Halting password puzzles: Hard-to-break encryption from human-memorable keys

16th USENIX Security Symposium

Volumn , Issue , 2007, Pages 119-134

  Boyen, Xavier ^a  

^a Voltage Security   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

AUTHENTICATION; OBSOLESCENCE; USER INTERFACES;

COMPUTATIONAL POWER; HALTING PROBLEMS; KEY DERIVATION FUNCTION; OPERATIONAL FLEXIBILITY; PASSWORD PUZZLES; REAL-WORLD IMPLEMENTATION; SECURITY WEAKNESS; STRUCTURAL FLAWS;

CRYPTOGRAPHY;

EID: 85071440512     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (43)

1. AESpipe - AES encrypting or decrypting pipe. http://loop-aes.sourceforge.net/.
2. BACK, A. Hashcash. Technical report, 1997. http://www.cypherspace.org/hashcash/.
3. BARKAN, E., BIHAM, E., AND SHAMIR, A. Rigorous bounds on cryptanalytic time/memory tradeoffs. In Advances in Cryptology—CRYPTO 2006.
4. BELLARE, M., POINTCHEVAL, D., AND ROGAWAY, P. Authenticated key exchange secure against dictionary attacks. In Advances in Cryptology—EUROCRYPT 2000.
5. BELLOVIN, S. M., AND MERRITT, M. Encrypted key exchange: Password-based protocols secure against dictionary attacks. In IEEE Symposium on Security and Privacy—SP 1992.
6. BROWN, D. R. L. Prompted user retrieval of secret entropy: The passmaze protocol. Cryptology ePrint Archive, Report 2005/434, 2005. http://eprint.iacr.org/.
7. CALLAS, J., DONNERHACKE, L., FINNEY, H., AND THAYER, R. OpenPGP message format. RFC 2440, November 1998. http://www.ietf.org/rfc/rfc2440.txt.
8. CANETTI, R., HALEVI, S., KATZ, J., LINDELL, Y., AND MACKENZIE, P. Universally composable password-based key exchange. In Advances in Cryptology—EUROCRYPT 2005.
9. CANETTI, R., HALEVI, S., AND STEINER, M. Mitigating dictionary attacks on password-protected local storage. In Advances in Cryptology—CRYPTO 2006. Full version: Cryptology ePrint Archive, Report 2006/276. http://eprint.iacr.org/.
10. CryptoCard. http://www.cryptocard.com/.
11. DEAN, D., AND STUBBLEFIELD, A. Using client puzzles to protect TLS. In USENIX Security Symposium—SECURITY 2001. http://www.usenix.org/events/sec01/full papers/dean/dean.pdf.
12. DigiPass. http://www.vasco.com/.
13. DWORK, C., GOLDBERG, A., AND NAOR, M. On memory-bound functions for fighting spam. In Advances in Cryptology—CRYPTO 2003.
14. DWORK, C., AND NAOR, M. Pricing via processing or combating junk mail. In Advances in Cryptology—CRYPTO 1992.
15. GnuPG - the GNU privacy guard. http://www.gnupg.org/.
16. HALDERMAN, J. A., WATERS, B., AND FELTEN, E. W. A convenient method for securely managing passwords. In Proceedings of WWW 2005.
17. HALEVI, S., AND KRAWCZYK, H. Public-key cryptography and password protocols. In ACM CCS 1998.
18. HELLMAN, M. E. A cryptanalytic time-memory trade-off. IEEE Trans. Information Theory 26, 4 (1980), 401–6.
19. IEEE P1363.2: Password-based public-key cryptography. http://grouper.ieee.org/groups/1363/.
20. JABLON, D. Strong password-only authenticated key exchange. Computer Communication Review (1996).
21. JUELS, A., AND BRAINARD, J. Client puzzles: A cryptographic defense against connection depletion attacks. In Proceedings of NDSS 1999.
22. KALISKI, B. PKCS #5: Password-based cryptography specification, version 2.0. RFC 2898, September 2000. http://www.ietf.org/rfc/rfc2898.txt.
23. KAO, M.-Y., REIF, J. H., AND TATE, S. R. Searching in an unknown environment: An optimal randomized algorithm for the cow-path problem. In ACM-SIAM Symposium on Discrete Algorithms—SODA 1993.
24. KRAWCZYK, H., BELLARE, M., AND CANETTI, R. HMAC: Keyed-hashing for message authentication. RFC 2104, February 1997. http://www.ietf.org/rfc/rfc2104.txt.
25. LAHERRERE, J., AND SORNETTE, D. Stretched exponential distributions in nature and economy:’fat tails’ with characteristic scales. European Physical Journals B2 (1998), 525–39. http://xxx.lanl.gov/abs/cond-mat/9801293.
26. LENSTRA, A. K., AND VERHEUL, E. R. Selecting cryptographic key sizes. Journal of Cryptology 14, 4 (2001), 255–93.
27. MACKENZIE, P., SHRIMPTON, T., AND JAKOBSSON, M. Threshold password-authenticated key exchange. Journal of Cryptology 19, 1 (2006), 27–66.
28. MAO, W. Send message into a definite future. In Proceedings of ICICS 1999.
29. NAOR, M., AND PINKAS, B. Visual authentication and identification. In Advances in Cryptology—CRYPTO 1997.
30. OECHSLIN, P. Making a faster cryptanalytical time-memory trade-off. In Advances in Cryptology—CRYPTO 2003.
31. PERLINE, R. Zipf’s law, the central limit theorem, and the random division of the unit interval. Physical Review E 54, 1 (1996), 220–3.
32. PINKAS, B., AND SANDER, T. Securing passwords against dictionary attacks. In ACM Conference on Computer and Communications Security—CCS 2002.
33. PROVOS, N., AND MAZIÈRES, D. A future-adaptable password scheme. In USENIX Technical Conference—FREENIX Track 1999. http://www.usenix.org/events/usenix99/provos/provos.pdf.
34. REED, W. J. The Pareto, Zipf and other power laws. Economics Letters 74, 1 (2001), 15–9.
35. RIVEST, R. L., SHAMIR, A., AND WAGNER, D. A. Time-lock puzzles and timed-release crypto. Technical report MIT-LCS-TR-684, MIT, 1985. http://www.lcs.mit.edu/publications/ pubs/pdf/MIT-LCS-TR-684.pdf.
36. ROSS, B., JACKSON, C., MIYAKE, N., BONEH, D., AND MITCHELL, J. C. Stronger password authentication using browser extensions. In USENIX Security Symposium—SECURITY 2005.
37. RSA-LABORATORIES. PKCS #5: Password-based encryption standard, version 1.5, November 1993. See also [22].
38. SecurID. http://www.rsasecurity.com/.
39. STUBBLEFIELD, A., AND SIMON, D. Inkblot authentication. Tech. report MSR-TR-2004-85, Microsoft Research, 1985.
40. TrueCrypt - free open-source on-the-fly disk encryption software. http://www.truecrypt.org/.
41. VIEGA, J., KOHNO, T., AND HOUSLEY, R. Patent-free, parallelizable MACing. Crypto Forum Research Group, December 2002. http://www1.ietf.org/mail-archive/web/ cfrg/current/msg00126.html.
42. VON AHN, L., BLUM, M., HOPPER, N., AND LANGFORD, J. CAPTCHA: Using hard AI problems for security. In Advances in Cryptology—CRYPTO 2003.
43. YAN, J., BLACKWELL, A., ANDERSON, R., AND GRANT, A. The memorability and security of passwords - some empirical results. IEEE Security and Privacy 2, 5 (2004), 25–31.