Prompted User Retrieval of Secret Entropy: The Passmaze Protocol

A prompting protocol permits users to securely retrieve secrets with greater entropy than passwords. The retrieved user secrets can have enough entropy to be used to derive cryptographic keys

Blind Password Registration for Verifier-based PAKE

We propose Blind Password Registration (BPR), a new class of cryptographic protocols that is instrumental for secure registration of client passwords at remote servers with additional protection against unwitting password disclosures on the server side that may occur due to the lack of the state-of-the-art password protection mechanisms implemented by the server or due to common server-compromise attacks. The dictionary attack resistance property of BPR protocols guarantees that the only information available to the server during and after the execution of the protocol cannot be used to reveal the client password without performing an offline dictionary attack on a password verifier (e.g. salted hash value) that is stored by the server at the end of the protocol. In particular, at no point in time the server is supposed to work with plain passwords. Our BPR model allows servers to enforce password policies and the requirement on the client to obey them during the execution of the BPR protocol is covered by the policy compliance property. We construct an efficient BPR protocol in the standard model for ASCII-based password policies using some techniques underlying the recently introduced Zero-Knowledge Password Policy Checks (ZKPPC). However, we do not rely on the full power of costly ZKPPC proofs and in fact show that BPR protocols can be modelled and realised simpler and significantly faster (as supported by our implementation) without using them as a building block. Our BPR protocol can directly be used to replace ZKPPC-based registration procedure for existing VPAKE protocols

Anonymous and Transparent Gateway-based Password-Authenticated Key Exchange

The original publication is available at www.springerlink.comInternational audienceIn Asiacrypt 2005, Abdalla et al. put forward the notion of gateway-based password- authenticated key exchange (GPAKE) protocol, which allows clients and gateways to establish a common session key with the help of an authentication server. In addition to the semantic security of the session key, their solution also provided additional security properties such as password pro- tection with respect to malicious gateways and key privacy with respect to curious authentication servers. In this paper, we further pursue this line of research and present a new and stronger se- curity model for GPAKE schemes, combining all above-mentioned security properties. In addition to allowing a security proof for all these security properties, the new security model has also other advantages over the previous one such as taking into account user corruptions. After describing the new security model, we then present a new variant of the GPAKE scheme of Abdalla et al. with similar efficiency. Like the original scheme, the new scheme is also transparent in that it does not differ significantly from a classical 2-PAKE scheme from the point of view of a client. Finally, we also show how to add client anonymity with respect to the server to the basic GPAKE scheme by using private information retrieval protocols

Public-Key Encryption Indistinguishable Under Plaintext-Checkable Attacks

Indistinguishability under chosen-ciphertext attack (INDCCA) is now considered the de facto security notion for public-key encryption. However, this sometimes offers a stronger security guarantee than what is needed. In this paper, we consider a weaker security notion, termed indistinguishability under plaintext-checking attacks (INDPCA), in which the adversary has only access to an oracle indicating whether or not a given ciphertext encrypts a given message. After formalizing this notion, we design a new public-key encryption scheme satisfying it. The new scheme is a variant of the Cramer-Shoup encryption scheme with shorter ciphertexts. Its security is also based on the plain Decisional Diffie-Hellman (DDH) assumption. Additionally, the algebraic properties of the new scheme allow proving plaintext knowledge using Groth-Sahai non-interactive zero-knowledge proofs or smooth projective hash functions. Finally, as a concrete application, we show that, for many password-based authenticated key exchange (PAKE) schemes in the Bellare-Pointcheval-Rogaway security model, we can safely replace the underlying INDCCA encryption schemes with our new INDPCA one. By doing so, we reduce the overall communication complexity of these protocols and obtain the most efficient PAKE schemes to date based on plain DDH

Perfect Forward Security of SPAKE2

SPAKE2 is a balanced password-authenticated key exchange (PAKE) protocol, proposed by Abdalla and Pointcheval at CTRSA 2005. Due to its simplicity and efficiency, SPAKE2 is one of the balanced PAKE candidates currently under consideration for standardization by the CFRG, together with SPEKE, CPace, and J-PAKE. In this paper, we show that SPAKE2 achieves perfect forward security in the random-oracle model under the Gap Diffie-Hellman assumption. Unlike prior results, which either did not consider forward security or only proved a weak form of it, our results guarantee the security of the derived keys even for sessions that were created with the active involvement of the attacker, as long as the parties involved in the protocol are not corrupted when these sessions take place. Finally, our proofs also demonstrate that SPAKE2 is flexible with respect to the generation of its global parameters M and N. This includes the cases where M is a uniform group element and M=N or the case where M and N are chosen as the output of a random oracle