Strong password-only authenticated key exchange

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback
Take a look at the new version of this page: [ beta version ]. Tell us what you think.

Strong password-only authenticated key exchange

Full text

Pdf (1.52 MB)

Source

ACM SIGCOMM Computer Communication Review archive
Volume 26 , Issue 5 (October 1996) table of contents

Pages: 5 - 26

Year of Publication: 1996

ISSN:0146-4833

Author

David P. Jablon

Integrity Sciences, Inc., Westboro, MA

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 10, Downloads (12 Months): 131, Citation Count: 44

Additional Information:

abstract references cited by index terms

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/242896.242897 What is a DOI?

ABSTRACT

A new simple password exponential key exchange method (SPEKE) is described. It belongs to an exclusive class of methods which provide authentication and key establishment over an insecure channel using only a small password, without risk of offline dictionary attack. SPEKE and the closely-related Diffie-Hellman Encrypted Key Exchange (DH-EKE) are examined in light of both known and new attacks, along with sufficient preventive constraints. Although SPEKE and DH-EKE are similar, the constraints are different. The class of strong password-only methods is compared to other authentication schemes. Benefits, limitations, and tradeoffs between efficiency and security are discussed. These methods are important for several uses, including replacement of obsolete systems, and building hybrid two-factor systems where independent password-only and key-based methods can survive a single event of either key theft or password compromise.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	[And94] R. J. Anderson and T. M. A. Lomas, "Fortifying Key Negotiation Schemes with Poorly Chosen Passwords", Electronics Letters, v. 30, n. 13, June 23, 1994, pp. 1040-1041.
	2	[Bel96] S. M. Bellovin, private communication.
	3	Steven M. Bellovin , Michael Merritt, Encrypted Key Exchange: Password-Based Protocols SecureAgainst Dictionary Attacks, Proceedings of the 1992 IEEE Symposium on Security and Privacy, p.72, May 04-06, 1992
	4	[BM93] S. M. Bellovin and M. Merritt, "An Attack on the Interlock Protocol When Used for Authentication", I.E.E.E. Transactions on Information Theory, v. 40, n. 1, January 1994, pp. 273-275.
	5	[BM94] S. M. Bellovin and M. Merritt, "Augmented Encrypted Key Exchange: a Password-Based Protocol Secure Against Dictionary Attacks and Password File Compromise", AT&T Bell Laboratories (c. 1994).
	6	[DH79] W. Diffie and M. E. Hellman, "Privacy and Authentication: An Introduction to Cryptography," Proceedings of the I.E.E.E., vol. 67, No. 3, pp. 397-427 (Mar. 1979).
	7	Whitfield Diffie , Paul C. Van Oorschot , Michael J. Wiener, Authentication and authenticated key exchanges, Designs, Codes and Cryptography, v.2 n.2, p.107-125, June 1992 [doi>10.1007/BF00124891]
	8	Carl M. Ellison, Establishing identity without certification authorities, Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography, p.7-7, July 22-25, 1996, San Jose, California
	9	[GLNS93] L. Gong, M. Lomas, R. Needham, & J. Saltzer, "Protecting Poorly Chosen Secrets from Guessing Attacks", I.E.E.E. Journal on Selected Areas in Communications, Vol. 11, No. 5, June 1993, pp. 648-656.
	10	Li Gong, Optimal authentication protocols resistant to password guessing attacks, Proceedings of the 8th IEEE workshop on Computer Security Foundations, p.24, March 13-15, 1995
	11	Barry Jaspan, Dual-workfactor encrypted key exchange: efficiently preventing password chaining and dictionary attacks, Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography, p.5-5, July 22-25, 1996, San Jose, California
	12	[McC90] K. McCurley, "The Discrete Logarithm Problem", Cryptology and Computational Number Theory, Proceedings of Symposia in Applied Mathematics, vol. 42, 1990, pp. 49-74.
	13	[NIST94] National Institute of Standards and Technology, NIST FIPS PUB 186, "Digital Signature Standard", U.S. Department of Commerce, May 1994.
	14	[PH78] Pohlig & Hellman, "An Improved Algorithm for Computing Logarithms over GF(p) and its Cryptographic Significance", I.E.E.E. Transactions on Information Theory, pp. 106-110, January 1978.
	15	[Sch96] B. Schneier, "Applied Cryptography Second Edition", John Wiley & Sons, 1996.
	16	Michael Steiner , Gene Tsudik , Michael Waidner, Refinement and extension of encrypted key exchange, ACM SIGOPS Operating Systems Review, v.29 n.3, p.22-30, July 1995 [doi>10.1145/206826.206834]
	17	[TA91] J. Tardo & K. Alagappan, "SPX: Global authentication using public key certificates", Proceedings of I.E.E.E. Computer Society Symposium on Research in Security and Privacy, Oakland, pp. 232-244, May 1991.
	18	[vOW96] P. C. van Oorschot, M. J. Wiener, "On Diffie-Hellman Key Agreement with Short Exponents", Proceedings of Eurocrypt '96, Springer-Verlag, May 1996.

