University of Surrey

Blind Password Registration for Two-Server Password Authenticated Key Exchange and Secret Sharing Protocols

Kiefer, F and Manulis, M (2016) Blind Password Registration for Two-Server Password Authenticated Key Exchange and Secret Sharing Protocols. In: The 19th Information Security Conference, 2016-09-07 - 2016-09-09, Honolulu, HI, USA.

2ServerPolicies.pdf - Accepted version Manuscript
Available under License : See the attached licence file.

PDF (licence)
SRI_deposit_agreement.pdf

Abstract

Many organisations enforce policies on the length and formation of passwords to encourage selection of strong passwords and protect their multi-user systems. For Two-Server Password Authenticated Key Exchange (2PAKE) and Two-Server Password Authenticated Secret Sharing (2PASS) protocols, where the password chosen by the client is secretly shared between the two servers, the initial remote registration of policy-compliant passwords represents a major problem because none of the servers is supposed to know the password in clear. We solve this problem by introducing Two-Server Blind Password Registration (2BPR) protocols that can be executed between a client and the two servers as part of the remote registration procedure. 2BPR protocols guarantee that secret shares sent to the servers belong to a password that matches their combined password policy and that the plain password remains hidden from any attacker that is in control of at most one server. We propose a security model for 2BPR protocols capturing the requirements of policy compliance for client passwords and their blindness against the servers. Our model extends the adversarial setting of 2PAKE/2PASS protocols to the registration phase and hence closes the gap in the formal treatment of such protocols. We construct an efficient 2BPR protocol for ASCII-based password policies, prove its security in the standard model, give a proof of concept implementation, and discuss its performance.

Item Type: Conference or Workshop Item (Conference Paper)
Subjects : Computing Science
Divisions : Faculty of Engineering and Physical Sciences > Computing Science
Authors :
Authors | Email | ORCID
Kiefer, F | UNSPECIFIED | UNSPECIFIED
Manulis, M | UNSPECIFIED | UNSPECIFIED
Date : 2016
Copyright Disclaimer : The final publication is available at Springer via http://dx.doi.org/[insert DOI]
Contributors :
Contribution | Name | Email | ORCID
UNSPECIFIED | Springer | UNSPECIFIED | UNSPECIFIED
Related URLs :
Depositing User : Symplectic Elements
Date Deposited : 08 Jun 2016 15:58
Last Modified : 08 Jun 2016 15:58
URI: http://epubs.surrey.ac.uk/id/eprint/810984

© The University of Surrey, Guildford, Surrey, GU2 7XH, United Kingdom.
+44 (0)1483 300800