Yaqing Song,Chunxiang Xu,Yuan Zhang,Shiyu Li

DOI: https://doi.org/10.1109/tifs.2023.3324326

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:We propose a protection mechanism for password-based credential databases maintained by service providers against leakage, dubbed PCDL. In PCDL, each authentication credential is derived from a user’s password and a salt, where a service provider employs a set of key servers to share the salt in a threshold way. With PCDL, an external adversary cannot derive any information about the underlying passwords from a compromised credential database, even if he can compromise some of the key servers. The most prominent manifestation of PCDL is transparency: integrating PCDL with existing password-based authentication schemes does not require users to perform any additional operation (and thereby does not change users’ interaction patterns), yet enhances the security guarantee significantly. PCDL serves as an independent component only deployed on the service provider side to harden the credential database. As such, PCDL is well compatible with existing password-based authentication schemes. We analyze the security of PCDL and conduct a performance evaluation, which shows that PCDL is secure and efficient.

computer science, theory & methods,engineering, electrical & electronic

Victor Boyko,Philip MacKenzie,Sarvar Patel

DOI: https://doi.org/10.1007/3-540-45539-6_12

2000-01-01

Abstract:When designing password-authenticated key exchange protocols (as opposed to key exchange protocols authenticated using crypto-graphically secure keys), one must not allow any information to be leaked that would allow verification of the password (a weak shared key), since an attacker who obtains this information may be able to run an off-line dictionary attack to determine the correct password. We present a new protocol called PAK which is the first Diffie-Hellman-based password-authenticated key exchange protocol to provide a formal proof of security (in the random oracle model) against both passive and active adversaries. In addition to the PAK protocol that provides mutual explicit authentication, we also show a more efficient protocol called PPK that is provably secure in the implicit-authentication model. We then extend PAK to a protocol called PAK-X, in which one side (the client) stores a plaintext version of the password, while the other side (the server) only stores a verifier for the password. We formally prove security of PAK-X, even when the server is compromised. Our formal model for password-authenticated key exchange is new, and may be of independent interest.

Yusuke Naito,Kazuki Yoneyama,Lei Wang,Kazuo Ohta

DOI: https://doi.org/10.1007/978-3-642-24316-5_20

2011-01-01

Abstract:In this paper, we clarify the security of practical cryptosystems with hash functions based on key derivation functions (KDFs). We use the indifferentiability framework in order to discuss the security because the indifferentiability from Random Oracle (and its variants) guarantees that cryptosystems remain secure even if Random Oracles (ROs) are instantiated with hash functions. Though previous works on the indifferentiability of Merkle-Damgard (MD) hash functions focus on stand-alone hash functions, there is no work which focuses on MD hash functions with KDFs. Many cryptosystems need longer output lengths of hash functions than stand-alone hash functions and KDFs are used to generate longer digests as specified in PKCS #1 v2.1 and IEEE P1363. Specifically, we obtain the following results. We denote the MD hash function using Stam's type-II compression function by MD-SCFII and MD-SCFII with KDFs by KDF-MD-SCFII.- Cryptosystems secure in the pub-RO model (FDH, PSS, Fiat-Shamir, and so on): Dodis et al. proposed the indifferentiability from pub-RO to prove the security of these cryptosystems using MD-SCFII while did not consider the KDF structures. So we propose a different framework, indifferentiability from privleak-RO. Using this framework and their result, we show that these cryptosystems using KDF-MD-SCFIIs are secure.- Encryption schemes secure in the RO model (OAEP, RSA-KEM, PSEC-KEM, ECIES-KEM and so on): The encryption schemes are secure in the "fixed inputl length" RO model because the input lengths of ROs from the encryption schemes are fixed. We show that this fact guarantees the security of the encryption schemes using KDF-MD-SCFII.

