Efficient and secure authenticated key exchange using weak passwords

Mutual authentication and authenticated key exchange are fundamental techniques for enabling secure communication over public, insecure networks. It is well known how to design secure protocols for achieving these goals when parties share high-entropy cryptographic keys in advance of the authentication stage. Unfortunately, it is much more common for users to share weak, low-entropy passwords which furthermore may be chosen from a known space of possibilities (say, a dictionary of English words). In this case, the problem becomes much more difficult as one must ensure that protocols are immune to off-line dictionary attacks in which an adversary exhaustively enumerates all possible passwords in an attempt to determine the correct one. We propose a 3-round protocol for password-only authenticated key exchange, and provide a rigorous proof of security for our protocol based on the decisional Diffie-Hellman assumption. The protocol assumes only public parameters—specifically, a “common reference string”—which can be “hard-coded” into an implementation of the protocol; in particular, and in contrast to some previous work, our protocol does not require either party to pre-share a public key. The protocol is also remarkably efficient, requiring computation only (roughly) 4 times greater than “classical” Diffie-Hellman key exchange that provides no authentication at all. Ours is the first protocol for password-only authentication that is both practical and provably-secure using standard cryptographic assumptions.

[1]  Ivan Damgård,et al.  Collision Free Hash Functions and Public Key Signature Schemes , 1987, EUROCRYPT.

[2]  Ken Thompson,et al.  Password security: a case history , 1979, CACM.

[3]  Radia J. Perlman,et al.  Network security - private communication in a public world , 2002, Prentice Hall series in computer networking and distributed systems.

[4]  Jonathan Katz,et al.  Two-server password-only authenticated key exchange , 2005, J. Comput. Syst. Sci..

[5]  KatzJonathan,et al.  Efficient and secure authenticated key exchange using weak passwords , 2009 .

[6]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.

[7]  Yehuda Lindell,et al.  A Framework for Password-Based Authenticated Key Exchange , 2003, EUROCRYPT.

[8]  Sarvar Patel,et al.  Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman , 2000, EUROCRYPT.

[9]  Moti Yung,et al.  Systematic Design of Two-Party Authentication Protocols , 1991, CRYPTO.

[10]  Victor Shoup,et al.  On Formal Models for Secure Key Exchange , 1999, IACR Cryptol. ePrint Arch..

[11]  Moti Yung,et al.  Systematic Design of a Family of Attack-Resistant Authentication Protocols , 1993, IEEE J. Sel. Areas Commun..

[12]  Hugo Krawczyk,et al.  A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract) , 1998, STOC '98.

[13]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[14]  Yehuda Lindell,et al.  Introduction to Modern Cryptography , 2004 .

[15]  Jonathan Katz,et al.  Efficient cryptographic protocols preventing man-in-the-middle attacks , 2002 .

[16]  Silvio Micali,et al.  On-line/off-line digital signatures , 1996, Journal of Cryptology.

[17]  Stefan Lucks,et al.  Open Key Exchange: How to Defeat Dictionary Attacks Without Encrypting Public Keys , 1997, Security Protocols Workshop.

[18]  Steven M. Bellovin,et al.  Encrypted key exchange: password-based protocols secure against dictionary attacks , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[19]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[20]  Mihir Bellare,et al.  Authenticated Key Exchange Secure against Dictionary Attacks , 2000, EUROCRYPT.

[21]  Steven M. Bellovin,et al.  Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise , 1993, CCS '93.

[22]  Ronald Cramer,et al.  Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack , 2003, SIAM J. Comput..

[23]  Mihir Bellare,et al.  Provably secure session key distribution: the three party case , 1995, STOC '95.

[24]  David P. Jablon Strong password-only authenticated key exchange , 1996, CCRV.

[25]  Li Gong,et al.  Optimal authentification protocols resistant to password guessing attacks , 1995, Proceedings The Eighth IEEE Computer Security Foundations Workshop.

