Computers and Electrical Engineering 35 (2009) 370–375
A novel software key container in on-line media services

Neng-Wen Wang, Yueh-Min Huang *

Department of Engineering Science, National Cheng Kung University, No. 1, Ta-Hsueh Road, Tainan 701, Taiwan, ROC

Article history: Available online 15 August 2008

Keywords: IP right; Encryption; Decryption; Key container; Human-trapdoor function
Abstract

The explosive growth of the Internet and the pervasiveness of multimedia have made the protection of IP rights for digital content in transactions a widespread concern. For fee-based media services, data encryption may be the best way to protect the media. Where the encryption (decryption) keys are placed may look trivial, but it is a crucial issue for users: how to practically protect a user's key with a password-based cryptographic scheme, and at different security levels. Today a key container that stores a user's key can be implemented in hardware or in software only. Unfortunately, hardware key containers require expensive infrastructure, while software-only key containers are either insecure or impractical. Moreover, both hardware and software containers store the user's key at a single security level. To solve these problems, we propose a novel software key container for on-line media services that offers an adaptively secure and practical way to protect a user's key. We use a human-trapdoor distortion function together with a symmetric cipher to protect the key inside the container, so that breaking the system by machine attack alone is computationally infeasible. The idea is to ensure that a person must participate in verifying each guessed password during an attack. The user can adjust the security level of the container to the security requirement. Consequently, an attacker cannot extract the user's key within a reasonable time and budget.

© 2008 Elsevier Ltd. All rights reserved.
1. Introduction

The explosive growth of networks and the pervasiveness of multimedia have encouraged many flourishing media services on the Internet. However, the protection of IP rights for digital content in transactions causes people anxiety, and inexpensive, easy-to-use tools have worsened the situation. Current security requirements and copyright protection mechanisms need to work on-line. For media service systems on the Internet, user authentication is the essential companion to the access control of the media system. Some subscription pay-media services on the Internet additionally encrypt the media to protect it.

For decades, the password has been the major means of user authentication on computer systems, and password-based authentication is the most extensively used mechanism on the Internet and in mobile communication systems. However, weak passwords are prone to dictionary attacks. Nowadays, other methods are available for user authentication [1]. Some people use smart cards and identification cards to store their secret tokens [2]. Such methods usually need special sensing devices; moreover, theft and counterfeiting are serious threats to these systems, and possessing a token does not necessarily imply legitimate ownership. Other people use biometric methods, which identify individuals by distinguishing human features [3,4]. Counterfeiting and theft are generally more expensive than with other methods, since biometric features cannot easily be substituted. However, biometric methods generally require more costly and specialized hardware.

* Corresponding author. Tel.: +886 6 275 7575x63336; fax: +886 6 276 6549. E-mail addresses: [email protected] (N.-W. Wang), [email protected] (Y.-M. Huang).

0045-7906/$ - see front matter © 2008 Elsevier Ltd. All rights reserved. doi:10.1016/j.compeleceng.2008.06.013
Data encryption may be the best way to protect the media in fee-based services. Where the encryption (decryption) keys are placed may look trivial, but it is a crucial issue. Once the protected media are encrypted under keys, user authentication is solved automatically. Using the user's password as the key may be the simplest way, but it is vulnerable to dictionary attack since users' passwords usually have low entropy. A hardware smart card can securely store a user's key and may be an excellent solution for key storage; nevertheless, it requires expensive infrastructure. To solve these problems, we propose a novel software key container for on-line media services that provides an adaptively secure and practical way to protect a user's key. It can prevent both on-line and off-line attacks in public environments. Our scheme is both practical and effective, at only a small cost in software: we use simple hash operations and a symmetric encryption system on the user's machine. If the user's machine is a microprocessor-based system with some simple peripheral devices such as an LCD and a keypad, the software container can also be embedded easily. We also describe the security of our scheme in detail. The analysis indicates that our scheme significantly increases the ability to protect the user's secret key from disclosure.
2. The related works

The standard PKCS #5 [5] provides a method of key storage that encrypts a plaintext private key with a secret key derived from a password. This method is vulnerable to dictionary attack since the plaintext is verifiable and users' passwords usually have low entropy. Other methods following PKCS #5 also suffer from dictionary attack; nevertheless, it is used extensively because of its convenience and low cost. A hardware smart card can securely store a user's key, but it requires expensive infrastructure. In 1999, Hoover and Kausik [6] proposed a software smart card that applies a cryptographic camouflage technique to protect a private key under some constraints: a signature must be encrypted; only asymmetric keys are protected; and a camouflaged private key must be used in a closed public-key infrastructure. Like a hardware smart card, the software smart card can protect a private key at the same security level without the problem of expensive infrastructure. Nevertheless, it is impractical because of these constraints.

