Abstract
Password-only authenticated key exchange (PAKE) protocols are designed to be secure even when users choose short, easily guessed passwords. Security requires, in particular, that the protocol cannot be broken by an off-line dictionary attack, in which an adversary enumerates all possible passwords in an attempt to determine the correct one based on previously-viewed transcripts. Recently, provably-secure protocols for PAKE were given in the idealized random oracle/ideal cipher models [2], [8], [19] and in the standard model based on general assumptions [11] or the DDH assumption [14].
The latter protocol (the KOY protocol) is currently the only known practical solution based on standard assumptions. However, only a proof of basic security for this protocol has appeared. In the basic setting the adversary is assumed not to corrupt clients (thereby learning their passwords) or servers (thereby modifying the value of stored passwords). Simplifying and unifying previous work, we present a natural definition of security which incorporates the more challenging requirement of forward secrecy. We then demonstrate via an explicit attack that the KOY protocol as originally presented is not secure under this definition. This provides the first natural example showing that forward secrecy is a strictly stronger requirement for PAKE protocols. Finally, we present a slight modification of the KOY protocol which prevents the attack and — as the main technical contribution of this paper — rigorously prove that the modified protocol achieves forward secrecy.
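The off-line dictionary attack the abstract refers to is easiest to see by contrast. The following Python example is added here for illustration and is not code from the paper or from the KOY protocol: it runs a naive hashed challenge-response login and a masked Diffie-Hellman exchange in the general style of EKE/PAK, then applies the only check an eavesdropper can make against each transcript for every password in a small dictionary. All parameters (the 11-bit safe prime, the generator, the function names `run_naive`, `run_pake`, `dictionary_survivors`, and the sample passwords) are constructed for the example; the group is far too small to be secure and is chosen only so the transcript property is easy to inspect.

```python
"""Why PAKE matters: a transcript must not act as a password-check oracle.
Everything here is a constructed toy (small group, simplified EKE/PAK-style
masking); it is neither the KOY protocol nor a secure implementation."""
import hashlib
import secrets

# Constructed toy group: safe prime P = 2Q + 1.  The quadratic residues
# mod P form the prime-order-Q subgroup, generated by G = 4 = 2^2.
P = 2039
Q = 1019
G = 4


def h(*parts):
    """Domain-separated SHA-256 over the given values (hex digest)."""
    data = "|".join(str(x) for x in parts).encode()
    return hashlib.sha256(data).hexdigest()


def hash_to_group(password):
    """Map a password into the order-Q subgroup: square a non-zero residue."""
    r = int(h("pw", password), 16) % (P - 1) + 1   # r in [1, P-1]
    return pow(r, 2, P)


# --- Protocol 1: naive hashed challenge-response (not a PAKE) -------------

def run_naive(client_pw, server_pw):
    """Server sends a nonce, client answers H(nonce, pw).
    Returns the eavesdropped transcript and the server's verdict."""
    nonce = secrets.token_hex(16)
    response = h("naive", nonce, client_pw)
    accepted = response == h("naive", nonce, server_pw)
    return {"nonce": nonce, "response": response}, accepted


def naive_guess_consistent(transcript, guess):
    """Offline check: the transcript itself confirms or refutes a guess."""
    return h("naive", transcript["nonce"], guess) == transcript["response"]


# --- Protocol 2: masked Diffie-Hellman, PAKE-style -----------------------

def run_pake(client_pw, server_pw):
    """Client sends m = g^x * H1(pw); server unmasks with its own password
    and both derive K = g^(xy).  Key confirmation values are exchanged.
    Returns (transcript, client_key, server_key, client_accepted)."""
    x = secrets.randbelow(Q - 1) + 1
    y = secrets.randbelow(Q - 1) + 1
    m = (pow(G, x, P) * hash_to_group(client_pw)) % P           # client -> server
    mu = pow(G, y, P)                                           # server -> client
    gx_server = (m * pow(hash_to_group(server_pw), -1, P)) % P  # m / H1(pw_server)
    k_server = pow(gx_server, y, P)
    k_client = pow(mu, x, P)
    conf1 = h("conf1", m, mu, k_server)                         # server -> client
    accepted = conf1 == h("conf1", m, mu, k_client)
    conf2 = h("conf2", m, mu, k_client) if accepted else None   # client -> server
    transcript = {"m": m, "mu": mu, "conf1": conf1, "conf2": conf2}
    return transcript, h("sk", m, mu, k_client), h("sk", m, mu, k_server), accepted


def pake_guess_consistent(transcript, guess):
    """Best offline check from the transcript alone: unmask m with the guess
    and test subgroup membership.  Every guess unmasks to a valid element,
    so nothing is ruled out; testing conf1/conf2 would need K itself, i.e.
    solving Diffie-Hellman (trivial in this toy group, infeasible at size)."""
    candidate_gx = (transcript["m"] * pow(hash_to_group(guess), -1, P)) % P
    return pow(candidate_gx, Q, P) == 1


def dictionary_survivors(transcript, dictionary, consistent):
    """Passwords the eavesdropper cannot rule out from the transcript."""
    return [pw for pw in dictionary if consistent(transcript, pw)]


if __name__ == "__main__":
    # Constructed sample dictionary; "hunter2" is the shared password.
    dictionary = ["123456", "password", "hunter2", "letmein", "qwerty"]
    t_naive, _ = run_naive("hunter2", "hunter2")
    print("naive survivors:", dictionary_survivors(t_naive, dictionary, naive_guess_consistent))
    t_pake, ck, sk, ok = run_pake("hunter2", "hunter2")
    print("pake survivors: ", dictionary_survivors(t_pake, dictionary, pake_guess_consistent))
    print("keys match:", ck == sk and ok)
```

Run as a script, the naive transcript leaves exactly one surviving password (the dictionary attack succeeds off-line), while the masked exchange leaves the whole dictionary standing: an adversary learns nothing from the transcript and is reduced to one on-line guess per session, which is the security goal the abstract describes. Forward secrecy, the paper's actual subject, is a stronger requirement on top of this and is not captured by the toy.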
References
[1] M. Bellare, R. Canetti, and H. Krawczyk. A Modular Approach to the Design and Analysis of Authentication and Key Exchange Protocols. STOC ’98.
[2] M. Bellare, D. Pointcheval, and P. Rogaway. Authenticated Key Exchange Secure Against Dictionary Attacks. Eurocrypt ’00.
[3] M. Bellare and P. Rogaway. Entity Authentication and Key Distribution. Crypto ’93.
[4] M. Bellare and P. Rogaway. Provably-Secure Session Key Distribution: the Three Party Case. STOC ’95.
[5] S.M. Bellovin and M. Merritt. Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks. IEEE Symposium on Research in Security and Privacy, IEEE, 1992, pp. 72–84.
[6] R. Bird, I. Gopal, A. Herzberg, P. Janson, S. Kutten, R. Molva, and M. Yung. Systematic Design of Two-Party Authentication Protocols. Crypto ’91.
[7] M. Boyarsky. Public-Key Cryptography and Password Protocols: The Multi-User Case. ACM CCS ’99.
[8] V. Boyko, P. MacKenzie, and S. Patel. Provably-Secure Password-Authenticated Key Exchange Using Diffie-Hellman. Eurocrypt ’00.
[9] W. Diffie and M. Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, 22(6): 644–654 (1976).
[10] W. Diffie, P. van Oorschot, and M. Wiener. Authentication and Authenticated Key Exchanges. Designs, Codes, and Cryptography, 2(2): 107–125 (1992).
[11] O. Goldreich and Y. Lindell. Session-Key Generation Using Human Passwords Only. Crypto ’01.
[12] S. Halevi and H. Krawczyk. Public-Key Cryptography and Password Protocols. ACM Transactions on Information and System Security, 2(3): 230–268 (1999).
[13] J. Katz. Efficient Cryptographic Protocols Preventing “Man-in-the-Middle” Attacks. PhD thesis, Columbia University, 2002.
[14] J. Katz, R. Ostrovsky, and M. Yung. Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords. Eurocrypt ’01.
[15] T.M.A. Lomas, L. Gong, J.H. Saltzer, and R.M. Needham. Reducing Risks from Poorly-Chosen Keys. ACM Operating Systems Review, 23(5): 14–18 (1989).
[16] P. MacKenzie. More Efficient Password-Authenticated Key Exchange. RSA ’01.
[17] P. MacKenzie. On the Security of the SPEKE Password-Authenticated Key-Exchange Protocol. Manuscript, 2001.
[18] P. MacKenzie. Personal communication. April, 2002.
[19] P. MacKenzie, S. Patel, and R. Swaminathan. Password-Authenticated Key Exchange Based on RSA. Asiacrypt ’00.
[20] V. Shoup. On Formal Models for Secure Key Exchange. Available at http://eprint.iacr.org/1999/012.
[21] T. Wu. The Secure Remote Password Protocol. Proceedings of the Internet Society Symposium on Network and Distributed System Security, 1998, pp. 97–111.
© 2003 Springer-Verlag Berlin Heidelberg
Cite this paper
Katz, J., Ostrovsky, R., Yung, M. (2003). Forward Secrecy in Password-Only Key Exchange Protocols. In: Cimato, S., Persiano, G., Galdi, C. (eds) Security in Communication Networks. SCN 2002. Lecture Notes in Computer Science, vol 2576. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36413-7_3
DOI: https://doi.org/10.1007/3-540-36413-7_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-00420-2
Online ISBN: 978-3-540-36413-9