## Password-authenticated key exchange based on RSA (2000)

Citations: 46 (8 self)

### BibTeX

@INPROCEEDINGS{Mackenzie00password-authenticatedkey,
    author = {Philip Mackenzie and Sarvar Patel and Ram Swaminathan},
    title = {Password-authenticated key exchange based on RSA},
    booktitle = {},
    year = {2000},
    pages = {599--613},
    publisher = {Springer-Verlag}
}

### Abstract

There have been many proposals in recent years for password-authenticated key exchange protocols. Many of these have been shown to be insecure, and the only ones that seemed likely to be proven secure (against active adversaries who may attempt to perform off-line dictionary attacks against the password) were based on the Diffie-Hellman problem. In fact, some protocols based on Diffie-Hellman have been recently proven secure in the random-oracle model. We examine how to design a provably-secure password-authenticated key exchange protocol based on RSA. We first look at the OKE and protected-OKE protocols (both RSA-based) and show that they are insecure. Then we show how to modify the OKE protocol to obtain a password-authenticated key exchange protocol that can be proven secure (in the random oracle model). The resulting protocol is very practical; in fact the basic protocol requires about the same amount of computation as the Diffie-Hellman-based protocols or the well-known ssh protocol.

### Citations

3067 | A method for obtaining digital signatures and public-key cryptosystems
- Rivest, Shamir, et al.
- 1978
Citation Context ... protocols. the authentication protocol (i.e., attempting to login). In SNAPI, we specifically show that if the adversary can do non-negligibly better than this trivial attack, then one can break RSA [RSA78]. We use the random-oracle model [BR93a] for our proofs. While a protocol having a security proof in the random-oracle model is certainly less desirable than a protocol having a proof in the standard ... |

2845 | New Directions in Cryptography
- Diffie, Hellman
- 1976
Citation Context ...ly, some tradeoffs of security versus efficiency could be performed. Alternatively, the two parties could obtain perfect forward secrecy by computing the session key with a Diffie-Hellman key exchange [DH76] using, for instance, the m and µ values. This, however, would require the Diffie-Hellman assumption for security, along with the RSA assumption. For simplicity, we will assume Alice uses the same encry... |

1394 | Random Oracles are Practical: A Paradigm for Designing Efficient
- Bellare, Rogaway
- 1993
Citation Context ...(i.e., attempting to login). In SNAPI, we specifically show that if the adversary can do non-negligibly better than this trivial attack, then one can break RSA [RSA78]. We use the random-oracle model [BR93a] for our proofs. While a protocol having a security proof in the random-oracle model is certainly less desirable than a protocol having a proof in the standard model (using standard cryptographic assu... |

486 | Entity Authentication and Key Distribution
- Bellare, Rogaway
- 1994
Citation Context ...Not99]) and Provably Secure Signatures [BR96]. For our proofs we use the security model for password-authenticated key exchange from [BMP00], in which the adversary totally controls the network, a la [BR93b], and which is based on the multi-party simulatability paradigm as described in [Bea91,BCK98,Sho99]. In this paradigm, security is defined using an ideal system, which describes the service (of key ex... |

364 | Encrypted key exchange: password-based protocols secure against dictionary attacks
- Bellovin, Merritt
- 1992
Citation Context ... above would be: how do Alice and Bob bootstrap a short secret into a secure strong secret? This problem, which we call password-authenticated key exchange, was first proposed in Bellovin and Merritt [BM92]. In that paper, the Encrypted Key Exchange (EKE) protocol was proposed as a solution. The problem has since been studied extensively [BM93,GLNS93,Gon95,Jab96,Jab97,Luc97,STW95,Wu98], but only two rec... |

334 | Authenticated key exchange secure against dictionary attacks
- Bellare, Pointcheval, et al.
- 2000
Citation Context ...ecurity, and in fact, many of the previously-proposed protocols have been shown to be insecure [Ble99,Pat97]. Both of the protocols that were proven secure were based on Diffie-Hellman. Specifically, [BPR00] developed a clean and elegant protocol based on EKE and proved its security based on Computational Diffie-Hellman (CDH), using the random oracle and ideal symmetric encryption function assumptions. T... |

