Results 1-9 of 9.
((uid:50008849))

Bookmark and Share    
Full Text
See detailPROVABLE SECURITY ANALYSIS FOR THE PASSWORD AUTHENTICATED KEY EXCHANGE PROBLEM
Lopez Becerra, José Miguel UL

Doctoral thesis (2019)

Password-based Authenticated Key-Exchange (PAKE) protocols allow the establishment of secure communications despite a human-memorable password being the only secret that is previously shared between the ... [more ▼]

Password-based Authenticated Key-Exchange (PAKE) protocols allow the establishment of secure communications despite a human-memorable password being the only secret that is previously shared between the participants. After more than 25 years since the initial proposal, the PAKE problem remains an active area of research, probably due to the vast amount of passwords deployed on the internet as password-based still constitutes the most extensively used method for user authentication. In this thesis, we consider the computational complexity approach to improve the current understanding of the security provided by previously proposed PAKE protocols and their corresponding security models. We expect that this work contributes to the standardization, adoption and more efficient implementation of the considered protocols. Our first contribution is concerning forward secrecy for the SPAKE2 protocol of Abdalla and Pointcheval (CT-RSA 2005). We prove that the SPAKE2 protocol satisfies the so-called notion of weak forward secrecy. Furthermore, we demonstrate that the incorporation of key-confirmation codes in the original SPAKE2 results in a protocol that provably satisfies the stronger notion of perfect forward secrecy. As forward secrecy is an explicit requirement for cipher suites supported in the TLS handshake, we believe our results fill the gap in the literature and facilitate the adoption of SPAKE2 in the recently approved TLS 1.3. Our second contribution is regarding tight security reductions for EKE-based protocols. We present a security reduction for the PAK protocol instantiated over Gap Diffie-Hellman groups that is tighter than previously known reductions. We discuss the implications of our results for concrete security. Our proof is the first to show that the PAK protocol can provide meaningful security guarantees for values of the parameters typical in today's world. Finally, we study the relation between two well-known security models for PAKE protocols. Security models for PAKEs aim to capture the desired security properties that such protocols must satisfy when executed in the presence of an adversary. They are usually classified into i) indistinguishability-based (IND-based) or ii) simulation-based (SIM-based), however, controversy remains within the research community regarding what is the most appropriate security model that better reflects the capabilities that an adversary is supposed to have in real-world scenarios. Furthermore, the relation between these two security notions is unclear and mentioned as a gap in the literature. We prove that SIM-BMP security from Boyko et al. (EUROCRYPT 2000) implies IND-RoR security from Abdalla et al. (PKC 2005) and that IND-RoR security is equivalent to a slightly modified version of SIM-BMP security. We also investigate whether IND-RoR security implies (unmodified) SIM-BMP security. [less ▲]

Detailed reference viewed: 68 (18 UL)
Full Text
Peer Reviewed
See detailOn the Relation Between SIM and IND-RoR Security Models for PAKEs with Forward Secrecy
Lopez Becerra, José Miguel UL; Iovino, Vincenzo UL; Ostrev, Dimiter UL et al

in E-Business and Telecommunications - 2019 (2019)

Password-based Authenticated Key-Exchange (PAKE) protocols allow the establishment of secure communication entirely based on the knowledge of a shared password. Over the last two decades, we have ... [more ▼]

Password-based Authenticated Key-Exchange (PAKE) protocols allow the establishment of secure communication entirely based on the knowledge of a shared password. Over the last two decades, we have witnessed the debut of a number of prominent security models for PAKE protocols, whose aim is to capture the desired security properties that such protocols must satisfy when executed in the presence of an active adversary. These models are usually classified into (i) indistinguishability-based (IND-based) or (ii) simulation-based (SIM-based). However, the relation between these two security notions is unclear and mentioned as a gap in the literature. In this work, we prove that SIM-BMP security from Boyko et al. (EUROCRYPT 2000) implies IND-RoR security from Abdalla et al. (PKC 2005) and that IND-RoR security is equivalent to a slightly modified version of SIM-BMP security. We also investigate whether IND-RoR security implies (unmodified) SIM-BMP security. The results obtained also hold when forward secrecy is incorporated into the security models in question. [less ▲]

