Password-authenticated Key Exchange Research Articles

Password authenticated key exchange-based on Kyber for mobile devices.

In this article, a password-authenticated key exchange (PAKE) version of the National Institute of Standards and Technology (NIST) post-quantum cryptography (PQC) public-key encryption and key-establishment standard is constructed. We mainly focused on how the PAKE version of PQC standard Kyber with mobile compatibility can be obtained by using simple structured password components. In the design process, the conventional password-based authenticated key exchange (PAK) approach is updated under the module learning with errors (MLWE) assumptions to add password-based authentication. Thanks to the following PAK model, the proposed Kyber.PAKE provides explicit authentication and perfect forward secrecy (PFS). The resistance analysis against the password dictionary attack of Kyber.PAKE is examined by using random oracle model (ROM) assumptions. In the security analysis, the cumulative distribution function (CDF) Zipf (CDF-Zipf) model is also followed to provide realistic security examinations. According to the implementation results, Kyber.PAKE presents better run-time than lattice-based PAKE schemes with similar features, even if it contains complex key encapsulation mechanism (KEM) components. The comparison results show that the proposed PAKE scheme will come to the fore for the future security of mobile environments and other areas.

A new lattice-based password authenticated key exchange scheme with anonymity and reusable key.

In this article, we propose a novel bilateral generalization inhomogenous short integer solution (BiGISIS)-based password-authenticated key exchange (PAKE) scheme for post-quantum era security. The hardness assumption of the constructed PAKE is based on newly proposed hard lattice problem, BiGISIS. The main aim of this article is to provide a solution for the post-quantum secure PAKE scheme, which is one of the open problems in the literature. The proposed PAKE is the first BiGISIS-based PAKE that satisfies anonymity and reusable key features. The bilateral-pasteurization (BiP) approach is used to obtain the reusable key, and anonymity is achieved thanks to the additional identity components and hash functions. The reusable key structure reduces the time in the key generation, and anonymity prevents illegal user login attempts. The security analysis is done by following the real-or-random (RoR) model assumptions. As a result of security examinations, perfect forward secrecy (PFS) and integrity are satisfied, and the resistance against eavesdropping, manipulation-based attack (MBA), hash function simulation, impersonation, signal leakage attack (SLA), man-in-the-middle (MitM), known-key security (KKS), and offline password dictionary attack (PDA) is captured. According to the comparison analysis, the proposed PAKE is the first SLA-resistant lattice-based PAKE with reusable key and anonymity properties.

TtPAKE: Typo tolerance password-authenticated key exchange

Error tolerant password-authenticated key exchange (PAKE) allows a user to authenticate to a server using a password and agree on a session key with the server, provided that the password for authentication and the registered one are “close enough”. Recently, an ingenious error tolerant PAKE scheme (faPAKE) for generalized passwords (e.g., fingerprints) emerged. In this paper, inspired by the mechanism of faPAKE, we propose a typo tolerance password-authenticated key exchange scheme, dubbed ttPAKE, for ordinary passwords. In ttPAKE, we introduce double-layered secret sharing (DLSS) that splits a main secret into shares and further splits the shares into sub-shares. DLSS can be considered homomorphic to typo tolerance of a password and would be an effective approach to achieve typo tolerance of the password without direct operations on the password for security requirements. A table is built to associate DLSS with typo tolerance of the password. The password is converted into position information for DLSS to store the sub-shares in the table. The table is scrambled with random numbers, and hence the information of the password is concealed. Using DLSS, our scheme implicitly determines whether typos in a password for authentication is no more than a threshold, which accomplishes typo tolerance while protecting passwords. We demonstrate that ttPAKE is secure under the Universal Composability model with security proofs. The performance evaluation shows that ttPAKE is efficient in terms of computation, communication, and storage costs.

