We point out a subtle flaw in the protocols of HK and demonstrate a practical attack on them, resulting in a full password compromise. We give a definition of security of KE in our (and thus also in the HK) setting and discuss many related subtleties. We define and discuss protection against denial of access (DoA) attacks, which is not possible in any of the previous KE models that use passwords. Finally, we give a very simple and efficient protocol satisfying all our requirements.
Category / Keywords: foundations / password-based key exchange, hybrid model, long key Publication Info: Theory of Cryptography Conference 2006 Date: received 14 Feb 2006, last revised 23 Feb 2006 Contact author: vlad at cs utoronto ca Available formats: Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation Note: This is an extended version of the TCC 2006 publication with the same title. This version adds proofs of security and discussions on password updates and storing passords on the server. Version: 20060223:202318 (All versions of this report) Discussion forum: Show discussion | Start new discussion