Wang et al. [7] divided password-based authentication systems into two modes. The first mode is the simple password-transfer system: the user simply submits his password to the server. For security reasons, the server (for example, in most Unix-like systems) stores related password-verification data (PVD), generally derived by hashing the user ID, password and salt. In the secure password-transfer approach, the password is encrypted before it is submitted; the communication channel can be set up by the Transport Layer Security protocol (TLS) or its predecessor, the Secure Socket Layer (SSL) protocol. The simple password-transfer system is notoriously vulnerable to dictionary attack. The second mode is to show the user's possession of the password without sending it.
The challenge/response authentication system belongs to this mode. However, it is still vulnerable to eavesdropping attacks. A newer category of protocol following this path is called password-authenticated key exchange (PAKE). Client authentication is fulfilled by establishing an authenticated session key with the server; the session key cannot be set up if the client does not have the password or the server does not have the related PVD. PAKE protocols realize their security goals through public-key exchange techniques, and operate on the basis of two facts: (1) a PAKE user possesses a password only; (2) the user logs in to the system with a client program that contains system parameters only (such as g and q for Diffie-Hellman) and has no secrets (say, a private key) hard-coded into it. Much significant research has been done in this category. Some protocols use the Diffie-Hellman key exchange algorithm, for example the Encrypted Key Exchange (EKE) [13,14], Secure Password Exponential Key Exchange (SPEKE) [15,16], Secure Remote Password (SRP) [17], the PAK protocol [18] and the KOY01 protocol [19]. Other protocols use the RSA algorithm, such as the BPR00 protocol [20] and the SNAPI protocol [21]. Both the secure password-transfer approach and the PAKE approach thwart off-line dictionary attacks from the network very well. However, the secure password-transfer approach and most existing PAKE protocols use a single server to store users' PVD, and the exposure of that server seems inevitable. If the attacker compromises the centralized server and steals the PVD, he can simply guess a password (from his dictionary), compute the corresponding PVD and verify the correctness of the password. To survive the compromise of a single server, Wang et al. [7] employ multiple (say n) servers to store PVD. A user's PVD is shared among the multiple PVD servers, and the shared PVD is never reconstructed during user authentication.
The described system is intrusion-tolerant in the sense that it withstands the compromise of up to (t − 1) servers, 2 < t < n, where t is the threshold number. In [8], Kwon proposed "virtual software tokens" to secure PKI roaming. Kwon uses a similar idea to run RSA algorithms with multiple servers: his basic idea is to hide the real ID and split a password, as well as a private exponent, over multiple servers, which then generate signatures or decrypt messages via the virtual software tokens.

In this paper, we propose a novel software key container for on-line media services that meets users' different security requirements. It provides an adaptively secure and practical way to protect a user's key. Unlike the multiple servers used in [7,8], we emphasize enhancing security on a single server; since our system runs on a single server, it is more efficient and avoids a lot of communication overhead. In our implementation, we use a human-trapdoor function, and the user's private key is stored in the twisted form produced by that function. The function protects the user's key in our key container so that breaking the system by machine attack alone is computationally infeasible. The user can adjust the security level of the container to the security requirement. Therefore, the attacker cannot extract the user's key within a reasonable time and budget.
Fig. 1. An example of G(k, s).
3. Preliminary

To thwart machine attacks, we use a human-trapdoor function in our scheme. We first give three definitions.

Definition 1. If a function Y satisfies both of the following conditions, we say Y is a human-trapdoor function. (1) For any argument x in the domain of Y, it is easy to compute the corresponding value Y(x). (2) Given Y(x), it is computationally infeasible for a machine to extract x; however, it is easy for a human being.