Adam Groce,Jonathan Katz

DOI: https://doi.org/10.1145/1866307.1866365

2010-01-01

Abstract:Protocols for password-based authenticated key exchange (PAKE) allow two users who share only a short, low-entropy password to agree on a cryptographically strong session key. The challenge in designing such protocols is that they must be immune to off-line dictionary attacks in which an eavesdropping adversary exhaustively enumerates the dictionary of likely passwords in an attempt to match a password to the set of observed transcripts. To date, few general frameworks for constructing PAKE protocols in the standard model are known. Here, we abstract and generalize a protocol by Jiang and Gong to give a new methodology for realizing PAKE without random oracles, in the common reference string model. In addition to giving a new approach to the problem, the resulting construction off ers several advantages over prior work. We also describe an extension of our protocol that is secure within the universal composability (UC) framework and, when instantiated using El Gamal encryption, is more efficient than a previous protocol of Canetti et al.

Baodong Qin,Shengli Liu,Tsz Hon Yuen,Robert H. Deng,Kefei Chen

DOI: https://doi.org/10.1007/978-3-662-46447-2_25

2015-01-01

Abstract:Related-Key Attacks (RKAs) allow an adversary to observe the outcomes of a cryptographic primitive under not only its original secret key e.g., s, but also a sequence of modified keys phi(s), where phi is specified by the adversary from a class Phi of so-called Related-Key Derivation (RKD) functions. This paper extends the notion of non-malleable Key Derivation Functions (nm-KDFs), introduced by Faust et al. (EUROCRYPT' 14), to continuous nm-KDFs. Continuous nm-KDFs have the ability to protect against any a-priori unbounded number of RKA queries, instead of just a single time tampering attack as in the definition of nm-KDFs. Informally, our continuous non-malleability captures the scenario where the adversary can tamper with the original secret key repeatedly and adaptively. We present a novel construction of continuous nm-KDF for any polynomials of bounded degree over a finite field. Essentially, our result can be extended to richer RKD function classes possessing properties of high output entropy and input-output collision resistance. The technical tool employed in the construction is the one-time lossy filter (Qin et al. ASIACRYPT' 13) which can be efficiently obtained under standard assumptions, e.g., DDH and DCR. We propose a framework for constructing Phi-RKA-secure IBE, PKE and signature schemes, using a continuous nm-KDF for the same Phi-class of RKD functions. Applying our construction of continuous nm-KDF to this framework, we obtain the first RKA-secure IBE, PKE and signature schemes for a class of polynomial RKD functions of bounded degree under standard assumptions. While previous constructions for the same class of RKD functions all rely on non-standard assumptions, e. g., d-extended DBDH assumption.

He Debiao,Chen Jianhua,Hu Jin

2010-01-01

Abstract:He Debiao, Chen Jianhua, Hu Jin School of Mathematics and Statistics, Wuhan University, Wuhan, Hubei 430072, China hedebiao@163.com Abstract: Recently, Abdalla et al. proposed a new gateway-oriented password-based authenticated key exchange (GPAKE) protocol among a client, a gateway, and an authentication server, where each client shares a human-memorable password with a trusted server so that they can resort to the server for authentication when want to establish a shared session key with the gateway. In the letter, we show that a malicious client of GPAKE is still able to gain information of password by performing an undetectable on-line password guessing attack and can not provide the implicit key confirmation. At last, we present a countermeasure to against the attack.

Lutong Chen,Kaiping Xue,Jian Li,Zhonghui Li,Nenghai Yu

DOI: https://doi.org/10.1109/mnet.2024.3396160

IF: 10.294

2024-01-01

IEEE Network

Abstract:Quantum Key Distribution (QKD) offers a novel approach to address the challenges posed by quantum computations in classical ciphers. Due to hardware limitations and the stochastic nature of QKD protocols, the secure key generation rate is currently constrained and subject to fluctuations. However, users expect a consistent supply of keys at a stable rate while maintaining a secure threshold. To address this issue, we present a Quantum Continuous and Secure Key Derivation Function named Q-CSKDF that utilizes QKD keys to produce stable, high-rate, but secure derivated keys. Our approach satisfies both security and rate requirements in a full-period and continuous perspective, with a dynamic derivation expansion ratio determined by users’ requirement of security level and key quantity and the amount of generated QKD keys. Extensive semi-physical experiments demonstrate Q-CSKDF’s capability to consistently generate high-rate derived keys while ensuring the desired level of security.