Detailed reference viewed: 76 (5 UL)
Full Text
Peer Reviewed
See detailAn offline dictionary attack against zkPAKE protocol
Lopez Becerra, José Miguel UL; Ryan, Peter UL; Sala, Petra UL et al

in An offline dictionary attack against zkPAKE protocol (2019)

Password Authenticated Key Exchange (PAKE) allows a user to establish a secure cryptographic key with a server, using only knowledge of a pre-shared password. One of the basic security require- ments of ... [more ▼]

Password Authenticated Key Exchange (PAKE) allows a user to establish a secure cryptographic key with a server, using only knowledge of a pre-shared password. One of the basic security require- ments of PAKE is to prevent o ine dictionary attacks. In this paper, we revisit zkPAKE, an augmented PAKE that has been recently proposed by Mochetti, Resende, and Aranha (SBSeg 2015). Our work shows that the zkPAKE protocol is prone to o ine password guess- ing attack, even in the presence of an adversary that has only eavesdrop- ping capabilities. Results of performance evaluation show that our attack is practical and e cient.Therefore, zkPAKE is insecure and should not be used as a password-authenticated key exchange mechanism. [less ▲]

Detailed reference viewed: 72 (6 UL)
Full Text
Peer Reviewed
See detailHoneyPAKEs
Lopez Becerra, José Miguel UL; Roenne, Peter UL; Ryan, Peter UL et al

in Security Protocols XXVI: Lecture Notes in Computer Science (2018, November 27)

We combine two security mechanisms: using a Password-based Authenticated Key Establishment (PAKE) protocol to protect the password for access control and the Honeywords construction of Juels and Rivest to ... [more ▼]

We combine two security mechanisms: using a Password-based Authenticated Key Establishment (PAKE) protocol to protect the password for access control and the Honeywords construction of Juels and Rivest to detect loss of password files. The resulting construction combines the properties of both mechanisms: ensuring that the password is intrinsically protected by the PAKE protocol during transmission and the Honeywords mechanisms for detecting attempts to exploit a compromised password file. Our constructions lead very naturally to two factor type protocols. An enhanced version of our protocol further provides protection against a compromised login server by ensuring that it does not learn the index to the true password. [less ▲]

Detailed reference viewed: 41 (8 UL)
Full Text
Peer Reviewed
See detailForward Secrecy for SPAKE2
Lopez Becerra, José Miguel UL; Ostrev, Dimiter UL; Skrobot, Marjan

in Baek, Joonsang; Willy, Susilo (Eds.) Provable Security (2018, October 25)

Currently, the Simple Password-Based Encrypted Key Exchange (SPAKE2) protocol of Abdalla and Pointcheval (CT-RSA 2005) is being considered by the IETF for standardization and integration in TLS 1.3 ... [more ▼]

Currently, the Simple Password-Based Encrypted Key Exchange (SPAKE2) protocol of Abdalla and Pointcheval (CT-RSA 2005) is being considered by the IETF for standardization and integration in TLS 1.3. Although it has been proven secure in the Find-then-Guess model of Bellare, Pointcheval and Rogaway (EUROCRYPT 2000), whether it satisfies some notion of forward secrecy remains an open question. In this work, we prove that the SPAKE2 protocol satisfies the so-called weak forward secrecy introduced by Krawczyk (CRYPTO 2005). Furthermore, we demonstrate that the incorporation of key-confirmation codes in SPAKE2 results in a protocol that provably satisfies the stronger notion of perfect forward secrecy. As forward secrecy is an explicit requirement for cipher suites supported in the TLS handshake, we believe this work could fill the gap in the literature and facilitate the adoption of SPAKE2 in the recently approved TLS 1.3. [less ▲]

Detailed reference viewed: 51 (13 UL)
Full Text
Peer Reviewed
See detailAn Offline Dictionary Attack Against zkPAKE Protocol
Lopez Becerra, José Miguel UL; Ryan, Peter UL; Sala, Petra UL et al