TBVPAKE: An efficient and provably secure verifier-based PAKE protocol for IoT applications

Password-authenticated key exchange (PAKE) is an important cryptographic primitive by which two parties are allowed to authenticate each other and establish a cryptographically strong key using a low-entropy password over an insecure channel. Therefore, it is suitable for access control and securing communications between low-cost Internet of Things (IoT) devices where sound security mechanism is difficult to be applied. This paper makes a contribution to securing IoT applications by presenting a secure, efficient and easy-to-implement verifier-based PAKE protocol, named as TBVPAKE (short for Two-Basis Verifier-based PAKE). It is secure against the off-line dictionary attack and server compromise attack, and supports the perfect forward secrecy. Under the widely accepted BPR security model, TBVPAKE is formally proved in this paper in the random oracle model by reducing its security to the Computational Diffie–Hellman (CDH) and Simultaneous Diffie–Hellman (SDH) security assumptions. In addition, we compare the new TBVPAKE with some other outstanding verifier-based PAKE protocols by instantiating them over a commonly used elliptic curve group, and the comparative analysis results definitely show that the new TBVPAKE offers better computational efficiency and ease of implementation. Therefore, the new TBVPAKE might be a better choice for securing IoT applications.

Efficient and Strong Symmetric Password Authenticated Key Exchange With Identity Privacy for IoT

Password authenticated key exchange (PAKE) allows two parties with a shared password to establish a session key. In order to provide secure and private communication between devices in an Internet of Things (IoT) environment, the PAKE protocol is considered one of the most common and promising security methods. However, many existing PAKE proposals still face challenges in security and efficiency. First, both the terminals of participants may suffer from the compromise attack and precomputation attack, which will lead to the leakage of password. Second, the majority of the existing schemes cannot guarantee participants’ identity privacy. Third, most PAKE protocols are not suitable for IoT devices with limited computing capability because of a large number of exponential and pairing operations. To address these issues, we propose a strong symmetric PAKE protocol for IoT devices, which only requires 3 exponentiations per party. The proposed scheme can protect both parties from compromise and precomputation attacks, in which the password file relies on the identity and random salt. What’s more, our protocol guarantees the identity privacy, that is, the transmitted record and password file will not reveal the identity information. We further present a new security model for our protocol, and prove that the proposed scheme is secure under this model. Finally, we show the practicality of our PAKE via experiments and efficiency analysis.

Guest Editorial: Selected papers from the 24th International Conference on Information Security and Cryptology (ICISC 2021)

Guest Editorial: Selected papers from the 24th International Conference on Information Security and Cryptology (ICISC 2021)

HPAKE: Honey Password-Authenticated Key Exchange for Fast and Safer Online Authentication

Password-only authentication is one of the most popular secure mechanisms for real-world online applications. But it easily suffers from a practical threat - password leakage, incurred by external and internal attackers. The external attacker may compromise the password file stored on the authentication server, and the insider may deliberately steal the passwords or inadvertently leak the passwords. So far, there are two main techniques to address the leakage: Augmented password-authentication key exchange (aPAKE) against insiders and honeyword technique for external attackers. But none of them can resist both attacks. To fill the gap, we propose the notion of <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">honey PAKE (HPAKE)</i> that allows the authentication server to detect the password leakage and achieve the security beyond the traditional bound of aPAKE. Further, we build an HPAKE construction on the top of the honeyword mechanism, honey encryption, and OPAQUE which is a standardized aPAKE. We formally analyze the security of our design, achieving the insider resistance and the password breach detection. We implement our design and deploy it in the real environment. The experimental results show that our protocol only costs 71.27 ms for one complete run, within 20.67 ms on computation and 50.6 ms on communication. This means our design is secure and practical for real-world applications.

“Password Authentication Key Exchange Protocol using Fish Tank Image based True Random Number Generator”

Abstract: We employ a straightforward configuration of a fish tank as the changeable environment, recording its photos over time, in order to limit the computational complexity. To create the initial seed, the image data is then submitted to a reduction method and hash function. In order to get true random numbers, we suggest a method for economically removing the true seed from the image data and applying it to a pseudo-random generator, in this case, a Linear Congruential Generator (LCG). The need for information security is increasing across a range of industries, and security concerns are receiving more and more attention as a result of the Internet's explosive growth in recent years. Any future value cannot be accurately anticipated based on the current set of values and random numbers are those that are a part of a sequence in which values are uniformly distributed over a defined set. A safe session key can be provided to a pair of users interacting over an unstable channel using password-based encrypted key exchange protocols, even if the top secret key or password they share is chosen at random from a tiny set of values. We offer two straightforward Bellovin and Merritt-based encrypted key exchange systems..