CITED BY 45

	Secure password-based cipher suite for TLS, ACM Transactions on Information and System Security (TISSEC), v.4 n.2, p.134-157, May 2001
	Shai Halevi , Hugo Krawczyk, Public-key cryptography and password protocols, Proceedings of the 5th ACM conference on Computer and communications security, p.122-131, November 02-05, 1998, San Francisco, California, United States
	Shai Halevi , Hugo Krawczyk, Public-key cryptography and password protocols, ACM Transactions on Information and System Security (TISSEC), v.2 n.3, p.230-268, Aug. 1999
	Yasuhiko Matsunaga , Ana Sanz Merino , Takashi Suzuki , Randy H. Katz, Secure authentication system for public WLAN roaming, Proceedings of the 1st ACM international workshop on Wireless mobile applications and services on WLAN hotspots, September 19-19, 2003, San Diego, CA, USA
	Wei-Chi Ku, A hash-based strong-password authentication scheme without using smart cards, ACM SIGOPS Operating Systems Review, v.38 n.1, p.29-34, January 2004
	Burton S. Kaliski, Jr., An unknown key-share attack on the MQV key agreement protocol, ACM Transactions on Information and System Security (TISSEC), v.4 n.3, p.275-288, August 2001
	Hung-Min Sun , Bing-Chang Chen , Tzonelih Hwang, Secure key agreement protocols for three-party against guessing attacks, Journal of Systems and Software, v.75 n.1-2, p.63-68, 15 February 2005
	Her-Tyan Yeh , Hung-Min Sun, Password-based user authentication and key distribution protocols for client-server applications, Journal of Systems and Software, v.72 n.1, p.97-103, June 2004
	Wei-Chi Ku , Hao-Chuan Tsai , Shuai-Min Chen, Two simple attacks on Lin-Shen-Hwang's strong-password authentication protocol, ACM SIGOPS Operating Systems Review, v.37 n.4, p.26-31, October 2003
	Bruce Beckles , Von Welch , Jim Basney, Mechanisms for increasing the usability of grid security, International Journal of Human-Computer Studies, v.63 n.1-2, p.74-101, July 2005
	Craig Gentry , Philip Mackenzie , Zulfikar Ramzan, Password authenticated key exchange using hidden smooth subgroups, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA
	Ya-Fen Chang , Chin-Chen Chang, A secure and efficient strong-password authentication protocol, ACM SIGOPS Operating Systems Review, v.38 n.3, p.79-90, July 2004
	Chun-Li Lin , Hung-Min Sun , Tzonelih Hwang, Three-party encrypted key exchange: attacks and a solution, ACM SIGOPS Operating Systems Review, v.34 n.4, p.12-20, October 2000
	Julie Thorpe , P. C. van Oorschot , Anil Somayaji, Pass-thoughts: authenticating with our minds, Proceedings of the 2005 workshop on New security paradigms, September 20-23, 2005, Lake Arrowhead, California
	Ana Sanz Merino , Yasuhiko Matsunaga , Manish Shah , Takashi Suzuki , Randy H. Katz, Secure authentication system for public WLAN roaming, Mobile Networks and Applications, v.10 n.3, p.355-370, June 2005
	Zhu Zhao , Zhongqi Dong , Yongge Wang, Security analysis of a password-based authentication protocol proposed to IEEE 1363, Theoretical Computer Science, v.352 n.1, p.280-287, 7 March 2006
	Her-Tyan Yeh , Hung-Min Sun, Simple authenticated key agreement protocol resistant to password guessing attacks, ACM SIGOPS Operating Systems Review, v.36 n.4, p.14-22, October 2002
	Cheng-Chi Lee , Li-Hua Li , Min-Shiang Hwang, A remote user authentication scheme using hash functions, ACM SIGOPS Operating Systems Review, v.36 n.4, p.23-29, October 2002
	Marko Hölbl , Tatjana Welzer , Boštjan Brumen, Improvement of the Peyravian-Jeffries's user authentication protocol and password change protocol, Computer Communications, v.31 n.10, p.1945-1951, June, 2008
	Xavier Boyen, Halting password puzzles: hard-to-break encryption from human-memorable keys, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-16, August 06-10, 2007, Boston, MA
	Paul C. Van Oorschot , Stuart Stubblebine, On countering online dictionary attacks with login histories and humans-in-the-loop, ACM Transactions on Information and System Security (TISSEC), v.9 n.3, p.235-258, August 2006
	Mario Di Raimondo , Rosario Gennaro, Provably secure threshold password-authenticated key exchange, Journal of Computer and System Sciences, v.72 n.6, p.978-1001, September 2006
	Hung-Min Sun , Her-Tyan Yeh, Password-based authentication and key distribution protocols with perfect forward secrecy, Journal of Computer and System Sciences, v.72 n.6, p.1002-1011, September 2006
