QUT ePrints

One-time-password-authenticated key exchange

Paterson, Kenneth G. & Stebila, Douglas (2010) One-time-password-authenticated key exchange. In Steinfeld, Ron & Hawkes, Philip (Eds.) Information Security and Privacy : Proceedings of the 15th Australasian Conference, ACISP 2010, Springer, Macquarie Graduate School of Management, Sydney.

[img] Full version (PDF 349kB)
Supplemental Material.
    [img] Camera Ready Version (PDF 364kB)
    Accepted Version.

      View at publisher

      Abstract

      To reduce the damage of phishing and spyware attacks, banks, governments, and other security-sensitive industries are deploying one-time password systems, where users have many passwords and use each password only once. If a single password is compromised, it can be only be used to impersonate the user once, limiting the damage caused. However, existing practical approaches to one-time passwords have been susceptible to sophisticated phishing attacks. ----------

      We give a formal security treatment of this important practical problem. We consider the use of one-time passwords in the context of password-authenticated key exchange (PAKE), which allows for mutual authentication, session key agreement, and resistance to phishing attacks. We describe a security model for the use of one-time passwords, explicitly considering the compromise of past (and future) one-time passwords, and show a general technique for building a secure one-time-PAKE protocol from any secure PAKE protocol. Our techniques also allow for the secure use of pseudorandomly generated and time-dependent passwords.

      Impact and interest:

      1 citations in Scopus
      Search Google Scholar™
      0 citations in Web of Science®

      Citation countsare sourced monthly from Scopus and Web of Science® citation databases.

      These databases contain citations from different subsets of available publications and different time periods and thus the citation count from each is usually different. Some works are not in either database and no count is displayed. Scopus includes citations from articles published in 1996 onwards, and Web of Science® generally from 1980 onwards.

      Citations counts from the Google Scholar™ indexing service can be viewed at the linked Google Scholar™ search.

      Full-text downloads:

      434 since deposited on 21 Apr 2010
      121 in the past twelve months

      Full-text downloadsdisplays the total number of times this work’s files (e.g., a PDF) have been downloaded from QUT ePrints as well as the number of downloads in the previous 365 days. The count includes downloads for all files if a work has more than one.

      ID Code: 31900
      Item Type: Conference Paper
      Additional Information: Springer Series: Lecture Notes in Computer Science
      Additional URLs:
      Keywords: one-time passwords, key exchange, protocols, cryptography
      ISBN: 9783642140808
      Subjects: Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > DATA FORMAT (080400) > Data Encryption (080402)
      Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > COMPUTER SOFTWARE (080300) > Computer System Security (080303)
      Divisions: Past > Institutes > Information Security Institute
      Copyright Owner: Copyright 2010 Springer
      Copyright Statement: This is the author-version of the work. Conference proceedings published, by Springer Verlag, will be available via Lecture Notes in Computer Science http://www.springer.de/comp/lncs/
      Deposited On: 22 Apr 2010 08:06
      Last Modified: 18 Jul 2014 15:13

      Export: EndNote | Dublin Core | BibTeX

      Repository Staff Only: item control page