Title: Systems, methods and software for remote password authentication using multiple servers
Abstract: Systems, methods and software employ zero-knowledge password (ZKP) protocols to provide strong authentication using low-grade passwords that people can easily memorize. We describe protocols that enable multiple servers to verify a password without giving any single server, client, or network attacker the ability to validate guesses for the password off-line. Further improvements include removing the dependency on a prior secure channel and on client-stored keys or certificates, increasing performance without introducing new cryptographic assumptions, and better handling of mistakes in password entry. To enroll, a user chooses a password (represented as a group element $P$) and constructs a master key $K$ composed of multiple shares. The master key may be used for a variety of purposes, such as encrypting the user's private keys and other sensitive data. A set of random values $\{y_1, y_2, \ldots, y_N\}$ is selected, and each share is computed as $K_i = P^{y_i}$ in a suitable finite group. Each $y_i$ is distributed to the $i$-th of $N$ servers. To authenticate, the client chooses a random secret $x$ and, with each server, sends $P^x$, retrieves $m_i = (P^x)^{y_i}$, and computes $K_i = m_i^{1/x}$. The client reconstructs $K$, performs a validation test on $K$, and uses $K$ to decrypt a private digital signature key $U$. When the validation test succeeds, the client signs with $U$ a message that contains $P^x$ and optionally the corresponding values sent by the client in earlier attempts in which the same user mistakenly entered an incorrect password. Each server verifies the signed message to authenticate the user and to forgive the user for some reasonable number of mistakes. With knowledge of the valid messages, mistakes and all, the server fine-tunes its accounting of bad access attempts. No single server knows $K$, $P$, or any of the $K_i$ shares, and no server receives sufficient information to mount a dictionary attack on $K$ or $P$.
Password security is maintained in a very simple model, requiring no previously secured or server-authenticated channel between the client and any server. This model further avoids the risks inherent in systems where people are expected to authenticate servers but do not. Data protected by a small password, and no other keys, remains secret even against an enemy that compromises any, but not all, of two or more cooperating authentication servers.
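The enrollment and authentication flow described in the abstract, carried through as an added worked example in Python (this is not the patent's own code). Everything beyond the abstract is an assumption of the example: the group is the quadratic-residue subgroup of a demo-size safe prime generated at import time (a deployment would use vetted parameters), $K$ is a SHA-256 hash over the shares, the validation test compares a $K$-derived tag stored at the servers, $U$ is a Schnorr signing key in the same group stored at the servers one-time-padded under a $K$-derived key, and each server's bad-attempt accounting is simply its list of $P^x$ values not yet covered by a valid signature. The names `Server`, `Client`, `enroll` and `demo` are the example's own.

```python
"""Multi-server blinded-password authentication (added example, not the patent's code).
Assumptions: QR subgroup of a demo-size safe prime, K = SHA-256 over shares, U is a
Schnorr key wrapped under a K-derived pad, validation test = K-derived tag."""
import hashlib
import secrets

G = 4  # 2^2 is a quadratic residue, so it generates the order-q subgroup (assumption)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin; fine for a demo, not a vetted parameter generator."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits=128):
    """Smallest safe prime p = 2q+1 with q above 2**(bits-1); deterministic, demo-size."""
    q = (1 << (bits - 1)) + 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P_MOD, Q_ORD = gen_safe_prime()


def hash_to_group(password):
    """P = H(pw)^2 mod p: squaring places the password in the order-q subgroup."""
    return pow(int.from_bytes(hashlib.sha256(password.encode()).digest(), "big"), 2, P_MOD)


def master_key(shares):
    """K assembled from the N shares K_i (hash of their concatenation; assumption)."""
    return hashlib.sha256(b"".join(s.to_bytes(32, "big") for s in shares)).digest()


def kdf(K, label):
    return hashlib.sha256(K + label).digest()


def encode_msg(values):
    return ",".join(str(v) for v in values).encode()


def schnorr_sign(u, msg):
    r = secrets.randbelow(Q_ORD - 1) + 1
    R = pow(G, r, P_MOD)
    c = int.from_bytes(hashlib.sha256(str(R).encode() + msg).digest(), "big") % Q_ORD
    return R, (r + c * u) % Q_ORD


def schnorr_verify(V, msg, sig):
    R, s = sig
    c = int.from_bytes(hashlib.sha256(str(R).encode() + msg).digest(), "big") % Q_ORD
    return pow(G, s, P_MOD) == (R * pow(V, c, P_MOD)) % P_MOD


class Server:
    """Holds y_i plus the user's public record; never sees P, K or any K_i."""
    def __init__(self, y, V, enc_u, tag):
        self.y, self.V, self.enc_u, self.tag = y, V, enc_u, tag
        self.pending = []  # P^x values answered but not yet covered by a valid signature

    def blinded_exp(self, blinded):
        self.pending.append(blinded)        # a bad attempt until the user proves otherwise
        return pow(blinded, self.y, P_MOD)  # m_i = (P^x)^{y_i}; P itself stays hidden

    def verify_login(self, claimed, sig):
        """claimed = [current P^x, earlier mistaken P^x' ...], all signed with U."""
        if claimed[0] not in self.pending or not schnorr_verify(self.V, encode_msg(claimed), sig):
            return False
        self.pending = [b for b in self.pending if b not in claimed]  # forgive listed mistakes
        return True

    def bad_attempts(self):
        return len(self.pending)


def enroll(password, n_servers):
    P = hash_to_group(password)
    ys = [secrets.randbelow(Q_ORD - 1) + 1 for _ in range(n_servers)]
    K = master_key([pow(P, y, P_MOD) for y in ys])         # K_i = P^{y_i}
    u = secrets.randbelow(Q_ORD - 1) + 1                   # private signing key U
    enc_u = u ^ int.from_bytes(kdf(K, b"enc"), "big")      # U wrapped under K (assumption)
    return [Server(y, pow(G, u, P_MOD), enc_u, kdf(K, b"tag")) for y in ys]


class Client:
    def __init__(self, servers):
        self.servers, self.mistakes = servers, []  # mistakes: P^x values that failed validation

    def authenticate(self, password):
        x = secrets.randbelow(Q_ORD - 1) + 1
        blinded = pow(hash_to_group(password), x, P_MOD)   # P^x, the only thing servers see
        x_inv = pow(x, -1, Q_ORD)
        shares = [pow(s.blinded_exp(blinded), x_inv, P_MOD) for s in self.servers]  # K_i = m_i^{1/x}
        K, rec = master_key(shares), self.servers[0]
        if kdf(K, b"tag") != rec.tag:                       # validation test on K failed
            self.mistakes.append(blinded)
            return False
        u = rec.enc_u ^ int.from_bytes(kdf(K, b"enc"), "big")
        claimed = [blinded] + self.mistakes                 # ask to be forgiven the typos
        ok = all(s.verify_login(claimed, schnorr_sign(u, encode_msg(claimed))) for s in self.servers)
        if ok:
            self.mistakes = []
        return ok


def demo():
    servers = enroll("correct horse", 3)
    client = Client(servers)
    wrong = client.authenticate("correct hoarse")           # typo: validation test fails
    before = [s.bad_attempts() for s in servers]
    right = client.authenticate("correct horse")
    return wrong, before, right, [s.bad_attempts() for s in servers]


if __name__ == "__main__":
    print(demo())  # (False, [1, 1, 1], True, [0, 0, 0])
```

The typo'd attempt leaves one unforgiven $P^x$ at every server; the successful attempt's signed message lists both values, so each server's count returns to zero, which is the "fine-tunes the accounting" step in the abstract. Note that a server can replay nothing useful from `pending`: without the other servers' $y_j$ it cannot form $K$, and the stored `tag` and `enc_u` are only testable against a full $K$.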
Publication number US2002067832(A1)  Publication date 2002.06.06
Application number US20010872659  Filing date 2001.05.31
Applicant JABLON DAVID P.  Inventor JABLON DAVID P.
Classification G06F21/20;H04L9/08;H04L9/32;H04L29/06;(IPC1-7):H04L9/32;H04L12/22  Main classification G06F21/20
Agency  Agent
Main claim
Address