We revisit the venerable question of "pure password"-based key derivation and encryption, and expose security weaknesses in current implementations that stem from structural flaws in Key Derivation Functions (KDF). We advocate a fresh redesign, named Halting KDF (HKDF), which we thoroughly motivate on these grounds:

1. By letting password owners choose the hash iteration count, we gain operational flexibility and eliminate the rapid obsolescence faced by many existing schemes.
2. By throwing a Halting-Problem wrench in the works of guessing that iteration count, we widen the security gap with any attacker to its theoretical optimum.
3. By parallelizing the key derivation, we let legitimate users exploit all the computational power they can muster, which in turn further raises the bar for attackers.

HKDFs are practical and universal: they work with any password, any hardware, and a minor change to the user interface. As a demonstration, we offer real-world implementations for the TrueCrypt and GnuPG packages, and discuss their security benefits in concrete terms.