Two-server password-only authenticated key exchange

Typical protocols for password-based authentication assume a single server which stores all the information (e.g.), the password necessary to authenticate a user. Unfortunately, an inherent limitation of this approach (assuming low-entropy passwords are used) is that the user's password is exposed if this server is ever compromised. To address this issue, a number of schemes have been proposed in which a user's password information is shared among multiple servers, and these servers cooperate in a threshold manner when the user wants to authenticate. We show here a two-server protocol for this task assuming public parameters available to everyone in the system (as well as the adversary). Ours is the first provably-secure two-server protocol for the important password-only setting (in which the user need remember only a password, and not the servers' public keys), and is the first two-server protocol (in any setting) with a proof of security in the standard model.

[1]  Ivan Damgård,et al.  Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols , 1994, CRYPTO.

[2]  Yehuda Lindell,et al.  Universally Composable Password-Based Key Exchange , 2005, EUROCRYPT.

[3]  Victor Shoup,et al.  A Proposal for an ISO Standard for Public Key Encryption , 2001, IACR Cryptol. ePrint Arch..

[4]  Jerome H. Saltzer,et al.  Protecting Poorly Chosen Secrets from Guessing Attacks , 1993, IEEE J. Sel. Areas Commun..

[5]  T. Elgamal A public key cryptosystem and a signature scheme based on discrete logarithms , 1984, CRYPTO 1984.

[6]  Michael K. Reiter,et al.  Networked cryptographic devices resilient to capture , 2003, International Journal of Information Security.

[7]  Steven M. Bellovin,et al.  Encrypted key exchange: password-based protocols secure against dictionary attacks , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[8]  Ronald Cramer,et al.  A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack , 1998, CRYPTO.

[9]  Yehuda Lindell,et al.  Session-Key Generation Using Human Passwords Only , 2001, Journal of Cryptology.

[10]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[11]  Rafail Ostrovsky,et al.  Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords , 2001, EUROCRYPT.

[12]  Ari Juels,et al.  A New Two-Server Approach for Authentication with Short Secrets , 2003, USENIX Security Symposium.

[13]  Hugo Krawczyk,et al.  Public-key cryptography and password protocols , 1999 .

[14]  David Mazières,et al.  Proactive Two-Party Signatures for User Authentication , 2003, NDSS.

[15]  Michael Szydlo,et al.  Proofs for Two-Server Password Authentication , 2005, CT-RSA.

[16]  David P. Jablon Password Authentication Using Multiple Servers , 2001, CT-RSA.

[17]  Taher ElGamal,et al.  A public key cyryptosystem and signature scheme based on discrete logarithms , 1985 .

[18]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.

[19]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[20]  Yehuda Lindell,et al.  A framework for password-based authenticated key exchange1 , 2006, TSEC.

[21]  Jerome H. Saltzer,et al.  Reducing risks from poorly chosen keys , 1989, SOSP '89.

[22]  Burton S. Kaliski,et al.  Server-assisted generation of a strong secret from a password , 2000, Proceedings IEEE 9th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WET ICE 2000).

[23]  Sarvar Patel,et al.  Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman , 2000, EUROCRYPT.

[24]  Markus Jakobsson,et al.  Threshold Password-Authenticated Key Exchange , 2002, Journal of Cryptology.

[25]  Stefan Lucks,et al.  Open Key Exchange: How to Defeat Dictionary Attacks Without Encrypting Public Keys , 1997, Security Protocols Workshop.

[26]  Maurizio Kliban Boyarsky,et al.  Public-key cryptography and password protocols: the multi-user case , 1999, CCS '99.

[27]  Niv Gilboa,et al.  Two Party RSA Key Generation , 1999, CRYPTO.

[28]  Mihir Bellare,et al.  Provably secure session key distribution: the three party case , 1995, STOC '95.

[29]  David P. Jablon Strong password-only authenticated key exchange , 1996, CCRV.

[30]  Rosario Gennaro,et al.  Provably secure threshold password-authenticated key exchange , 2006, J. Comput. Syst. Sci..

[31]  Mihir Bellare,et al.  Authenticated Key Exchange Secure against Dictionary Attacks , 2000, EUROCRYPT.

[32]  Steven M. Bellovin,et al.  Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise , 1993, CCS '93.

[33]  Michael K. Reiter,et al.  Two-party generation of DSA signatures , 2004, International Journal of Information Security.

[34]  Ronald Cramer,et al.  Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack , 2003, SIAM J. Comput..

[35]  Ronald Cramer,et al.  Modular Design of Secure yet Practical Cryptographic Protocols , 1997 .

[36]  Yehuda Lindell,et al.  A Framework for Password-Based Authenticated Key Exchange , 2003, EUROCRYPT.

[37]  Thomas D. Wu The Secure Remote Password Protocol , 1998, NDSS.

[38]  Guang Gong,et al.  Password Based Key Exchange with Mutual Authentication , 2004, IACR Cryptol. ePrint Arch..

[39]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[40]  Philip Mac Kenzie An Efficient Two-Party Public Key Cryptosystem Secure against Adaptive Chosen Ciphertext Attack , 2003 .