Practical Anonymous Password Authentication and TLS with Anonymous Client Authentication

Anonymous authentication allows one to authenticate herself without revealing her identity, and has become an important technique for constructing privacy-preserving Internet connections. Anonymous password authentication is highly desirable as it enables a client to authenticate herself by a human-memorable password while preserving her privacy. In this paper, we introduce a novel approach for designing anonymous password-authenticated key exchange (APAKE) protocols using algebraic message authentication codes (MACs): an algebraic MAC wrapped by a password is used by a client for anonymous authentication, while the server issues algebraic MACs to clients and acts as the verifier in the login protocol. Our APAKE construction is secure provided that the algebraic MAC is strongly existentially unforgeable under random message and chosen verification queries attack (suf-rmva), weakly pseudorandom and tag-randomization simulatable, and has simulation-sound extractable non-interactive zero-knowledge proofs (SE-NIZKs). To design practical APAKE protocols, we instantiate an algebraic MAC based on the q-SDH assumption which satisfies all the required properties, and construct credential presentation algorithms for the MAC which have optimal efficiency for a randomize-then-prove paradigm. Based on this algebraic MAC, we instantiate a highly practical APAKE protocol, denoted APAKE, which is much more efficient than the mechanisms specified by ISO/IEC 20009-4. An efficient revocation mechanism for APAKE is also proposed. We integrate APAKE into TLS to present an anonymous client authentication mode in which clients holding passwords can authenticate themselves to a server anonymously. Our implementation at 128-bit security shows that the average connection time of the APAKE-based ciphersuite is 2.8 ms. With APAKE integrated into the OpenSSL library and using an Apache web server on a 2-core desktop computer, we could serve 953 ECDHE-ECDSA-AES128-GCM-SHA256 HTTPS connections per second for a 10 KB payload. Compared to the ECDSA-signed elliptic curve Diffie-Hellman ciphersuite with mutual authentication, this means a 0.27 KB increase in handshake size and a 13% reduction in throughput.
