nach oben

Erschienen in:

2016 | OriginalPaper | Buchkapitel

Software-Only Two-Factor Authentication Secure Against Active Servers

verfasst von : Julien Bringer, Hervé Chabanne, Roch Lescuyer

Erschienen in: Progress in Cryptology – AFRICACRYPT 2016

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

In most password-based authentication protocols, the server owns a value, the so-called verifier, that depends on the registered password. This verifier is often a one-way function of the password. Despite this protection, an unauthorized person who gets access to the verifier can mount a brute-force attack to recover the password. If the entropy of the password is low, which is often the case in practice, such an attack might be successful. Motivated by the growing need to face databases compromises, we propose a two-factor password-based authentication protocol where no information about the password leak from the server’s side nor from the client’s side, and where the password is not sent to the server when the user authenticates. During the registration, a user gets a value, called the token, while the server records the verifier. Our security model ensures that brute-force attacks are impossible if the server is compromised. Moreover, only on-line attempts are possible if a token is stolen. The solutions that we describe fit well into scenarios where the token is stored on a mobile phone. We provide constructions, proven secure in the random-oracle model, under standard assumptions.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Certificate Validation in Secure Computation and Its Use in Verifiable Linear Programming

Nächstes Kapitel Attribute-Based Fully Homomorphic Encryption with a Bounded Number of Inputs

Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: CCS 2006, pp. 390–399. ACM (2006)

Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000)CrossRef

Bellovin, S.M., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: SP 1992, pp. 72–84. IEEE (1992)

Bellovin, S.M., Merritt, M.: Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise. In: Computer and Communications Security (CCS 1993), pp. 244–250. ACM (1993)

Benhamouda, F., Pointcheval, D.: Verifier-based password-authenticated key exchange: new models and constructions. IACR ePrint Archive, 2013/833 (2013)

Blazy, O., Chevalier, C., Vergnaud, D.: Mitigating server breaches in password-based authentication: secure and efficient solutions. In: CT-RSA 2016 (2016). to appear

Boyko, V., MacKenzie, P.D., Patel, S.: Provably Secure password-authenticated key exchange using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 156–171. Springer, Heidelberg (2000)CrossRef

Camenisch, J., Lehmann, A., Neven, G., Samelin, K.: Virtual smart cards: how to sign with a password and a server. IACR ePrint Archive, 2015/1101 (2015)

Chase, M., Lysyanskaya, A.: On signatures of knowledge. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 78–96. Springer, Heidelberg (2006)CrossRef

10.

Duo Security two-factor authentication. https://www.duosecurity.com/

11.

ECRYPT II NoE. Yearly report on algorithms and keysizes. D.SPA.20 Rev. 1.0, ICT-2007-216676 ECRYPT II, 09/2012

12.

Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)CrossRef

13.

Google Authenticator. http://code.google.com/p/google-authenticator/

14.

El Gamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985)CrossRef

15.

Gennaro, R.: Faster and shorter password-authenticated key exchange. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 589–606. Springer, Heidelberg (2008)CrossRef

16.

Gennaro, R., Lindell, Y.: A framework for password-based authenticated key exchange. ACM Trans. Inf. Syst. Secur. 9(2), 181–234 (2006)CrossRefMATH

17.

Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)MathSciNetCrossRefMATH

18.

Groce, A., Katz, J.: A new framework for efficient password-based authenticated key exchange. In: CCS 2010, pp. 516–525. ACM Press (2010)

19.

Celestix HotPin. http://www.celestixworks.com/HOTPin.asp

20.

IEEE P1363.2. Password-based public-key cryptography working group

21.

Jablon, D.P.: Extended password key exchange protocols immune to dictionary attacks. In: WET-ICE 1997, pp. 248–255. IEEE Computer Society (1997)

22.

Jarecki, S., Krawczyk, H., Shirvanian, M.: Saxena device-enhanced password protocols with optimal online-offline protection. IACR Archive, 2015/1099 (2015)

23.

