Anonymous Password-Based Authenticated Key Exchange

Viet, Duong Quang; Yamamura, Akihiro; Tanaka, Hidema

doi:10.1007/11596219_20

Cited by 37 publications

(42 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Cui and Cao proposed an anonymous authentication and key exchange protocol based on ring signatures [26]. Viet et al proposed a password-based anonymous authentication key exchange protocol [36]. Yang and Zhang improved Viet et al's scheme with another anonymous password-based key exchange protocol [37].…”

Section: Related Workmentioning

confidence: 99%

Key Exchange with Anonymous Authentication Using DAA-SIGMA Protocol

Walker

2011

Trusted Systems

View full text Add to dashboard Cite

Abstract. Anonymous digital signatures such as Direct Anonymous Attestation (DAA) and group signatures have been a fundamental building block for anonymous entity authentication. In this paper, we show how to incorporate DAA schemes into a key exchange protocol between two entities to achieve anonymous authentication and to derive a shared key between them. We propose a modification to the SIGMA key exchange protocol used in the Internet Key Exchange (IKE) standards to support anonymous authentication using DAA. Our key exchange protocol can be also extended to support group signature schemes instead of DAA. We present a secure model for key exchange with anonymous authentication derived from the Canetti-Krawczyk key-exchange security model. We prove that our DAA-SIGMA protocol is secure under our security model.

show abstract

Section: Related Workmentioning

confidence: 99%

Key Exchange with Anonymous Authentication Using DAA-SIGMA Protocol

Walker

2011

Trusted Systems

View full text Add to dashboard Cite

show abstract

“…This information may reflect the client's life pattern and sometimes can be used for spam mails. For this problem, Viet et al, [25] proposed an anonymous PAKE (APAKE) protocol and its threshold construction † (t-outof-n APAKE) both of which simply combine a PAKE protocol [1] for generating secure channels with an Oblivious Transfer (OT) protocol [7], [24] for client's anonymity. The client anonymity is guaranteed against an outside adversary as well as a passive server, who follows the protocol honestly but it is curious about identity of the client involved with the protocol.…”

Section: Copyright C 2011 the Institute Of Electronics Information Amentioning

confidence: 99%

“…The client anonymity is guaranteed against an outside adversary as well as a passive server, who follows the protocol honestly but it is curious about identity of the client involved with the protocol. In [22], Shin et al, pointed out that the t-out-of-n APAKE protocol [25] is insecure against an outside adversary (i.e., doing off-line dictionary attacks). Also, they proposed an anonymous PAKE (TAP (t = 1)) protocol and its threshold (TAP (t > 1)) which are only based on the PAKE protocol [1], and showed that their protocols are secure against an outside adversary.…”

Section: Copyright C 2011 the Institute Of Electronics Information Amentioning

confidence: 99%

See 1 more Smart Citation

Threshold Anonymous Password-Authenticated Key Exchange Secure against Insider Attacks

Shin

Kobara

Imai

2011

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYAn anonymous password-authenticated key exchange (PAKE) protocol is designed to provide both password-only authentication and client anonymity against a semi-honest server, who honestly follows the protocol. In INDOCRYPT2008, Yang and Zhang [26] proposed a new anonymous PAKE (NAPAKE) protocol and its threshold (D-NAPAKE) which they claimed to be secure against insider attacks. In this paper, we first show that the D-NAPAKE protocol [26] is completely insecure against insider attacks unlike their claim. Specifically, only one legitimate client can freely impersonate any subgroup of clients (the threshold t > 1) to the server. After giving a security model that captures insider attacks, we propose a threshold anonymous PAKE (called, TAP + ) protocol which provides security against insider attacks. Moreover, we prove that the TAP + protocol has semantic security of session keys against active attacks as well as insider attacks under the computational Diffie-Hellman problem, and provides client anonymity against a semi-honest server, who honestly follows the protocol. Finally, several discussions are followed: 1) We also show another threshold anonymous PAKE protocol by applying our Rationale to the non-threshold anonymous PAKE (VEAP) protocol [23]; and 2) We give the efficiency comparison, security consideration and implementation issue of the TAP + protocol. key words: password-authenticated key exchange, passwords, on-line/offline dictionary attacks, anonymity, insider attacks, provable security

