Title :
Security analysis of J-PAKE
Author_Institution :
Dept. of Inf., Univ. of Bergen, Bergen, Norway
Abstract :
J-PAKE is a Password-Authenticated Key Exchange protocol, proposed in 2008 and presented again in 2010 and 2011. It does not require any public key infrastructure but uses zero-knowledge proofs. J-PAKE has been submitted as a candidate for the IEEE P1363.2 standard for password-based public key cryptography, and included in OpenSSL and OpenSSH. Since December 2010, J-PAKE has been used in Mozilla Firefox web browser. In this paper, we show that J-PAKE is vulnerable to password compromise impersonation attack, replay attack, and unknown key-share attack. We also propose some improvements for thwarting replay and unknown key-share attacks.
Keywords :
authorisation; cryptographic protocols; public key cryptography; IEEE P1363.2 standard; J-PAKE; Mozilla Firefox Web browser; OpenSSH; OpenSSL; password compromise impersonation attack; password-authenticated key exchange protocol; password-based public key cryptography; replay attack; security analysis; unknown key-share attack; zero-knowledge proofs; Authentication; Browsers; Dictionaries; Protocols; Resilience; Servers;
Conference_Titel :
Computers and Communication (ISCC), 2014 IEEE Symposium on
Conference_Location :
Funchal
DOI :
10.1109/ISCC.2014.6912576
