Paper 2019/543

TMPS: Ticket-Mediated Password Strengthening

John Kelsey, Dana Dachman-Soled, Sweta Mishra, and Meltem Sonmez Turan

Abstract

We introduce the notion of Ticket-Mediated Password Strengthening (TMPS), a technique for allowing users to derive keys from passwords while imposing a strict limit on the number of guesses of their password any attacker can make, and strongly protecting the users' privacy. We describe the security requirements of TMPS, and then a set of efficient and practical protocols to implement a TMPS scheme, requiring only hash functions, CCA2-secure encryption, and blind signatures. We provide several variant protocols, including an offline symmetric-only protocol that uses a local trusted computing environment, and online variants that use group signatures or stronger trust assumptions instead of blind signatures. We formalize the security of our scheme by defining an ideal functionality in the Universal Composability (UC) framework, and by providing game-based definitions of security. We prove that our protocol realizes the ideal functionality in the random oracle model (ROM) under adaptive corruptions with erasures, and prove that security with respect to the ideal/real definition implies security with respect to the game-based definitions.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint. MINOR revision.
Keywords
password strengtheningpasswordcryptography
Contact author(s)
john kelsey @ nist gov
danadach @ ece umd edu
meltem turan @ nist gov
sweta mishra @ nist gov
History
2019-05-22: received
Short URL
https://ia.cr/2019/543
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2019/543,
      author = {John Kelsey and Dana Dachman-Soled and Sweta Mishra and Meltem Sonmez Turan},
      title = {{TMPS}: Ticket-Mediated Password Strengthening},
      howpublished = {Cryptology {ePrint} Archive, Paper 2019/543},
      year = {2019},
      url = {https://eprint.iacr.org/2019/543}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.