Abstract
There have been many proposals in recent years for password-authenticated key exchange protocols, i.e., protocols in which two parties who share only a short secret password perform a key exchange authenticated with that password. However, the only ones that have been proven secure against offline dictionary attacks were based on Diffie–Hellman key exchange. We examine how to design a secure password-authenticated key exchange protocol based on RSA. In this paper, we first look at the OKE and protected-OKE protocols (both RSA-based) and show that they are insecure. Then we show how to modify the OKE protocol to obtain a password-authenticated key exchange protocol that can be proven secure (in the random oracle model). This protocol is very practical; in fact, it requires about the same amount of computation as the Diffie–Hellman-based protocols. Finally, we present an augmented protocol that is resilient to server compromise, meaning (informally) that an attacker who compromises a server would not be able to impersonate a client, at least not without running an offline dictionary attack against that client's password.
An earlier version of this paper appeared in Asiacrypt 2000.
MacKenzie, P., Patel, S. & Swaminathan, R. Password-authenticated key exchange based on RSA. Int. J. Inf. Secur. 9, 387–410 (2010). https://doi.org/10.1007/s10207-010-0120-3