One-time-password-authenticated key exchange (full version)

To reduce the damage of phishing and spyware attacks, banks, governments, and other security-sensitive industries are deploying one-time password systems, where users have many passwords and use each password only once. If a single password is compromised, it can only be used to impersonate the user once, limiting the damage caused. However, existing practical approaches to one-time passwords have been susceptible to sophisticated phishing attacks. We give a formal security treatment of this important practical problem. We consider the use of one-time passwords in the context of password-authenticated key exchange (PAKE), which allows for mutual authentication, session key agreement, and resistance to phishing attacks. We describe a security model for the use of one-time passwords, explicitly considering the compromise of past (and future) one-time passwords, and show a general technique for building a secure one-time-PAKE protocol from any secure PAKE protocol. Our techniques also allow for the secure use of pseudorandomly generated and time-dependent passwords.