show abstract

“…At Indocrypt 2005, Viet et al, [22] have proposed an anonymous password-authenticated key exchange (PAKE) protocol and its threshold construction both of which are designed for client's password-based authentication and anonymity against a passive server, who does not deviate the protocol. In this paper, we first point out that their threshold construction is completely insecure against off-line dictionary attacks.…”

mentioning

confidence: 99%

A Secure Threshold Anonymous Password-Authenticated Key Exchange Protocol

Shin

Kobara

Imai

Advances in Information and Computer Security

View full text Add to dashboard Cite

Abstract. At Indocrypt 2005, Viet et al., [22] have proposed an anonymous password-authenticated key exchange (PAKE) protocol and its threshold construction both of which are designed for client's password-based authentication and anonymity against a passive server, who does not deviate the protocol. In this paper, we first point out that their threshold construction is completely insecure against off-line dictionary attacks. For the threshold t > 1, we propose a secure threshold anonymous PAKE (for short, TAP) protocol with the number of clients n upper-bounded, such that n ≤ 2 √ N − 1 − 1, where N is a dictionary size of passwords. We rigorously prove that the TAP protocol has semantic security of session keys in the random oracle model by showing the reduction to the computational Diffie-Hellman problem. In addition, the TAP protocol provides unconditional anonymity against a passive server. For the threshold t = 1, we propose an efficient anonymous PAKE protocol that significantly improves efficiency in terms of computation costs and communication bandwidth compared to the original (not threshold) anonymous PAKE protocol [22].Key words: password authentication, key exchange, PAKE, anonymity, provable security At Indocrypt 2008, Yang and Zhang [25] have shown two attacks on the TAP (threshold t ≥ 2) protocol, and then proposed the NAPAKE (i.e., t = 1) and D-NAPAKE (i.e., t ≥ 2) protocols. Here, we add some comments on their paper [25]. PrefaceAbout two attacks on the TAP (t ≥ 2) protocol. In [25], they showed two insider attacks on legitimate clients in the TAP (t ≥ 2) protocol. However, we proved AKE security and unilateral authentication of the TAP (t ≥ 2) protocol against an adversary A / ∈ {C 1 , · · · , C n , S} where C = {C 1 , · · · , C n } is a set of all clients and S is the server (see the security model in Section 4). Of course, we agree that considering insider attacks and finding a solution are one of the research directions in cryptography. In Appendix B, we give a simple countermeasure for the TAP (t ≥ 2) protocol against the two attacks (i.e., impersonation attack and off-line dictionary attack). In fact, we considered keyword search as an application of the TAP (t ≥ 2) protocol and, in such applications, the off-line dictionary attack of legitimate clients is not possible because each share doesn't need to be transmitted to other parties.The D-NAPAKE protocol is not threshold anonymous PAKE! In Appendix C, we show an attack on the D-NAPAKE (i.e., t ≥ 2) protocol of [25] where only one legitimate client can impersonate any subgroup of clients to the server. That actually means that the D-NAPAKE (t ≥ 2) protocol is NOT a threshold anonymous PAKE protocol unlike the author's claim. This is the full version of [20].

show abstract

Anonymous Password-Based Authenticated Key Exchange

Cited by 37 publications

References 15 publications

Key Exchange with Anonymous Authentication Using DAA-SIGMA Protocol

Key Exchange with Anonymous Authentication Using DAA-SIGMA Protocol

Threshold Anonymous Password-Authenticated Key Exchange Secure against Insider Attacks

A Secure Threshold Anonymous Password-Authenticated Key Exchange Protocol

Contact Info

Product

Resources

About