Password-authenticated key exchange based on RSA

There have been many proposals in recent years for password-authenticated key exchange protocols, i.e., protocols in which two parties who share only a short secret password perform a key exchange authenticated with the password. However, the only ones that have been proven secured against offline dictionary attacks were based on Diffie–Hellman key exchange. We examine how to design a secure password-authenticated key exchange protocol based on RSA. In this paper, we first look at the OKE and protected-OKE protocols (both RSA-based) and show that they are insecure. Then we show how to modify the OKE protocol to obtain a password-authenticated key exchange protocol that can be proven secure (in the random oracle model). This protocol is very practical; in fact, it requires about the same amount of computation as the Diffie–Hellman-based protocols. Finally, we present an augmented protocol that is resilient to server compromise, meaning (informally) that an attacker who compromises a server would not be able to impersonate a client, at least not without running an offline dictionary attack against that client’s password.

[1]  Ronald Cramer,et al.  A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack , 1998, CRYPTO.

[2]  Hugo Krawczyk,et al.  Public-key cryptography and password protocols , 1999 .

[3]  Victor Shoup,et al.  On Formal Models for Secure Key Exchange , 1999, IACR Cryptol. ePrint Arch..

[4]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[5]  D. Hasan Jamak DIGITAL SIGNATURE ALGORITHM (DSA) , 2006 .

[6]  David P. Jablon Extended password key exchange protocols immune to dictionary attack , 1997, Proceedings of IEEE 6th Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises.

[7]  Mihir Bellare,et al.  Authenticated Key Exchange Secure against Dictionary Attacks , 2000, EUROCRYPT.

[8]  Li Gong,et al.  Optimal authentification protocols resistant to password guessing attacks , 1995, Proceedings The Eighth IEEE Computer Security Foundations Workshop.

[9]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[10]  Arjen K. Lenstra,et al.  Selecting Cryptographic Key Sizes , 2000, Public Key Cryptography.

[11]  Donald Beaver,et al.  Secure multiparty protocols and zero-knowledge proof systems tolerating a faulty minority , 2004, Journal of Cryptology.

[12]  Mihir Bellare,et al.  The Exact Security of Digital Signatures - HOw to Sign with RSA and Rabin , 1996, EUROCRYPT.

[13]  Mihir Bellare,et al.  Provably secure session key distribution: the three party case , 1995, STOC '95.

[14]  David P. Jablon Strong password-only authenticated key exchange , 1996, CCRV.

[15]  Steven M. Bellovin,et al.  Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise , 1993, CCS '93.

[16]  Bruce Christianson,et al.  Secure Sessions from Weak Secrets , 2003, Security Protocols Workshop.

[17]  Stefan Lucks,et al.  Open Key Exchange: How to Defeat Dictionary Attacks Without Encrypting Public Keys , 1997, Security Protocols Workshop.

[18]  Jean-Jacques Quisquater,et al.  A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory , 1988, EUROCRYPT.

[19]  Faculteit der Wiskunde en Natuurwetenschappen,et al.  Divisors in residue classes , 1983 .

[20]  Yehuda Lindell,et al.  Session-Key Generation Using Human Passwords Only , 2001, Journal of Cryptology.

[21]  Sarvar Patel,et al.  Password-Authenticated Key Exchange Based on RSA , 2000, ASIACRYPT.

[22]  Hugo Krawczyk,et al.  A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract) , 1998, STOC '98.

[23]  Mihir Bellare,et al.  Optimal Asymmetric Encryption , 1994, EUROCRYPT.

[24]  Jerome H. Saltzer,et al.  Protecting Poorly Chosen Secrets from Guessing Attacks , 1993, IEEE J. Sel. Areas Commun..

[25]  Thomas D. Wu The Secure Remote Password Protocol , 1998, NDSS.

[26]  Maurizio Kliban Boyarsky,et al.  Public-key cryptography and password protocols: the multi-user case , 1999, CCS '99.

[27]  Sarvar Patel,et al.  Number theoretic attacks on secure password schemes , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[28]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.

[29]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[30]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[31]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[32]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[33]  Sarvar Patel,et al.  Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman , 2000, EUROCRYPT.

[34]  Thomas D. Wu A Real-World Analysis of Kerberos Password Security , 1999, NDSS.

[35]  Gene Tsudik,et al.  Refinement and extension of encrypted key exchange , 1995, OPSR.

[36]  Steven M. Bellovin,et al.  Encrypted key exchange: password-based protocols secure against dictionary attacks , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[37]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[38]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[39]  Jacques Stern,et al.  Security Proofs for Signature Schemes , 1996, EUROCRYPT.