Public-key cryptography and password protocols: the multi-user case

The problem of password authentication over an insecure network when the user holds only a human-memorizable password has received much attention in the literature. The first rigorous treatment was provided by Halevi and Krawczyk, who studied off-line password guessing attacks in the scenario in which the authentication server possesses a pair of private and public keys. In this work we:Show the inadequacy of both the HK formalization and protocol in the case where there is more than a single user: using a simple and realistic attack, we prove failure of the HK solution in the two-user case. Propose a new definition of security for the multi-user case, expressed in terms of transcripts of the entire system, rather than individual protocol executions. Suggest several ways of achieving this security against both static and dynamic adversaries. In a recent revision of their paper, Halevi and Krawczyk again attempted to handle the multi-user case. We expose a weakness in their revised definition.

[1]  Joe Kilian,et al.  Uses of randomness in algorithms and protocols , 1990 .

[2]  Moni Naor,et al.  Non-malleable cryptography , 1991, STOC '91.

[3]  Jerome H. Saltzer,et al.  Protecting Poorly Chosen Secrets from Guessing Attacks , 1993, IEEE J. Sel. Areas Commun..

[4]  Steven M. Bellovin,et al.  Encrypted key exchange: password-based protocols secure against dictionary attacks , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[5]  Hugo Krawczyk,et al.  Public-key cryptography and password protocols , 1999 .

[6]  Russell Impagliazzo,et al.  Limits on the provable consequences of one-way permutations , 1988, STOC '89.

[7]  Amit Sahai,et al.  Non-malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization , 1999, CRYPTO.

[8]  Ivan Damgård,et al.  New Generation of Secure and Practical RSA-Based Signatures , 1996, CRYPTO.

[9]  Moni Naor,et al.  Universal one-way hash functions and their cryptographic applications , 1989, STOC '89.

[10]  John Rompel,et al.  One-way functions are necessary and sufficient for secure signatures , 1990, STOC '90.

[11]  Moni Naor,et al.  Oblivious transfer and polynomial evaluation , 1999, STOC '99.

[12]  Joe Kilian,et al.  A general completeness theorem for two party games , 1991, STOC '91.

[13]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.

[14]  Mihir Bellare,et al.  Optimal Asymmetric Encryption-How to Encrypt with RSA , 1995 .

[15]  Stefan Lucks,et al.  Open Key Exchange: How to Defeat Dictionary Attacks Without Encrypting Public Keys , 1997, Security Protocols Workshop.

[16]  Moni Naor,et al.  An Efficient Existentially Unforgeable Signature Scheme and Its Applications , 1994, Journal of Cryptology.

[17]  Michael Luby,et al.  Pseudorandomness and cryptographic applications , 1996, Princeton computer science notes.

[18]  Hugo Krawczyk,et al.  Public-key cryptography and password protocols , 1998, CCS '98.

[19]  Ronald Cramer,et al.  A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack , 1998, CRYPTO.

[20]  Moni Naor,et al.  Adaptively secure multi-party computation , 1996, STOC '96.

[21]  Mihir Bellare,et al.  Relations among Notions of Security for Public-Key Encryption Schemes , 1998, IACR Cryptol. ePrint Arch..

[22]  Thomas D. Wu The Secure Remote Password Protocol , 1998, NDSS.

[23]  Russell Impagliazzo,et al.  One-way functions are essential for complexity based cryptography , 1989, 30th Annual Symposium on Foundations of Computer Science.

[24]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[25]  Mihir Bellare,et al.  Provably secure session key distribution: the three party case , 1995, STOC '95.