One-time-password-authenticated key exchange
Paterson, Kenneth G. & Stebila, Douglas (2010) One-time-password-authenticated key exchange. In Steinfeld, Ron & Hawkes, Philip (Eds.) Information Security and Privacy : Proceedings of the 15th Australasian Conference, ACISP 2010, Springer, Macquarie Graduate School of Management, Sydney.
To reduce the damage of phishing and spyware attacks, banks, governments, and other security-sensitive industries are deploying one-time password systems, where users have many passwords and use each password only once. If a single password is compromised, it can be only be used to impersonate the user once, limiting the damage caused. However, existing practical approaches to one-time passwords have been susceptible to sophisticated phishing attacks. ----------
We give a formal security treatment of this important practical problem. We consider the use of one-time passwords in the context of password-authenticated key exchange (PAKE), which allows for mutual authentication, session key agreement, and resistance to phishing attacks. We describe a security model for the use of one-time passwords, explicitly considering the compromise of past (and future) one-time passwords, and show a general technique for building a secure one-time-PAKE protocol from any secure PAKE protocol. Our techniques also allow for the secure use of pseudorandomly generated and time-dependent passwords.
Impact and interest:
Citation counts are sourced monthly from and citation databases.
These databases contain citations from different subsets of available publications and different time periods and thus the citation count from each is usually different. Some works are not in either database and no count is displayed. Scopus includes citations from articles published in 1996 onwards, and Web of Science® generally from 1980 onwards.
Citations counts from theindexing service can be viewed at the linked Google Scholar™ search.
Full-text downloads displays the total number of times this work’s files (e.g., a PDF) have been downloaded from QUT ePrints as well as the number of downloads in the previous 365 days. The count includes downloads for all files if a work has more than one.
|Item Type:||Conference Paper|
|Additional Information:||Springer Series: Lecture Notes in Computer Science|
|Keywords:||one-time passwords, key exchange, protocols, cryptography|
|Subjects:||Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > DATA FORMAT (080400) > Data Encryption (080402)
Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > COMPUTER SOFTWARE (080300) > Computer System Security (080303)
|Divisions:||Past > Institutes > Information Security Institute|
|Copyright Owner:||Copyright 2010 Springer|
|Copyright Statement:||This is the author-version of the work. Conference proceedings published, by Springer Verlag, will be available via Lecture Notes in Computer Science http://www.springer.de/comp/lncs/|
|Deposited On:||21 Apr 2010 22:06|
|Last Modified:||18 Jul 2014 05:13|
Repository Staff Only: item control page