One-time-password-authenticated key exchange
Contribuinte(s) |
Steinfeld, Ron Hawkes, Philip |
---|---|
Data(s) |
19/04/2010
|
Resumo |
To reduce the damage of phishing and spyware attacks, banks, governments, and other security-sensitive industries are deploying one-time password systems, where users have many passwords and use each password only once. If a single password is compromised, it can be only be used to impersonate the user once, limiting the damage caused. However, existing practical approaches to one-time passwords have been susceptible to sophisticated phishing attacks. ---------- We give a formal security treatment of this important practical problem. We consider the use of one-time passwords in the context of password-authenticated key exchange (PAKE), which allows for mutual authentication, session key agreement, and resistance to phishing attacks. We describe a security model for the use of one-time passwords, explicitly considering the compromise of past (and future) one-time passwords, and show a general technique for building a secure one-time-PAKE protocol from any secure PAKE protocol. Our techniques also allow for the secure use of pseudorandomly generated and time-dependent passwords. |
Formato |
application/pdf application/pdf |
Identificador | |
Publicador |
Springer |
Relação |
http://eprints.qut.edu.au/31900/1/OTPAKfull.pdf http://eprints.qut.edu.au/31900/2/c31900.pdf http://web.science.mq.edu.au/conferences/acisp2010/ Paterson, Kenneth G. & Stebila, Douglas (2010) One-time-password-authenticated key exchange. In Steinfeld, Ron & Hawkes, Philip (Eds.) Information Security and Privacy : Proceedings of the 15th Australasian Conference, ACISP 2010, Springer, Macquarie Graduate School of Management, Sydney. |
Direitos |
Copyright 2010 Springer This is the author-version of the work. Conference proceedings published, by Springer Verlag, will be available via Lecture Notes in Computer Science http://www.springer.de/comp/lncs/ |
Fonte |
Information Security Institute |
Palavras-Chave | #080402 Data Encryption #080303 Computer System Security #one-time passwords #key exchange #protocols #cryptography |
Tipo |
Conference Paper |