Shai Halevi,Hugo Krawczyk

DOI: https://doi.org/10.1145/322510.322514

1999-08-01

ACM Transactions on Information and System Security

Abstract:We study protocols for strong authentication and key exchange in asymmetric scenarios where the authentication server possesses ~a pair of private and public keys while the client has only a weak human-memorizable password as its authentication key. We present and analyze several simple password authentication protocols in this scenario, and show that the security of these protocols can be formally proven based on standard cryptographic assumptions. Remarkably, our analysis shows optimal resistance to off-line password guessing attacks under the choice of suitable public key encryption functions. In addition to user authentication, we describe ways to enhance these protocols to provide two-way authentication, authenticated key exchange, defense against server's compromise, and user anonymity. We complement these results with a proof that strongly indicates that public key techniques are unavoidable for password protocols that resist off-line guessing attacks. As a further contribution, we introduce the notion of public passwords that enables the use of the above protocols in situations where the client's machine does not have the means to validate the server's public key. Public passwords serve as "hand-held certificates" that the user can carry without the need for specal computing devices.

English Else

Junhan Yang,Tianjie Cao

2011-01-01

Journal of Computational Information Systems

Abstract:With advances in elliptic curve cryptography, Li et al. and Yoon et al. proposed two password-authenticated key exchange protocols without server's public key. They claimed to be secure against several possible attacks, securely update user passwords without a complicated process, and also provide explicit key authentication in the case of a session key agreement. Unfortunately, Li et al.'s protocol is vulnerable to off-line dictionary attack and man-in-the-middle attack. Meanwhile Yoon et al.'s protocol is subject to off-line dictionary attack and fails to provide backward secrecy. In this paper, we conduct a detailed analysis on the flaws and also propose a verifier-based password-authenticated key exchange protocol via elliptic curves which is secure against various known attacks. Copyright © 2011 Binary Information Press.

Jaryn Shen,Timothy T. Yuen,Kim-Kwang Raymond Choo,Qingkai Zeng

DOI: https://doi.org/10.1007/978-3-030-21548-4_28

2019-01-01

Abstract:Passwords are widely used in online services, such as electronic and mobile banking services, and may be complemented by other authentication mechanism(s) for example in two-factor or three-factor authentication systems. There are, however, a number of known limitations and risks associated with the use of passwords, such as man-in-the-middle (MitM) and offline guessing attacks. In this paper, we present AMOGAP, a novel text password-based user authentication mechanism, to defend against MitM and offline guessing attacks. In our approach, users can select easy-to-remember passwords, and AMOGAP converts currently-used salted and hashed password files into user tokens, whose security relies on the Decisional Diffie-Hellman (DDH) assumption, at the server end. In other words, we use a difficult problem in number theory (i.e., DDH problem), rather than a one-way hash function, to ensure security against offline password guessing attackers and MitM attackers. AMOGAP does not require any change in existing authentication process and infrastructure or incur additional costs at the server.

Hung-Min Sun,Her-Tyan Yeh

DOI: https://doi.org/10.1016/j.jcss.2006.03.005

IF: 1.043

2006-01-01

Journal of Computer and System Sciences

Abstract:In an open networking environment, a workstation usually needs to identify its legal users for providing its services. Kerberos provides an efficient approach whereby a trusted third-party authentication server is used to verify users' identities. However, Kerberos enforces the user to use strong cryptographic secret for user authentication, and hence is insecure from password guessing attacks if the user uses a weak password for convenience. In this paper, we focus on such an environment in which the users can use easy-to-remember passwords. In addition to password guessing attacks, perfect forward secrecy (PFS in short) is another important security consideration when designing an authentication and key distribution protocol. Based on the capability of protecting the client's password, the application server's secret key, and the authentication server's private key, we define seven classes of perfect forward secrecy and focus on protocols achieving class-1, class-3, and class-7 due to their hierarchical relations. Then, we propose three secure authentication and key distribution protocols to provide perfect forward secrecy of these three classes. All these protocols are efficient in protecting poorly-chosen passwords chosen by users from guessing attacks and replay attacks.

