Strong password-based authentication inTLS using the three-party group Diffie-Hellman protocol

International Journal of Security and Networks

Volumn 2, Issue 3-4, 2007, Pages 284-296

  Abdalla, Michel ^a   Bresson, Emmanuel ^b   Chevassut, Olivier ^c   Möller, Bodo ^d   Pointcheval, David ^a  

^a ECOLE NORMALE SUPÉRIEURE   (France)

^b CELAR   (France)

^c LAWRENCE BERKELEY NATIONAL LABORATORY   (United States)

^d RUHR UNIVERSITY BOCHUM   (Germany)

Author keywords

group Diffie Hellman key exchange; password authentication; TLS; transport layer security

Indexed keywords

EID: 79951638712     PISSN: 17478405     EISSN: 17478413     Source Type: Journal    
DOI: 10.1504/ijsn.2007.013181     Document Type: Article

References (53)

1. Abdalla, M., Bresson, E., Chevassut, O., Essiari, A., Möller, B. and Pointcheval, D. (2006a) ‘Simple open key exchange (SOKE) ciphersuites for password authentication in TLS’, Work in Progress, to be published as Internet Draft.
2. Abdalla, M., Bresson, E., Chevassut, O., Möller, B. and Pointcheval, D. (2006b) ‘Provably secure password-based authentication in TLS’, ACM Symposium on InformAtion, Computer and Communications Security (ASIACCS’06), March, ACM Press, pp.35–45.
3. Abdalla, M., Chevassut, O. and Pointcheval, D. (2005) ‘One-time verifier-based encrypted key exchange’, in S. Vaudenay (Ed). PKC 2005, Volume 3386 of LNCS, January, Springer-Verlag, pp.47–64.
4. Abdalla, M., Fouque, P-A. and Pointcheval, D. (2005) ‘Password-based authenticated key exchange in the three-party setting’, in S. Vaudenay (Ed). PKC 2005, Volume 3386 of LNCS, January, Springer-Verlag, pp.65–84.
5. Abdalla, M. and Pointcheval, D. (2005) ‘Simple password-based encrypted key exchange protocols’, in A. Menezes (Ed). CT-RSA, volume 3376 of LNCS, February, Springer-Verlag, pp.191–208.
6. Bellare, M., Pointcheval, D. and Rogaway, P. (2000) ‘Authenticated key exchange secure against dictionary attacks’, in B. Preneel (Ed). EUROCRYPT 2000, Volume 1807 of LNCS, May, Springer-Verlag, pp.139–155.
7. Bellare, M. and Rogaway, P. (1993) ‘Random oracles are practical: a paradigm for designing efficient protocols’, ACM CCS 93, November, ACM Press, pp.62–73.
8. Bellare, M. and Rogaway, P. (2000) ‘The AuthA protocol for password-based authenticated key exchange’, Contributions to IEEE P1363, March.
9. Bellovin, S.M. and Merritt, M. (1992) ‘Encrypted key exchange: password-based protocols secure against dictionary attacks’, 1992 IEEE Symposium on Security and Privacy, May, IEEE Computer Society Press, pp.72–84.
10. Bellovin, S.M. and Merritt, M. (1993a) ‘Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise’, ACM CCS 93, November, ACM Press, pp.244–250.
11. Bellovin, S.M. and Merritt, M. (1993b) ‘Cryptographic protocol for secure communications’, US Patent #5,241,599, August, Available at: http://www.uspto.gov/.
12. Bellovin, S.M. and Merritt, M. (1994) ‘A cryptographic protocol for secure communications’, Australian Patent #648433B2, April, Available at: http://www.ipaustralia.gov.au/patents/.
13. Bellovin, S.M. and Merritt, M. (1995) ‘Cryptographic protocol for remote authentication’, US Patent #5,440,635, August, Available at: http://www.uspto.gov/.
14. Bellovin, S.M. and Merritt, M. (1997) ‘Protocol and apparatus for safe communication’, Japanese Patent #2599871B2B2, April, Available at: http://www.jpo.go.jp/index.htm.
