Abstract
Due to the low entropy of human-memorable passwords, it is not easy to conduct password authenticated key agreement in a secure manner. Though there are many protocols achieving this goal, they may require a large amount of computation specifically in the augmented model which was contrived to resist server compromise. Our contribution in this paper is two fold. First, we propose a new practical password authenticated key agreement protocol that is efficient and generic in the augmented model. Our scheme is considered from the practical perspective (in terms of efficiency) and is provably secure under the Diffie-Hellman intractability assumptions in the random-oracle model. Our second contribution is more realistic and generic; a conceptually simple but novel password guessing attack which can be mounted on every three-pass password-based protocol unless care is taken in both the design and implementation phases. This is due to the server’s failure to synchronize multiple simultaneous requests. Experimental results and possible prevention methods are also discussed.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)
Bellare, M., Rogaway, P.: Provably secure session key distribution-the three party case. In: ACM Symposium on the Theory of Computing, pp. 232–249 (1993)
Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attack. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000)
Bellare, M., Rogaway, P.: The AuthA protocol for password-based authenticated key exchange. Submission to the IEEE P1363.2 study group, available from http://www.cs.ucdavis.edu/~rogaway/papers/autha.ps
Bellovin, S., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: IEEE Symposium on Research in Security and Privacy, pp. 72–84 (1992)
Bellovin, S., Merritt, M.: Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password-file compromise. In: ACM Conference on Computer and Communications Securit, pp. 244–250 (1993)
Boyko, V., MacKenzie, P., Patel, S.: Provably secure password authenticated key exchange using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 156–171. Springer, Heidelberg (2000)
Bresson, E., Chevassut, O., Pointcheval, D.: Security proofs for an efficient password-based key exchange. In: ACM Conference on Computer Communications Security (2003)
Bresson, E., Chevassut, O., Pointcheval, D.: New security results on Encrypted Key Exchange. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 145–158. Springer, Heidelberg (2004)
Diffie, W., Hellman, M.: New directions in cryptography. IEEE Transactions on Information Theory 22(6), 644–654 (1976)
Diffie, W., van Oorschot, P., Wiener, M.: Authentication and authenticated key exchanges. Designs, Codes and Cryptography 2, 107–125 (1992)
Goldreich, O., Lindell, Y.: Session-key generation using human passwords only. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 408–432. Springer, Heidelberg (2001)
IEEE P1363.2, Standard specifications for password-based public key cryptographic techniques, available from http://grouper.ieee.org/groups/1363/ (December 2002)
ISO/IEC WD 11770-4, Information technology - Security techniques - Key management - Part 4: Mechanisms based on weak secrets, ISO/IEC JTC 1/SC 27 (November 2003)
Phoenix Technologies, Inc., Research Papers on Strong Password Authentication, available from http://www.integritysciences.com/links.html (2002)
Jablon, D.: Strong password-only authenticated key exchange. ACM Computer Communications Review 26(5), 5–26 (1996)
Jablon, D.: Extended password key exchange protocols. In: WETICE Workshop on Enterprise Security, pp. 248–255 (1997)
Katz, J., Ostrovsky, R., Yung, M.: Efficient password-authenticated key exchange using human-memorable passwords. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 475–494. Springer, Heidelberg (2001)
Kobara, K., Imai, H.: Pretty-simple password-authenticated key-exchange protocol proven to be secure in the standard model. IEICE Trans. E85-A(10), 2229–2237 (2002)
Krawczyk, H.: SIGMA: The ‘SINGn-and-MAc’ approach to authenticated Diffie- Hellman and its use in the IKE protocols. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 400–425. Springer, Heidelberg (2003)
Kwon, T.: Authentication and key agreement via memorable password. In: ISOC Network and Distributed System Security Symposium (February 2001)
Kwon, T.: Practical authenticated key agreement using passwords, Full version of this paper, available from http://dasan.sejong.ac.kr/~tkwon/amp.html
Lim, C., Lee, P.: A key recovery attack on discrete log-based schemes using a prime order subgroup. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 249–263. Springer, Heidelberg (1997)
Lomas, M., Gong, L., Saltzer, J., Needham, R.: Reducing risks from poorly chosen keys. In: ACM Symposium on Operating System Principles, pp. 14–18 (1989)
MacKenzie, P.: More efficient password-authenticated key exchange. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 361–377. Springer, Heidelberg (2001)
MacKenzie, P.: The PAK suite: Protocols for Password-Authenticated Key Exchange. Submission to IEEE P1363.2 (April 2002)
Menezes, A., van Oorschot, P., Vanstone, S.: Handbook of applied cryptography, pp. 517–518. CRC Press, Inc, Boca Raton (1997)
van Oorschot, P.C., Wiener, M.: On diffie-hellman key agreement with short exponents. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 332–343. Springer, Heidelberg (1996)
Perlman, R., Kaufman, C.: PDM: A new strong password-based protocol. In: USENIX Security Symposium, pp. 313–321 (2001)
Schnorr, C.-P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, Heidelberg (1990)
Scott, M.: Personal communication (July 2001)
Wu, T.: Secure remote password protocol. In: ISOC Network and Distributed System Security Symposium (1998)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kwon, T. (2004). Practical Authenticated Key Agreement Using Passwords. In: Zhang, K., Zheng, Y. (eds) Information Security. ISC 2004. Lecture Notes in Computer Science, vol 3225. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30144-8_1
Download citation
DOI: https://doi.org/10.1007/978-3-540-30144-8_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-23208-7
Online ISBN: 978-3-540-30144-8
eBook Packages: Springer Book Archive