Authenticated key exchange protocols resistant to password guessing attacks

A user-chosen password is not appropriate for a shared secret by which an authenticated key exchange protocol is operated. This is because users choose their passwords so that they can be easily memorised and can be typed using an alphabetic keyboard or a numeric keypad. Therefore, the password becomes a weak secret which is vulnerable to guessing attacks. However, users prefer to utilise the short easily memorised passwords. Several protocols, which are resistant to guessing attacks, have been developed to overcome this problem. However, they are inefficient in terms of the computation and communication costs. As a more practical solution, the authors propose new authenticated key exchange protocols by reducing the number of random numbers, cipher operations, and protocol steps. To achieve this goal, they deliberately use a one-time pad and a strong one-way hash function in their protocols.

[1]  Jerome H. Saltzer,et al.  Reducing risks from poorly chosen keys , 1989, SOSP '89.

[2]  Li Gong,et al.  Optimal authentification protocols resistant to password guessing attacks , 1995, Proceedings The Eighth IEEE Computer Security Foundations Workshop.

[3]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[4]  Giovanni Maria Sacco,et al.  Timestamps in key distribution protocols , 1981, CACM.

[5]  Owen Rees,et al.  Efficient and timely mutual authentication , 1987, OPSR.

[6]  Li Gong,et al.  Verifiable-text attacks in cryptographic protocols , 1990, Proceedings. IEEE INFOCOM '90: Ninth Annual Joint Conference of the IEEE Computer and Communications Societies@m_The Multiple Facets of Integration.

[7]  Ken Thompson,et al.  Password security: a case history , 1979, CACM.

[8]  Roger M. Needham,et al.  Using encryption for authentication in large networks of computers , 1978, CACM.

[9]  Patrick Horster,et al.  Undetectable on-line password guessing attacks , 1995, OPSR.

[10]  Jerome H. Saltzer,et al.  Protecting Poorly Chosen Secrets from Guessing Attacks , 1993, IEEE J. Sel. Areas Commun..