Per-session security: Password-based cryptography revisited

G. Demay, P. Gazi, U. Maurer, B. Tackmann, Journal of Computer Security 27 (2019) 75–111.

Download
No fulltext has been uploaded. References only!

Journal Article | Published | English
Author
; ; ;
Department
Abstract
Cryptographic security is usually defined as a guarantee that holds except when a bad event with negligible probability occurs, and nothing is guaranteed in that bad case. However, in settings where such failure can happen with substantial probability, one needs to provide guarantees even for the bad case. A typical example is where a (possibly weak) password is used instead of a secure cryptographic key to protect a session, the bad event being that the adversary correctly guesses the password. In a situation with multiple such sessions, a per-session guarantee is desired: any session for which the password has not been guessed remains secure, independently of whether other sessions have been compromised. A new formalism for stating such gracefully degrading security guarantees is introduced and applied to analyze the examples of password-based message authentication and password-based encryption. While a natural per-message guarantee is achieved for authentication, the situation of password-based encryption is more delicate: a per-session confidentiality guarantee only holds against attackers for which the distribution of password-guessing effort over the sessions is known in advance. In contrast, for more general attackers without such a restriction, a strong, composable notion of security cannot be achieved.
Publishing Year
Date Published
2019-01-01
Journal Title
Journal of Computer Security
Volume
27
Issue
1
Page
75-111
ISSN
IST-REx-ID

Cite this

Demay G, Gazi P, Maurer U, Tackmann B. Per-session security: Password-based cryptography revisited. Journal of Computer Security. 2019;27(1):75-111. doi:10.3233/JCS-181131
Demay, G., Gazi, P., Maurer, U., & Tackmann, B. (2019). Per-session security: Password-based cryptography revisited. Journal of Computer Security, 27(1), 75–111. https://doi.org/10.3233/JCS-181131
Demay, Gregory, Peter Gazi, Ueli Maurer, and Bjorn Tackmann. “Per-Session Security: Password-Based Cryptography Revisited.” Journal of Computer Security 27, no. 1 (2019): 75–111. https://doi.org/10.3233/JCS-181131.
G. Demay, P. Gazi, U. Maurer, and B. Tackmann, “Per-session security: Password-based cryptography revisited,” Journal of Computer Security, vol. 27, no. 1, pp. 75–111, 2019.
Demay G, Gazi P, Maurer U, Tackmann B. 2019. Per-session security: Password-based cryptography revisited. Journal of Computer Security. 27(1), 75–111.
Demay, Gregory, et al. “Per-Session Security: Password-Based Cryptography Revisited.” Journal of Computer Security, vol. 27, no. 1, IOS Press, 2019, pp. 75–111, doi:10.3233/JCS-181131.

Export

Marked Publications

Open Data IST Research Explorer

Search this title in

Google Scholar