OPAQUE: An Asymmetric PAKE Protocol Secure Against Pre-Computation Attacks

@inproceedings{Jarecki2018OPAQUEAA,
  title={OPAQUE: An Asymmetric PAKE Protocol Secure Against Pre-Computation Attacks},
  author={Stanislaw Jarecki and Hugo Krawczyk and Jiayu Xu},
  booktitle={IACR Cryptol. ePrint Arch.},
  year={2018}
}
Password-Authenticated Key Exchange (PAKE) protocols allow two parties that only share a password to establish a shared key in a way that is immune to offline attacks. Asymmetric PAKE (aPAKE) strengthens this notion for the more common client-server setting where the server stores a mapping of the password and security is required even upon server compromise, that is, the only allowed attack in this case is an (inevitable) offline exhaustive dictionary attack against individual user passwords…
Strong Asymmetric PAKE based on Trapdoor CKEM
TLDR
Recently, Jarecki, Krawczyk, and Xu formalized a Universally Composable strong aPAKE (saPAKE) that requires the password hash to be salted so that the dictionary attack can only start after the server compromise leaks the salt and the salted hash.
Round-Reduced Modular Construction of Asymmetric Password-Authenticated Key Exchange
TLDR
Encrypted PAKE literature addresses the password-only setting, without assuming certified public keys, but it commonly does not address the asymmetric PAKE setting which is required for client-to-server authentication.
CRISP: Compromise Resilient Identity-based Symmetric PAKE
TLDR
This work proposes a novel notion called “Identity-based PAKE” (iPAKE) that is resilient to the compromise of one or more parties, formalizes iPAKE and siPAKE notions in the Universally Composable (UC) framework and proves CRISP’s UC-security in the Generic Group Model (GGM) and shows that each offline password guess requires at least one pairing operation.
Separating Standard and Asymmetric Password-Authenticated Key Exchange
  • Julia Hesse
  • Computer Science
  • IACR Cryptol. ePrint Arch.
  • 2019
TLDR
It is proved that a strong assumption like a programmable random oracle is necessary to achieve security of asymmetric PAKE in the Universal Composability (UC) framework, and it is demonstrated that reliance on a programmable random oracle hinders construction of multi-party aPAKE protocols from 2-party protocols via UC composition.
PARASITE: PAssword Recovery Attack against Srp Implementations in ThE wild
TLDR
This paper examines the security of the SRP implementation inside the OpenSSL library, finds that this implementation is vulnerable to offline dictionary attacks, and exploits a call to a function computing modular exponentiation of big numbers in OpenSSL to demonstrate this vulnerability.
An Offline Dictionary Attack against zkPAKE Protocol
TLDR
It is shown that the zkPAKE protocol is prone to offline password guessing attack, even in the presence of an adversary that has only eavesdropping capabilities, and should not be used as a password-authenticated key exchange mechanism.
Separating Symmetric and Asymmetric Password-Authenticated Key Exchange
TLDR
It is proved that a strong assumption like a programmable random oracle is necessary to achieve security of asymmetric PAKE in the Universal Composability (UC) framework, and usefulness is demonstrated by proving that the Ω-method proposed by Gentry et al. satisfies the authors' new security notion for asymmetric PAKE.
KHAPE: Asymmetric PAKE from Key-Hiding Key Exchange
TLDR
KHAPE is presented, a variant of OPAQUE that does not require the use of an OPRF to achieve aPAKE security, resulting in improved resilience and near-optimal computational performance.
Distributed Single Password Protocol Framework
TLDR
A framework for distributed single password protocols (DiSPP) is introduced that analyzes existing protocols, improves upon them regarding novel constructions and distributed schemes, and allows exploiting alternative cryptographic primitives to obtain secure distributed single password protocols with various trade-offs.
CHIP and CRISP: Compromise Resilient Identity-based Symmetric PAKEs
Password Authenticated Key Exchange (PAKE) protocols allow parties to establish a shared key based only on the knowledge of a low entropy password. In this work, we propose a novel notion called…

References

Showing 1-10 of 52 references
Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman
TLDR
This work presents a new protocol called PAK, which is the first Diffie-Hellman-based password-authenticated key exchange protocol to provide a formal proof of security (in the random oracle model) against both passive and active adversaries.
Augmented Password-Authenticated Key Exchange (AugPAKE)
TLDR
The AugPAKE protocol is not only provably secure in the random oracle model but also the most efficient over the previous augmented PAKE protocols (SRP and AMP).
Password-authenticated key exchange based on RSA
TLDR
This paper examines how to design a secure password-authenticated key exchange protocol based on RSA and presents an augmented protocol that is resilient to server compromise, meaning (informally) that an attacker who compromises a server would not be able to impersonate a client, at least not without running an offline dictionary attack against that client’s password.
Public-key cryptography and password protocols
TLDR
This work presents and analyzes several simple password authentication protocols, shows optimal resistance to off-line password guessing attacks under the choice of suitable public key encryption functions, and introduces the notion of public passwords that enables the use of the above protocols in situations where the client's machine does not have the means to validate the server's public key.
Authenticated Key Exchange Secure against Dictionary Attacks
TLDR
Correctness for the idea at the center of the Encrypted Key-Exchange protocol of Bellovin and Merritt is proved: security is proved, in an ideal-cipher model, of the two-flow protocol at the core of EKE.
A Method for Making Password-Based Key Exchange Resilient to Server Compromise
TLDR
Security in the universal composability framework is proved by defining a new functionality for PAKE with resilience to server compromise, specifying a protocol combining this technique with a (basic) PAKE functionality, and proving that this protocol securely realizes the new functionality.
Round-Optimal Password-Protected Secret Sharing and T-PAKE in the Password-Only Model
TLDR
A Password-Protected Secret Sharing scheme with parameters (t,n) that is secure against offline password attacks by an attacker controlling up to t servers but allows the attacker an advantage proportional to the fraction of dictionary passwords tested in on-line interactions with the user and servers.
Encrypted key exchange: password-based protocols secure against dictionary attacks
  • S. Bellovin, Michael Merritt
  • Computer Science
  • Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy
  • 1992
TLDR
A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allows two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced.
Verifier-Based Password-Authenticated Key Exchange: New Models and Constructions
TLDR
This paper formally defines some properties for the transform (password hashing) applied to the password for storage on the server side, and enhances the Bellare-Pointcheval-Rogaway game-based model for PAKE to VPAKE protocols, in such a way that it allows a VPAKE protocol to be secure in the standard model.
Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise
TLDR
Two ways to accomplish EKE augmented so that hosts do not store cleartext passwords are shown, one using digital signatures and one that relies on a family of commutative one-way functions.