|
Abstract : |
This paper presents a protocol for mutual authentication and key exchange based solely on passwords, requiring no other public or private participant-specific information to be stored. A major difficulty in designing these protocols is the problem of weak passwords, and the possibility of off-line dictionary attacks. We present a formal definition of security for passwordonly mutual authentication and key exchange, and prove that our protocol is secure against both passive and active adversarial attacks, including off-line dictionary attacks. This is the first proof of security for any mutual authentication and key exchange protocol based solely on passwords. In particular, we show that in the random-oracle model our protocol is as secure as RSA for mutual authentication and as secure as Decision Diffie-Hellman for key exchange. We also present a formal definition of resilience to server compromise for password-only mutual authentication and key exchange protocols, and we extend our protocol so that it is resilient to server compromise., |
