An Offline Dictionary Attack against zkPAKE Protocol
نویسندگان
چکیده
Password Authenticated Key Exchange (PAKE) allows a user to establish a strong cryptographic key with a server, using only knowledge of a pre-shared password. One of the basic security requirements of PAKE is to prevent offline dictionary attacks. In this paper, we revisit zkPAKE, an augmented PAKE that has been recently proposed by Mochetti, Resende, and Aranha (SBSeg 2015). Our work shows that the zkPAKE protocol is prone to offline password guessing attack, even in the presence of an adversary that has only eavesdropping capabilities. Therefore, zkPAKE is insecure and should not be used as a key exchange mechanism.
منابع مشابه
Authenticated Key Exchange Protocol Secure against Offline Dictionary Attack and Server Compromise
This paper introduces a new scheme, called Augmented Password AKE (APAKE), for authenticated key exchange protocols. In APAKE, a password is represented by a pair of values that is randomly selected in a huge space. We present an APAKE protocol. The protocol is secure against the attacks including off-line dictionary attack and server compromise allowing for subsequent off-line dictionary attac...
متن کاملAn Offline Dictionary Attack against a Three-Party Key Exchange Protocol
Despite all the research efforts made so far, the design of protocols for password-authenticated key exchange (PAKE) still remains a non-trivial task. One of the major challenges in designing such protocols is to protect low-entropy passwords from the notorious dictionary attacks. In this work, we revisit Abdalla and Pointcheval’s three-party PAKE protocol presented in Financial Cryptography 20...
متن کاملEnhanced password-based key establishment protocol
In this paper we analyse a password-based authenticated key establishment protocol due to Laih, Ding and Huang, which enables a user to authenticate himself to a server and negotiate a shared session key. This protocol is also designed to guarantee that a human being is actually involved in an ongoing protocol execution. However we show that the protocol suffers from offline dictionary attacks....
متن کاملAn Enhanced Password-based Group Key Agreement Protocol with Constant Rounds
In PKC 2006, Abdalla et al. proposed a password-based group key exchange protocol with constant rounds and proved that protocol could resist the offline dictionary attacks in the random-oracle and ideal-cipher models. Then they proposed an open problem whether an adversary can test more than one password in the same session with online dictionary attack. To answer this question, they presented ...
متن کاملOn the security of a password-only authenticated three-party key exchange protocol
This note reports major previously unpublished security vulnerabilities in the password-only authenticated three-party key exchange protocol due to Lee and Hwang (Information Sciences, 180, 1702–1714, 2010): (1) the Lee-Hwang protocol is susceptible to a man-in-the-middle attack and thus fails to achieve implicit key authentication; (2) the protocol cannot protect clients’ passwords against an ...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2017 شماره
صفحات -
تاریخ انتشار 2017