Browse > Article

Password-Based Authentication Protocol for Remote Access using Public Key Cryptography  

최은정 (연세대학교 컴퓨터공학과)
김찬오 (연세대학교 컴퓨터공학과)
송주석 (연세대학교 컴퓨터공학과)
Publication Information
Journal of KIISE:Information Networking / v.30, no.1, 2003 , pp. 75-81 More about this Journal
Abstract
User authentication, including confidentiality, integrity over untrusted networks, is an important part of security for systems that allow remote access. Using human-memorable Password for remote user authentication is not easy due to the low entropy of the password, which constrained by the memory of the user. This paper presents a new password authentication and key agreement protocol suitable for authenticating users and exchanging keys over an insecure channel. The new protocol resists the dictionary attack and offers perfect forward secrecy, which means that revealing the password to an attacher does not help him obtain the session keys of past sessions against future compromises. Additionally user passwords are stored in a form that is not plaintext-equivalent to the password itself, so an attacker who captures the password database cannot use it directly to compromise security and gain immediate access to the server. It does not have to resort to a PKI or trusted third party such as a key server or arbitrator So no keys and certificates stored on the users computer. Further desirable properties are to minimize setup time by keeping the number of flows and the computation time. This is very useful in application which secure password authentication is required such as home banking through web, SSL, SET, IPSEC, telnet, ftp, and user mobile situation.
Keywords
Public-Key Cryptography; Password; Authentication; Dictionary Attack; Discrete Logarithm Problem; Diffie-Hellman Key Exchange;
Citations & Related Records
연도 인용수 순위
  • Reference
1 Barry Jaspan, 'Dual workfactor Encrypted Key Exchange: Efficiently Preventing Password Chaining and Dictionary Attacks,' Sixth USENIX UNIX Security Symposium, July 1996
2 Steven M. Bellovin, Michael Merritt, 'Augmented Encrypted Key and Exchange : a Password-Based Protocol Secure Against Dictionary Attacks Password File Compromise,' ACM Conference on Computer and Communications Security, 1993   DOI
3 Thomas Wu, 'The Secure Remote Password Protocol,' 1998 Internet Society Network and Distributed System Security Symposium, San Diego, March 1998, pp.97-98
4 S.M.Bellovin and M.Merritt, 'Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attack,' Proceedings of the I.E.E.E. Symposium on Research in Security and Privacy, Oakland, May 1992   DOI
5 Shai Halevi, Hugo Krawczyk, 'public-key cryptography and password protocols,' ACM Transactions on Information and System Security, Vol.2, No.3, August 1999, pp. 230-268   DOI
6 B. Schneier, 'Applied Cryptography, 2nd Edition,' John Wiley & Sons, 1995, pp.52-55
7 Thomas Wu, 'The Secure Remote Password Protocol,' in Proceedings of the 1998 Internet Society Network and Distributed System Security Symposium, San Diego, CA, March 1998, pp.97-111
8 W. Stalling, 'Cryptography and Network Security,' Prentice-Hall, 1999, pp.303-311
9 Peter Buhler and Thomas Eirich, 'Secure Password Based Cipher Suite for TLS,' Proc. of the Symposium on Network and Distributed Systems Security Symposium, February 2000
10 David Jablon, 'Public Key Methods for Shared Secret Authentication,' RSA '98 Crypto Track Talk, January 14, 1998, http://www.integritysciences.com/rsa98/sld034.html