Cem S. Sahin,Robert Lychev,Neal Wagner

DOI: https://doi.org/10.48550/arXiv.1512.05814

2015-12-18

Abstract:Although it is common for users to select bad passwords that can be easily cracked by attackers, password-based authentication remains the most widely-used method. To encourage users to select good passwords, enterprises often enforce policies. Such policies have been proven to be ineffectual in practice. Accurate assessment of a password's resistance to cracking attacks is still an unsolved problem, and our work addresses this challenge. Although the best way to determine how difficult it may be to crack a user-selected password is to check its resistance to cracking attacks employed by attackers in the wild, implementing such a strategy at an enterprise would be infeasible in practice. We first formalize the concepts of password complexity and strength with concrete definitions emphasizing their differences. Our framework captures human biases and many known techniques attackers use to recover stolen credentials in real life, such as brute-force attacks. Building on our definitions, we develop a general framework for calculating password complexity and strength that could be used in practice. Our approach is based on the key insight that an attacker's success at cracking a password must be defined by its available computational resources, time, function used to store that password, as well as the topology that bounds that attacker's search space based on that attacker's available inputs, transformations it can use to tweak and explore its inputs, and the path of exploration which can be based on the attacker's perceived probability of success. We also provide a general framework for assessing the accuracy of password complexity and strength estimators that can be used to compare other tools available in the wild.

Cryptography and Security

Baodong Qin,Shengli Liu,Zhengan Huang

DOI: https://doi.org/10.1007/978-3-642-39059-3_10

2013-01-01

Abstract:The Key-Dependent Message (KDM) security requires that an encryption scheme remains secure, even if an adversary has access to encryptions of messages that depend on the secret key. In a multi-user surrounding, a key-dependent message can be any polynomial-time function f(sk1, sk2,..., skn) in the secret keys of the users. The Key-Dependent Message Chosen-Ciphertext (KDM-CCA2) security can be similarly defined if the adversary is also allowed to query a decryption oracle. To date, KDM security has been obtained by a few constructions. But most of them are limited f(sk1, sk2,..., skn) to affine functions. As to KDM-CCA2 security, there are only two constructions available. However, neither of them has comparable key sizes and reasonable efficiency, compared to the traditional KDM-free but CCA2 secure public key encryption schemes. This article defines a new function ensemble, and shows how to obtain KDM-CCA2 security with respect to this new ensemble from the traditional Cramer-Shoup (CS) cryptosystem. To obtain KDM security, the CS system has to be tailored for encryption of key-dependent messages. We present an efficient instantiation of the Cramer-Shoup public-key encryption (CS-PKE) scheme over the subgroup of quadratic residues in ℤp*, where p is a safe prime, and prove the CS-PKE to be KDM-CCA2 secure with respect to the new function ensemble. We show that our proposed ensemble covers some affine functions, as well as other functions that are not contained in the affine ensemble. At the same time, the CS-PKE scheme with respect to our proposed function ensemble finds immediate application to anonymous credential systems. Compared to other KDM-CCA2 secure proposals, the CS scheme is the most practical one due to its short ciphertext size and computational efficiency. © 2013 Springer-Verlag.

