Efficient protocols secure against guessing and replay attacks

To establish secure network communications, a common practice requires that users authenticate one another and establish a temporary session key based on their passwords. Since users often use passwords that are easy to remember, attackers can correctly guess the passwords simply by searching through a relatively small space of "weak" passwords. In this paper, we present a new set of efficient protocols that can establish secure communications while protecting passwords from any feasible guessing and replay attacks. Our protocols avoid the use of timestamps altogether and minimize the use of nonces (random numbers). We examine some common attacks on existing protocols and show how our protocols can be secure against such attacks. Our protocols apply to both secure peer-to-peer and multicast communications.
