Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords

Katz, Jonathan; Ostrovsky, Rafail; Yung, Moti

doi:10.1007/3-540-44987-6_29

Cited by 316 publications

(253 citation statements)

References 23 publications

Supporting

Mentioning

250

Contrasting

Unclassified

Order By: Relevance

“…The communication cost of each client is O(2n) bits, where n is the number of clients. If Abdalla et al's compiler employs KOY 2-PAKE protocol [46] and constructs the commitment scheme with Cramer-Shoup public key encryption scheme [35], their group PAKE protocol has 5 rounds. The communication cost of each user is O(6n) bits.…”

Section: Correctness Explicit Authentication Trust Model and Efficimentioning

confidence: 99%

See 1 more Smart Citation

ID-Based Group Password-Authenticated Key Exchange

Tso

Okamoto

2009

Advances in Information and Computer Security

View full text Add to dashboard Cite

Abstract-Password-authenticated key exchange (PAKE) protocols are designed to be secure even when the secret key used for authentication is a human-memorable password. In this paper, we consider PAKE protocols in the group scenario, in which a group of clients, each of them shares a password with an "honest but curious" server, intend to establish a common secret key (i.e., a group key) with the help of the server. In this setting, the key established is known to the clients only and no one else, including the server. Each client needs to remember passwords only while the server keeps passwords in addition to private keys related to his identity. Towards our goal, we present a compiler that transforms any group key exchange (KE) protocol secure against a passive eavesdropping to a group PAKE which is secure against an active adversary who controls all communication in the network. This compiler is built on any group KE protocol (e.g., the Burmester-Desmedt protocol), any identity-based encryption (IBE) scheme (e.g., Gentry's scheme), and any identity-based signature (IBS) scheme (e.g., Paterson-Schuldt scheme). It adds only two rounds and O(1) communication (per client) to the original group KE protocol. As long as the underlying group KE protocol, IBE scheme and an IBS scheme have provably security without random oracles, a group PAKE constructed by our compiler can be proven to be secure without random oracles.

show abstract

Section: Correctness Explicit Authentication Trust Model and Efficimentioning

confidence: 99%

“…We follow the methods of the security proofs given in [48,46] to prove the security of our compiler without random oracles. First of all, we provide a formal specification of the group PAKE protocol by specifying the initialization phase and the oracles to which the adversary has access, as shown in Fig.…”

Section: Proof Of Securitymentioning

confidence: 99%

ID-Based Group Password-Authenticated Key Exchange

Tso

Okamoto

2009

Advances in Information and Computer Security

View full text Add to dashboard Cite

show abstract

“…Recently, Abdalla et al proposed an original mask-generation function computed as the product of the message with a constant value raised to the power of the password [4]; this new mask generation function alleviates the need of a full-domain hash function in the group. Security researchers also provided constructions secured in the standard model based on general computational assumptions, the Decisional Diffie-Hellman assumption (using a variant of the Cramer-Shoup encryption scheme), or even strong computational assumptions; however, these construction are not efficient enough for practical use [20,22]. Engineers are now given a suite of secure protocols to choose from depending on their security requirements (ideal-cipher model vs. ideal-hash model) and the constraints of their software (one-flow or two-flows of the Diffie-Hellman key exchange are encrypted).…”

Section: Related Workmentioning

confidence: 99%

A security solution for IEEE 802.11's ad hoc mode: password-authentication and group Diffie Hellman key exchange

Bresson¹,

Chevassut²,

Pointcheval³

2007

IJWMC

View full text Add to dashboard Cite

The IEEE 802 standards ease the deployment of networking infrastructures and enable employers to access corporate networks while traveling. These standards provide two modes of communication called infrastructure and ad-hoc modes. A security solution for the IEEE 802.11's infrastructure mode took several years to reach maturity and firmware are still been upgraded, yet a solution for the ad-hoc mode needs to be specified. The present paper is a first attempt in this direction. It leverages the latest developments in the area of password-based authentication and (group) DiffieHellman key exchange to develop a provably-secure key-exchange protocol for IEEE 802.11's ad-hoc mode. The protocol allows users to securely join and leave the wireless group at time, accommodates either a single-shared password or pairwise-shared passwords among the group members, or at least with a central server; achieves security against dictionary attacks in the ideal-hash model (i.e. random-oracles). This is, to the best of our knowledge, the first such protocol to appear in the cryptographic literature.

show abstract

“…Specific instances of the Bellovin-Merritt protocols with security based on the random oracle model were provided in [3,4,7,10,18] starting in 2000. Finally, another protocol without random oracles were proposed in 2001 by Katz, Ostrovsky, and Yung [16]. All those protocols are however at least as expensive as the Diffie-Hellman protocol.…”

Section: Setting Up Secure Communicationsmentioning

confidence: 99%

On Bluetooth Repairing: Key Agreement Based on Symmetric-Key Cryptography

Vaudenay

2005

Information Security and Cryptology

View full text Add to dashboard Cite

Abstract. Despite many good (secure) key agreement protocols based on publickey cryptography exist, secure associations between two wireless devices are often established using symmetric-key cryptography for cost reasons. The consequence is that common daily used security protocols such as Bluetooth pairing are insecure in the sense that an adversary can easily extract the main private key from the protocol communications. Nevertheless, we show that a feature in the Bluetooth standard provides a pragmatic and costless protocol that can eventually repair privateless associations, thanks to mobility. This proves (in the random oracle model) the pragmatic security of the Bluetooth pairing protocol when repairing is used. Setting up Secure CommunicationsDigital communications are often secured by means of symmetric encryption and message authentication codes. This provided high throughput and security. However, setting up this channel requires agreeing on a private key with large entropy. Private key agreement between remote peers through insecure channel is a big challenge. A first (impractical) solution was proposed in 1975 by Merkle [19]. A solution was proposed by Diffie and Hellman in 1976 [12]. It works, provided that the two peers can communicate over an authenticated channel which protects the integrity of messages and that a standard computational problem (namely, the Diffie-Hellman problem) is hard.To authenticate messages of the Diffie-Hellman protocol is still expensive since those messages are pretty long (typically, a thousand bits, each) and that authentication is often manually done by human beings. Folklore solutions consist of shrinking this amount of information by means of a collision-resistant hash function and of authenticating only the digest of the protocol transcript. The amount of information to authenticate typically reduces to 160 bits. However, collision-resistant hash functions are threatened species these days due to collapses of MD5, RIPEMD, SHA, etc. [9,23,24,25,26]. Furthermore, 160 bits is still pretty large for human beings to authenticate. Another solution using shorter messages have been proposed by Pasini and Vaudenay [20] using

show abstract

Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords

Cited by 316 publications

References 23 publications

ID-Based Group Password-Authenticated Key Exchange

ID-Based Group Password-Authenticated Key Exchange

A security solution for IEEE 802.11's ad hoc mode: password-authentication and group Diffie Hellman key exchange

On Bluetooth Repairing: Key Agreement Based on Symmetric-Key Cryptography

Contact Info

Product

Resources

About