One-time-password-authenticated key exchange

Paterson, Kenneth G. & Stebila, Douglas (2010) One-time-password-authenticated key exchange. In Steinfeld, Ron & Hawkes, Philip (Eds.) Information Security and Privacy : Proceedings of the 15th Australasian Conference, ACISP 2010, Springer, Macquarie Graduate School of Management, Sydney.

[img] Full version (PDF 349kB)
Supplemental Material.
[img] Camera Ready Version (PDF 364kB)
Accepted Version.

View at publisher


To reduce the damage of phishing and spyware attacks, banks, governments, and other security-sensitive industries are deploying one-time password systems, where users have many passwords and use each password only once. If a single password is compromised, it can be only be used to impersonate the user once, limiting the damage caused. However, existing practical approaches to one-time passwords have been susceptible to sophisticated phishing attacks. ----------

We give a formal security treatment of this important practical problem. We consider the use of one-time passwords in the context of password-authenticated key exchange (PAKE), which allows for mutual authentication, session key agreement, and resistance to phishing attacks. We describe a security model for the use of one-time passwords, explicitly considering the compromise of past (and future) one-time passwords, and show a general technique for building a secure one-time-PAKE protocol from any secure PAKE protocol. Our techniques also allow for the secure use of pseudorandomly generated and time-dependent passwords.

Impact and interest:

2 citations in Scopus
Search Google Scholar™
3 citations in Web of Science®

Citation counts are sourced monthly from Scopus and Web of Science® citation databases.

These databases contain citations from different subsets of available publications and different time periods and thus the citation count from each is usually different. Some works are not in either database and no count is displayed. Scopus includes citations from articles published in 1996 onwards, and Web of Science® generally from 1980 onwards.

Citations counts from the Google Scholar™ indexing service can be viewed at the linked Google Scholar™ search.

Full-text downloads:

520 since deposited on 21 Apr 2010
79 in the past twelve months

Full-text downloads displays the total number of times this work’s files (e.g., a PDF) have been downloaded from QUT ePrints as well as the number of downloads in the previous 365 days. The count includes downloads for all files if a work has more than one.

ID Code: 31900
Item Type: Conference Paper
Refereed: Yes
Additional Information: Springer Series: Lecture Notes in Computer Science
Additional URLs:
Keywords: one-time passwords, key exchange, protocols, cryptography
ISBN: 9783642140808
Subjects: Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > DATA FORMAT (080400) > Data Encryption (080402)
Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > COMPUTER SOFTWARE (080300) > Computer System Security (080303)
Divisions: Past > Institutes > Information Security Institute
Copyright Owner: Copyright 2010 Springer
Copyright Statement: This is the author-version of the work. Conference proceedings published, by Springer Verlag, will be available via Lecture Notes in Computer Science
Deposited On: 21 Apr 2010 22:06
Last Modified: 18 Jul 2014 05:13

Export: EndNote | Dublin Core | BibTeX

Repository Staff Only: item control page