Results 1 - 10
of
190
Authenticated Key Exchange Secure Against Dictionary Attacks
, 2000
"... Password-based protocols for authenticated key exchange (AKE) are designed to work despite the use of passwords drawn from a space so small that an adversary might well enumerate, off line, all possible passwords. While several such protocols have been suggested, the underlying theory has been laggi ..."
Abstract
-
Cited by 402 (35 self)
- Add to MetaCart
Password-based protocols for authenticated key exchange (AKE) are designed to work despite the use of passwords drawn from a space so small that an adversary might well enumerate, off line, all possible passwords. While several such protocols have been suggested, the underlying theory has been lagging. We begin by defining a model for this problem, one rich enough to deal with password guessing, forward secrecy, server compromise, and loss of session keys. The one model can be used to define various goals. We take AKE (with "implicit" authentication) as the "basic" goal, and we give definitions for it, and for entity-authentication goals as well. Then we prove correctness for the idea at the center of the Encrypted Key-Exchange (EKE) protocol of Bellovin and Merritt: we prove security, in an ideal-cipher model, of the two-flow protocol at the core of EKE.
The secure remote password protocol
- In Proceedings of the 1998 Internet Society Network and Distributed System Security Symposium
, 1998
"... This paper presents a new password authentication and key-exchange protocol suitable for authenticating users and exchanging keys over an untrusted network. The new protocol resists dictionary attacks mounted by either passive or active network intruders, allowing, in principle, even weak passphrase ..."
Abstract
-
Cited by 212 (6 self)
- Add to MetaCart
(Show Context)
This paper presents a new password authentication and key-exchange protocol suitable for authenticating users and exchanging keys over an untrusted network. The new protocol resists dictionary attacks mounted by either passive or active network intruders, allowing, in principle, even weak passphrases to be used safely. It also o ers perfect forward secrecy, which protects past sessions and passwords against future compromises. Finally, user passwords are stored in a form that is not plaintext-equivalent to the password itself, so an attacker who captures the password database cannot use it directly to compromise security and gain immediate access to the host. This new protocol combines techniques of zero-knowledge proofs with asymmetric key exchange protocols and o ers signi cantly improved performance over comparably strong extended methods that resist stolen-veri er attacks such as Augmented EKE or B-SPEKE. 1
Public-Key Cryptography and Password Protocols
- ACM Transactions on Information and System Security
, 1999
"... We study protocols for strong authentication and key exchange in asymmetric scenarios where the authentication server possesses a pair of private and public keys while the client has only a weak human-memorizable password as its authentication key. We present and analyze several simple password p ..."
Abstract
-
Cited by 138 (6 self)
- Add to MetaCart
(Show Context)
We study protocols for strong authentication and key exchange in asymmetric scenarios where the authentication server possesses a pair of private and public keys while the client has only a weak human-memorizable password as its authentication key. We present and analyze several simple password protocols in this scenario, and show that the security of these protocols can be formally proven based on standard cryptographic assumptions. Remarkably, our analysis shows optimal resistance to off-line password guessing attacks under the choice of suitable public key encryption functions. In addition to user authentication, we enhance our protocols to provide two-way authentication, authenticated key exchange, defense against server's compromise, and user anonymity. We complement these results with a proof that public key techniques are unavoidable for password protocols that resist off-line guessing attacks. As a further contribution, we introduce the notion of public passwords that...
Guidelines for Writing RFC Text on Security Considerations
- BCP 72, RFC 3552
, 2003
"... This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet ..."
Abstract
-
Cited by 104 (2 self)
- Add to MetaCart
This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as ‘‘work in progress.’’ To learn the current status of any Internet-Draft, please check the ‘‘1id-abstracts.txt’ ’ listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast). All RFCs are required to have a Security Considerations section. Historically, such sections have been relatively weak. This document provides guidelines to RFC authors on how to write a good Security Considerations section. 1.
A Framework for Password-Based Authenticated Key Exchange
- in Cryptology — Eurocrypt 2003, LNCS
, 2003
"... In this paper we present a general framework for password-based authenticated key exchange protocols, in the common reference string model. Our protocol is actually an abstraction of the key exchange protocol of Katz et al. and is based on the recently introduced notion of smooth projective hashi ..."
Abstract
-
Cited by 81 (2 self)
- Add to MetaCart
(Show Context)
In this paper we present a general framework for password-based authenticated key exchange protocols, in the common reference string model. Our protocol is actually an abstraction of the key exchange protocol of Katz et al. and is based on the recently introduced notion of smooth projective hashing by Cramer and Shoup. We gain a number of benefits from this abstraction. First, we obtain a modular protocol that can be described using just three highlevel cryptographic tools. This allows a simple and intuitive understanding of its security.
