Abstract
In this paper we show that three potential security vulnerabilities exist in the strong password-only authenticated key exchange scheme due to Jablon. Two standardised schemes based on Jablon’s scheme, namely the first password-based key agreement mechanism in ISO/IEC FCD 11770-4 and the scheme BPKAS-SPEKE in IEEE P1363.2 also suffer from some of these security vulnerabilities. We further show that other password-based key agreement mechanisms, including those in ISO/IEC FCD 11770-4 and IEEE P1363.2, also suffer from these security vulnerabilities. Finally, we propose means to remove these security vulnerabilities.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Bellovin, S., Merritt, M.: Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks. In: SP 1992: Proceedings of the 1992 IEEE Symposium on Security and Privacy, pp. 72–84. IEEE Computer Society, Los Alamitos (1992)
Jablon, D.: Strong Password-Only Authenticated Key Exchange. Computer Communication Review 26, 5–26 (1996)
Jablon, D.: Extended Password Key Exchange Protocols Immune to Dictionary Attack. In: Proceedings of the WETICE 1997 Workshop on Enterprise Security, pp. 248–255 (1997)
Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated Key Exchange Secure against Dictionary Attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000)
Abdalla, M., Chevassut, O., Pointcheval, D.: One-Time Verifier-Based Encrypted Key Exchange. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 47–64. Springer, Heidelberg (2005)
International Organization for Standardization. ISO/IEC FCD 11770–4, Information technology — Security techniques — Key management — Part 4: Mechanisms based on weak secrets (2004)
Institute of Electrical and Electronics Engineers, Inc. IEEE P1363.2 draft D20, Standard Specifications for Password-Based Public-Key Cryptographic Techniques (2005)
Lomas, T., Gong, L., Saltzer, J., Needham, R.: Reducing risks from poorly chosen keys. ACM SIGOPS Operating Systems Review 23, 14–18 (1989)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Tang, Q., Mitchell, C.J. (2005). On the Security of Some Password-Based Key Agreement Schemes. In: Hao, Y., et al. Computational Intelligence and Security. CIS 2005. Lecture Notes in Computer Science(), vol 3802. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11596981_22
Download citation
DOI: https://doi.org/10.1007/11596981_22
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-30819-5
Online ISBN: 978-3-540-31598-8
eBook Packages: Computer ScienceComputer Science (R0)