Strengthening Password-Based Authentication Protocols Against Online Dictionary Attacks

Passwords are one of the most common causes of system break-ins, because the low entropy of passwords makes systems vulnerable to brute-force guessing attacks (dictionary attacks). Existing Strong Password-based Authentication and Key Agreement (SPAKA) protocols protect passwords from passive (eavesdropping, offline dictionary) attacks, but not from active online dictionary attacks. This paper presents a simple scheme that strengthens password-based authentication protocols and helps prevent online dictionary attacks as well as many-to-many attacks common to 3-pass SPAKA protocols. The proposed scheme significantly increases the computational burden of an attacker trying to launch online dictionary attacks, while imposing negligible load on the legitimate clients as well as on the authentication server.