[26]  Sarvar Patel,et al.  Password-authenticated key exchange based on RSA , 2000, International Journal of Information Security.

[27]  Yehuda Lindell,et al.  Universally Composable Password-Based Key Exchange , 2005, EUROCRYPT.

[28]  Victor Shoup,et al.  A Proposal for an ISO Standard for Public Key Encryption , 2001, IACR Cryptol. ePrint Arch..

[29]  Paul C. van Oorschot,et al.  Authentication and authenticated key exchanges , 1992, Des. Codes Cryptogr..

[30]  Hugo Krawczyk,et al.  Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels , 2001, EUROCRYPT.

[31]  Jerome H. Saltzer,et al.  Protecting Poorly Chosen Secrets from Guessing Attacks , 1993, IEEE J. Sel. Areas Commun..

[32]  Eugene H. Spafford,et al.  Observing Reusable Password Choices , 1992 .

[33]  Victor Boyko,et al.  On all-or-nothing transforms and password-authenticated key exchange protocols , 2000 .

[34]  Rafail Ostrovsky,et al.  Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords , 2001, EUROCRYPT.

[35]  Rafail Ostrovsky,et al.  Efficient and Non-interactive Non-malleable Commitment , 2001, EUROCRYPT.

[36]  Jonathan Katz,et al.  Introduction to Modern Cryptography: Principles and Protocols , 2007 .

[37]  Sarvar Patel,et al.  Password-Authenticated Key Exchange Based on RSA , 2000, ASIACRYPT.

[38]  Hugo Krawczyk,et al.  Universally Composable Notions of Key Exchange and Secure Channels , 2002, EUROCRYPT.

[39]  Maurizio Kliban Boyarsky,et al.  Public-key cryptography and password protocols: the multi-user case , 1999, CCS '99.

[40]  Yehuda Lindell,et al.  Session-Key Generation Using Human Passwords Only , 2001, Journal of Cryptology.

[41]  Daniel Klein,et al.  Foiling the cracker: A survey of, and improvements to, password security , 1992 .

[42]  Rafail Ostrovsky,et al.  Forward Secrecy in Password-Only Key Exchange Protocols , 2002, SCN.

[43]  Thomas D. Wu A Real-World Analysis of Kerberos Password Security , 1999, NDSS.

[44]  Gene Tsudik,et al.  Refinement and extension of encrypted key exchange , 1995, OPSR.

[45]  Yehuda Lindell,et al.  A framework for password-based authenticated key exchange1 , 2006, TSEC.

[46]  Jerome H. Saltzer,et al.  Reducing risks from poorly chosen keys , 1989, SOSP '89.

[47]  Hugo Krawczyk,et al.  Public-key cryptography and password protocols , 1998, CCS '98.

[48]  Rosario Gennaro,et al.  Provably secure threshold password-authenticated key exchange , 2003, J. Comput. Syst. Sci..

[49]  Salil P. Vadhan,et al.  Simpler Session-Key Generation from Short Random Passwords , 2004, Journal of Cryptology.

[50]  Sarvar Patel,et al.  Number theoretic attacks on secure password schemes , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[51]  Yehuda Lindell,et al.  Introduction to Modern Cryptography (Chapman & Hall/Crc Cryptography and Network Security Series) , 2007 .

[52]  David P. Jablon Extended password key exchange protocols immune to dictionary attack , 1997, Proceedings of IEEE 6th Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises.

[53]  Moni Naor,et al.  Nonmalleable Cryptography , 2000, SIAM Rev..

[54]  Thomas D. Wu The Secure Remote Password Protocol , 1998, NDSS.

[55]  Guang Gong,et al.  Password Based Key Exchange with Mutual Authentication , 2004, IACR Cryptol. ePrint Arch..

[56]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[57]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[58]  Rosario Gennaro,et al.  Faster and Shorter Password-Authenticated Key Exchange , 2008, TCC.

[59]  Hugo Krawczyk,et al.  Public-key cryptography and password protocols , 1999 .

[60]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.