Secure Password-Based Protocol for Downloading a Private Key

Author(s): Radia Perlman , Charlie Kaufman

Download: Paper (PDF)

Date: 4 Feb 1999

Document Type: Reports

Additional Documents: Slides

Associated Event: NDSS Symposium 1999

Abstract:

We present protocols that allow a user Alice, knowing only her name and password, and not carrying a smart card, to “log in to the network” from a “generic” workstation, i.e., one that has all the necessary software installed, but none of the configuration information usually assumed to be known a priori in a security scheme, such as Alice’s public and pri- vate keys, her certificate, and the public keys of one or more CAs. By “logging in”, we mean the workstation retrieves this information on behalf of the user. This would be straightforward if Alice had a cryptographically strong password. We propose protocols that are secure even if Alice’s password is guessable. We concentrate on the initial retrieval of Alice’s private key from some server Bob on the network. We discuss various protocols for doing this that avoid off-line password guessing attacks by someone eaves- dropping or impersonating Alice or Bob. We discuss audit- able vs. unauditable on-line attacks, and present protocols that allow Bob to be stateless, avoid denial-of-service attacks, allow for salt, and are minimal in computation and number of messages.