ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Strong password-only authenticated key exchange
Full text PdfPdf (1.52 MB)
Source ACM SIGCOMM Computer Communication Review archive
Volume 26 ,  Issue 5  (October 1996) table of contents
Pages: 5 - 26  
Year of Publication: 1996
ISSN:0146-4833
Author
David P. Jablon  Integrity Sciences, Inc., Westboro, MA
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 22,   Downloads (12 Months): 135,   Citation Count: 40
Additional Information:

abstract   references   cited by   index terms  

Tools and Actions: Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/242896.242897
What is a DOI?

ABSTRACT

A new simple password exponential key exchange method (SPEKE) is described. It belongs to an exclusive class of methods which provide authentication and key establishment over an insecure channel using only a small password, without risk of offline dictionary attack. SPEKE and the closely-related Diffie-Hellman Encrypted Key Exchange (DH-EKE) are examined in light of both known and new attacks, along with sufficient preventive constraints. Although SPEKE and DH-EKE are similar, the constraints are different. The class of strong password-only methods is compared to other authentication schemes. Benefits, limitations, and tradeoffs between efficiency and security are discussed. These methods are important for several uses, including replacement of obsolete systems, and building hybrid two-factor systems where independent password-only and key-based methods can survive a single event of either key theft or password compromise.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
[And94] R. J. Anderson and T. M. A. Lomas, "Fortifying Key Negotiation Schemes with Poorly Chosen Passwords", Electronics Letters, v. 30, n. 13, June 23, 1994, pp. 1040-1041.
 
2
[Bel96] S. M. Bellovin, private communication.
 
3
Steven M. Bellovin , Michael Merritt, Encrypted Key Exchange: Password-Based Protocols SecureAgainst Dictionary Attacks, Proceedings of the 1992 IEEE Symposium on Security and Privacy, p.72, May 04-06, 1992
 
4
[BM93] S. M. Bellovin and M. Merritt, "An Attack on the Interlock Protocol When Used for Authentication", I.E.E.E. Transactions on Information Theory, v. 40, n. 1, January 1994, pp. 273-275.
 
5
[BM94] S. M. Bellovin and M. Merritt, "Augmented Encrypted Key Exchange: a Password-Based Protocol Secure Against Dictionary Attacks and Password File Compromise", AT&T Bell Laboratories (c. 1994).
 
6
[DH79] W. Diffie and M. E. Hellman, "Privacy and Authentication: An Introduction to Cryptography," Proceedings of the I.E.E.E., vol. 67, No. 3, pp. 397-427 (Mar. 1979).
 
7
Whitfield Diffie , Paul C. Van Oorschot , Michael J. Wiener, Authentication and authenticated key exchanges, Designs, Codes and Cryptography, v.2 n.2, p.107-125, June 1992  [doi>10.1007/BF00124891]
 
8
Carl M. Ellison, Establishing identity without certification authorities, Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography, p.7-7, July 22-25, 1996, San Jose, California
 
9
[GLNS93] L. Gong, M. Lomas, R. Needham, & J. Saltzer, "Protecting Poorly Chosen Secrets from Guessing Attacks", I.E.E.E. Journal on Selected Areas in Communications, Vol. 11, No. 5, June 1993, pp. 648-656.
 
10
Li Gong, Optimal authentication protocols resistant to password guessing attacks, Proceedings of the 8th IEEE workshop on Computer Security Foundations, p.24, March 13-15, 1995
 
11
Barry Jaspan, Dual-workfactor encrypted key exchange: efficiently preventing password chaining and dictionary attacks, Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography, p.5-5, July 22-25, 1996, San Jose, California
 
12
[McC90] K. McCurley, "The Discrete Logarithm Problem", Cryptology and Computational Number Theory, Proceedings of Symposia in Applied Mathematics, vol. 42, 1990, pp. 49-74.
 
13
[NIST94] National Institute of Standards and Technology, NIST FIPS PUB 186, "Digital Signature Standard", U.S. Department of Commerce, May 1994.
 
14
[PH78] Pohlig & Hellman, "An Improved Algorithm for Computing Logarithms over GF(p) and its Cryptographic Significance", I.E.E.E. Transactions on Information Theory, pp. 106-110, January 1978.
 
15
[Sch96] B. Schneier, "Applied Cryptography Second Edition", John Wiley & Sons, 1996.
16
Michael Steiner , Gene Tsudik , Michael Waidner, Refinement and extension of encrypted key exchange, ACM SIGOPS Operating Systems Review, v.29 n.3, p.22-30, July 1995  [doi>10.1145/206826.206834]
 
17
[TA91] J. Tardo & K. Alagappan, "SPX: Global authentication using public key certificates", Proceedings of I.E.E.E. Computer Society Symposium on Research in Security and Privacy, Oakland, pp. 232-244, May 1991.
 
