Security Proof for Password Authentication in TLS-Verifier-based Three-Party Group Diffie-Hellman Page: 2 of 8
passwords are immediately lost. This is what happens in the pw-pw model that has been considered
in [BM92,BPR00,BMP00,BCP03,BCP04,ABC+07], where the server and client both share
In this paper we propose to instead consider the pw-f(pw) model, where the server stores the
image of the password under a one-way function f [BM93,ACP05,GMR06]. Now if an adversary
breaks into a server, it obtains only f(pw). If pw is well-selected, meaning not in too small a
dictionary, the adversary will be unable to recover pw efficiently. If it is a poor password, meaning
in a small dictionary, then the adversary can mount a dictionary attack and recover pw in the time
needed for a number of computations of f equal to the size of the dictionary; but at least this means it
has to work harder, slowing down the attack and giving the server's administrator time to react
appropriately and inform her clients 2. The pw-f(pw) model thus provides greater security in the
face of system compromise, particularly for those users savvy enough to choose good passwords,
but also to some extent for others, particularly if a salt is used and the break-ins are detected in a
reasonable amount of time. The pw-f(pw) scenario is referred to as verifier-based.
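As an added illustration of the pw-f(pw) model described above (not the paper's TLS-V3SOKE protocol, and not code from the authors), the server below stores only a per-user salt and f(salt, pw), with f instantiated as PBKDF2-HMAC-SHA256 whose iteration count plays the role of the "slow f" from footnote 2. The function names, the iteration count and the sample passwords are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed work factor: each guess in a dictionary attack costs one
# evaluation of f, so a larger count multiplies the attacker's effort by
# the same factor as it multiplies the server's per-login cost.
ITERATIONS = 100_000


def make_verifier(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Return what the server stores instead of pw: a public salt and f(salt, pw).

    The salt is random per user, so two users with the same password get
    different verifiers and a precomputed table for one user is useless
    against another (the salting point of footnote 2).
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": digest}


def check_password(record: dict, candidate: str) -> bool:
    """Server-side check: recompute f(salt, candidate) and compare it to the
    stored verifier. The plaintext password is never stored, so a server
    compromise yields only the verifier."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record["salt"], record["iterations"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, record["verifier"])


if __name__ == "__main__":
    alice = make_verifier("correct horse battery")
    bob = make_verifier("correct horse battery")
    print("login ok:", check_password(alice, "correct horse battery"))
    print("wrong pw :", check_password(alice, "Tr0ub4dor&3"))
    print("same pw, different verifiers:", alice["verifier"] != bob["verifier"])
```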
Organization of the paper. The rest of this short paper is organized as follows. In Section 1 we
describe the cryptographic protocol and its integration in TLS. This is a necessary step toward an
implementation in an open-source cryptographic library such as OpenSSL. In Section 2, we show
that TLS-V3SOKE is provably secure under reasonable computational assumptions. Finally, we
conclude the paper.
2 The Patent Issue
With the proliferation of internet applications and business, there is much more monetary value
associated with the corruption of passwords. Individuals and businesses compete in the internet
marketplace using traditional methods of intellectual property protection: trade secret, copyright,
trademark, and patents. One difficulty in the area of password-based key exchange is the existence
of patents covering the two cases [ABC+07]. The seminal patent in the area of two-party secure
communications is that of Steven M. Bellovin and Michael J. Merritt, "Cryptographic Protocol for
Secure Communications", which issued on August 31, 1993 as United States patent 5,241,599 (the
'599 patent), based on [BM92]. This patent discloses a method which permits computer users to
authenticate themselves to a computer system using password-based authentication. A method was
devised that is believed to be practicable for two party secure communications without infringing
the '599 patent. This method has a pending United States patent application, which was published
by the United States Patent and Trademark Office as US-2005-0157874-A1 on July 21, 2005.
Similarly, the same Bellovin and Merritt were coinventors for "Cryptographic Protocol for
Remote Authentication" in United States patent 5,440,635 (the '635 patent) based on [BM93],
which issued on August 8, 1995. The '635 patent discloses a cryptographic communication system
that employs a combination of public and private key cryptography, allowing two players, who share
only a relatively insecure password, to bootstrap a computationally secure cryptographic system
over an insecure network. The '635 patent system is secure against active and passive attacks, and
has the property that the password is protected against offline "dictionary" attacks. This patent
tackles the issue of verifier-based password key exchange.
Although the '635 patent was only issued in the United States, it still remains an obstacle to
unfettered remote authentication. Therefore, an alternative protocol is proposed here that differs
2 The work the attacker must do can also be increased by making the function f slow to compute. We can make the
dictionary attack even harder by salting, where the server stores f(salt, pw), for some random salt that is public
but differs from user to user.
Chevassut, Olivier; Milner, Joseph & Pointcheval, David. Security Proof for Password Authentication in TLS-Verifier-based Three-Party Group Diffie-Hellman, report, April 21, 2008; Berkeley, California. (https://digital.library.unt.edu/ark:/67531/metadc900163/m1/2/: accessed March 18, 2019), University of North Texas Libraries, Digital Library, https://digital.library.unt.edu; crediting UNT Libraries Government Documents Department.