Abstract. We present a novel approach to improving the security of passwords. In our approach, the legitimate user’s typing patterns (e.g., durations of keystrokes and latencies between keystrokes) are combined with the user’s password to generate a hardened password that is convincingly more secure than conventional passwords alone. In addition, our scheme automatically adapts to gradual changes in a user’s typing patterns while maintaining the same hardened password across multiple logins, for use in file encryption or other applications requiring a long-term secret key. Using empirical data and a prototype implementation of our scheme, we give evidence that our approach is viable in practice, in terms of ease of use, improved security, and performance.

Rights to individual papers remain with the author or the author's employer. Permission is granted for noncommercial reproduction of the work for educational or research purposes. This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein.

Abstract. There have been many proposals in recent years for passwordauthenticated key exchange protocols.Many of these have been shown to be insecure, and the only ones that seemed likely to be proven secure (against active adversaries who may attempt to perform off-line dictionary attacks against the password) were based on the Diffie-Hellman problem.In fact, some protocols based on Diffie-Hellman have been recently proven secure in the random-oracle model.We examine how to design a provably-secure password-authenticated key exchange protocol based on RSA.We first look at the OKE and protected-OKE protocols (both RSA-based) and show that they are insecure.Then we show how to modify the OKE protocol to obtain a password-authenticated key exchange protocol that can be proven secure (in the random oracle model). The resulting protocol is very practical; in fact the basic protocol requires about the same amount of computation as the Diffie-Hellman-based protocols or the well-known ssh protocol.

We present a simple technique by which a device that performs private key operations (signatures or decryptions) in networked applications, and whose local private key is activated with a password or PIN, can be immunized to offline dictionary attacks in case the device is captured. Our techniques do not assume tamper resistance of the device, but rather exploit the networked nature of the device, in that the device’s private key operations are pe formed using a simple interaction with a remote sewer: This sewer; however; is untrusted-its compromise does not reduce the securiv of the device’s private key unless the device is also captured-and need not have a prior relationship with the device. We further extend this approach with support for key disabling, by which the rightj‘ul owner of a stolen device can disable the device’s private key even if the attacker already knows the user’s password. 1.

In this paper we give a detailed formal description of the PAK password-authenticated key exchange protocol and some variants, and provide provide complete proofs of security which we believe are more straight-forward than the original proofs. We also show a new general method (called the Z-method) for making these protocols resilient to server-compromise, so as to not allow an attacker that obtains password verification data from a server to then impersonate a user. When this method is applied to PAK, we call the resulting protocol PAKZ. Finally, we discuss the current state-of-the-art in password-authenticated key exchange, with respect to both theory and practice.

This paper presents a new password authentication and key agreement protocol called AMP in a provable manner. The intrinsic problem with password authentication is a password, associated with each user, has low entropy so that (1) the password is hard to transmit securely over an insecure channel and (2) the password file is hard to protect. Our solution to this complex problem is the amplified password proof idea along with the amplified password file. A party commits the high entropy information and amplifies her password with that information in the amplified password proof. She never shows any information except that she knows it for her proof. Our amplified password proof idea is similar to the zero-knowledge proof in that sense. A server stores amplified verifiers in the amplified password file that is secure against a server file compromise and a dictionary attack. AMP mainly provides the passwordverifier based authentication and the Diffie-Hellman based key agreement, securely and efficiently. AMP is simple and actually the most efficient protocol among the related protocols. 1.

SSL is the de-facto standard today for securing end-to-end transport on the Internet. While the protocol itself seems rather secure, there are a number of risks that lurk in its use, e.g., in web banking. However, the adoption of password-based key-exchange protocols can overcome some of these problems. We propose the integration of such a protocol (DH-EKE) in the TLS protocol, the standardization of SSL by IETF. The resulting protocol provides secure mutual authentication and key establishment over an insecure channel. It does not have to resort to a PKI or keys and certicates stored on the users computer. Additionally, its integration in TLS is as minimal and non-intrusive as possible.

The paper is to address the following issues: 1) Although new password techniques have emerged, the use of proactive password checking is still a desirable method to improve systems security in the real world. 2) The state of the proactive password checking art will be surveyed, identifying its key rationale. In many cases, current proactive checking algorithms are designed to stop dictionary attacks, but fail to prevent some other weak passwords with low entropy. 3) A new approach designed to deal with these weak passwords by measuring entropy will be outlined, along with a simple example demonstrating how to achieve this.

Submission to IEEE P1363a A password authentication protocol called SNAPI is proposed for inclusion in the P1363a document. SNAPI provides mutual authentication between a client and server based solely on a password, and does not require the client to store any other information (except the code that runs the protocol). SNAPI is the rst protocol of this type that is provably secure against active adversaries (i.e., adversaries that can not only eavesdrop on communication, but also impersonate parties and replay messages), and in particular, does not reveal any information to active adversaries that would allow an o-line dictionary attack on the password. Security is proven in the random-oracle model and is based on the security of RSA. SNAPI also provides for key exchange (as secure as Di e-Hellman), allowing a secure session to be initiated. Avariant, SNAPI-X, is also proposed, in which the server stores a one-way function of the password, and does not allow anadversary who compromises the server to impersonate a client (without actually running a dictionary attack on the password le). The protocols described in this contribution are from the paper, Secure Network Authenti-cation with Password Identi cation [MS].

. We give the rst proof of security for the full Unix password hashing algorithm (rather than of a simplied variant). Our results show that it is very good at extracting almost all of the available strength from the underlying cryptographic primitive and provide good reason for condence in the Unix construction. 1 Introduction This paper examines the security of the Unix password hashing algorithm, the core of the Unix password authentication protocol [14]. Although the algorithm has been conjectured cryptographically secure, after two decades and deployment in millions of systems worldwide it still has not been proven to resist attack. In this paper, we provide the rst practical proof of security (under some reasonable cryptographic assumptions) for the Unix algorithm. The hashing algorithm is a fairly simple application of DES, perhaps the bestknown block cipher available to the public. Since DES has seen many man-years of analysis, in an ideal world we might hope for a pr...