Security analysis of a password-based authentication protocol proposed to IEEE 1363

@article{Zhao2006SecurityAO,
  title={Security analysis of a password-based authentication protocol proposed to IEEE 1363},
  author={Zhu Zhao and Zhongqi Dong and Yongge Wang},
  journal={ArXiv},
  year={2006},
  volume={abs/1207.5442}
}

J-PAKE: Authenticated Key Exchange without PKI

  • F. HaoP. Ryan
  • Computer Science, Mathematics
    Trans. Comput. Sci.
  • 2010
TLDR
This paper demonstrates how to effectively integrate the ZKP into the protocol design and meanwhile achieve good efficiency, and presents a new PAKE solution called J-PAKE, which has comparable computational efficiency to the EKE and SPEKE schemes with clear advantages on security.

Password Authenticated Key Exchange by Juggling

  • F. HaoP. Ryan
  • Computer Science, Mathematics
    Security Protocols Workshop
  • 2008
TLDR
The J-PAKE protocol achieves mutual authentication in two steps: first, two parties send ephemeral public keys to each other; second, they encrypt the shared password by juggling the public keys in a verifiable way, and is zero-knowledge as it reveals nothing except one-bit information: whether the supplied passwords at two sides are the same.

Offline Dictionary Attack on Password Authentication Schemes Using Smart Cards

TLDR
It is shown that, under their non-tamper-resistance assumption of the smart cards, both schemes are still prone to offline dictionary attack, which indicates that compromising a single factor i.e., the smart card of these two schemes leads to the downfall of both factors, thereby invalidating their claim of preserving two-factor security.

Robust Smart Card based Password Authentication Scheme against Smart Card Security Breach ⋆

TLDR
It is demonstrated that PSCAV still cannot achieve the claimed security goals and is vulnerable to an offline password guessing attack and other attacks in the Type III security mode, while PSCAb has several practical pitfalls and is proven to be secure in the random oracle model.

SoK: Password-Authenticated Key Exchange -- Theory, Practice, Standardization and Real-World Lessons

TLDR
A thorough and systematic review of the field, a summary of the state-of-the-art, a taxonomy to categorize existing protocols, and a comparative analysis of protocol performance using representative schemes from each taxonomy category are provided.

Computing Science Password Authenticated Key Exchange by Juggling Password Authenticated Key Exchange by Juggling Bibliographical Details Password Authenticated Key Exchange by Juggling

  • P. Ryan
  • Computer Science, Mathematics
  • 2008
TLDR
The protocol, Password Authenticated Key Exchange by Juggling (J-PAKE), achieves mutual authentication in two steps: first, two parties send ephemeral public keys to each other; second, they encrypt the shared password by juggling the public keys in a verifiable way.

Provable Secured Hash Password Authentication

TLDR
This work developed an improved secure hash function, whose security is directly related to the syndrome decoding problem from the theory of error-correcting codes, which deters password phishing since the password received at a phishing site is not useful at any other domain.

An Efficient Identity Based Authentication Protocol by Using Password

TLDR
This paper presents a simple scheme that strengthens password-based authentication protocols and helps prevent dictionary attacks, replay attacks and man in the middle attacks etc.

Provable Secured Hash Password Authentication

The techniques such as secured socket layer (SSL) with client-side certificates are well known in the security research community, most commercial web sites rely on a relatively weak form of password

References

SHOWING 1-10 OF 28 REFERENCES

Authenticated Key Exchange Secure against Dictionary Attacks

TLDR
Correctness for the idea at the center of the Encrypted Key-Exchange protocol of Bellovin and Merritt is proved: it is proved security, in an ideal-cipher model, of the two-flow protocol at the core of EKE.

Security proofs for an efficient password-based key exchange

TLDR
The analysis of very efficient schemes that have been proposed to the IEEE P1363 Standard working group on password-based authenticated key-exchange methods shows that the AuthA protocol and its multiple modes of operations are provably secure under the computational Diffie-Hellman intractability assumption.

Number theoretic attacks on secure password schemes

  • Sarvar Patel
  • Computer Science, Mathematics
    Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097)
  • 1997
TLDR
It is shown how randomized confounders cannot protect Direct Authentication Protocol and Secret Public Key Protocol versions of a secure password scheme from attacks, and why these attacks are possible against seemingly secure protocols and what is necessary to make secure protocols.

Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman

TLDR
This work presents a new protocol called PAK, which is the first Diffie-Hellman-based password-authenticated key exchange protocol to provide a formal proof of security (in the random oracle model) against both passive and active adversaries.

The AuthA Protocol for Password-Based Authenticated Key Exchange

TLDR
A simple protocol AuthA for the problem of password based authenticated key exchange AKE that provides security against dictionary attack and it ensures for ward secrecy and client to server authentication.

Strong password-only authenticated key exchange

A new simple password exponential key exchange method (SPEKE) is described. It belongs to an exclusive class of methods which provide authentication and key establishment over an insecure channel

Secure password-based cipher suite for TLS

TLDR
This work proposes the integration of a password-based key-exchange protocol (DH-EKE) in the TLS protocol, the standardization of SSL by IETF, and the resulting protocol provides secure mutual authentication and key establishment over an insecure channel.

A Key Recovery Attack on Discrete Log-based Schemes Using a Prime Order Subgroupp

TLDR
This paper presents a key recovery attack on various discrete log-based schemes working in a prime order subgroup that may reveal part of, or the whole secret key in most Diffie-Hellman-type key exchange protocols and some applications of ElGamal encryption and signature schemes.

The Secure Remote Password Protocol

TLDR
This new protocol combines techniques of zero-knowledge proofs with asymmetric key exchange protocols and has significantly improved performance over comparably strong extended methods that resist stolen-veri er attacks such as Augmented EKE or B-SPEKE.

Open Key Exchange: How to Defeat Dictionary Attacks Without Encrypting Public Keys

  • S. Lucks
  • Computer Science, Mathematics
    Security Protocols Workshop
  • 1997
TLDR
Bellovin and Merritt proposed “encrypted key exchange” (EKE) protocols, to frustrate key-guessing attacks, which requires the use of asymmetric cryptosystems and is based on encrypting the public key, using a symmetric cipher.