passwords and to protect their multi-user systems. For Two-Server Password Authenticated Key Exchange (2PAKE) and Two-Server Password Authenticated Secret Sharing (2PASS) protocols, where the password chosen by the client is secretly shared between the two servers, the initial remote registration of policy-compliant passwords represents a major problem because neither server is supposed to know the password in the clear.

We solve this problem by introducing Two-Server Blind Password Registration (2BPR) protocols that can be executed between a client and the two servers as part of the remote registration procedure.

2BPR protocols guarantee that the secret shares sent to the servers belong to a password that matches the servers' combined password policy, and that the plain password remains hidden from any attacker in control of at most one server. We propose a security model for 2BPR protocols capturing the requirements of policy compliance for client passwords and their blindness against the servers. Our model extends the adversarial setting of 2PAKE/2PASS protocols to the registration phase and hence closes the gap in the formal treatment of such protocols. We construct an efficient 2BPR protocol for ASCII-based password policies, prove its security in the standard model, give a proof-of-concept implementation, and discuss its performance.

Keywords

  • Commitment Scheme
  • Policy Compliance
  • Compliance Check
  • Mutual Policy
  • Common Reference String


Notes

  1. Note that using other encodings such as UTF-8 is possible but might influence performance due to the different size of the set of possible characters.

Author information

Correspondence to Franziskus Kiefer.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Kiefer, F., Manulis, M. (2016). Blind Password Registration for Two-Server Password Authenticated Key Exchange and Secret Sharing Protocols. In: Bishop, M., Nascimento, A. (eds) Information Security. ISC 2016. Lecture Notes in Computer Science, vol 9866. Springer, Cham. https://doi.org/10.1007/978-3-319-45871-7_7

  • DOI: https://doi.org/10.1007/978-3-319-45871-7_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-45870-0

  • Online ISBN: 978-3-319-45871-7

  • eBook Packages: Computer Science (R0)