Authenticated Key Exchange Secure Against Dictionary Attacks
, 2000
Cited by 252 (32 self)
Password-based protocols for authenticated key exchange (AKE) are designed to work despite the use of passwords drawn from a space so small that an adversary might well enumerate, off-line, all possible passwords. While several such protocols have been suggested, the underlying theory has been lagging. We begin by defining a model for this problem, one rich enough to deal with password guessing, forward secrecy, server compromise, and loss of session keys. The one model can be used to define various goals. We take AKE (with "implicit" authentication) as the "basic" goal, and we give definitions for it, and for entity-authentication goals as well. Then we prove correctness for the idea at the center of the Encrypted Key-Exchange (EKE) protocol of Bellovin and Merritt: we prove security, in an ideal-cipher model, of the two-flow protocol at the core of EKE.
The AuthA protocol for password-based authenticated key exchange
- IEEE P1363, 2000
Cited by 42 (0 self)
We suggest a simple protocol, AuthA, for the problem of password-based authenticated key exchange (AKE). We assume the asymmetric trust model: the client A has a password pwa and the server B has a particular one-way function of this, pwb. Two flows of the protocol comprise a Diffie-Hellman key exchange, using a group on which the Diffie-Hellman problem is hard. At least one of these two flows is encrypted using the key pwb. Then an authentication tag, AuthA, is flowed from the client to the server. This tag is just the hash of some values easily computable by both parties. The server checks the received tag prior to accepting the session key. The protocol just sketched provides security against dictionary attack, and it ensures forward secrecy and client-to-server authentication. Server-to-client authentication can be added cheaply, by flowing a second authentication tag, AuthB, from server to client. Like most work in this area, our protocol springs from ideas of Bellovin and Merritt [BM92, BM93]. There has been a large body of other follow-on to this, including protocol suggestions
Performance Analysis of TLS Web Servers
- In Proceedings of the Network and Distributed Systems Security Symposium (NDSS), 2002
Authentication and Key Agreement via Memorable Password
, 2001
Cited by 25 (6 self)
This paper presents a new password authentication and key agreement protocol called AMP in a provable manner. The intrinsic problem with password authentication is that a password, associated with each user, has low entropy, so that (1) the password is hard to transmit securely over an insecure channel and (2) the password file is hard to protect. Our solution to this complex problem is the amplified password proof idea along with the amplified password file. A party commits the high entropy information and amplifies her password with that information in the amplified password proof. She never shows any information except that she knows it for her proof. Our amplified password proof idea is similar to the zero-knowledge proof in that sense. A server stores amplified verifiers in the amplified password file that is secure against a server file compromise and a dictionary attack. AMP mainly provides the password-verifier based authentication and the Diffie-Hellman based key agreement, securely and efficiently. AMP is simple and actually the most efficient protocol among the related protocols.
Security proofs for an efficient password-based key exchange
- In ACM Conference on Computer and Communications Security, 2003
Cited by 25 (8 self)
Password-based key exchange schemes are designed to provide entities communicating over a public network, and sharing a (short) password only, with a session key (e.g., the key is used for data integrity and/or confidentiality). The focus of the present paper is on the analysis of very efficient schemes that have been proposed to the IEEE P1363 Standard working group on password-based authenticated key-exchange methods, but for which actual security was an open problem. We analyze the AuthA key exchange scheme and give a complete proof of its security. Our analysis shows that the AuthA protocol and its multiple modes of operation are provably secure under the computational Diffie-Hellman intractability assumption, in both the random-oracle and the ideal-cipher models.
