SaTC: CORE: Small: New Directions for Client-Server Password Authentication
Oregon State University, Corvallis OR
Investigators
Abstract
Passwords remain the most ubiquitous method for client-server authentication on the Internet, helping billions of people log in to their online accounts every day. The traditional approach to client-server password authentication is vulnerable to numerous attacks on the underlying public-key infrastructure, such as phishing attacks. In recent years, new cryptographic protocols that do not rely on the public-key infrastructure, such as asymmetric password-authenticated key exchange (aPAKE) and its strong variant (saPAKE), have been proposed and analyzed; these methods achieve better security, and are seeing increasing applications in real life. There remains a significant gap, however, between the theoretical security analyses of (s)aPAKE and its applications in the real world: in particular, the exact level of security for (s)aPAKE protocols currently deployed in practice is not sufficiently understood, and there is room for improvement on the efficiency of such protocols. This project aims to push the boundaries of both the construction and analysis of (s)aPAKE in the client-server setting, and bridge the gap between theory and practice. Specifically, the investigator presents new security analyses of existing real-world (s)aPAKE protocols, whose current analyses involve contrived security definitions and models that are not well understood. The new analyses consider to what extent these complications are justified, and whether these protocols achieve more standard security notions in stronger cryptographic models. In addition, the investigator studies new tools that can be used in the construction of (s)aPAKE protocols, to achieve better efficiency measured by the protocols' computational costs, communication costs, and round complexity. Finally, the investigator studies related primitives for client-server password authentication that are widely used in practice yet understudied in cryptography, such as two-factor authentication, and proposes new security models and constructions for these protocols. The project's main impacts are new technology that has broad applications in the protection of secret data in various settings, including the next generation of transport layer security. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
View original record on NSF Award Search →