## Strong password-only authenticated key exchange (1996)

Venue: | ACM Computer Communications Review |

Citations: | 164 - 0 self |

### BibTeX

@ARTICLE{Jablon96strongpassword-only,

author = {David P. Jablon and Westboro Ma},

title = {Strong password-only authenticated key exchange},

journal = {ACM Computer Communications Review},

year = {1996},

volume = {26},

pages = {5--26}

}

### Years of Citing Articles

### OpenURL

### Abstract

### Citations

351 | Encrypted key exchange: Password-based protocols secure against dictionary attacks
- Bellovin, Merritt
- 1992
(Show Context)
Citation Context ...That a small password can accomplish this alone goes against common wisdom. This is not your grandmother's network login. We compare SPEKE to the closely-related Diffie-Hellman Encrypted Key Exchange =-=[BM92]-=-, and review the potential threats and countermeasures in some detail. We show that previously-known and new attacks against both methods are thwarted when proper constraints are applied. These method... |

306 | An improved algorithm for computing logarithms over GF(p) and its cryptographic significance
- Pohlig, Hellman
- 1978
(Show Context)
Citation Context ... chosen prime modulus p is required to prevent easy shortcut solutions to the discrete log problem. When p-1 has a large prime factor q, it resists the Pohlig-Hellman discrete log attack described in =-=[PH78]-=-. A safe prime of the form p = 2q+1, is one accepted way to prevent such short-cuts. A recent analysis and survey of these issues can be found in [vOW96]. It is noted in [BM92] that if we assume that ... |

264 | Applied Cryptography, Second Edition - Schneier - 1996 |

129 | Augmented encrypted key exchange: A password-based protocol secure against dictionary attacks and password file compromise
- Bellovin, Merritt
- 1993
(Show Context)
Citation Context ...ic-key encryption are described in [BM92]. DH-EKE and SPEKE have an advantage over these in being extensible to allow the host to store a one-way hashed form of the password, in methods such as A-EKE =-=[BM94]-=-. In these extended methods, Bob uses the one-way hashed password to verify possession of the clear-text password by Alice. When using this type of extension, we make Alice compute the hashed form, an... |

113 | Protecting Poorly Chosen Secrets from Guessing Attacks
- Gong, Lomas, et al.
- 1993
(Show Context)
Citation Context ...ation of what they refer to as the Denning-Sacco Attack, where a stolen session key K is used to mount a dictionary attack on the password. The attack on the public-key flavor of EKE is also noted in =-=[GLNS93]-=-. [STW95] correctly points out that DH-EKE resists this attack (as does SPEKE). Resistance to this attack is closely related to perfect forward secrecy, which also isolates one kind of sensitive data ... |

89 |
Privacy and authentication: an introduction to cryptography
- Diffie, Hellman
- 1979
(Show Context)
Citation Context ...ttempts to find a strong password-only method. 3 Two strong password-only methods The two methods of strong password-only authentication described here are both based on a Diffie-Hellman key exchange =-=[DH79]-=-. A classic DH exchange permits two parties with no prior agreement to establish a shared secret session key. For reference, the classic DH exchange is shown in Appendix A. DH by itself does not provi... |

61 |
SPX: Global authentication using public key certificates
- Tardo, Alagappan
- 1991
(Show Context)
Citation Context ...n to a trusted host, and to obtain the user's safely stored credentials. This concept of remote storage of long-term credentials with a secure download has been used in the SPX authentication system. =-=[TA91]-=- Any device or system that uses these methods can be generic, in that it is not preprogrammed to speak only for a particular user, or to speak to any particular host. Alternative approaches using a pe... |

59 | On Di e-Hellman key agreement with short exponents
- Oorschot, Wiener
- 1996
(Show Context)
Citation Context ... time, we generate a session key for securing a subsequent authenticated session between the parties using the password. The desirability for integrated key exchange in authentication is discussed in =-=[vOW96]-=-. The basic idea is that separating the steps of authentication and key exchange creates opportunities for an attacker in the middle. Strong key exchange requires the participation of both parties, an... |