T.V. Laptyeva,S. Flach,K. Kladko

DOI: https://doi.org/10.1209/0295-5075/95/50007

2011-07-01

Abstract:Vulnerabilities related to weak passwords are a pressing global economic and security issue. We report a novel, simple, and effective approach to address the weak password problem. Building upon chaotic dynamics, criticality at phase transitions, CAPTCHA recognition, and computational round-off errors we design an algorithm that strengthens security of passwords. The core idea of our method is to split a long and secure password into two components. The first component is memorized by the user. The second component is transformed into a CAPTCHA image and then protected using evolution of a two-dimensional dynamical system close to a phase transition, in such a way that standard brute-force attacks become ineffective. We expect our approach to have wide applications for authentication and encryption technologies.

Cryptography and Security,Other Condensed Matter,Chaotic Dynamics

Jaryn Shen,Qingkai Zeng

DOI: https://doi.org/10.1504/ijics.2019.099434

2019-01-01

International Journal of Information and Computer Security

Abstract:This paper proposes to address online and offline attacks to passwords without increasing users' efforts in choosing and memorising their passwords. In CSPS, a password consists of two parts, a user-chosen short password and a server-generated long password. The short password should be memorised and secured by its user while the long password be encrypted and stored on the server side. To keep the secret key for protecting the long password secure, an additional sever is introduced to store the secret key and provide encryption/decryption services. On top of balloon, CSPS integrates expensive hash with secure encryption. It is mathematically proved that computationally unbounded attackers cannot succeed in offline dictionary or brute-force attacks or a combination of offline and online attacks. The criteria of security are established, which quantifies the security. To our best knowledge, CSPS is the first technique to make security quantifiable in password authentication mechanisms.

Ping Wang,Ding Wang,Xinyi Huang

DOI: https://doi.org/10.7544/issn1000-1239.2016.20160483

2016-01-01

Abstract:Identity authentication is the first line of defense for information systems ,and passwords are the most widely used authentication method .Though there are a number of issues in passwords regarding security and usability , and various alternative authentication methods have also been successively proposed , password‐based authentication will remain the dominant method in the foreseeable future due to its simplicity ,low cost and easiness to change .T hus ,this topic has attracted extensive interests from worldwide researchers ,and many important results have been revealed .This work begins with the introduction of users’ vulnerable behaviors and details the password characteristics ,distribution and reuse rate .Next we summarize the primary cracking algorithms that have appeared in the past 30 years , and classify them into groups in terms of the difference in dependence on what information is exploited by the attacker .Then ,we revisit the various statistical‐based evaluation metrics for measuring the strength of password distributions .Further ,we compare the state‐of‐the‐art password strength meters .Finally ,we summarize our results and outline some future research trends .

Chunguang Ma,Ding Wang,Sendong Zhao

DOI: https://doi.org/10.1002/dac.2468

2014-01-01

International Journal of Communication Systems

Abstract:Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. In this paper, we analyze two recent proposals in the area of password-based remote user authentication using smart cards. First, we point out that the scheme of Chen et al. cannot achieve all the claimed security goals and report its following flaws: (i) it is vulnerable to offline password guessing attack under their nontamper resistance assumption of the smart cards; and (ii) it fails to provide forward secrecy. Then, we analyze an efficient dynamic ID-based scheme without public-key operations introduced byWen and Li in 2012. This proposal attempts to overcome many of the well-known security and efficiency shortcomings of previous schemes and supports more functionalities than its counterparts. Nevertheless, Wen-Li's protocol is vulnerable to offline password guessing attack and denial of service attack, and fails to provide forward secrecy and to preserve user anonymity. Furthermore, with the security analysis of these two schemes and our previous protocol design experience, we put forward three general principles that are vital for designing secure smart-card-based password authentication schemes: (i) public-key techniques are indispensable to resist against offline password guessing attack and to preserve user anonymity under the nontamper resistance assumption of the smart card; (ii) there is an unavoidable trade-off when fulfilling the goals of local password update and resistance to smart card loss attack; and (iii) at least two exponentiation (respectively elliptic curve point multiplication) operations conducted on the server side are necessary for achieving forward secrecy. The cryptanalysis results discourage any practical use of the two investigated schemes and are important for security engineers to make their choices correctly, whereas the proposed three principles are valuable to protocol designers for advancing more robust schemes. Copyright (C) 2012 John Wiley & Sons, Ltd.

