Strong password-based authentication in TLS using the three-party group Diffie?Hellman protocol

The internet has evolved into a very hostile ecosystem where 'phishing' attacks are common practice. This paper shows that the three-party group Diffie-Hellman key exchange can help protect against these attacks. We have developed password-based ciphersuites for the Transport Layer Security (TLS) protocol that are not only provably secure but also believed to be free from patent and licensing restrictions based on an analysis of relevant patents in the area.

[1]  Emmanuel Bresson,et al.  Group Diffie-Hellman Key Exchange Secure against Dictionary Attacks , 2002, ASIACRYPT.

[2]  Steven M. Bellovin,et al.  Encrypted key exchange: password-based protocols secure against dictionary attacks , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[3]  Olivier Chevassut,et al.  One-Time Verifier-Based Encrypted Key Exchange , 2005, Public Key Cryptography.

[4]  Dave Taylor,et al.  Using SRP for TLS Authentication , 2001 .

[5]  Michael Waidner,et al.  Secure password-based cipher suite for TLS , 2001, NDSS.

[6]  Bodo Möller,et al.  Provably secure password-based authentication in TLS , 2005, ASIACCS '06.

[7]  Serge Vaudenay,et al.  Password Interception in a SSL/TLS Channel , 2003, CRYPTO.

[8]  E. Bresson,et al.  Security Proofs for an Ecien t Password-Based Key Exchange , 2003 .

[9]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[10]  Emmanuel Bresson,et al.  Security proofs for an efficient password-based key exchange , 2003, CCS '03.

[11]  Mihir Bellare,et al.  Authenticated Key Exchange Secure against Dictionary Attacks , 2000, EUROCRYPT.

[12]  Emmanuel Bresson,et al.  New Security Results on Encrypted Key Exchange , 2003, Public Key Cryptography.

[13]  Mihir Bellare,et al.  The AuthA Protocol for Password-Based Authenticated Key Exchange , 2000 .

[14]  David P. Jablon Password Authentication Using Multiple Servers , 2001, CT-RSA.

[15]  Philip D. MacKenzie,et al.  More Efficient Password-Authenticated Key Exchange , 2001, CT-RSA.

[16]  Sarvar Patel,et al.  Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman , 2000, EUROCRYPT.

[17]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[18]  Steven M. Bellovin,et al.  Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise , 1993, CCS '93.

[19]  Rafail Ostrovsky,et al.  Forward Secrecy in Password-Only Key Exchange Protocols , 2002, SCN.

[20]  Craig Gentry,et al.  Password authenticated key exchange using hidden smooth subgroups , 2005, CCS '05.

[21]  Taekyoung Kwon,et al.  Authentication and Key Agreement Via Memorable Passwords , 2001, NDSS.

[22]  David Pointcheval,et al.  Password-Based Authenticated Key Exchange in the Three-Party Setting , 2005, Public Key Cryptography.

[23]  Yehuda Lindell,et al.  Session-Key Generation Using Human Passwords Only , 2001, Journal of Cryptology.

[24]  David Pointcheval,et al.  IPAKE: Isomorphisms for Password-Based Authenticated Key Exchange , 2004, CRYPTO.

[25]  David Pointcheval,et al.  Simple Password-Based Encrypted Key Exchange Protocols , 2005, CT-RSA.

[26]  Stefan Lucks,et al.  Open Key Exchange: How to Defeat Dictionary Attacks Without Encrypting Public Keys , 1997, Security Protocols Workshop.

[27]  Yehuda Lindell,et al.  Universally Composable Password-Based Key Exchange , 2005, EUROCRYPT.

[28]  Emmanuel Bresson,et al.  Dynamic Group Diffie-Hellman Key Exchange under Standard Assumptions , 2002, EUROCRYPT.

[29]  Yehuda Lindell,et al.  A Framework for Password-Based Authenticated Key Exchange , 2003, EUROCRYPT.

[30]  Thomas D. Wu The Secure Remote Password Protocol , 1998, NDSS.

[31]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[32]  Emmanuel Bresson,et al.  Provably Authenticated Group Diffie-Hellman Key Exchange - The Dynamic Case , 2001, ASIACRYPT.

[33]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[34]  Taekyoung Kwon,et al.  Authentication and Key Agreement via Memorable Password , 2000, IACR Cryptol. ePrint Arch..