Classification and analysis of vulnerabilities of modern information systems from classical and quantum attacks

Recent advances in quantum technology and the potential that practical quantum computers may become a reality in the future have led to renewed interest in developing cryptographic technologies that are secure against conventional and quantum attacks. Currently, virtually all asymmetric cryptographic schemes in use are threatened by the potential development of powerful quantum computers. Post-quantum cryptography is one of main the ways to combat this threat. Its security is based on the complexity of mathematical problems that are currently considered unsolvable efficiently, even with the help of quantum computers. The security of information systems is ensured through protection against various threats that use system vulnerabilities. Security protocols are the building blocks of secure communication. They implement security mechanisms to provide security services. Security protocols are considered abstract when analyzed, but may have additional vulnerabilities in implementation. This work contains a holistic study of security protocols. Basics of security protocols, taxonomy of attacks on security protocols and their implementation are considered, as well as various methods and models of protocol security analysis. In particular, the differences between information-theoretic and computational security, computational and symbolic models are specified. In addition, an overview of the computational security models for Authenticated Key Exchange (AKE) and Password Authentication Key Exchange (PAKE) protocols is provided. The most important security models for the AKE and PAKE protocols were also described. With the emergence of new technologies that may have different security requirements, as well as with increased opportunities for competition, there is always a need to develop new protocols. Thus, the purpose of this article is to review, classify, analyze, and research the vulnerabilities of information systems from classical, quantum, and special attacks, performed taking into account the forecast regarding the possibilities of attacks on post-quantum cryptographic transformations; studying security assessment models for existing cryptographic protocols, as well as reviewing and benchmarking security models and providing suggestions for protection against existing potential attacks.

Efficient module learning with errors‐based post‐quantum password‐authenticated key exchange

Password-authenticated key exchange (PAKE) is a cryptographic primitive that can establish secure remote communications between the client and the server, especially with the advantage of amplifying memorable passwords into strong session keys. However, the arrival of the quantum computing era has brought new challenges to traditional PAKE protocols. Thus, designing an efficient post-quantum PAKE scheme becomes an open research question. In this paper, the authors construct a quantum-safe PAKE protocol, which is a horizontal extension of the password-authenticated key (PAK) protocol in the field of module lattices. Subsequently, the authors accompany the proposed protocol with a rigorous security proof in the random oracle model with two adaptions: applying the CDF-Zipf model to characterise the ability of the adversary and using the pairing with errors assumption to simplify the proof. Taking the flexibility of the module learning with errors (MLWE) problem, the authors elaborately select three parameter sets to meet different application scenarios. Specifically, the authors’ Recommended-PAKE implementation achieves 177-bit post-quantum security with a generous margin to cope with later improvement in cryptanalysis. The performance results indicate that the authors’ MLWE-PAKE is quite practical: compared with the latest Yang-PAK, the authors’ Recommended-PAK reduces the communication cost and the running time by 36.8% and 13.8%, respectively.

Further Analysis and Improvements of a Lattice-Based Anonymous PAKE Scheme

To improve the security of mobile networks in the postquantum era, Dabra <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">et al.</i> recently proposed a lattice-based anonymous password-authenticated key exchange (LBA-PAKE) protocol for mobile devices. Especially, LBA-PAKE is claimed to support the key reuse. However, we find that LBA-PAKE is still vulnerable to the signal leakage attack when the master key is reused. We propose two strategies to reduce the needed number of queries in our attack. Compared to the method of Bindel <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">et al.</i> , our method reduces the required queries by more than 75%. Our experiments show that breaking LBA-PAKE needs less than 2 min. Through analysis of why LBA-PAKE fails in their security proof, we further propose an improved protocol without incurring extra computation costs. The formal security analysis shows that our improved scheme supports all features of LBA-PAKE while thwarting the signal leakage attack. Moreover, the implementation of our improved protocol demonstrates its efficiency in mobile networks.