15. Bellovin, S.M. and Merritt, M. (1998) ‘Cryptographic protocol for secure communications’, Canadian Patent #2076252C, August, Available at: http://patents1.ic.gc.ca/intro-e.html.
16. Bellovin, S.M. and Merritt, M. (2002) ‘A cryptographic protocol for secure communications’, European Patent #0535863B1, January, Available at: http://my.epoline.org/portal/public.
17. Boyko, V., MacKenzie, P.D. and Patel, S. (2000) ‘Provably secure password-authenticated key exchange using Diffie-Hellman’, in B. Preneel (Ed). EUROCRYPT2000, Volume 1807 of LNCS, May, Springer-Verlag, pp.156–171.
18. Bresson, E., Chevassut, O. and Pointcheval, D. (2001) ‘Provably authenticated group Diffie-Hellman key exchange – the dynamic case’, in C. Boyd (Ed). ASIACRYPT 2001, Volume 2248 of LNCS, December, Springer-Verlag, pp.290–309.
19. Bresson, E., Chevassut, O. and Pointcheval, D. (2002a) ‘Dynamic group Diffie-Hellman key exchange under standard assumptions’, in L.R. Knudsen (Ed). EUROCRYPT 2002, Volume 2332 of LNCS, April, Springer-Verlag, pp.321–336.
20. Bresson, E., Chevassut, O. and Pointcheval, D. (2002b) ‘Group Diffie-Hellman key exchange secure against dictionary attacks’, in Y. Zheng (Ed). ASIACRYPT 2002, Volume 2501 of LNCS, December, Springer-Verlag, pp.497–514.
21. Bresson, E., Chevassut, O. and Pointcheval, D. (2003) ‘Security proofs for an efficient password-based key exchange’, ACM CCS 03, October, ACM Press, pp.241–250.
22. Bresson, E., Chevassut, O. and Pointcheval, D. (2004a) ‘Cryptography for secure dynamic group communication’, US Patent Application 20050157874, 30 November, Available at: http://www.lbl.gov/Tech-Transfer/techs/lbnl1973.html.
23. Bresson, E., Chevassut, O. and Pointcheval, D. (2004b) ‘New security results on encrypted key exchange’, in F. Bao, R. Deng and J. Zhou (Eds). PKC 2004, Volume 2947 of LNCS, March, Springer-Verlag, pp.145–158.
24. Canetti, R., Halevi, S., Katz, J., Lindell, Y. and MacKenzie, P.D. (2005) ‘Universally composable password-based key exchange’, in R. Cramer (Ed). EUROCRYPT 2005, Volume 3494 of LNCS, May, Springer-Verlag, pp.404–421.
25. Canvel, B., Hiltgen, A.P., Vaudenay, S. and Vuagnoux, M. (2003) ‘Password interception in a SSL/TLS channel’, in D. Boneh (Ed). CRYPTO 2003, Volume 2729 of LNCS, August, Springer-Verlag, pp.583–599.
26. Catalano, D., Pointcheval, D. and Pornin, T. (2004) ‘IPAKE: isomorphisms for password-based authenticated key exchange’, in M. Franklin (Ed). CRYPTO 2004, Volume 3152 of LNCS, August, Springer-Verlag, pp.477–493.
27. Dierks, T. and Allen, C. (1999) RFC 2246 – The TLS Protocol Version 1.0, Internet Activities Board, January.
28. Diffie, W. and Hellman, M.E. (1978) ‘New directions in cryptography’, IEEE Transactions on Information Theory, Vol. 22, pp.644–654.
29. Gennaro, R. and Lindell, Y. (2003) ‘A framework for password-based authenticated key exchange’, in D. Biham (Ed). EUROCRYPT 2003, Volume 2656 of LNCS, May, Springer-Verlag, Available at: http://eprint.iacr.org/2003/032.ps.gz, pp.524–543.
30. Gentry, C., MacKenzie, P. and Ramzan, Z. (2005) ‘Opake: password authenticated key exchange based on the hidden smooth subgroup assumption’, ACM Computer and Communications Security, November.
