Cryptanalysis of the Secure Sessions from Weak Secrets Protocols

The Short Secret Sharing Protocols (S3P), proposed by Roe et al. in 1998 [13] and revised in 2003 [14], are a family of protocols that bootstrap secure session keys from weak secrets such as passwords. In this letter, we describe an attack against the RSA variants of the S3P protocols. The attacker can successfully masquerade as one of the participants, establish a new session, and gain knowledge of the session key. We present possible modifications to the protocol to prevent such an attack.

[1] David P. Jablon. Strong password-only authenticated key exchange, 1996, CCRV.

[2] Colin Boyd, et al. Protocols for Key Establishment and Authentication, 2003.

[3] Thomas D. Wu. The Secure Remote Password Protocol, 1998, NDSS.

[4] Steven M. Bellovin, et al. Encrypted key exchange: password-based protocols secure against dictionary attacks, 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[5] Taekyoung Kwon, et al. Authentication and Key Agreement via Memorable Password, 2000, IACR Cryptol. ePrint Arch.

[6] Li Gong, et al. Optimal authentication protocols resistant to password guessing attacks, 1995, Proceedings The Eighth IEEE Computer Security Foundations Workshop.

[7] V. Rich. Personal communication, 1989, Nature.

[8] Steven M. Bellovin, et al. Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise, 1993, CCS '93.

[9] Bruce Christianson, et al. Secure Sessions from Weak Secrets, 2003, Security Protocols Workshop.

[10] Ross Anderson, et al. Fortifying key negotiation schemes with poorly chosen passwords, 1994.

[11] Pil Joong Lee, et al. EPA: An Efficient Password-Based Protocol for Authenticated Key Exchange, 2003, ACISP.

[12] Taekyoung Kwon, et al. Authentication and Key Agreement Via Memorable Passwords, 2001, NDSS.

[13] Jerome H. Saltzer, et al. Protecting Poorly Chosen Secrets from Guessing Attacks, 1993, IEEE J. Sel. Areas Commun.