Password-authenticated key exchange based on RSA

  • Authors: Philip MacKenzie; Sarvar Patel; Ram Swaminathan

  • Affiliations:
  • Lucent Technologies, Bell Laboratories, Murray Hill, NJ 07974, USA and Google, Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
  • Lucent Technologies, Bell Laboratories, Murray Hill, NJ 07974, USA and Google, Inc., 76 9th Ave, New York, NY 10011, USA
  • Lucent Technologies, Bell Laboratories, Murray Hill, NJ 07974, USA and Hewlett-Packard Laboratories, 1501 Page Mill Road, Palo Alto, CA 94304, USA

  • Venue: International Journal of Information Security, Special Issue on Special Purpose Protocols; Guest Editor: Moti Yung
  • Year: 2010

Abstract

There have been many proposals in recent years for password-authenticated key exchange protocols, i.e., protocols in which two parties who share only a short secret password perform a key exchange authenticated with the password. However, the only ones that have been proven secure against offline dictionary attacks were based on Diffie–Hellman key exchange. We examine how to design a secure password-authenticated key exchange protocol based on RSA. In this paper, we first look at the OKE and protected-OKE protocols (both RSA-based) and show that they are insecure. Then we show how to modify the OKE protocol to obtain a password-authenticated key exchange protocol that can be proven secure (in the random oracle model). This protocol is very practical; in fact, it requires about the same amount of computation as the Diffie–Hellman-based protocols. Finally, we present an augmented protocol that is resilient to server compromise, meaning (informally) that an attacker who compromises a server would not be able to impersonate a client, at least not without running an offline dictionary attack against that client's password.