A Real-World Analysis of Kerberos Password Security
, 1999
"... Kerberos is a distributed authentication system that many organizations use to handle domain-wide password security. Although it has been known for quite some time that Kerberos is vulnerable to brute-force password searches, there has so far been little analysis of the scope and extent of this vuln ..."
Abstract
-
Cited by 69 (0 self)
- Add to MetaCart
Kerberos is a distributed authentication system that many organizations use to handle domain-wide password security. Although it has been known for quite some time that Kerberos is vulnerable to brute-force password searches, there has so far been little analysis of the scope and extent of this vulnerability. This paper discusses the natureofthis weakness in detail and attempts to quantify the severity of the danger it poses to existing Kerberized installations. The results of a controlled experiment, in which a large number of passwords from a Kerberos realm were broken o#-line and subjected to analysis, will be presented. The author explores possible strategies for repairing this security hole, the most viable of which is the use of Kerberos V5 preauthentication coupled with a secure password authentication protocol such as SRP, SPEKE, or EKE. 1 Introduction Kerberos #18#, developed at MIT about ten years ago, was an authentication infrastructure designed to assure the security of ...
Networked Cryptographic Devices Resilient to Capture
- Preliminary version in IEEE Security and Privacy
, 2003
"... We present a simple technique by which a device that performs private key operations (signatures or decryptions) in networked applications, and whose local private key is activated with a password or PIN, can be immunized to offline dictionary attacks in case the device is captured. Our techniques d ..."
Abstract
-
Cited by 54 (13 self)
- Add to MetaCart
We present a simple technique by which a device that performs private key operations (signatures or decryptions) in networked applications, and whose local private key is activated with a password or PIN, can be immunized to offline dictionary attacks in case the device is captured. Our techniques do not assume tamper resistance of the device, but rather exploit the networked nature of the device, in that the device’s private key operations are pe formed using a simple interaction with a remote sewer: This sewer; however; is untrusted-its compromise does not reduce the securiv of the device’s private key unless the device is also captured-and need not have a prior relationship with the device. We further extend this approach with support for key disabling, by which the rightj‘ul owner of a stolen device can disable the device’s private key even if the attacker already knows the user’s password. 1.
Server-Assisted Generation of a Strong Secret from a Password
- In Proceedings of the IEEE 9th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises
, 2000
"... A roaming user, who accesses a network from different client terminals, can be supported by a credentials server that authenticates the user by password then assists in launching a secure environment for the user. However, traditional credentials server designs are vulnerable to exhaustive password ..."
Abstract
-
Cited by 54 (0 self)
- Add to MetaCart
A roaming user, who accesses a network from different client terminals, can be supported by a credentials server that authenticates the user by password then assists in launching a secure environment for the user. However, traditional credentials server designs are vulnerable to exhaustive password guessing attack at the server. We describe a new credentials server model and supporting protocol that overcomes that deficiency. The protocol provides for securely generating a strong secret from a weak secret (password), based on communications exchanges with two or more independent servers. The result can be leveraged in various ways, for example, the strong secret can be used to decrypt an encrypted private key or it can be used in strongly authenticating to an application server. The protocol has the properties that a would-be attacker cannot feasibly compute the strong secret and has only a limited opportunity to guess the password, even if he or she has access to all messages and has control over some, but not all, of the servers.
Authenticated ID-based key exchange and remote log-in with simple token and PIN number.
- IACR Cryptology ePrint Archive,
, 2002
"... ..."
(Show Context)
Password-authenticated key exchange based on RSA
, 2000
"... Abstract. There have been many proposals in recent years for passwordauthenticated key exchange protocols.Many of these have been shown to be insecure, and the only ones that seemed likely to be proven secure (against active adversaries who may attempt to perform off-line dictionary attacks against ..."
Abstract
-
Cited by 52 (10 self)
- Add to MetaCart
Abstract. There have been many proposals in recent years for passwordauthenticated key exchange protocols.Many of these have been shown to be insecure, and the only ones that seemed likely to be proven secure (against active adversaries who may attempt to perform off-line dictionary attacks against the password) were based on the Diffie-Hellman problem.In fact, some protocols based on Diffie-Hellman have been recently proven secure in the random-oracle model.We examine how to design a provably-secure password-authenticated key exchange protocol based on RSA.We first look at the OKE and protected-OKE protocols (both RSA-based) and show that they are insecure.Then we show how to modify the OKE protocol to obtain a password-authenticated key exchange protocol that can be proven secure (in the random oracle model). The resulting protocol is very practical; in fact the basic protocol requires about the same amount of computation as the Diffie-Hellman-based protocols or the well-known ssh protocol.