Ding Wang,Ping Wang

DOI: https://doi.org/10.1007/978-3-319-27659-5_16

2015-01-01

Abstract:The design of secure and efficient smart-card-based password authentication schemes remains a challenging problem today despite two decades of intensive research in the security community, and the current crux lies in how to achieve truly two-factor security even if the smart cards can be tampered. In this paper, we analyze two recent proposals, namely, Hsieh-Leu’s scheme and Wang’s PSCAV scheme. We show that, under their non-tamper-resistance assumption of the smart cards, both schemes are still prone to offline dictionary attack, in which an attacker can obtain the victim’s password when getting temporary access to the victim’s smart card. This indicates that compromising a single factor (i.e., the smart card) of these two schemes leads to the downfall of both factors (i.e., both the smart card and the password), thereby invalidating their claim of preserving two-factor security. Remarkably, our attack on the latter protocol, which is not captured in Wang’s original protocol security model, reveals a new attacking scenario and gives rise to the strongest adversary model so far. In addition, we make the first attempt to explain why smart cards, instead of common cheap storage devices (e.g., USB sticks), are preferred in most two-factor authentication schemes for security-critical applications.

Shifeng Sun,Dawu Gu,Man Ho Au,Shuai Han,Yu Yu,Joseph K. Liu

DOI: https://doi.org/10.1007/978-3-030-21568-2_24

2019-01-01

Abstract:We revisit the problem of constructing public key encryption (PKE) secure against both key-leakage and tampering attacks. First, we present an enhanced security against both kinds of attacks, namely strong leakage and tamper-resilient chosen-ciphertext (sLTR-CCA) security, which imposes only minimal restrictions on the adversary's queries and thus captures the capability of the adversary in a more reasonable way. Then, we propose a generic paradigm achieving this security on the basis of a refined hash proof system (HPS) called public-key-malleable HPS. The paradigm can not only tolerate a large amount of bounded key-leakage, but also resist an arbitrary polynomial of restricted tampering attacks, even depending on the challenge phase. Moreover, the paradigm with slight adaptations can also be proven sLTR-CCA secure with respect to subexponentially hard auxiliary-input leakage. In addition, we instantiate our paradigm under certain standard number-theoretic assumptions, and thus, to our best knowledge, obtain the first efficient PKE schemes possessing the strong bounded/auxiliary-input leakage and tamper-resilient chosen-ciphertext security in the standard model.

Shuai Han,Shengli Liu,Lin Lyu

DOI: https://doi.org/10.1155/2017/2148534

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:KDM[F]-CCA security of public-key encryption (PKE) ensures the privacy of key-dependent messages f(sk) which are closely related to the secret key sk, where f∈F, even if the adversary is allowed to make decryption queries. In this paper, we study the design of KDM-CCA secure PKE. To this end, we develop a new primitive named Auxiliary-Input Authenticated Encryption (AIAE). For AIAE, we introduce two related-key attack (RKA) security notions, including IND-RKA and weak-INT-RKA. We present a generic construction of AIAE from tag-based hash proof system (HPS) and one-time secure authenticated encryption (AE) and give an instantiation of AIAE under the Decisional Diffie-Hellman (DDH) assumption. Using AIAE as an essential building block, we give two constructions of efficient KDM-CCA secure PKE based on the DDH and the Decisional Composite Residuosity (DCR) assumptions. Specifically, (i) our first PKE construction is the first one achieving KDM[Faff]-CCA security for the set of affine functions and compactness of ciphertexts simultaneously. (ii) Our second PKE construction is the first one achieving KDM[Fpolyd]-CCA security for the set of polynomial functions and almost compactness of ciphertexts simultaneously. Our PKE constructions are very efficient; in particular, they are pairing-free and NIZK-free.