Secure password-based cipher suite for TLS

Authors:
Affiliations:
Venue:
ACM Transactions on Information and System Security (TISSEC)
Year:
2001

Citing 22
Cited 12

Reducing risks from poorly chosen keys

SOSP '89 Proceedings of the twelfth ACM symposium on Operating systems principles
Random oracles are practical: a paradigm for designing efficient protocols

CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise

CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
The official PGP user's guide

The official PGP user's guide
Refinement and extension of encrypted key exchange

ACM SIGOPS Operating Systems Review
Provably secure session key distribution: the three party case

STOC '95 Proceedings of the twenty-seventh annual ACM symposium on Theory of computing
Strong password-only authenticated key exchange

ACM SIGCOMM Computer Communication Review
A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract)

STOC '98 Proceedings of the thirtieth annual ACM symposium on Theory of computing
Public-key cryptography and password protocols

ACM Transactions on Information and System Security (TISSEC)
Password security: a case history

Communications of the ACM
Handbook of Applied Cryptography

Handbook of Applied Cryptography
On password-based authenticated key exchange using collisionful hash functions

ACISP '96 Proceedings of the First Australasian Conference on Information Security and Privacy
Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1

CRYPTO '98 Proceedings of the 18th Annual International Cryptology Conference on Advances in Cryptology
Open Key Exchange: How to Defeat Dictionary Attacks Without Encrypting Public Keys

Proceedings of the 5th International Workshop on Security Protocols
A Key Recovery Attack on Discrete Log-based Schemes Using a Prime Order Subgroupp

CRYPTO '97 Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology
Extended Password Key Exchange Protocols Immune to Dictionary Attacks

WET-ICE '97 Proceedings of the 6th Workshop on Enabling Technologies on Infrastructure for Collaborative Enterprises
Encrypted Key Exchange: Password-Based Protocols SecureAgainst Dictionary Attacks

SP '92 Proceedings of the 1992 IEEE Symposium on Security and Privacy
Number theoretic attacks on secure password schemes

SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
Analysis of the SSL 3.0 protocol

WOEC'96 Proceedings of the 2nd conference on Proceedings of the Second USENIX Workshop on Electronic Commerce - Volume 2
WWW electronic commerce and java trojan horses

WOEC'96 Proceedings of the 2nd conference on Proceedings of the Second USENIX Workshop on Electronic Commerce - Volume 2
Finite-state analysis of SSL 3.0

SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
Provably secure password-authenticated key exchange using Diffie-Hellman

EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques

Security proofs for an efficient password-based key exchange

Proceedings of the 10th ACM conference on Computer and communications security
Provably secure password-based authentication in TLS

ASIACCS '06 Proceedings of the 2006 ACM Symposium on Information, computer and communications security
Security analysis of a password-based authentication protocol proposed to IEEE 1363

Theoretical Computer Science
Strong password-based authentication in TLS using the three-party group Diffie Hellman protocol

International Journal of Security and Networks
Provably secure browser-based user-aware mutual authentication over TLS

Proceedings of the 2008 ACM symposium on Information, computer and communications security
Enhancing Security by Embedding Biometric Data in IP Header

SOFSEM '07 Proceedings of the 33rd conference on Current Trends in Theory and Practice of Computer Science
User-aware provably secure protocols for browser-based mutual authentication

International Journal of Applied Cryptography
SSL/TLS session-aware user authentication - Or how to effectively thwart the man-in-the-middle

Computer Communications
SSL/TLS session-aware user authentication using a GAA bootstrapped key

WISTP'11 Proceedings of the 5th IFIP WG 11.2 international conference on Information security theory and practice: security and privacy of mobile devices in wireless communication
IPBio: embedding biometric data in IP header for per-packet authentication

ISPA'06 Proceedings of the 2006 international conference on Frontiers of High Performance Computing and Networking
One-Time verifier-based encrypted key exchange

PKC'05 Proceedings of the 8th international conference on Theory and Practice in Public Key Cryptography
One-Round protocol for two-party verifier-based password-authenticated key exchange

CMS'06 Proceedings of the 10th IFIP TC-6 TC-11 international conference on Communications and Multimedia Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

SSL is the de facto standard today for securing end-to-end transport on the Internet. While the protocol itself seems rather secure, there are a number of risks that lurk in its use, for example, in web banking. However, the adoption of password-based key-exchange protocols can overcome some of these problems. We propose the integration of such a protocol (DH-EKE) in the TLS protocol, the standardization of SSL by IETF. The resulting protocol provides secure mutual authentication and key establishment over an insecure channel. It does not have to resort to a PKI or keys and certificates stored on the users computer. Additionally, its integration in TLS is as minimal and non-intrusive as possible.