Cryptology ePrint Archive: Report 2000/014
Authenticated Key Exchange Secure Against Dictionary Attacks
Mihir Bellare and David Pointcheval and Phillip Rogaway
Abstract: This paper gives definitions and results about password-based
protocols for authenticated key exchange (AKE), mutual authentication
MA), and the combination of these goals (AKE, MA).
Such protocols are designed to work despite interference by an active
adversary and despite the use of passwords drawn from a space so small
that an adversary might well enumerate, off line,
a user's password.
While several such password-based protocols have been suggested,
the underlying theory has been lagging, and
some of the protocols don't actually work.
This is an area strongly in need of foundations,
but definitions and theorems here can get overwhelmingly complex.
To help manage this complexity we begin by defining a model, one rich enough
to deal with password guessing, forward secrecy,
server compromise, and loss of session keys.
The one model can be used to
define various goals.
We take AKE (with implicit authentication---no one besides
your intended partner could possibly get the key, though he may or may
not actually get it) as the basic goal.
Then we prove that any secure
AKE protocol can be
embellished (in a simple and generic way)
to also provide for MA.
This approach turns out to be simpler than trying to
augment an MA protocol to also distribute a session key.
Next we prove correctness for the idea at the center
of the Encrypted Key-Exchange (EKE) protocol
of Bellovin and Merritt:
we prove (in an ideal-cipher model) that
the two-flow protocol at the core of EKE is
a secure AKE.
Combining with the result above we have a
simple 3-flow protocol for AKE,MA which is
proven secure against dictionary attack.
Category / Keywords: cryptographic protocols / session key exchange, authentication, dictionary
Publication Info: Appears in Proceedings of Eurocrypt 2000, Springer-Verlag, LNCS, ed. B. Preneel
Date: received 28 Apr 2000
Contact author: mihir at cs ucsd edu
Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation
Version: 20000428:224904 (All versions of this report)
Short URL: ia.cr/2000/014
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]