Encrypted key exchange: password-based protocols secure against dictionary attacks

Bellovin, Steven M.; Merritt, Michael

doi:10.1109/risp.1992.213269

Cited by 922 publications

(755 citation statements)

References 13 publications

Supporting

Mentioning

749

Contrasting

Unclassified

Order By: Relevance

“…The problem of off-line attacks in password-authenticated protocols was first noted by Bellovin and Merritt [7], followed by a flurry of work in the security community providing additional solutions with heuristic arguments for their security (see [11] for exhaustive references). More recently, two formal models for password-authenticated key exchange have been proposed: one by Bellare, Pointcheval, and Rogaway [3], based on [4,6] with extensions suggested by [21]; and a second by Boyko, MacKenzie, and Patel [10], following [2] with extensions given in [28].…”

Section: Previous Workmentioning

confidence: 99%

Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords

Katz

Ostrovsky²,

Yung

2001

Lecture Notes in Computer Science

316

248

View full text Add to dashboard Cite

Abstract. There has been much interest in password-authenticated keyexchange protocols which remain secure even when users choose passwords from a very small space of possible passwords (say, a dictionary of English words). Under this assumption, one must be careful to design protocols which cannot be broken using off-line dictionary attacks in which an adversary enumerates all possible passwords in an attempt to determine the correct one. Many heuristic protocols have been proposed to solve this important problem. Only recently have formal validations of security (namely, proofs in the idealized random oracle and ideal cipher models) been given for specific constructions [3,10,22].Very recently, a construction based on general assumptions, secure in the standard model with human-memorable passwords, has been proposed by Goldreich and Lindell [17]. Their protocol requires no public parameters; unfortunately, it requires techniques from general multi-party computation which make it impractical. Thus, [17] We show an efficient, 3-round, password-authenticated key exchange protocol with human-memorable passwords which is provably secure under the Decisional Diffie-Hellman assumption, yet requires only (roughly) 8 times more computation than "standard" Diffie-Hellman key exchange [14] (which provides no authentication at all). We assume public parameters available to all parties. We stress that we work in the standard model only, and do not require a "random oracle" assumption.

show abstract

Section: Previous Workmentioning

confidence: 99%

Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords

Katz

Ostrovsky²,

Yung

2001

Lecture Notes in Computer Science

316

248

View full text Add to dashboard Cite

show abstract

“…The first protocol suggested for password-based session-key generation was by Bellovin and Merritt [5]. This work was very influential and became the basis for much future work in this area [6,34,24,27,31,35].…”

Section: Comparison To Prior Workmentioning

confidence: 99%

“…This work was very influential and became the basis for much future work in this area [6,34,24,27,31,35]. However, these protocols have not been proven secure and their conjectured security is based on mere heuristic arguments.…”

Section: Comparison To Prior Workmentioning

confidence: 99%

Session-Key Generation Using Human Passwords Only

Goldreich

Lindell

2001

Advances in Cryptology — CRYPTO 2001

160

127

View full text Add to dashboard Cite

Abstract. We present session-key generation protocols in a model where the legitimate parties share only a human-memorizable password. The security guarantee holds with respect to probabilistic polynomial-time adversaries that control the communication channel (between the parties), and may omit, insert and modify messages at their choice. Loosely speaking, the effect of such an adversary that attacks an execution of our protocol is comparable to an attack in which an adversary is only allowed to make a constant number of queries of the form "is w the password of Party A". We stress that the result holds also in case the passwords are selected at random from a small dictionary so that it is feasible (for the adversary) to scan the entire directory. We note that prior to our result, it was not clear whether or not such protocols were attainable without the use of random oracles or additional setup assumptions.

show abstract

“…Protocols for two-party Diffie-Hellman key exchange [18] have been proposed and refined for over a decade. The seminal work in this area is the Encrypted Key Exchange (EKE) protocol proposed by Bellovin and Merritt in the early 90's [7,8]. Security researchers, however, were only recently able to come up with formal arguments to support the security of the complete suite of EKE protocols [4,1,2,11,13,14,23,24].…”

Section: Related Workmentioning

confidence: 99%

A security solution for IEEE 802.11's ad hoc mode: password-authentication and group Diffie Hellman key exchange

Bresson¹,

Chevassut²,

Pointcheval³

2007

IJWMC

View full text Add to dashboard Cite

The IEEE 802 standards ease the deployment of networking infrastructures and enable employers to access corporate networks while traveling. These standards provide two modes of communication called infrastructure and ad-hoc modes. A security solution for the IEEE 802.11's infrastructure mode took several years to reach maturity and firmware are still been upgraded, yet a solution for the ad-hoc mode needs to be specified. The present paper is a first attempt in this direction. It leverages the latest developments in the area of password-based authentication and (group) DiffieHellman key exchange to develop a provably-secure key-exchange protocol for IEEE 802.11's ad-hoc mode. The protocol allows users to securely join and leave the wireless group at time, accommodates either a single-shared password or pairwise-shared passwords among the group members, or at least with a central server; achieves security against dictionary attacks in the ideal-hash model (i.e. random-oracles). This is, to the best of our knowledge, the first such protocol to appear in the cryptographic literature.

show abstract

Encrypted key exchange: password-based protocols secure against dictionary attacks

Cited by 922 publications

References 13 publications

Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords

Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords

Session-Key Generation Using Human Passwords Only

A security solution for IEEE 802.11's ad hoc mode: password-authentication and group Diffie Hellman key exchange

Contact Info

Product

Resources

About