	Rosario Gennaro , Yehuda Lindell, A framework for password-based authenticated key exchange¹, ACM Transactions on Information and System Security (TISSEC), v.9 n.2, p.181-234, May 2006
	Kyung-Ah Shim, Potential weaknesses of AuthA password-authenticated key agreement protocols, Computer Standards & Interfaces, v.29 n.5, p.580-583, July, 2007
	Zhiguo Wan , Robert H. Deng , Feng Bao , Akkihebbal L. Ananda, Access control protocols with two-layer architecture for wireless networks, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.3, p.655-670, February, 2007
	Zhenchuan Chai , Zhenfu Cao , Rongxing Lu, Threshold password authentication against guessing attacks in Ad hoc networks, Ad Hoc Networks, v.5 n.7, p.1046-1054, September, 2007
	Gregory V. Bard, Spelling-error tolerant, order-independent pass-phrases via the damerau-levenshtein string-edit distance metric, Proceedings of the fifth Australasian symposium on ACSW frontiers, January 30-February 02, 2007, Ballarat, Australia
	Chun-Li Lin , Hung-Min Sun , Tzonelih Hwang, Efficient and practical DHEKE protocols, ACM SIGOPS Operating Systems Review, v.35 n.1, p.41-47, January 1, 2001
	Radia Perlman , Charlie Kaufman, User-centric PKI, Proceedings of the 7th symposium on Identity and trust on the Internet, March 04-06, 2008, Gaithersburg, Maryland
	Chin-Ling Chen , Chih-Cheng Chen , Ling-Chun Liu , Gwoboa Horng, A server-aided signature scheme for mobile commerce, Proceedings of the 2007 international conference on Wireless communications and mobile computing, August 12-16, 2007, Honolulu, Hawaii, USA
	Yuh-Min Tseng, An Efficient Two-Party Identity-Based Key Exchange Protocol, Informatica, v.18 n.1, p.125-136, January 2007
	Bin-Tsan Hsieh , Hung-Min Sun , Tzonelih Hwang, On the Security of Some Password Authentication Protocols, Informatica, v.14 n.2, p.195-204, April 2003
	Chou-Chen Yang , Ting-Yi Chang , Min-Shiang Hwang, Security of Improvement on Methods for Protecting Password Transmission, Informatica, v.14 n.4, p.551-558, December 2003
	Thulasi Goriparthi , Manik Lal Das , Ashutosh Saxena, An improved bilinear pairing based remote user authentication scheme, Computer Standards & Interfaces, v.31 n.1, p.181-185, January, 2009
	Sławomir Grzonkowski , Wojciech Zaremba , Maciej Zaremba , Bill McDaniel, Extending web applications with a lightweight zero knowledge proof authentication, Proceedings of the 5th international conference on Soft computing as transdisciplinary science and technology, October 28-31, 2008, Cergy-Pontoise, France
	Neng-Wen Wang , Yueh-Min Huang, A novel software key container in on-line media services, Computers and Electrical Engineering, v.35 n.2, p.370-375, March, 2009
	Chin-Chen Chang , Shih-Chang Chang, The design of e-traveler's check with efficiency and mutual authentication, Proceedings of the 3rd International Conference on Ubiquitous Information Management and Communication, January 15-16, 2009, Suwon, Korea
	Zhiguo Wan , Robert H. Deng , Feng Bao , Bart Preneel , Ming Gu, nPAKE⁺: a tree-based group password-authenticated key exchange protocol using different passwords, Journal of Computer Science and Technology, v.24 n.1, p.138-151, January 2009
	Tian-Fu Lee , Jenn-Long Liu , Mei-Jiun Sung , Shiueng-Bien Yang , Chia-Mei Chen, Communication-efficient three-party protocols for authentication and key agreement, Computers & Mathematics with Applications, v.58 n.4, p.641-648, August, 2009
	Her-Tyan Yeh , Hung-Min Sun, Password authenticated key exchange protocols among diverse network domains, Computers and Electrical Engineering, v.31 n.3, p.175-189, May, 2005
	Mohammad Peyravian , Clark Jeffries, Secure remote user access over insecure networks, Computer Communications, v.29 n.5, p.660-667, March, 2006
	Sebastian Gajek , Hans Löhr , Ahmad-Reza Sadeghi , Marcel Winandy, TruWallet: trustworthy and migratable wallet-based web authentication, Proceedings of the 2009 ACM workshop on Scalable trusted computing, November 13-13, 2009, Chicago, Illinois, USA
	Ya-Fen Chang , Chin-Chen Chang , Jen-Ho Yang, An efficient password authenticated key exchange protocol for imbalanced wireless networks, Computer Standards & Interfaces, v.27 n.3, p.313-322, March, 2005
	Ting-Yi Chang , Wei-Pang Yang , Min-Shiang Hwang, Simple authenticated key agreement and protected password change protocol, Computers & Mathematics with Applications, v.49 n.5-6, p.703-714, April, 2005