Analysing Password Protocol Security Against Off-line Dictionary Attacks

Ricardo Corin; Jeroen Doumen; Sandro Etalle

doi:10.1016/j.entcs.2004.10.007

Analysing Password Protocol Security Against Off-line Dictionary Attacks

Ricardo Corin^*, Jeroen Doumen, Sandro Etalle

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

34 Citations (Scopus)

71 Downloads (Pure)

Abstract

We study the security of password protocols against off-line dictionary attacks. In addition to the standard adversary abilities, we also consider further cryptographic advantages given to the adversary when considering the password protocol being instantiated with particular encryption schemes. We work with the applied pi-calculus of Abadi and Fournet, in which the (new) adversary abilities are modelled as equations between terms. As case studies, we analyse the Encrypted Password Transmission (EPT) protocol of Halevi and Krawczyk, and the wellknown Encrypted Key (EKE) of Bellovin and Merritt. In the latter, we find an attack that arises when considering the ability of distinguishing ciphertexts from random noise. We propose a modification to EKE that prevents this attack.

Original language	English
Title of host publication	Proceedings of the 2nd International Workshop on Security Issues with Petri Nets and other Computational Models (WISP 2004)
Editors	Nadia Busi, Roberto Gorrieri, Fabio Martinelli
Place of Publication	Amsterdam
Publisher	Elsevier
Pages	47-63
Number of pages	17
DOIs	https://doi.org/10.1016/j.entcs.2004.10.007
Publication status	Published - Jun 2004
Event	2nd International Workshop on Security Issues with Petri Nets and other Computational Models, WISP 2004 - Bologna, Italy Duration: 26 Jun 2004 → 26 Jun 2004 Conference number: 2

Publication series

Name	Electronic Notes in Theoretical Computer Science
Publisher	Elsevier
Volume	121
ISSN (Print)	1571-0661

Workshop

Workshop	2nd International Workshop on Security Issues with Petri Nets and other Computational Models, WISP 2004
Abbreviated title	WISP
Country/Territory	Italy
City	Bologna
Period	26/06/04 → 26/06/04
Other	June 26, 2004

Keywords

SCS-Cybersecurity
Password protocols
Dictionary attacks
Verification
Pi calculus

Access to Document

10.1016/j.entcs.2004.10.007Licence: CC BY-NC-ND

Corin2005analysingFinal published version, 309 KBLicence: CC BY-NC-ND

34 Citations
1 Report

Analysing Password Protocol Security Against Off-line Dictionary Attacks
Corin, R., Doumen, J. & Etalle, S., Dec 2003, Enschede: Centre for Telematics and Information Technology (CTIT). 19 p. (CTIT Technical Reports; no. 2003-52)
Research output: Book/Report › Report › Professional

Open Access
File

Cite this

Corin, R., Doumen, J., & Etalle, S. (2004). Analysing Password Protocol Security Against Off-line Dictionary Attacks. In N. Busi, R. Gorrieri, & F. Martinelli (Eds.), Proceedings of the 2nd International Workshop on Security Issues with Petri Nets and other Computational Models (WISP 2004) (pp. 47-63). (Electronic Notes in Theoretical Computer Science; Vol. 121). Elsevier. https://doi.org/10.1016/j.entcs.2004.10.007

Corin, Ricardo ; Doumen, Jeroen ; Etalle, Sandro. / Analysing Password Protocol Security Against Off-line Dictionary Attacks. Proceedings of the 2nd International Workshop on Security Issues with Petri Nets and other Computational Models (WISP 2004). editor / Nadia Busi ; Roberto Gorrieri ; Fabio Martinelli. Amsterdam : Elsevier, 2004. pp. 47-63 (Electronic Notes in Theoretical Computer Science).

@inproceedings{e9e38df427f34fb9b9e1a28fe7b2a90c,

title = "Analysing Password Protocol Security Against Off-line Dictionary Attacks",

abstract = "We study the security of password protocols against off-line dictionary attacks. In addition to the standard adversary abilities, we also consider further cryptographic advantages given to the adversary when considering the password protocol being instantiated with particular encryption schemes. We work with the applied pi-calculus of Abadi and Fournet, in which the (new) adversary abilities are modelled as equations between terms. As case studies, we analyse the Encrypted Password Transmission (EPT) protocol of Halevi and Krawczyk, and the wellknown Encrypted Key (EKE) of Bellovin and Merritt. In the latter, we find an attack that arises when considering the ability of distinguishing ciphertexts from random noise. We propose a modification to EKE that prevents this attack.",

keywords = "SCS-Cybersecurity, Password protocols, Dictionary attacks, Verification, Pi calculus",

author = "Ricardo Corin and Jeroen Doumen and Sandro Etalle",

year = "2004",

month = jun,

doi = "10.1016/j.entcs.2004.10.007",

language = "English",

series = "Electronic Notes in Theoretical Computer Science",

publisher = "Elsevier",

pages = "47--63",

editor = "Nadia Busi and Roberto Gorrieri and Fabio Martinelli",

booktitle = "Proceedings of the 2nd International Workshop on Security Issues with Petri Nets and other Computational Models (WISP 2004)",

note = "2nd International Workshop on Security Issues with Petri Nets and other Computational Models, WISP 2004, WISP ; Conference date: 26-06-2004 Through 26-06-2004",

