A Method for Making Password-Based Key Exchange Resilient to Server Compromise

@inproceedings{Gentry2006AMF,
  title={A Method for Making Password-Based Key Exchange Resilient to Server Compromise},
  author={Craig Gentry and Philip D. MacKenzie and Zulfikar Ramzan},
  booktitle={CRYPTO},
  year={2006}
}
This paper considers the problem of password-authenticated key exchange (PAKE) in a client-server setting, where the server authenticates using a stored password file, and it is desirable to maintain some degree of security even if the server is compromised. A PAKE scheme is said to be resilient to server compromise if an adversary who compromises the server must at least perform an offline dictionary attack to gain any advantage in impersonating a client. (Of course, offline dictionary attacks…
Round-Reduced Modular Construction of Asymmetric Password-Authenticated Key Exchange
TLDR
Encrypted PAKE literature addresses the password-only setting, without assuming certified public keys, but it commonly does not address the asymmetric PAKE setting which is required for client-to-server authentication.
Robust Authenticated Key Exchange Using Passwords and Identity-Based Signatures
TLDR
New authenticated key exchange (AKE) protocols are proposed from a combination of identity-based signature (IBS) and password-based authentication, allowing a client to execute a convenient authentication by using only a human-memorable password and a server's identity.
A Verifier-Based Password-Authenticated Key Exchange Using Tamper-Proof Hardware
TLDR
This paper transforms the Katz–Vaikuntanathan one-round PAKE into a two-round VPAKE so as to instill resilience to server compromises, and provides a formal definition of VPAKE using tamper-proof hardware and a security proof without random oracles.
OPAQUE: An Asymmetric PAKE Protocol Secure Against Pre-Computation Attacks
TLDR
Asymmetric PAKE (aPAKE) strengthens this notion for the more common client-server setting where the server stores a mapping of the password and security is required even upon server compromise, that is, the only allowed attack in this case is an (inevitable) offline exhaustive dictionary attack against individual user passwords.
Strong Asymmetric PAKE based on Trapdoor CKEM
TLDR
Recently, Jarecki, Krawczyk, and Xu formalized a Universally Composable strong aPAKE (saPAKE) that requires the password hash to be salted so that the dictionary attack can only start after the server compromise leaks the salt and the salted hash.
Two-factor Password-authenticated Key Exchange with End-to-end Security
TLDR
This work presents a secure two-factor authentication scheme based on the user’s possession of a password and a crypto-capable device, and shows an efficient instantiation of this modular construction, which utilizes any password-based client-server authentication method, with or without reliance on public-key infrastructure.
Blind Password Registration for Verifier-based PAKE
TLDR
The Blind Password Registration protocol can directly be used to replace ZKPPC-based registration procedure for existing VPAKE protocols and it is shown that BPR protocols can be modelled and realised simpler and significantly faster without using them as a building block.
Zero-Knowledge Password Policy Checks and Verifier-Based PAKE
TLDR
A reversible mapping of ASCII characters to integers that can be used to preserve the structure of the password string and a new randomized password hashing scheme for ASCII-based passwords are introduced.
Verifier-Based Password-Authenticated Key Exchange: New Models and Constructions
TLDR
This paper formally defines some properties for the transform (password hashing) applied to the password for storage on the server side, and enhances the Bellare-Pointcheval-Rogaway game-based model for PAKE to VPAKE protocols, in such a way that it allows a VPAKE protocol to be secure in the standard model.
Separating Standard and Asymmetric Password-Authenticated Key Exchange
  • Julia Hesse
  • Computer Science
  • IACR Cryptol. ePrint Arch.
  • 2019
TLDR
It is proved that a strong assumption like a programmable random oracle is necessary to achieve security of asymmetric PAKE in the Universal Composability (UC) framework, and it is demonstrated that reliance on a programmable random oracle hinders construction of multi-party aPAKE protocols from 2-party protocols via UC composition.

References

SHOWING 1-10 OF 70 REFERENCES
Threshold Password-Authenticated Key Exchange
TLDR
This paper proposes an efficient password-authenticated key exchange system involving a set of servers with known public keys, in which a certain threshold of servers must participate in the authentication of a user, and in which the compromise of any fewer than that threshold of servers does not allow an attacker to perform an off-line dictionary attack.
Provably Secure Threshold Password-Authenticated Key Exchange
TLDR
This work presents two protocols for threshold password authenticated key exchange, the first protocols which are provably secure in the standard model (i.e. no random oracles are used for the proof of security).
Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman
TLDR
This work presents a new protocol called PAK, which is the first Diffie-Hellman-based password-authenticated key exchange protocol to provide a formal proof of security (in the random oracle model) against both passive and active adversaries.
Two-Server Password-Only Authenticated Key Exchange
TLDR
This work shows a two-server protocol for the important password-only setting (in which the user need remember only a password, and not the servers' public keys), and is the first provably-secure two-server protocol (in any setting) with a proof of security in the standard model.
Server-assisted generation of a strong secret from a password
  • W. Ford, B. Kaliski
  • Computer Science
  • Proceedings IEEE 9th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WET ICE 2000)
  • 2000
TLDR
This work describes a credentials server model and supporting protocol that overcomes the vulnerability to exhaustive password guessing attacks at the server, and provides for securely generating a strong secret from a weak secret (password) based on communications exchanges with two or more independent servers.
Password Authentication Using Multiple Servers
TLDR
This work presents a multi-server roaming protocol in a simpler model without this need for a prior secure channel, which requires fewer security assumptions, improves performance with comparable cryptographic assumptions, and better handles human errors in password entry.
Authenticated Key Exchange Secure against Dictionary Attacks
TLDR
Correctness for the idea at the center of the Encrypted Key-Exchange (EKE) protocol of Bellovin and Merritt is proved: security is proved, in an ideal-cipher model, for the two-flow protocol at the core of EKE.
Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords
TLDR
This work shows an efficient, 3-round, password-authenticated key exchange protocol with human-memorable passwords which is provably secure under the Decisional Diffie-Hellman assumption, yet requires only (roughly) 8 times more computation than "standard" Diffie-Hellman key exchange (which provides no authentication at all).
Extended password key exchange protocols immune to dictionary attack
  • David P. Jablon
  • Computer Science
  • Proceedings of IEEE 6th Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises
  • 1997
TLDR
A new extension to further limit exposure to theft of a stored password-verifier is described, and it is applied to several protocols including the Simple Password Exponential Key Exchange (SPEKE).
Authentication and Key Agreement Via Memorable Passwords
TLDR
This paper presents a new password authentication and key agreement protocol called AMP in a provable manner that provides password-verifier-based authentication and Diffie-Hellman-based key agreement, securely and efficiently.