54 | Refinement and extension of encrypted key exchange
- Steiner, Tsudik, et al.
- 1995
(Show Context)
Citation Context ... theoretical importance. Other variations of the verification stage are possible. This stage is identical to that of the verification stage of DH-EKE [BM92], and variations such as those described in =-=[STW95]-=- using Q B instead of the random numbers C x in an minimal three-message refinement apply to SPEKE as well as to DH-EKE. More generally, verification of K can use any classical method, since K is cryp... |

44 | Establishing Identity Without Certification Authorities
- Ellison
- 1996
(Show Context)
Citation Context ...f which a brief historical account appears in [Sch96 pp. 54-55]. An attack on the Interlock Protocol for authentication is described in [BM93], and a recent attempt to patch this hole is described in =-=[Ell96]-=-. The Station-to-Station protocol described in [DvOW92] is interesting for the sake of comparison, although it depends on the deployment of private and public keys, in violation of our desired charact... |

36 | Optimal authentication protocols resistant to password guessing attacks
- Gong
- 1995
(Show Context)
Citation Context ...urther describes storedpublic -key-assisted protocols, and discusses guessing attacks, Kerberos login, the important concept of verifiable plaintext, which was originally introduced by these authors. =-=[Gon95]-=- describes an optimal 3-message version of the two-party secret-public-key protocol. [STW95] shows an optimal 3-message form of DH-EKE, which applies equally well to SPEKE. 4 Fortified Key Negotiation... |

25 | Fortifying key negotiation schemes with poorly chosen passwords - Anderson, Lomas - 1994 |

23 | The discrete logarithm problem, Cryptology and Computational - McCurley - 1990 |

14 |
An Attack on the Interlock Protocol When Used for Authentication
- Bellovin, Merritt
- 1994
(Show Context)
Citation Context ...ir and Rivest Interlock Protocol, as used by Davies and Price, of which a brief historical account appears in [Sch96 pp. 54-55]. An attack on the Interlock Protocol for authentication is described in =-=[BM93]-=-, and a recent attempt to patch this hole is described in [Ell96]. The Station-to-Station protocol described in [DvOW92] is interesting for the sake of comparison, although it depends on the deploymen... |

14 | Dual-workfactor Encrypted Key Exchange: Efficiently Preventing Password Chaining and Dictionary Attacks
- Jaspan
- 1996
(Show Context)
Citation Context ... significant, as is discussed ins4.4. 4 Analysis of SPEKE and DH-EKE In the original paper on EKE [BM92], there is some analysis of DH-EKE. Further work and refinement of EKE is presented in [STW95]. =-=[Jas96]-=- provides further details on a required constraint in the proper selection of the modulus p. [vOW96] describes a refinement in computing discrete-logs, and discusses the selection of the parameters fo... |

7 |
private communications
- Bellovin, Atkins
- 1999
(Show Context)
Citation Context ...th a huge prime p, where p-1 has a huge prime factor q. [BM92] use the traditional preference for g as a primitive root of p. In fact, g must be primitive to prevent a partition attack by an observer =-=[Bel96]-=-. A third party can do trial decryptions of E S (g R X mod p) using a dictionary of S i . If g is not primitive, a bad guess S i is confirmed by a primitive result. In general, the encrypted exponenti... |

6 |
Authentication and Authenticated Key Exchanges", Designs Codes and Cryptography
- Diffie, Oorschot, et al.
- 1992
(Show Context)
Citation Context ...to have a certified copy of his public key to verify the signature. Note that this may impose less of a key management problem than the dual-signature approach used in the Station-to-Station protocol =-=[DvOW92,s7]-=-. If Bob is a relatively secure site compared to Alice, his key may change only rarely. Further, if parameter generation is performed by a trusted authority at a secure central site, we might embed a ... |

4 | The discrete logarithm problem", Cryptology and Computational Number Theory - McCurley - 1990 |