A New Approach for Anonymous Password Authentication

Anonymous password authentication reinforces password authentication with the protection of user privacy. Considering the increasing concern of individual privacy nowadays, anonymous password authentication represents a promising privacy-preserving authentication primitive. However, anonymous password authentication in the standard setting has several inherent weaknesses, making its practicality questionable. In this paper, we propose a new and efficient approach for anonymous password authentication. Our approach assumes a different setting where users do not register their passwords to the server; rather, they use passwords to protect their authentication credentials. We present a concrete scheme, and get over a number of challenges in securing password-protected credentials against off-line guessing attacks. Our experimental results confirm that conventional anonymous password authentication does not scale well, while our new scheme demonstrates very good performance.

[1]  R. Sandhu,et al.  Password-Enabled PKI : Virtual Smartcards vs. Virtual Soft Tokens , 2002 .

[2]  Rafail Ostrovsky,et al.  Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords , 2001, EUROCRYPT.

[3]  Jan Camenisch,et al.  Efficient group signature schemes for large groups , 1997 .

[4]  Emmanuel Bresson,et al.  Security proofs for an efficient password-based key exchange , 2003, CCS '03.

[5]  Jerome H. Saltzer,et al.  Protecting Poorly Chosen Secrets from Guessing Attacks , 1993, IEEE J. Sel. Areas Commun..

[6]  Patrick Horster,et al.  Undetectable on-line password guessing attacks , 1995, OPSR.

[7]  David Chaum,et al.  Blind Signatures for Untraceable Payments , 1982, CRYPTO.

[8]  David Pointcheval,et al.  Anonymous and Transparent Gateway-Based Password-Authenticated Key Exchange , 2008, CANS.

[9]  Min-Shiang Hwang,et al.  A new remote user authentication scheme using smart cards , 2000, IEEE Trans. Consumer Electron..

[10]  Douglas N. Hoover,et al.  Software smart cards via cryptographic camouflage , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[11]  SeongHan Shin,et al.  A Secure Construction for Threshold Anonymous Password-Authenticated Key Exchange , 2008, IEICE Trans. Fundam. Electron. Commun. Comput. Sci..

[12]  Jan Camenisch,et al.  Signature Schemes and Anonymous Credentials from Bilinear Maps , 2004, CRYPTO.

[13]  Marc Joye,et al.  A Practical and Provably Secure Coalition-Resistant Group Signature Scheme , 2000, CRYPTO.

[14]  Eyal Kushilevitz,et al.  Private information retrieval , 1998, JACM.

[15]  Salil P. Vadhan,et al.  Simpler Session-Key Generation from Short Random Passwords , 2004, Journal of Cryptology.

[16]  Jan Camenisch,et al.  Efficient Group Signature Schemes for Large Groups (Extended Abstract) , 1997, CRYPTO.

[17]  Jing Yang,et al.  A New Anonymous Password-Based Authenticated Key Exchange Protocol , 2008, INDOCRYPT.

[18]  Burton S. Kaliski,et al.  Server-assisted generation of a strong secret from a password , 2000, Proceedings IEEE 9th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WET ICE 2000).

[19]  Sarvar Patel,et al.  Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman , 2000, EUROCRYPT.

[20]  JanJinn-Ke,et al.  An Efficient and Practical Solution to Remote Authentication , 2002 .

[21]  Maurizio Kliban Boyarsky,et al.  Public-key cryptography and password protocols: the multi-user case , 1999, CCS '99.

[22]  Markus Jakobsson,et al.  Threshold Password-Authenticated Key Exchange , 2002, Journal of Cryptology.

[23]  Steven M. Bellovin,et al.  Encrypted key exchange: password-based protocols secure against dictionary attacks , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[24]  Rafail Ostrovsky,et al.  Replication is not needed: single database, computationally-private information retrieval , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[25]  Jan Camenisch,et al.  A Signature Scheme with Efficient Protocols , 2002, SCN.

[26]  Radia J. Perlman,et al.  Secure Password-Based Protocol for Downloading a Private Key , 1999, NDSS.

[27]  Hung-Yu Chien,et al.  An Efficient and Practical Solution to Remote Authentication: Smart Card , 2002, Comput. Secur..

[28]  Ivan Damgård,et al.  An Integer Commitment Scheme based on Groups with Hidden Order , 2001, IACR Cryptol. ePrint Arch..

[29]  Hidema Tanaka,et al.  Anonymous Password-Based Authenticated Key Exchange , 2005, INDOCRYPT.

[30]  Pascal Paillier,et al.  Public-Key Cryptosystems Based on Composite Degree Residuosity Classes , 1999, EUROCRYPT.

[31]  Mihir Bellare,et al.  Authenticated Key Exchange Secure against Dictionary Attacks , 2000, EUROCRYPT.

[32]  Hugo Krawczyk,et al.  Public-key cryptography and password protocols , 1998, CCS '98.

[33]  J.J. Tardo,et al.  SPX: global authentication using public key certificates , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.