This paper presents a new password authentication and key-exchange protocol suitable for authenticating users and exchanging keys over an untrusted network. The new protocol resists dictionary attacks mounted by either passive or active network intruders, allowing, in principle, even weak passphrases to be used safely. It also o ers perfect forward secrecy, which protects past sessions and passwords against future compromises. Finally, user passwords are stored in a form that is not plaintext-equivalent to the password itself, so an attacker who captures the password database cannot use it directly to compromise security and gain immediate access to the host. This new protocol combines techniques of zero-knowledge proofs with asymmetric key exchange protocols and o ers signi cantly improved performance over comparably strong extended methods that resist stolen-veri er attacks such as Augmented EKE or B-SPEKE. 1

Active Networks promise greater #exibility than current networks, but threaten safety and securityby virtue of their programmability.

Users are typically authenticated by their passwords. Because people are known to choose convenient passwords, which tend to be easy to guess, authentication protocols have been developed that protect user passwords from guessing attacks. These proposed protocols, however, use more messages and rounds than those protocols that are not resistant to guessing attacks. This paper gives new protocols that are resistant to guessing attacks and also optimal in both messages and rounds, thus refuting the previous belief that protection against guessing attacks makes an authentication protocol inherently more expensive. 1 Introduction Identifying users is an indispensable element of computer security and, because auxiliary devices such as smart-card are not likely to be ubiquitous in the foreseeable future, users have to be authenticated through their passwords. (We do not discuss authentication methods based on physical or biological technologies. ) People are known to use poorly chosen passw...

The problem of password authentication over an insecure network when the user holds only a human-memorizable password has received much attention in the literature. The first rigorous treatment was provided by Halevi and Krawczyk, who studied off-line password guessing attacks in the scenario in which the authentication server possesses a pair of private and public keys. In this work we: ffl Show the inadequacy of both the HK formalization and protocol in the case where there is more than a single user: using a simple and realistic attack, we prove failure of the HK solution in the two-user case. ffl Propose a new definition of security for the multiuser case, expressed in terms of transcripts of the entire system, rather than individual protocol executions. ffl Suggest several ways of achieving this security against both static and dynamic adversaries. In a recent revision of their paper, Halevi and Krawczyk again attempted to handle the multi-user case. We expose a weakness in their revised definition. 1

this paper appeared as [Aiello et al. 2003]

This paper takes the pairing-based tripartite key agreement protocol of Joux and develops it to produce three-party key agreement protocols offering additional security properties. We present a number of tripartite, one round, authenticated protocols related to the MTI and MQV protocols. We also present pass-optimal authenticated and key confirmed tripartite protocols that generalise the station-to-station protocol.

A contract is a non-repudiable agreement on a given contract text, i.e., a contract can be used to prove agreement between its signatories to any verifier. A contract signing scheme is used to fairly compute a contract so that, even if one of the signatories misbehaves, either both or none of the signatories obtain a contract. Optimistic contract signing protocols use a third party to ensure fairness, but in such a way that the third party is not actively involved in the fault-less case. Since no satisfactory protocols without any third party exist, this seems to be the best one can hope for. We prove tight lower bounds on the message and round complexity of optimistic contract signing on synchronous and asynchronous networks, and present new and efficient protocols based on digital signatures which achieve provably optimal efficiency. Furthermore, we investigate what can be gained if the third party participates in the contract verification.

Cryptographic protocols for key establishment normally include some means to allow participants to ensure that a key is new and not replayed from an old protocol run. When the key is generated by a mutually trusted server this is usually achieved by sending with the key a quantity known to be new. A different general method for achieving freshness in this context is proposed. A number of specific example protocols are given which have some practical advantages over previous published protocols.

We describe JFK, a new key exchange protocol, primarily designed for use in the IP Security Architecture. It is simple, efficient, and secure; we sketch a proof of the latter property. JFK also has a number of novel engineering parameters that permit a variety of trade-offs, most notably the ability to balance the need for perfect forward secrecy against susceptibility to denial-of-service attacks. 1.

Micropayments refer to low-value financial transactions ranging from several pennies to a few dollars. A big portion of electronic commerce occurring in the Internet belong to the category of micropayments. The cost of micropayments should be kept as low as possible in order for the service provider (the merchant) to profit from the low-value transactions. We propose several protocols for micropayments in distributed systems. Our main goal is to reduce the charging cost by choosing a suitable security model, a charging model, and cryptographic algorithms; and by employing the properties unique to the information goods. Our protocols satisfy the requirements of a payment system and are "cheap" in terms of computation costs, communication costs, and key management costs. We select the debit model for designing our protocols and base our protocols on the private key cryptosystems. We show that the existing authentication protocols and systems can be extended to handle micropayments in dis...