}

Corin, R, Doumen, J & Etalle, S 2004, Analysing Password Protocol Security Against Off-line Dictionary Attacks. in N Busi, R Gorrieri & F Martinelli (eds), Proceedings of the 2nd International Workshop on Security Issues with Petri Nets and other Computational Models (WISP 2004). Electronic Notes in Theoretical Computer Science, vol. 121, Elsevier, Amsterdam, pp. 47-63, 2nd International Workshop on Security Issues with Petri Nets and other Computational Models, WISP 2004, Bologna, Italy, 26/06/04. https://doi.org/10.1016/j.entcs.2004.10.007

Analysing Password Protocol Security Against Off-line Dictionary Attacks. / Corin, Ricardo; Doumen, Jeroen; Etalle, Sandro.

Proceedings of the 2nd International Workshop on Security Issues with Petri Nets and other Computational Models (WISP 2004). ed. / Nadia Busi; Roberto Gorrieri; Fabio Martinelli. Amsterdam : Elsevier, 2004. p. 47-63 (Electronic Notes in Theoretical Computer Science; Vol. 121).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Analysing Password Protocol Security Against Off-line Dictionary Attacks

AU - Corin, Ricardo

AU - Doumen, Jeroen

AU - Etalle, Sandro

N1 - Conference code: 2

PY - 2004/6

Y1 - 2004/6

N2 - We study the security of password protocols against off-line dictionary attacks. In addition to the standard adversary abilities, we also consider further cryptographic advantages given to the adversary when considering the password protocol being instantiated with particular encryption schemes. We work with the applied pi-calculus of Abadi and Fournet, in which the (new) adversary abilities are modelled as equations between terms. As case studies, we analyse the Encrypted Password Transmission (EPT) protocol of Halevi and Krawczyk, and the wellknown Encrypted Key (EKE) of Bellovin and Merritt. In the latter, we find an attack that arises when considering the ability of distinguishing ciphertexts from random noise. We propose a modification to EKE that prevents this attack.

AB - We study the security of password protocols against off-line dictionary attacks. In addition to the standard adversary abilities, we also consider further cryptographic advantages given to the adversary when considering the password protocol being instantiated with particular encryption schemes. We work with the applied pi-calculus of Abadi and Fournet, in which the (new) adversary abilities are modelled as equations between terms. As case studies, we analyse the Encrypted Password Transmission (EPT) protocol of Halevi and Krawczyk, and the wellknown Encrypted Key (EKE) of Bellovin and Merritt. In the latter, we find an attack that arises when considering the ability of distinguishing ciphertexts from random noise. We propose a modification to EKE that prevents this attack.

KW - SCS-Cybersecurity

KW - Password protocols

KW - Dictionary attacks

KW - Verification

KW - Pi calculus

U2 - 10.1016/j.entcs.2004.10.007

DO - 10.1016/j.entcs.2004.10.007

M3 - Conference contribution

T3 - Electronic Notes in Theoretical Computer Science

SP - 47

EP - 63

BT - Proceedings of the 2nd International Workshop on Security Issues with Petri Nets and other Computational Models (WISP 2004)

A2 - Busi, Nadia

A2 - Gorrieri, Roberto

A2 - Martinelli, Fabio

PB - Elsevier

CY - Amsterdam

T2 - 2nd International Workshop on Security Issues with Petri Nets and other Computational Models, WISP 2004

Y2 - 26 June 2004 through 26 June 2004

ER -

Corin R, Doumen J, Etalle S. Analysing Password Protocol Security Against Off-line Dictionary Attacks. In Busi N, Gorrieri R, Martinelli F, editors, Proceedings of the 2nd International Workshop on Security Issues with Petri Nets and other Computational Models (WISP 2004). Amsterdam: Elsevier. 2004. p. 47-63. (Electronic Notes in Theoretical Computer Science). https://doi.org/10.1016/j.entcs.2004.10.007

Analysing Password Protocol Security Against Off-line Dictionary Attacks

Abstract

Publication series

Workshop

Keywords

Access to Document

Fingerprint

Research output

Analysing Password Protocol Security Against Off-line Dictionary Attacks

Cite this