253 | The random oracle methodology, revisited
- Canetti, Goldreich, et al.
- 1998
Citation Context ...proofs. While a protocol having a security proof in the random-oracle model is certainly less desirable than a protocol having a proof in the standard model (using standard cryptographic assumptions) [CGH98], it is certainly preferable over a protocol which lacks any proof. Other techniques proven secure in the random-oracle model include Optimal Asymmetric Encryption Padding [BR94] (used in PKCS #1 v. 2... |

246 | Optimal Asymmetric Encryption
- Bellare, Rogaway
- 1994
Citation Context ...graphic assumptions) [CGH98], it is certainly preferable over a protocol which lacks any proof. Other techniques proven secure in the random-oracle model include Optimal Asymmetric Encryption Padding [BR94] (used in PKCS #1 v. 2 [Not99]) and Provably Secure Signatures [BR96]. For our proofs we use the security model for password-authenticated key exchange from [BMP00], in which the adversary totally con... |

228 | A modular Approach to the design and Analysis of Authentication and Key Exchange Protocols (extended abstract) - Bellare, Canetti, et al. - 1998 |

181 | Secure Remote Password Protocol - Wu - 1998 |

169 | Strong Password-Only Authenticated Key Exchange - Jablon - 1996 |

138 | Secure multiparty protocols and zero-knowledge proof systems tolerating a faulty minority - Beaver - 1991 |

116 | Protecting Poorly Chosen Secrets from Guessing Attacks - Lomas, Needham, et al. - 1993 |

108 | Public-key cryptography and password protocols
- Halevi, Krawczyk
- 1999
Citation Context ...hus it would follow that the protocol is secure in the real system. Although it is not a password-only protocol, we do point out that the (one-way) authentication protocol given in Halevi and Krawczyk [HK98] is the first password-based authentication protocol to be formally proven secure, with standard security assumptions. The proof methods in this paper are significantly influenced by their techniques.... |

78 | On formal models for secure key exchange
- Shoup
- 1999
Citation Context ...f information leakage has to be blocked. Details matter. 3 Model For our proofs, we use the model defined in [BMP00], which extends the formal notion of security for key exchange protocols from Shoup [Sho99] to password-authenticated key exchange. We assume the adversary totally controls the network, a la [BR93b]. Briefly, this model is defined using an ideal key exchange system, and a real system in whic... |

64 | A real-world analysis of Kerberos password security - Wu - 1999 |

62 | Open key exchange: how to defeat dictionary attacks without encrypting public keys
- Lucks
- 1997
Citation Context ...m oracle assumption. 1.1 Overview of our results We study password-authenticated key exchange protocols based on RSA. We first look at the OKE (Open Key Exchange) and protected-OKE protocols of Lucks [Luc97], since they are the first ones that were based on RSA and were claimed to have proofs of security. We show that in fact they are insecure. Then we show how to modify the OKE protocol to obtain a prot... |

57 | Refinement and extension of encrypted key exchange - Steiner, Tsudik, et al. - 1995 |

47 | The exact security of digital signatures - how to sign with RSA
- Bellare, Rogaway
- 1996
Citation Context ...col which lacks any proof. Other techniques proven secure in the random-oracle model include Optimal Asymmetric Encryption Padding [BR94] (used in PKCS #1 v. 2 [Not99]) and Provably Secure Signatures [BR96]. For our proofs we use the security model for password-authenticated key exchange from [BMP00], in which the adversary totally controls the network, a la [BR93b], and which is based on the multi-part... |

44 | Number theoretic attacks on secure password schemes - Patel - 1997 |

42 | The Random Oracle Methodology
- Canetti, Goldreich, et al.
Citation Context ...r proofs. While a protocol having a security proof in the random-oracle model is certainly less desirable than a protocol having a proof in the standard model (using standard cryptographic assumptions) [CGH98], it is certainly preferable over a protocol which lacks any proof. Other techniques proven secure in the random-oracle model include Optimal Asymmetric Encryption Padding [BR94] (used in PKCS #1 v. 2 ... |

39 | Extended Password Key exchange Protocols Immune to Dictionary Attack - Jablon - 1997 |

38 | Optimal authentication protocols resistant to password guessing attacks - Gong - 1995 |

