Password-Only Authenticated Three-Party Key Exchange with Provable Security in the Standard Model

Protocols for password-only authenticated key exchange (PAKE) in the three-party setting allow two clients registered with the same authentication server to derive a common secret key from their individual password shared with the server. Existing three-party PAKE protocols were proven secure under...

Descripción completa

Detalles Bibliográficos
Autores principales: Nam, Junghyun, Choo, Kim-Kwang Raymond, Kim, Junghwan, Kang, Hyun-Kyu, Kim, Jinsoo, Paik, Juryon, Won, Dongho
Formato: Online Artículo Texto
Lenguaje:English
Publicado: Hindawi Publishing Corporation 2014
Materias:
Research Article
Acceso en línea:https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4009152/
https://www.ncbi.nlm.nih.gov/pubmed/24977229
http://dx.doi.org/10.1155/2014/825072
_version_ 1782479714551595008
author Nam, Junghyun
Choo, Kim-Kwang Raymond
Kim, Junghwan
Kang, Hyun-Kyu
Kim, Jinsoo
Paik, Juryon
Won, Dongho
author_facet Nam, Junghyun
Choo, Kim-Kwang Raymond
Kim, Junghwan
Kang, Hyun-Kyu
Kim, Jinsoo
Paik, Juryon
Won, Dongho
author_sort Nam, Junghyun
collection PubMed
description Protocols for password-only authenticated key exchange (PAKE) in the three-party setting allow two clients registered with the same authentication server to derive a common secret key from their individual password shared with the server. Existing three-party PAKE protocols were proven secure under the assumption of the existence of random oracles or in a model that does not consider insider attacks. Therefore, these protocols may turn out to be insecure when the random oracle is instantiated with a particular hash function or an insider attack is mounted against the partner client. The contribution of this paper is to present the first three-party PAKE protocol whose security is proven without any idealized assumptions in a model that captures insider attacks. The proof model we use is a variant of the indistinguishability-based model of Bellare, Pointcheval, and Rogaway (2000), which is one of the most widely accepted models for security analysis of password-based key exchange protocols. We demonstrated that our protocol achieves not only the typical indistinguishability-based security of session keys but also the password security against undetectable online dictionary attacks.
format Online
Article
Text
id pubmed-4009152
institution National Center for Biotechnology Information
language English
publishDate 2014
publisher Hindawi Publishing Corporation
record_format MEDLINE/PubMed
spelling pubmed-40091522014-06-29 Password-Only Authenticated Three-Party Key Exchange with Provable Security in the Standard Model Nam, Junghyun Choo, Kim-Kwang Raymond Kim, Junghwan Kang, Hyun-Kyu Kim, Jinsoo Paik, Juryon Won, Dongho ScientificWorldJournal Research Article Protocols for password-only authenticated key exchange (PAKE) in the three-party setting allow two clients registered with the same authentication server to derive a common secret key from their individual password shared with the server. Existing three-party PAKE protocols were proven secure under the assumption of the existence of random oracles or in a model that does not consider insider attacks. Therefore, these protocols may turn out to be insecure when the random oracle is instantiated with a particular hash function or an insider attack is mounted against the partner client. The contribution of this paper is to present the first three-party PAKE protocol whose security is proven without any idealized assumptions in a model that captures insider attacks. The proof model we use is a variant of the indistinguishability-based model of Bellare, Pointcheval, and Rogaway (2000), which is one of the most widely accepted models for security analysis of password-based key exchange protocols. We demonstrated that our protocol achieves not only the typical indistinguishability-based security of session keys but also the password security against undetectable online dictionary attacks. Hindawi Publishing Corporation 2014 2014-04-14 /pmc/articles/PMC4009152/ /pubmed/24977229 http://dx.doi.org/10.1155/2014/825072 Text en Copyright © 2014 Junghyun Nam et al. https://creativecommons.org/licenses/by/3.0/ This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
spellingShingle Research Article
Nam, Junghyun
Choo, Kim-Kwang Raymond
Kim, Junghwan
Kang, Hyun-Kyu
Kim, Jinsoo
Paik, Juryon
Won, Dongho
Password-Only Authenticated Three-Party Key Exchange with Provable Security in the Standard Model
title Password-Only Authenticated Three-Party Key Exchange with Provable Security in the Standard Model
title_full Password-Only Authenticated Three-Party Key Exchange with Provable Security in the Standard Model
title_fullStr Password-Only Authenticated Three-Party Key Exchange with Provable Security in the Standard Model
title_full_unstemmed Password-Only Authenticated Three-Party Key Exchange with Provable Security in the Standard Model
title_short Password-Only Authenticated Three-Party Key Exchange with Provable Security in the Standard Model
title_sort password-only authenticated three-party key exchange with provable security in the standard model
topic Research Article
url https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4009152/
https://www.ncbi.nlm.nih.gov/pubmed/24977229
http://dx.doi.org/10.1155/2014/825072
work_keys_str_mv AT namjunghyun passwordonlyauthenticatedthreepartykeyexchangewithprovablesecurityinthestandardmodel
AT chookimkwangraymond passwordonlyauthenticatedthreepartykeyexchangewithprovablesecurityinthestandardmodel
AT kimjunghwan passwordonlyauthenticatedthreepartykeyexchangewithprovablesecurityinthestandardmodel
AT kanghyunkyu passwordonlyauthenticatedthreepartykeyexchangewithprovablesecurityinthestandardmodel
AT kimjinsoo passwordonlyauthenticatedthreepartykeyexchangewithprovablesecurityinthestandardmodel
AT paikjuryon passwordonlyauthenticatedthreepartykeyexchangewithprovablesecurityinthestandardmodel
AT wondongho passwordonlyauthenticatedthreepartykeyexchangewithprovablesecurityinthestandardmodel

Ejemplares similares