The AuthA protocol for password-based authenticated key exchange


Author(s) : Phillip Rogaway, Mihir Bellare
Publisher : N/A
Publication Date : 2000
ISSN : N/A
Abstract : We suggest a simple protocol, AuthA, for the problem of password-based authenticated key exchange (AKE). We assume the asymmetric trust model: the client A has a password pwa and the server B has a particular one-way function of this, pwb. Two flows of the protocol comprise a Diffie-Hellman key exchange, using a group on which the Diffie-Hellman problem is hard. At least one of these two flows is encrypted using the key pwb. Then an authentication tag, AuthA, is flowed from the client to the server. This tag is just the hash of some values easily computable by both parties. The server checks the received tag prior to accepting the session key. The protocol just sketched provides security against dictionary attack, and it ensures forward secrecy and client-to-server authentication. Server-to-client authentication can be added cheaply, by flowing a second authentication tag, AuthB, from server to client. Like most work in this area, our protocol springs from ideas of Bellovin and Merritt [BM92, BM93]. There has been a large body of other follow-on to this, including protocol suggestions,