18
[vOW96] P. C. van Oorschot, M. J. Wiener, "On Diffie-Hellman Key Agreement with Short Exponents", Proceedings of Eurocrypt '96, Springer-Verlag, May 1996.

CITED BY  40
Secure password-based cipher suite for TLS, ACM Transactions on Information and System Security (TISSEC), v.4 n.2, p.134-157, May 2001
Shai Halevi , Hugo Krawczyk, Public-key cryptography and password protocols, Proceedings of the 5th ACM conference on Computer and communications security, p.122-131, November 02-05, 1998, San Francisco, California, United States
Shai Halevi , Hugo Krawczyk, Public-key cryptography and password protocols, ACM Transactions on Information and System Security (TISSEC), v.2 n.3, p.230-268, Aug. 1999
Yasuhiko Matsunaga , Ana Sanz Merino , Takashi Suzuki , Randy H. Katz, Secure authentication system for public WLAN roaming, Proceedings of the 1st ACM international workshop on Wireless mobile applications and services on WLAN hotspots, September 19-19, 2003, San Diego, CA, USA
Wei-Chi Ku, A hash-based strong-password authentication scheme without using smart cards, ACM SIGOPS Operating Systems Review, v.38 n.1, p.29-34, January 2004
Burton S. Kaliski, Jr., An unknown key-share attack on the MQV key agreement protocol, ACM Transactions on Information and System Security (TISSEC), v.4 n.3, p.275-288, August 2001
Hung-Min Sun , Bing-Chang Chen , Tzonelih Hwang, Secure key agreement protocols for three-party against guessing attacks, Journal of Systems and Software, v.75 n.1-2, p.63-68, 15 February 2005
Her-Tyan Yeh , Hung-Min Sun, Password-based user authentication and key distribution protocols for client-server applications, Journal of Systems and Software, v.72 n.1, p.97-103, June 2004
Wei-Chi Ku , Hao-Chuan Tsai , Shuai-Min Chen, Two simple attacks on Lin-Shen-Hwang's strong-password authentication protocol, ACM SIGOPS Operating Systems Review, v.37 n.4, p.26-31, October 2003
Bruce Beckles , Von Welch , Jim Basney, Mechanisms for increasing the usability of grid security, International Journal of Human-Computer Studies, v.63 n.1-2, p.74-101, July 2005
Craig Gentry , Philip Mackenzie , Zulfikar Ramzan, Password authenticated key exchange using hidden smooth subgroups, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA
Ya-Fen Chang , Chin-Chen Chang, A secure and efficient strong-password authentication protocol, ACM SIGOPS Operating Systems Review, v.38 n.3, p.79-90, July 2004
Chun-Li Lin , Hung-Min Sun , Tzonelih Hwang, Three-party encrypted key exchange: attacks and a solution, ACM SIGOPS Operating Systems Review, v.34 n.4, p.12-20, October 2000
Julie Thorpe , P. C. van Oorschot , Anil Somayaji, Pass-thoughts: authenticating with our minds, Proceedings of the 2005 workshop on New security paradigms, September 20-23, 2005, Lake Arrowhead, California
Ana Sanz Merino , Yasuhiko Matsunaga , Manish Shah , Takashi Suzuki , Randy H. Katz, Secure authentication system for public WLAN roaming, Mobile Networks and Applications, v.10 n.3, p.355-370, June 2005
Zhu Zhao , Zhongqi Dong , Yongge Wang, Security analysis of a password-based authentication protocol proposed to IEEE 1363, Theoretical Computer Science, v.352 n.1, p.280-287, 7 March 2006
Her-Tyan Yeh , Hung-Min Sun, Simple authenticated key agreement protocol resistant to password guessing attacks, ACM SIGOPS Operating Systems Review, v.36 n.4, p.14-22, October 2002
Cheng-Chi Lee , Li-Hua Li , Min-Shiang Hwang, A remote user authentication scheme using hash functions, ACM SIGOPS Operating Systems Review, v.36 n.4, p.23-29, October 2002
Marko Hölbl , Tatjana Welzer , Boštjan Brumen, Improvement of the Peyravian-Jeffries's user authentication protocol and password change protocol, Computer Communications, v.31 n.10, p.1945-1951, June, 2008
Xavier Boyen, Halting password puzzles: hard-to-break encryption from human-memorable keys, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-16, August 06-10, 2007, Boston, MA
Paul C. Van Oorschot , Stuart Stubblebine, On countering online dictionary attacks with login histories and humans-in-the-loop, ACM Transactions on Information and System Security (TISSEC), v.9 n.3, p.235-258, August 2006