31. Goldreich, O. and Lindell, Y. (2001) ‘Session-key generation using human passwords only’, in J. Kilian (Ed). CRYPTO 2001, Volume 2139 of LNCS, August, Springer-Verlag, Available at: http://eprint.iacr.org/2000/057, pp.408–432.
32. Jablon, D. (2002) ‘Cryptographic methods for remote authentication’, US Patent #6,226,383, January, Available at: http://www.uspto.gov/.
33. Jablon, D.P. (2001) ‘Password authentication using multiple servers’, in D. Naccache (Ed). CT-RSA 2001, Volume 202 of LNCS, April, Springer-Verlag, pp.344–360.
34. Katz, J., Ostrovsky, R. and Yung, M. (2002) ‘Forward secrecy in password-only key exchange protocols’, in S. Cimato, C. Galdi and G. Persiano (Eds). SCN 02, Volume 2576 of LNCS, September, Springer-Verlag, pp.29–44.
35. Kwon, T. (2001) ‘Authentication and key agreement via memorable password’, Network and Distributed System Security (NDSS) Symposium, February.
36. Lucks, S. (1997) ‘Open key exchange: how to defeat dictionary attacks without encrypting public keys’, Workshop on Security Protocols, École Normale Supérieure.
37. MacKenzie, P.D. (2001) ‘More efficientpassword-authenticated key exchange’, in D. Naccache (Ed). CT-RSA 2001, Volume 2020 of LNCS, April, Springer-Verlag, pp.361–377.
38. MacKenzie, P.D. (2002) ‘The PAK suite: protocols for password-authenticated key exchange’, Technical Report 2002-46, DIMACS.
39. MacKenzie, P.D., Patel, S. and Swaminathan, R. (2000) ‘Password-authenticated key exchange based on RSA’, in T. Okamoto (Ed). ASIACRYPT 2000, Volume 1976 ofLNCS, December, Springer-Verlag, pp.599–613.
40. National Institute of Standards and Technology (NIST) (2006) Digital Signature Standard. Draft FIPS 186-3, March.
41. Rivest, R.L., Shamir, A. and Adleman, L.M. (1978) ‘A method for obtaining digital signature and public-key cryptosystems’, Communications of the ACM, Vol. 21, No. 2, pp.120–126.
42. Steiner, M., Buhler, P., Eirich, T. and Waidner, M. (2001) ‘Secure password-based cipher suite for TLS’, ACM Transactions on Information and System Security, Vol. 4, No. 2, pp.134–157.
43. Sun Microsystems (2000) ‘Sun Microsystems contributed elliptic curve cryptographic algorithms to open source projects’, September, Available at: http://research.sun.com/projects/crypto/, http://www.sun.com/cddl/.
44. Taylor, D., Wu, T., Mavroyanopoulos, N. and Perrin, T. (2004) ‘Using SRP for TLS authentication’, IETF Internet Draft, TLS Working Group, 19 August.
45. Wu, T. (1998) ‘The secure remote password protocol’, Network and Distributed System Security (NDSS) Symposium, March.
46. Wu, T.J. (2003) ‘System and method for securely logging onto a remotely located computer’, US Patent #6,539,479, March, Available at: http://www.uspto.gov/, http://stanfordtech.stanford.edu/4DCGI/docket?docket=97-006.
47. The Globus Alliance, http://www.globus.org/.
48. Open Source Initiative, http://www.opensource.org/.
49. Source code for the SRP protocol, http://srp.stanford.edu/download.html.
50. Patches enabling SRP ciphersuites in TLS and SSH, http://srp.stanford.edu/links.html.
51. The Licence Agreement Form for SRP, http://otl.stanford.edu/pdf/97006.pdf.
52. The Bellovin and Merritt US patent, for example has a duration of 17 years from the date of issuance which was 1993, thus it would expire 31 August 2010. US patent law has since changed to have a patent term of 20 years from the date of filing.
53. For Bresson et al. (2004a), no patent application was filed outside of the USA.