Paper 2014/242

Zero-Knowledge Password Policy Checks and Verifier-Based PAKE

Franziskus Kiefer and Mark Manulis

Abstract

Zero-Knowledge Password Policy Checks (ZKPPC), introduced in this work, enable blind registration of client passwords at remote servers, i.e., client passwords are never transmitted to the servers. This eliminates the need for trusting servers to securely process and store client passwords. A ZKPPC protocol, executed as part of the registration procedure, allows clients to further prove compliance of chosen passwords with respect to password policies defined by the servers. The main benefit of ZKPPC-based password registration is that it guarantees that registered passwords never appear in clear on the server side. At the end of the registration phase the server only receives and stores some verification information that can later be used for authentication in a suitable Verifier-based Password Authenticated Key Exchange (VPAKE) protocol. We give general and concrete constructions of ZKPPC protocols and suitable VPAKE protocols for ASCII-based passwords and policies that are commonly used on the web. To this end we introduce a reversible mapping of ASCII characters to integers that can be used to preserve the structure of the password string and a new randomized password hashing scheme for ASCII-based passwords.

Note: updated password encoding with discussion on shift base

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Minor revision. Computer Security - ESORICS 2014 - 19th European Symposium on Research in Computer Security
Keywords
Password policiespassword registrationauthenticationverificationpassword hashingASCII passwordsverifier-based PAKE
Contact author(s)
f kiefer @ surrey ac uk
History
2015-01-13: last of 2 revisions
2014-04-18: received
See all versions
Short URL
https://ia.cr/2014/242
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2014/242,
      author = {Franziskus Kiefer and Mark Manulis},
      title = {Zero-Knowledge Password Policy Checks and Verifier-Based {PAKE}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2014/242},
      year = {2014},
      url = {https://eprint.iacr.org/2014/242}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.