Abstract
Password-authenticated key exchange (PAKE) enables a user to authenticate to a server by proving the knowledge of the password without actually revealing their password to the server. PAKE protects user passwords from being revealed to an adversary who compromises the server (or a disgruntled employee). Existing PAKE protocols, however, do not allow even a small typographical mistake in the submitted password, such as accidentally adding a character at the beginning or at the end of the password. Logins are rejected for such password submissions; the user has to retype their password and reengage in the PAKE protocol with the server. Prior works have shown that users often make typographical mistakes while typing their passwords. Allowing users to log in with small typographical mistakes would improve the usability of passwords and help users log in faster. Towards this, we introduce tPAKE: a typo-tolerant PAKE, that allows users to authenticate (or exchange high-entropy keys) using a password while tolerating small typographical mistakes. tPAKE allows edit-distance-based errors, but only those that are frequently made by users. This benefits security, while still improving usability. We discuss the security considerations and challenges in designing tPAKE. We implement tPAKE and show that it is computationally feasible to be used in place of traditional PAKEs while providing improved usability. We also provide an extension to tPAKE, called adaptive-tPAKE, that will enable the server to allow a user to log in with their frequent mistakes (without ever learning those mistakes).
Notes
- 1.
It was originally designed for exchanging secret keys between two parties with knowledge of the same password over an untrusted network connection. Nonetheless, the same protocol can be used to protect passwords from being exposed to persistent adversaries who compromised the server as well. The latter usage gained more interest over the years, especially as TLS can be used to exchange secrets.
- 2.
- 3.
- 4.
We assume the registration process is done in a secure manner.
- 5.
This problem is more formally known as cardinality private set intersection (PSI-CA) [15].
- 6.
The server might be able to use this information to find out the most frequently entered password among \((g_0, \ldots ,g_l)\). We can protect against such leakage by not sending \(i\), but that will require the server to try to decrypt \(ct'\) using every \(g_i\), which is inefficient.
- 7.
References
Flask documentation. https://flask.palletsprojects.com/en/1.1.x/
Requests. https://requests.readthedocs.io/
Sqlite. https://www.sqlite.org/
Twitter advising all 330 million users to change passwords after bug exposed them in plain text (2018). https://www.theverge.com/2018/5/3/17316684/twitter-password-bug-security-flaw-exposed-change-now
Cryptography.io documentation (2019). https://cryptography.io/
Abdalla, M., Pointcheval, D.: Simple password-based encrypted key exchange protocols. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 191–208. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3_14
Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_11
Bellovin, S.M., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks (1992)
Biryukov, A., Dinu, D., Khovratovich, D.: Argon and Argon2: password hashing scheme. Technical report (2015)
Bonneau, J., Schechter, S.: Towards reliable storage of 56-bit secrets in human memory. In: 23rd USENIX Security Symposium (USENIX Security 2014). USENIX (2014)
Boyko, V., MacKenzie, P., Patel, S.: Provably secure password-authenticated key exchange using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 156–171. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_12
Chatterjee, R., Athalye, A., Akhawe, D., Juels, A., Ristenpart, T.: Password typos and how to correct them securely. In: IEEE Symposium on Security and Privacy (2016)
Chatterjee, R., Woodage, J., Pnueli, Y., Chowdhury, A., Ristenpart, T.: The typtop system: personalized typo-tolerant password checking. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 329–346. ACM (2017)
Chaum, D.: Blind signature system. In: Chaum, D. (ed.) Advances in Cryptology, p. 153. Springer, Boston (1984). https://doi.org/10.1007/978-1-4684-4730-9_14
De Cristofaro, E., Gasti, P., Tsudik, G.: Fast and private computation of cardinality of set intersection and union. In: Pieprzyk, J., Sadeghi, A.-R., Manulis, M. (eds.) CANS 2012. LNCS, vol. 7712, pp. 218–231. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-35404-5_17
Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 523–540. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_31
Dupont, P.-A., Hesse, J., Pointcheval, D., Reyzin, L., Yakoubov, S.: Fuzzy password-authenticated key exchange. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 393–424. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_13
Farashahi, R.R., Shparlinski, I.E., Voloch, J.F.: On hashing into elliptic curves. J. Math. Cryptol. 3(4), 353–360 (2009)
Florencio, D., Herley, C.: A large-scale study of web password habits. In: Proceedings of the 16th International Conference on World Wide Web, WWW 2007, pp. 657–666. ACM, New York (2007). https://doi.org/10.1145/1242572.1242661
Freedman, M.J., Ishai, Y., Pinkas, B., Reingold, O.: Keyword search and oblivious pseudorandom functions (2005)
Icart, T.: How to hash into elliptic curves. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 303–316. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_18
Keith, M., Shao, B., Steinbart, P.: A behavioral analysis of passphrase design and effectiveness. J. Assoc. Inf. Syst. 10(2), 2 (2009)
Keith, M., Shao, B., Steinbart, P.J.: The usability of passphrases for authentication: an empirical field study. Int. J. Hum. Comput. Stud. 65(1), 17–28 (2007)
Krebs, B.: Facebook stored hundreds of millions of user passwords in plain text for years (2020)
Kueltz, A.: Fastecdsa (2020). https://github.com/AntonKueltz/fastecdsa
Levenshtein, V.I.: Binary codes capable of correcting deletions, insertions, and reversals. In: Soviet Physics Doklady, vol. 10, pp. 707–710 (1966)
Lochter, M., Merkle, J.: Elliptic curve cryptography (ECC) Brainpool standard curves and curve generation, March 2010. https://tools.ietf.org/html/rfc5639
Mazurek, M.L., et al.: Measuring password guessability for an entire university. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 173–186. ACM (2013)
Morris, R., Thompson, K.: Password security: a case history. Commun. ACM 22(11), 594–597 (1979). https://doi.org/10.1145/359168.359172
Percival, C., Josefsson, S.: The scrypt password-based key derivation function (2015)
Pinkas, B., Rosulek, M., Trieu, N., Yanai, A.: PSI from PaXoS: fast, malicious private set intersection. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 739–767. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_25
Provos, N., Mazieres, D.: Bcrypt algorithm. USENIX (1999)
Shay, R., et al.: Correct horse battery staple: exploring the usability of system-assigned passphrases. In: Proceedings of the Eighth Symposium on Usable Privacy and Security, p. 7. ACM (2012)
A Typo Analysis and Generation
tPAKE handles typos by generating a preset number of typos from the password during registration; these form the list of typos that tPAKE accepts during login. For tPAKE to be useful, the generated typos must therefore coincide with the typos users actually make, so we analyzed previously collected typo data [12, 13] and compiled a list of typo generation functions that can be implemented with tPAKE.
The choice of typo generation functions greatly affects the effectiveness of tPAKE, so we analyzed collected user data to determine suitable typo generation functions (typo-gens). We found that 41.00% of all typos are within 1 edit distance. We categorized typos into 4 types: insertion, deletion, substitution, and transposition. Insertion adds a character at a position in the string. Deletion removes a character from the string. Substitution replaces a character in the string with another character. Transposition swaps the locations of 2 existing characters in the string. Out of all typos, insertion makes up around 30%, whereas deletion and substitution make up 17% and 28% respectively of all the typos within 1 edit. Contrary to our expectation, however, transposition makes up only a small fraction of the typos: only around 4% of all typos fixed come from a transposition operation.
Substituting a character with its shift-modified counterpart is the most common type of substitution typo, especially at the first character, which tends to be capitalized. We use the swc-l-1 typo-generator to handle this type of typo. We found that swc-l-1 can tolerate 2.47% of all typos. While other substitution typos (non-shift substitution) and insertion typos (typos that can be generated from substitution) are common, it is difficult to identify a consistent pattern from which to formulate a typo-gen. Transposition typos, on the other hand, are few and far between, which makes a typo-gen for them ineffective. swc-all is a typo-gen that switches all the characters in a string to their shift-modified counterparts. swc-all proves to be effective in typo generation and accounts for 10.97% of all the typos. The other common typo-gens are functions handling different variations of deletion typos, which are both common and easy to program for, making them great candidates for typo generation functions. The 10 typo generation functions included in Fig. 8 account for 20.86% of all typos being made, in other words, 48.21% of all typos within one edit distance.
Similar to tPAKE, our adaptive-tPAKE protocol only accepts and caches typos that are within 1 edit of the correct password. One advantage that adaptive-tPAKE has over tPAKE is that it doesn't need to predict during registration what types of typos the user will make in the future, which means that it can account for typos that tPAKE cannot, for instance, insertion typos, which make up a significant portion of all typos. Furthermore, adaptive-tPAKE adapts to the password input habits unique to each user, which our typo analysis could not capture.
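An added example, not the authors' implementation: it derives the accepted-typo list at registration with four typo-gens and classifies each submitted string into the appendix's four edit categories. Assumptions: a US QWERTY shift map, swc-l-1 read as acting on the first character, hypothetical names `rm_first` and `rm_last` for two deletion variants, and transposition limited to adjacent characters.

```python
import string

# Assumption: US QWERTY layout defines each key's shift-modified counterpart.
_LOW = "`1234567890-=[]\\;',./" + string.ascii_lowercase
_UP = '~!@#$%^&*()_+{}|:"<>?' + string.ascii_uppercase
_SHIFT = {**dict(zip(_LOW, _UP)), **dict(zip(_UP, _LOW))}

def swc_all(pw):    # named on the page: shift-switch every character
    return "".join(_SHIFT.get(c, c) for c in pw)
def swc_first(pw):  # assumed reading of the page's swc-l-1: first character only
    return _SHIFT.get(pw[0], pw[0]) + pw[1:] if pw else pw
def rm_first(pw):   # hypothetical names for two deletion variants
    return pw[1:]
def rm_last(pw):
    return pw[:-1]
TYPO_GENS = (swc_all, swc_first, rm_first, rm_last)

def accepted_typos(pw):
    """Typo list derived once at registration (no duplicates, never pw itself)."""
    out = []
    for gen in TYPO_GENS:
        t = gen(pw)
        if t and t != pw and t not in out:
            out.append(t)
    return out

def classify(pw, typed):
    """Name the single character-level edit turning pw into typed, else None."""
    i = 0
    while i < min(len(pw), len(typed)) and pw[i] == typed[i]:
        i += 1                              # i = first position that differs
    if len(typed) == len(pw) + 1 and typed[i + 1:] == pw[i:]:
        return "insertion"
    if len(typed) + 1 == len(pw) and typed[i:] == pw[i + 1:]:
        return "deletion"
    if len(typed) == len(pw) and pw != typed:
        if typed[i + 1:] == pw[i + 1:]:
            return "substitution"
        if pw[i:i + 2] == typed[i:i + 2][::-1] and pw[i + 2:] == typed[i + 2:]:
            return "transposition"          # adjacent swap only (assumption)
    return None

def report(pw, typed_samples):
    """Map each submitted string to (edit category, accepted by the typo list)."""
    allowed = set(accepted_typos(pw))
    return {t: (classify(pw, t), t in allowed) for t in typed_samples}

SAMPLES = ["Password1", "password", "passsword1", "passwrod1", "PASSWORD!"]  # constructed
print(report("password1", SAMPLES))
```

With the constructed samples, the inserted-character and transposed submissions are rejected because no registration-time typo-gen produces them, which is the gap adaptive-tPAKE is meant to close.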
© 2020 Springer Nature Switzerland AG
Cite this paper
Pongmorrakot, T., Chatterjee, R. (2020). tPAKE: Typo-Tolerant Password-Authenticated Key Exchange. In: Batina, L., Picek, S., Mondal, M. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2020. Lecture Notes in Computer Science, vol 12586. Springer, Cham. https://doi.org/10.1007/978-3-030-66626-2_1
DOI: https://doi.org/10.1007/978-3-030-66626-2_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-66625-5
Online ISBN: 978-3-030-66626-2
eBook Packages: Computer Science, Computer Science (R0)