Mario Di Raimondo , Rosario Gennaro, Provably secure threshold password-authenticated key exchange, Journal of Computer and System Sciences, v.72 n.6, p.978-1001, September 2006
Hung-Min Sun , Her-Tyan Yeh, Password-based authentication and key distribution protocols with perfect forward secrecy, Journal of Computer and System Sciences, v.72 n.6, p.1002-1011, September 2006
Rosario Gennaro , Yehuda Lindell, A framework for password-based authenticated key exchange1, ACM Transactions on Information and System Security (TISSEC), v.9 n.2, p.181-234, May 2006
Kyung-Ah Shim, Potential weaknesses of AuthA password-authenticated key agreement protocols, Computer Standards & Interfaces, v.29 n.5, p.580-583, July, 2007
Zhiguo Wan , Robert H. Deng , Feng Bao , Akkihebbal L. Ananda, Access control protocols with two-layer architecture for wireless networks, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.3, p.655-670, February, 2007
Zhenchuan Chai , Zhenfu Cao , Rongxing Lu, Threshold password authentication against guessing attacks in Ad hoc networks, Ad Hoc Networks, v.5 n.7, p.1046-1054, September, 2007
Gregory V. Bard, Spelling-error tolerant, order-independent pass-phrases via the damerau-levenshtein string-edit distance metric, Proceedings of the fifth Australasian symposium on ACSW frontiers, January 30-February 02, 2007, Ballarat, Australia
Chun-Li Lin , Hung-Min Sun , Tzonelih Hwang, Efficient and practical DHEKE protocols, ACM SIGOPS Operating Systems Review, v.35 n.1, p.41-47, January 1, 2001
Radia Perlman , Charlie Kaufman, User-centric PKI, Proceedings of the 7th symposium on Identity and trust on the Internet, March 04-06, 2008, Gaithersburg, Maryland
Chin-Ling Chen , Chih-Cheng Chen , Ling-Chun Liu , Gwoboa Horng, A server-aided signature scheme for mobile commerce, Proceedings of the 2007 international conference on Wireless communications and mobile computing, August 12-16, 2007, Honolulu, Hawaii, USA
Yuh-Min Tseng, An Efficient Two-Party Identity-Based Key Exchange Protocol, Informatica, v.18 n.1, p.125-136, January 2007
Bin-Tsan Hsieh , Hung-Min Sun , Tzonelih Hwang, On the Security of Some Password Authentication Protocols, Informatica, v.14 n.2, p.195-204, April 2003
Chou-Chen Yang , Ting-Yi Chang , Min-Shiang Hwang, Security of Improvement on Methods for Protecting Password Transmission, Informatica, v.14 n.4, p.551-558, December 2003
Thulasi Goriparthi , Manik Lal Das , Ashutosh Saxena, An improved bilinear pairing based remote user authentication scheme, Computer Standards & Interfaces, v.31 n.1, p.181-185, January, 2009
Sławomir Grzonkowski , Wojciech Zaremba , Maciej Zaremba , Bill McDaniel, Extending web applications with a lightweight zero knowledge proof authentication, Proceedings of the 5th international conference on Soft computing as transdisciplinary science and technology, October 28-31, 2008, Cergy-Pontoise, France
Neng-Wen Wang , Yueh-Min Huang, A novel software key container in on-line media services, Computers and Electrical Engineering, v.35 n.2, p.370-375, March, 2009
Chin-Chen Chang , Shih-Chang Chang, The design of e-traveler's check with efficiency and mutual authentication, Proceedings of the 3rd International Conference on Ubiquitous Information Management and Communication, January 15-16, 2009, Suwon, Korea
Zhiguo Wan , Robert H. Deng , Feng Bao , Bart Preneel , Ming Gu, nPAKE+: a tree-based group password-authenticated key exchange protocol using different passwords, Journal of Computer Science and Technology, v.24 n.1, p.138-151, January 2009
Tian-Fu Lee , Jenn-Long Liu , Mei-Jiun Sung , Shiueng-Bien Yang , Chia-Mei Chen, Communication-efficient three-party protocols for authentication and key agreement, Computers & Mathematics with Applications, v.58 n.4, p.641-648, August, 2009

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.0 General
          Subjects: Security and protection (e.g., firewalls)

Additional Classification:
  D. Software
  D.4 OPERATING SYSTEMS

  G. Mathematics of Computing
  G.2 DISCRETE MATHEMATICS

  K. Computing Milieux
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS


General Terms:
Design, Performance, Security, Theory


The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player