Practical Authenticated Key Agreement Using Passwords

  • Conference paper
Information Security (ISC 2004)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3225)

Abstract

Due to the low entropy of human-memorable passwords, it is not easy to conduct password authenticated key agreement in a secure manner. Though there are many protocols achieving this goal, they may require a large amount of computation, specifically in the augmented model, which was contrived to resist server compromise. Our contribution in this paper is twofold. First, we propose a new practical password authenticated key agreement protocol that is efficient and generic in the augmented model. Our scheme is considered from the practical perspective (in terms of efficiency) and is provably secure under the Diffie-Hellman intractability assumptions in the random-oracle model. Our second contribution is more realistic and generic: a conceptually simple but novel password guessing attack which can be mounted on every three-pass password-based protocol unless care is taken in both the design and implementation phases. This is due to the server's failure to synchronize multiple simultaneous requests. Experimental results and possible prevention methods are also discussed.
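
One way such a synchronization failure shows up, assuming the server checks its failed-attempt counter at the first pass and updates it only after the third: the Python model below is an added example, not code from the paper, and it models only the lockout bookkeeping, not the key agreement. The class names, the limit of 3 and the user name are assumptions.

```python
import threading

MAX_ATTEMPTS = 3  # assumed lockout threshold

class NaiveLimiter:
    """Checks the counter at pass 1 but updates it only after pass 3."""
    def __init__(self):
        self.failures = {}

    def open_session(self, user):
        return self.failures.get(user, 0) < MAX_ATTEMPTS

    def close_session(self, user, verified):
        self.failures[user] = 0 if verified else self.failures.get(user, 0) + 1

class ReservingLimiter:
    """Reserves an attempt at pass 1, so sessions still in flight count too."""
    def __init__(self):
        self.failures, self.pending = {}, {}
        self.lock = threading.Lock()  # check-and-reserve must be atomic

    def open_session(self, user):
        with self.lock:
            used = self.failures.get(user, 0) + self.pending.get(user, 0)
            if used >= MAX_ATTEMPTS:
                return False
            self.pending[user] = self.pending.get(user, 0) + 1
            return True

    def close_session(self, user, verified):
        # Also call with verified=False when a session times out before pass 3.
        with self.lock:
            self.pending[user] -= 1
            self.failures[user] = 0 if verified else self.failures.get(user, 0) + 1

def sessions_admitted(limiter, user, simultaneous):
    """Open every session before any completes, then fail each at pass 3."""
    opened = sum(limiter.open_session(user) for _ in range(simultaneous))
    for _ in range(opened):
        limiter.close_session(user, verified=False)
    return opened

if __name__ == "__main__":
    print("naive:    ", sessions_admitted(NaiveLimiter(), "alice", 50))
    print("reserving:", sessions_admitted(ReservingLimiter(), "alice", 50))
```

With 50 simultaneous requests the naive limiter admits all of them before its counter moves, while the reserving limiter admits only as many as the threshold allows.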



© 2004 Springer-Verlag Berlin Heidelberg

Cite this paper

Kwon, T. (2004). Practical Authenticated Key Agreement Using Passwords. In: Zhang, K., Zheng, Y. (eds) Information Security. ISC 2004. Lecture Notes in Computer Science, vol 3225. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30144-8_1

  • DOI: https://doi.org/10.1007/978-3-540-30144-8_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-23208-7

  • Online ISBN: 978-3-540-30144-8

  • eBook Packages: Springer Book Archive