Jiang, S., Gong, G.: Password based key exchange with mutual authentication. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 267–279. Springer, Heidelberg (2004)CrossRef

24.

Katz, J., MacKenzie, P.D., Taban, G., Gligor, V.D.: Two-server password-only authenticated key exchange. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 1–16. Springer, Heidelberg (2005)CrossRef

25.

Katz, J., MacKenzie, P.D., Taban, G., Gligor, V.D.: Two-server password-only authenticated key exchange. J. Comput. Syst. Sci. 78(2), 651–669 (2012)MathSciNetCrossRefMATH

26.

Katz, J., Ostrovsky, R., Yung, M.: Efficient password-authenticated key exchange using human-memorable passwords. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 475–494. Springer, Heidelberg (2001)CrossRef

27.

Katz, J., Ostrovsky, R., Yung, M.: Forward secrecy in password-only key exchange protocols. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 29–44. Springer, Heidelberg (2003)CrossRef

28.

Katz, J., Ostrovsky, R., Yung, M.: Efficient and secure authenticated key exchange using weak passwords. J. ACM 57(1), 78–116 (2009)MathSciNetCrossRefMATH

29.

Katz, J., Vaikuntanathan, V.: Round-optimal password-based authenticated key exchange. J. Cryptol. 26(4), 714–743 (2013)MathSciNetCrossRefMATH

30.

Kiefer, F., Manulis, M.: Zero-knowledge password policy checks and verifier-based PAKE. In: Kutyłowski, M., Vaidya, J. (eds.) ICAIS 2014, Part II. LNCS, vol. 8713, pp. 295–312. Springer, Heidelberg (2014)

31.

Lucks, S.: Open key exchange: how to defeat dictionary attacks without encrypting public keys. In: Christianson, B., Crispo, B., Lomas, M., Roe, M. (eds.) Security Protocols 1997. LNCS, vol. 1361. Springer, Heidelberg (1998)CrossRef

32.

Okamoto, T., Pointcheval, D.: The Gap-problems: a new class of problems for the security of cryptographic schemes. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992. Springer, Heidelberg (2001)CrossRef

33.

Microsoft PhoneFactor. https://www.phonefactor.com/

34.

Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000)CrossRefMATH

35.

Schnorr, C.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991)MathSciNetCrossRefMATH

36.

Scott, M.: Replacing username/password with software-only two-factor authentication. IACR IACR ePrint Archive, 2012/148 (2012)

37.

Shirvanian, M., Jarecki, S., Saxena, N., Nathan, N.: Two-factor authentication resilient to server compromise using mix-bandwidth devices. In: Network and Distributed System Security - NDSS 2014. The Internet Society (2014)

38.

Steiner, M., Tsudik, G., Waidner, M.: Refinement and extension of encrypted key exchange. Oper. Syst. Rev. 29(3), 22–30 (1995)CrossRef

39.

Viet, D.Q., Yamamura, A., Tanaka, H.: Anonymous password-based authenticated key exchange. In: Maitra, S., Veni Madhavan, C.E., Venkatesan, R. (eds.) INDOCRYPT 2005. LNCS, vol. 3797, pp. 244–257. Springer, Heidelberg (2005)CrossRef

40.

Wu, T.D.: The secure remote password protocol. In: Network and Distributed System Security - NDSS 1998. The Internet Society (1998)

41.

Yang, Y., Zhou, J., Weng, J., Bao, F.: A new approach for anonymous password authentication. In: ACSAC 2009, pp. 199–208. IEEE Computer Society (2009)

Titel: Software-Only Two-Factor Authentication Secure Against Active Servers
verfasst von: Julien Bringer
Hervé Chabanne
Roch Lescuyer
Verlag: Springer International Publishing
Buch: Progress in Cryptology – AFRICACRYPT 2016
Print ISBN: 978-3-319-31516-4

Electronic ISBN: 978-3-319-31517-1

Copyright-Jahr: 2016
DOI: https://doi.org/10.1007/978-3-319-31517-1_15

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"