A Simple Threshold Authenticated Key Exchange from Short Secrets
Lecture Notes in Computer Science
This paper brings the password-based authenticated key exchange (PAKE) problem closer to practice. It takes into account the presence of firewalls when clients communicate with authentication servers. An authentication server can indeed be seen as two distinct entities, namely a gateway (which is the direct interlocutor of the client) and a back-end server (which is the only one able to check the identity of the client). The goal in this setting is to achieve both transparency and security for
... he client. And to achieve these goals, the most appropriate choices seem to be to keep the client's password private -even from the back-end server-and to use threshold-based cryptography. In this paper, we present the Threshold Password-based Authenticated Key Exchange (GTPAKE) system: GTPAKE uses a pair of public/private keys and, unlike traditional threshold-based constructions, shares only the private key among the servers. The system does no require any certification -except during the registration and update of clients' passwords-since clients do not use the publickey to authenticate to the gateway. Clients only need to have their password in hand. In addition to client security, this paper also presents highly-desirable security properties such as server password protection against dishonest gateways and key privacy against curious authentication servers. i Gateway-oriented password-based key exchange. A gateway-oriented password-based key exchange is a three-party protocol among a client, a gateway, and an authentication server. The goal of protocol is to establish an implicitly authenticated session key between the client and the gateway with the help of the authentication server, where the authentication is done by means of a short password. In our model, the password is known to both the client and the authentication server, but not to the gateway. In fact, no long-term secrets are stored in the gateway. The authentication server, on the other hand, is assumed to know the password. While the communication channel between the gateway and the authentication server is assumed to be authenticated and private, the channel connecting the client to the gateway may be insecure and perhaps under the control of an adversary. The security goals of our gateway-oriented password-based key exchange model are also somewhat different from those of previous models for password-based schemes. In particular, we ask that the session key shared between the gateway and the client should remain private to the authentication server (see Section 2.2 for more details). Moreover, we also ask that the chances of the gateway learning some information on the password after multiple interactions with the server, perhaps concurrently, should be negligible. Protocol participants. The participants in a gateway-oriented password-based key exchange are the client C ∈ C, the gateway G ∈ G, and the authentication server S ∈ S. We denote by U the set of all participants (i.e., U = C ∪ G ∪ S) and by U a non-specific participant in U. Each client C ∈ C holds a password pw C . Each server S ∈ S holds a vector of passwords PW S = pw C C∈C with an entry for each client.