The main benefit of ZKPPC-based password registration is that it guarantees that registered passwords never appear in the clear on the server side. At the end of the registration phase, the server only receives and stores some verification information that can later be used for authentication in a suitable Verifier-based Password Authenticated Key Exchange (VPAKE) protocol.
We give general and concrete constructions of ZKPPC protocols and suitable VPAKE protocols for ASCII-based passwords and policies that are commonly used on the web. To this end we introduce a reversible mapping of ASCII characters to integers that can be used to preserve the structure of the password string and a new randomized password hashing scheme for ASCII-based passwords.
Category / Keywords: Password policies, password registration, authentication, verification, password hashing, ASCII passwords, verifier-based PAKE
Original Publication (with minor differences): Computer Security - ESORICS 2014 - 19th European Symposium on Research in Computer Security
Date: received 6 Apr 2014, last revised 13 Jan 2015
Contact author: f kiefer at surrey ac uk
Note: updated password encoding with discussion on shift base
Version: 20150113:081044
Short URL: ia.cr/2014/242