Post-Quantum Secure Password-Authenticated Key Exchange Based on Ouroboros

Password-authenticated key exchange (PAKE) protocols play an important role in cryptography. Most of PAKEs are based on the Diffie–Hellman key exchange protocols or RSA encryption schemes, but their security is threatened by quantum computers. In this study, we propose the first code-based PAKE protocol based on Ouroboros, which is a code-based key exchange protocol. Our scheme enjoys high efficiency and provides mutual explicit authentication, with a security reduction to decoding random quasi-cyclic codes in the random oracle model.

Password authentication key exchange based on key consensus for IoT security

Password authentication key exchange based on key consensus for IoT security

A Chosen Random Value Attack on WPA3 SAE Authentication Protocol

Simultaneous Authentication of Equals (SAE) is a password-authenticated key exchange protocol that is designed to replace the WPA2-PSK-based authentication. The SAE authenticated key exchange protocol supports the peer-to-peer authentication and is one of the major authentication mechanisms of the Authentication and Key Management Suite specified within Wi-Fi. The SAE authenticated key exchange protocol has been widely implemented in today’s Wi-Fi devices as part of major security feature upgrades and is regarded as the third generation of Wi-Fi Protected Access. This article presents a way of attacking the weaker randomness generation algorithm within the SAE protocols, which can lead to successful impersonation types of attacks. We also suggest some protocol amendments for protection. It is recommended that SAE implementations should be upgraded to ensure protection against these attacks.

A Chaotic-Map-Based Password-Authenticated Key Exchange Protocol for Telecare Medicine Information Systems

Telecare medicine information systems (TMISs) provide e-health services such that patients can access medical resources conveniently and doctors can prescribe treatments rapidly. Authentication is an essential security requirement in TMISs. In particular, the growth of password-based remote patient authenticated key exchange combining extended chaotic maps has enhanced the level of secure communications for TMISs. Recently, Lee suggested an improved random-number-based password-authenticated key exchange (PAKE) using extended chaotic maps and synchronized-clock-based PAKE using extended chaotic maps on Guo and Zhang and Xiao et al.’s PAKE. Unfortunately, we found that the nonce-based scheme of Lee is insecure against known session-specific temporary information and server spoofing attacks. To cope with the aforementioned defects, this study aims to provide a new secure PAKE based on extended chaotic maps with more security functionalities for TMISs. Additionally, we show that the proposed scheme for TMISs provides high security along with low communication cost, computational cost, and a variety of security features.

Improved Verifier-Based Three-Party Password-Authenticated Key Exchange Protocol from Ideal Lattices

With the advent of large-scale social networks, two communication users need to generate session keys with the help of a remote server to communicate securely. In the existing three-party authenticated key exchange (3PAKE) protocols, users’ passwords need to be stored on the server; it cannot resist the server disclosure attack. To solve this security problem, we propose a more efficient 3PAKE protocol based on the verification element by adopting a public-key cryptosystem and approximate smooth projection hash (ASPH) function on an ideal lattice. Using the structure of separating authentication from the server, the user can negotiate the session key only after two rounds of communication. The analysis results show that it can improve the efficiency of computation and communication and resist the server disclosure attack, quantum algorithm attack, and replay attack; moreover, it has session key privacy to the server. This protocol can meet the performance requirement of the current communication network.

Prudent Practices in Security Standardization

From June 2019 to March 2020, IETF conducted a selection process to choose password authenticated key exchange (PAKE) protocols for standardization. Similar standardization efforts were conducted before by IEEE (P1362.2) and ISO/IEC (11770–4). An important hallmark for this IETF selection process is its openness: anyone can nominate any candidate; all reviews are public; and all email discussions on the IETF mailing lists are archived and publicly readable. However, despite the openness, it is unclear whether this IETF selection process has presented a successful model. Several important questions that were raised during the selection process remained unaddressed even after the two winners (CPace and OPAQUE) were announced. We reflect on the IETF PAKE selection process as a case study, and summarize lessons in a set of principles with the hope of improving security standardization in the future.

