## Extended Password Key Exchange Protocols Immune to Dictionary Attack (1997)

Citations: | 37 - 0 self |

### BibTeX

@MISC{Jablon97extendedpassword,

author = {David P. Jablon},

title = { Extended Password Key Exchange Protocols Immune to Dictionary Attack},

year = {1997}

}

### Years of Citing Articles

### OpenURL

### Abstract

Strong password methods verify even small passwords over a network without additional stored keys or certificates with the user, and without fear of network dictionary attack. We describe a new extension to further limit exposure to theft of a stored password-verifier, and apply it to several protocols including the Simple Password Exponential Key Exchange (SPEKE). Alice proves knowledge of a password C to Bob, who has a stored verifier S, where S=g mod p. They perform a SPEKE exchange based on the shared secret S to derive ephemeral shared key K,. Bob chooses a random X and X sends g mod p. Alice computes K2=gxc mod p, and proves knowledge of {K,,K2/. Bob vervies this result to confirm that Alice knows C. Implementation issues are summarized, showing the potential for improved pe$ormance over Bellovin & Merritt's comparably strong Augmented-Encrypted Key Exchange. These methods make the password a strong independent factor in authentication, and are suitable for both Internet and intranet use.

### Citations

351 | Encrypted key exchange: Password-based protocols secure against dictionary attacks
- Bellovin, Merritt
- 1992
(Show Context)
Citation Context ...trong independent factor in authentication, and are suitable for both Internet and intranet use. Known methods that presume both parties share the same secret include: . EKE -- Encrypted Key Exchange =-=[BM92] . The &qu-=-ot;secret public key" methods [GLNS93] . SPEKE -- Simple Password Exponential Key Exchange [Jab96], and . OKE -- Open Key Exchange [Luc97]. Use of a one-way hashed password on both sides prevents... |

129 | Augmented encrypted key exchange: A password-based protocol secure against dictionary attacks and password file compromise
- Bellovin, Merritt
- 1993
(Show Context)
Citation Context ...ut a thief who steals the hashed password from the host can use it to masquerade as the user in the protocol. One solution to this problem is the Augmented Encrypted Key Exchange (A-EKE) described in =-=[BM93]-=-. In this method the host's verifier is a one-way function of the password, which is used to verify a proof that the user knows the password, and a thief cannot use the verifier directly to masquerade... |

113 | Protecting Poorly Chosen Secrets from Guessing Attacks
- Gong, Lomas, et al.
- 1993
(Show Context)
Citation Context ...n, and are suitable for both Internet and intranet use. Known methods that presume both parties share the same secret include: . EKE -- Encrypted Key Exchange [BM92] . The "secret public key"=-=; methods [GLNS93]-=- . SPEKE -- Simple Password Exponential Key Exchange [Jab96], and . OKE -- Open Key Exchange [Luc97]. Use of a one-way hashed password on both sides prevents the need for clear-text passwords on the h... |

99 | Fast Key Exchange with Elliptic Curve Systems
- Schroeppel, Orman, et al.
- 1995
(Show Context)
Citation Context ...a computation faster than exhaustive attack on K 2 . P(K 1 , K 2 ) can use an HMAC construction. The relative performance of different DH groups in optimized software implementations was described in =-=[SOO95]-=- as running about 6 to 7 times faster in elliptic curves than a traditional Z p * version of comparable security. For example, performing a DH exponentiation on a 25 MHz SPARC IPC (roughly equal to a ... |

59 | On Di e-Hellman key agreement with short exponents - Oorschot, Wiener - 1996 |

59 | Open Key Exchange: How to Defeat Dictionary Attacks Without Encrypting Public Keys - Lucks - 1997 |

54 | Refinement and extension of encrypted key exchange
- Steiner, Tsudik, et al.
- 1995
(Show Context)
Citation Context ...imply knowledge of S. The difference between these protocols is in how the exchange is modified to incorporate S. 2.3. A-EKE Augmented-EKE has been described in [BM93, BM95], and further discussed in =-=[STW95]-=-. In this extended method, DH-EKE is used to negotiate a key K, based on shared knowledge of a secret verifier S, where S = h(C), a one-way function of the password C. In our discussion of extended me... |

41 | Theoretic Attacks on Secure Password Schemes - Patel, ”Number - 1997 |

36 | Optimal authentication protocols resistant to password guessing attacks
- Gong
- 1995
(Show Context)
Citation Context ...y exchange precludes this attack, since even a middleman with knowledge of S cannot negotiate the same key in two distinct sessions with Alice and Bob. The "optimal direct authentication protocol=-=" in [Gon95]-=- is also described in a form where both Alice and Bob contribute to the key. In this protocol, Alice chooses a random public key V A , and sends it along with k', her contribution, in a message symmet... |

34 | S.: Diffie–Hellman Oracles - Maurer, Wolf - 1996 |

14 | Dual-workfactor Encrypted Key Exchange: Efficiently Preventing Password Chaining and Dictionary Attacks - Jaspan - 1996 |

6 | Cryptographic protocol for remote authentication - Bellovin, Merritt - 1995 |

2 |
working group, "IEEE P1363 Working Draft -- Standards for Public-key Cryptography", This document is currently available at: http://stdsbbs.ieee.org/1363
- P1363
(Show Context)
Citation Context ...ral hundred bits to a thousand or two. For elliptic curve groups, it seems reasonable to allow the field size to be much smaller, due to the apparently increased difficulty of computing discrete logs =-=[P1363]-=-. There is also the issue of using short DH exponents, which has been covered in [vOW96, Jab96]. a dictionary attack is possible by a eavesdropper who could use knowledge of all possible values for K ... |

2 | Refinement and Extension of Encrypted Key Exchange", Operating Systems Review - Steiner, Tsudik, et al. - 1995 |

1 | Cryptographic Apparatus and Method", U.S. Patent #4,200,770, April 29 - Hellman, Diffie, et al. - 1980 |

1 | working group, "IEEE PI363 Working Draft -- Standards for Public-key Cryptography", This document is currently available at: http://stdsbbs.ieee.org/l363 [SO0951 - P1363 - 1995 |