37 | Algorithmic Number Theory, Volume 1: Efficient Algorithms
- Bach, Shallit
- 1996
Citation Context ...recover values up tos2 ands1 using some basic results from number theory by showing how to recoversi\Gamma2 fromsi\Gamma1 andsi . We make a note that we can efficiently find dth roots if djN \Gamma 1 [BS96]. We thus decryptsi = E( i\Gamma2 \Pi H 0 ( i\Gamma1 )) by solving for the three cubic roots ofsi . Then we multiply each root with (H 0 ( i\Gamma1 )) \Gamma1 to get three possible solutions forsi\Gam... |

31 | Public-key cryptography and password protocols: The multi-user case - Boyarsky |

20 | Divisors in residue classes
- Lenstra
- 1984
Citation Context ... by Bob. (An alternative requirement on e would be that e is a prime, $e \ge \sqrt{N}$ and $(N \bmod e) \nmid N$, since this can be checked in (probabilistic) polynomial time, and also implies that $\gcd(e, \phi(N)) = 1$ [Len84].) Given these requirements on GE, we use the following assumption on RSA: RSA Security Assumption: Let $\ell$ be the security parameter. Let key generatorsGE define a family of RSA functions (i.e., (e, d,... |

13 | Secure sessions from weak secrets - Roe, Wheeler - 1998 |

12 | Provably-Secure Password-Authenticated Key Exchange Using Diffie-Hellman
- Boyko, MacKenzie, et al.
- 2000
Citation Context ...ean and elegant protocol based on EKE and proved its security based on Computational Diffie-Hellman (CDH), using the random oracle and ideal symmetric encryption function assumptions. The protocol in [BMP00] is similar, but with the proof of security based on Decisional Diffie-Hellman (DDH), using only the random oracle assumption. 1.1 Overview of our results We study password-authenticated key exchange ... |

9 | New Directions in Cryptography
- 1976
Citation Context ...bviously, some tradeoffs of security versus efficiency could be performed. Alternatively, the two parties could obtain perfect forward secrecy by computing the session key with a Diffie-Hellman key exchange [DH76] using, for instance, the m and µ values. This, however, would require the Diffie-Hellman assumption for security, along with the RSA assumption. For simplicity, we will assume Alice uses the same enc... |

3 | Secure Multiparty Protocols and Zero Knowledge Proof Systems Tolerating a Faulty Minority - Donald Beaver - 1991 |

2 | Annex D/Editorial Contribution 1c: Standard specifications for public-key cryptography
- P1363
- 1998
Citation Context ... The choice of P , Q, and e is generally left to the implementation, although it is recommended that P and Q be random large primes with about the same bit length (about $\ell/2$ for security parameter $\ell$) [IEE98], and for efficiency e is often chosen to be a small prime and with a small number of ones in its binary representation, such as 3, 17, or 65537. For the security of SNAPI, we make explicit requiremen... |

2 | Integrity sciences web site. http://www.IntegritySciences.com - Jablon |

2 | P. Rogaway. Authenticated key exchange secure against dictionary attacks. In EUROCRYPT 2000 [EUR00
- Bellare
Citation Context ...curity, and in fact, many of the previously-proposed protocols have been shown to be insecure [Ble99, Pat97]. Both of the protocols that were proven secure were based on Diffie-Hellman. Specifically, [BPR00] developed a clean and elegant protocol based on EKE and proved its security based on Computational Diffie-Hellman (CDH), using the random oracle and ideal symmetric encryption function assumptions. Th... |

2 | Extended password key exchange protocols immune to dictionary attacks - 1997 |

1 | Open key exchange: How to defeat dictionary attacks without encrypting public keys. In
- 1997
Citation Context ...ndom oracle assumption. 1.1 Overview of Our Results We study password-authenticated key exchange protocols based on RSA. We first look at the OKE (Open Key Exchange) and protected-OKE protocols of Lucks [Luc97], since they are the first ones that were based on RSA and were claimed to have proofs of security. We show that in fact they are insecure. Then we show how to modify the OKE protocol to obtain a protoc... |

1 | R. Swaminathan. Password-authenticated key exchange based on RSA. Full version - MacKenzie |