Achieving password-hashing scheme over lattices

Password-based authentication is the dominant form of access control and is likely to keep its status in the foreseeable future. Password authenticated key exchange (PAKE) protocols enable two parties to exchange a session key during password-based authentication over an insecure channel. To resist password compromise at the server-side, passwords are recommended to be stored in a salted hash form. However, conventional password hashing functions (e.g., PBKDF2, bcrypt, and scrypt) only support PAKE protocols based on specific number-theoretic assumptions, which can only be proved secure in the random oracle model, and the communication rounds are generally high. Furthermore, they demand a large memory size, i.e., the output is of length łinebreak 32 bytes. To address these issues, several password hashing schemes based on discrete-logarithm assumptions, e.g., Benhamouda and Pointceva (IACR ePrint2013/833), Kiefer and Manulis (ESORICS14), and Pointcheval and Wang (ASIACCS17), have been proposed to be integrated with a smooth projective hash function (SPHF), but they are not secure in the coming quantum era and only can be proved security in the random oracle model. In this work, we focus on the question of how to design an efficient password hashing scheme that can be integrated into quantum-resistant SPHF-based PAKE while being secure in the standard model (but not the random oracle model). Following the research line of Kiefer and Manulis (ESORICS14), we design three new types of lattice-based password hashing schemes based on homomorphic commitment schemes with provable security in the standard model. We show that they can be efficiently integrated with SPHFs to obtain low-interactive PAKE protocols. Although the proposed scheme is not ready to be deployed in practice, it is an important step for the quantum-resistant password-based authentication and authenticated key exchange.

Blockchain-based cross-user data shared auditing

In cloud storage, public auditing is a more popular data integrity verification technique since it allows users to delegate auditing tasks to a fully trusted third-party auditor (TPA). However, it is difficult to find such a TPA in practical application. Besides, the centralised auditing model makes TPA have to bear burdensome work pressure, which limits the practicability of existing schemes. In this paper, we firstly proposed a blockchain-based generalised shared auditing mechanism BCSA in the cross-user scenario, which aims at achieving available public auditing with a non-fully trusted TPA, and reducing the user's auditing fees and TPA's work pressure by allowing data users to share their auditing procedure with others. Furthermore, we initialise a concrete construction BCSAD with Diffie–Hellman protocol for the cross-user auditing scenario with different data. Likewise, we also propose a novel construction BCSAI for the cross-user auditing scenario with identical data, which utilises a password-authenticated key exchange (PAKE) protocol to achieve shared auditing and ciphertext deduplication, reducing data storage and auditing fees for data users and alleviating service pressure on the cloud server and TPA. Security and performance analysis evaluate the practicability of the proposed scheme.

Two-factor Password-authenticated Key Exchange with End-to-end Security

We present a secure two-factor authentication (TFA) scheme based on the user’s possession of a password and a crypto-capable device. Security is “end-to-end” in the sense that the attacker can attack all parts of the system, including all communication links and any subset of parties (servers, devices, client terminals), can learn users’ passwords, and perform active and passive attacks, online and offline. In all cases the scheme provides the highest attainable security bounds given the set of compromised components. Our solution builds a TFA scheme using any Device-enhanced Password-authenticated Key Exchange (PAKE), defined by Jarecki et al., and any Short Authenticated String (SAS) Message Authentication, defined by Vaudenay. We show an efficient instantiation of this modular construction, which utilizes any password-based client-server authentication method, with or without reliance on public-key infrastructure. The security of the proposed scheme is proven in a formal model that we formulate as an extension of the traditional PAKE model. We also report on a prototype implementation of our schemes, including TLS-based and PKI-free variants, as well as several instantiations of the SAS mechanism, all demonstrating the practicality of our approach. Finally, we present a usability study evaluating the viability of our protocol contrasted with the traditional PIN-based TFA approach in terms of efficiency, potential for errors, user experience, and security perception of the underlying manual process.1