Provably secure password-based authentication in TLS
- ACM Symposium on Information, Computer and Communications Security (ASIACCS'06), 2006
Cited by 10 (3 self)
In this paper, we show how to design an efficient, provably secure password-based authenticated key exchange mechanism specifically for the TLS (Transport Layer Security) protocol. The goal is to provide a technique that allows users to employ (short) passwords to securely identify themselves to servers. As our main contribution, we describe a new password-based technique for user authentication in TLS, called Simple Open Key Exchange (SOKE). Loosely speaking, the SOKE ciphersuites are unauthenticated Diffie-Hellman ciphersuites in which the client's Diffie-Hellman ephemeral public value is encrypted using a simple mask generation function. The mask is simply a constant value raised to the power of (a hash of) the password. The SOKE ciphersuites, in advantage over previous password-based authentication ciphersuites for TLS, combine the following features. First, SOKE has formal security arguments; the proof of security based on the computational Diffie-Hellman assumption is in the random oracle model, and holds for concurrent executions and for arbitrarily large password dictionaries. Second, SOKE is computationally efficient; in particular, it only needs operations in a sufficiently large prime-order subgroup for its Diffie-Hellman computations (no safe primes). Third, SOKE provides good protocol flexibility because the user identity and password are only
Three-Party Encrypted Key Exchange without Server Public-Keys
- IEEE Communications Letters, 2001
Cited by 8 (0 self)
Three-party key-exchange protocols with password authentication (clients share an easy-to-remember password with a trusted server only) are very suitable for applications requiring secure communications between many light-weight clients (end users); it is simply impractical that every two clients share a common secret. In 1995, Steiner, Tsudik and Waidner proposed a realization of such a three-party protocol based on the Encrypted Key Exchange (EKE) protocols. However, their protocol was later demonstrated to be vulnerable to off-line and undetectable on-line guessing attacks. In 2000, Lin, Sun and Hwang proposed a secure three-party protocol with server public-keys. However, the approach of using server public-keys is not always a satisfactory solution and is impractical for some environments. In this article, we propose a secure three-party EKE protocol without server public-keys.
Secure Password-Based Authenticated Key Exchange For Web Services
- Proceedings of the ACM Workshop on Secure Web Services (SWS), 2004
Cited by 6 (2 self)
This paper discusses an implementation of an authenticated key-exchange method (AuthA) rendered on message primitives defined in the WS-Trust and WS-SecureConversation specifications. This IEEE-specified cryptographic method is proven-secure for password-based authentication and key exchange, while WS-Trust and WS-SecureConversation are emerging Web Services Security specifications that extend the standardized WS-Security specification. A prototype of the presented protocol is integrated in the WS-ResourceFramework-compliant Globus Toolkit V4. Further hardening of the implementation is expected to result in a version that will be shipped with future Globus Toolkit releases. This could help address the current unavailability of decent shared-secret-based authentication options in the Web Services and Grid world. Future work will also be dedicated to integrating One-Time-Password (OTP) features in the authentication protocol.
A certificate-free grid security infrastructure supporting password-based user authentication
- In Proceedings of the 6th Annual PKI R&D Workshop 2007. NIST Interagency Report, 2007
Cited by 4 (4 self)
Password-based authentication is still the most widely used authentication mechanism, largely because of the ease with which it can be understood by end users and implemented. In this paper, we propose a security infrastructure for grid applications, in which users are authenticated using passwords. Our infrastructure allows users to perform single sign-on based only on passwords, without requiring a public key infrastructure. Nevertheless, our infrastructure supports essential grid security services, such as mutual authentication and delegation, using public key cryptographic techniques. Moreover, hosting servers in our infrastructure are not required to have public key certificates, meaning mutual authentication and delegation of proxy credentials can be performed in a lightweight and efficient manner.
SSL/TLS Session-Aware User Authentication: Or How to Effectively Thwart the Man-in-the-Middle
- Computer Communications, 2006
Cited by 2 (0 self)
Man-in-the-middle attacks pose a serious threat to SSL/TLS based electronic commerce applications, such as Internet banking. In this paper, we argue that most deployed user authentication mechanisms fail to provide protection against this type of attack, even when they run on top of SSL/TLS. As a possible countermeasure, we introduce the notion of SSL/TLS session-aware user authentication, and present different possibilities for implementing it. More specifically, we start with a basic implementation that employs impersonal authentication tokens. Afterwards, we address extensions and enhancements and discuss possibilities for implementing SSL/TLS session-aware user authentication in software.