Cryptology ePrint Archive: Report 2014/242

Zero-Knowledge Password Policy Checks and Verifier-Based PAKE

Franziskus Kiefer and Mark Manulis

Abstract: Zero-Knowledge Password Policy Checks (ZKPPC), introduced in this work, enable blind registration of client passwords at remote servers, i.e., client passwords are never transmitted to the servers. This eliminates the need for trusting servers to securely process and store client passwords. A ZKPPC protocol, executed as part of the registration procedure, allows clients to further prove compliance of chosen passwords with respect to password policies defined by the servers.

The main benefit of ZKPPC-based password registration is that it guarantees that registered passwords never appear in clear on the server side. At the end of the registration phase the server only receives and stores some verification information that can later be used for authentication in a suitable Verifier-based Password Authenticated Key Exchange (VPAKE) protocol.

We give general and concrete constructions of ZKPPC protocols and suitable VPAKE protocols for ASCII-based passwords and policies that are commonly used on the web. To this end we introduce a reversible mapping of ASCII characters to integers that can be used to preserve the structure of the password string and a new randomized password hashing scheme for ASCII-based passwords.

Category / Keywords: Password policies, password registration, authentication, verification, password hashing, ASCII passwords, verifier-based PAKE

Original Publication (with minor differences): Computer Security - ESORICS 2014 - 19th European Symposium on Research in Computer Security

Date: received 6 Apr 2014, last revised 13 Jan 2015

Contact author: f kiefer at surrey ac uk

Available format(s): PDF | BibTeX Citation

Note: updated password encoding with discussion on shift base

Version: 20150113:081044 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]