[en] Password Authenticated Key Exchange (PAKE) allows a
user to establish a strong cryptographic key with a server,
using only knowledge of a pre-shared password. One of the
basic security requirements of PAKE is to prevent o ine
dictionary attacks.
In this paper, we revisit zkPAKE, an augmented PAKE
that has been recently proposed by Mochetti, Resende, and
Aranha (SBSeg 2015). Our work shows that the zkPAKE
protocol is prone to o ine password guessing attack, even
in the presence of an adversary that has only eavesdropping
capabilities. Therefore, zkPAKE is insecure and should not
be used as a password-authenticated key exchange mechanism
Research center :
ULHPC - University of Luxembourg: High Performance Computing
Disciplines :
Computer science
Author, co-author :
LOPEZ BECERRA, José Miguel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
RYAN, Peter ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
SALA, Petra ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
Skrobot, Marjan
External co-authors :
no
Language :
English
Title :
An Offline Dictionary Attack Against zkPAKE Protocol
Alternative titles :
[en] An Offline Dictionary Attack Against zkPAKE Protocol