Poster (2018, June)

Password Authenticated Key Exchange (PAKE) allows a user to establish a strong cryptographic key with a server, using only knowledge of a pre-shared password. One of the basic security requirements of ... [more ▼]

Password Authenticated Key Exchange (PAKE) allows a user to establish a strong cryptographic key with a server, using only knowledge of a pre-shared password. One of the basic security requirements of PAKE is to prevent o ine dictionary attacks. In this paper, we revisit zkPAKE, an augmented PAKE that has been recently proposed by Mochetti, Resende, and Aranha (SBSeg 2015). Our work shows that the zkPAKE protocol is prone to o ine password guessing attack, even in the presence of an adversary that has only eavesdropping capabilities. Therefore, zkPAKE is insecure and should not be used as a password-authenticated key exchange mechanism [less ▲]

Detailed reference viewed: 87 (12 UL)
Full Text
Peer Reviewed
See detailTightly-Secure PAK(E)
Lopez Becerra, José Miguel UL; Iovino, Vincenzo UL; Ostrev, Dimiter UL et al

in Cryptology and Network Security (2017, December 02)

We present a security reduction for the PAK protocol instantiated over Gap Diffie-Hellman Groups that is tighter than previously known reductions. We discuss the implications of our results for concrete ... [more ▼]

We present a security reduction for the PAK protocol instantiated over Gap Diffie-Hellman Groups that is tighter than previously known reductions. We discuss the implications of our results for concrete security. Our proof is the first to show that the PAK protocol can provide meaningful security guarantees for values of the parameters typical in today’s world. [less ▲]

Detailed reference viewed: 164 (36 UL)
Full Text
See detailOn the Relation Between SIM and IND-RoR Security Models for PAKEs
Lopez Becerra, José Miguel UL; Iovino, Vincenzo UL; Skrobot, Marjan UL

Presentation (2017, March 09)

Security models for PAKE protocols aim to capture the desired security properties that such protocols must satisfy when executed in the presence of an active adversary. They are usually classified into i ... [more ▼]

Security models for PAKE protocols aim to capture the desired security properties that such protocols must satisfy when executed in the presence of an active adversary. They are usually classified into i) indistinguishability-based (IND-based) or ii) simulation-based (SIM-based). The relation between these two security notions is unclear and mentioned as a gap in the literature. In this work, we prove that the SIM-based model of Boyko, Mackenzie and Patel [EUROCRYPT00] and the IND-based model of Abdalla, Fouque and Pointcheval are equivalent, in the sense that a protocol proven secure in one model is also secure in the other model. [less ▲]

Detailed reference viewed: 52 (3 UL)
Full Text
Peer Reviewed
See detailOn the Relation Between SIM and IND-RoR Security Models for PAKEs
Lopez Becerra, José Miguel UL; Iovino, Vincenzo UL; Ostrev, Dimiter UL et al

in Proceedings of the International Conference on Security and Cryptography (2017)

Password-based Authenticated Key-Exchange (PAKE) protocols allow users, who need only to share a password, to compute a high-entropy shared session key despite passwords being taken from a dictionary ... [more ▼]

Password-based Authenticated Key-Exchange (PAKE) protocols allow users, who need only to share a password, to compute a high-entropy shared session key despite passwords being taken from a dictionary. Security models for PAKE protocols aim to capture the desired security properties that such protocols must satisfy when executed in the presence of an active adversary. They are usually classified into i) indistinguishability-based (IND-based) or ii) simulation-based (SIM-based). The relation between these two security notions is unclear and mentioned as a gap in the literature. In this work, we prove that SIM-BMP security from Boyko et al.~(EUROCRYPT 2000) implies IND-RoR security from Abdalla et al.~(PKC 2005) and that IND-RoR security implies a slightly modified version of SIM-BMP security. We also investigate whether IND-RoR security implies (unmodified) SIM-BMP security. [less ▲]

Detailed reference viewed: 119 (15 UL)