Definition 2. We define a new mapping function Q × Q → Q, where Q is the set of colour pictures of a by b pixels. Each pixel of a picture in Q has an integer colour value in the interval [0, I], where I is the maximum colour value; a pixel without colour has the value 0. For any q ∈ Q, q(i, j) denotes the colour value of pixel (i, j) of the picture q, where i ∈ {1, 2, . . . , a} and j ∈ {1, 2, . . . , b}. For any q1, q2 ∈ Q, the mapping combines them pixel by pixel: (1) the result takes q1(i, j) when q1(i, j) ≠ 0; (2) the result takes q2(i, j) when q1(i, j) = 0. Applying the mapping to all pixels of the pictures Q1 and Q2 combines them into a new compound picture Q3. Obviously, Q1 is the foreground picture of Q3 and Q2 is its background picture.

Definition 3. Let A_n be the set of n-character strings whose characters are taken from the set {62 alphanumeric characters, $, #} (64 = 2^6 legal characters). Let S_c be a set of random numbers of c bits, and let s be a number selected from S_c. Using the above definitions, we define a new human-trapdoor function G(k, s) as the composition, under the mapping of Definition 2, of the two pictures D(k) (foreground) and P(s) (background), where k is a random string from A_n and s is a number selected from S_c. Both k and s are generated by the system. The function D generates a distorted picture k' of k such that a person has the ability D^{-1} to recognize the original k from k', but a machine does not. Given a random number s, the function P generates a random picture. G(k, s) is thus a picture in which P(s) is the background and D(k) is the foreground. Since P can be implemented by Random Art [11] and D by a CAPTCHA [10,12], G(k, s) is practically feasible. Yahoo has used a CAPTCHA test to prevent machines alone from applying for too many free accounts, yet its process does not protect the password.

Pinkas and Sander [22] also used a CAPTCHA to design a password-only authentication scheme; however, their method thwarts on-line dictionary attacks only, whereas we use the function to protect the user's private key against both on-line and off-line dictionary attacks. The functions D and P and the mapping of Definition 2 are all easy to compute, so G(k, s) is easily calculated for given k and s. G(k, s) is defined as a human-trapdoor function of k. Fig. 1 demonstrates an example of G(k, s): the key "744BF" has been distorted by the function D and placed as the foreground.

4. Proposed software key container in media services

Using the functions defined in Section 3, we design the proposed key container E_{pw||r}(G(k, s)), which protects a user's key k by a G-encrypted function, where E (D) is a symmetric encryption (decryption) function and pw||r is the encrypting key. The symbol || denotes concatenation, pw is the user's password and r is a random number. For convenience, we denote a human by H and a machine by M.

4.1. Protocol

4.1.1. Enrollment

For security reasons, the enrollment phase is processed off-line on the server side, or it may be performed on-line via a secure channel (for example, TLS/SSL). When a user registers his private key k with the management server, he selects a password pw and enters the system with his identifier ID. The management server picks a random number s, which is used as the parameter of the background picture; this random number is stored in the server for verification in the login phase. The server uses the G function to generate G(k, s). G(k, s) is a twisted picture of the user's private key as
shown in Fig. 1. It is then encrypted by an encryption function, which can be chosen from symmetric ciphers such as Triple DES or AES. The password cannot directly act as an encryption key because of its short length, so the system augments it with the selected random number r. The system then encrypts the user's secret into E_{pw||r}(G(k, s)). This key container is also signed by the server and stored on the server side. The user also acquires the server's public key, which will be used in the later login phase.

4.1.2. User's login

After a user has registered with the server system, he can log in by entering his identifier ID and password pw on the client computer. When the user logs in, the client computer re-transmits the user's ID to the server and requests the user's key container together with its signature. After verifying the signature on the key container, the client system performs the calculation D_{pw||r}(E_{pw||r}(G(k, s))), obtains G(k, s) and displays it to the user. The user resolves his private key k from the distorted G(k, s); the client system then encrypts the resolved k with his ID under the server's public key pk_svr and transmits {ID, pw||r, k}_{pk_svr} to the server (the random number s is not necessary since it is stored on the server side). Thus the server can decrypt and acquire the user's private key k and pw||r, and it uses these parameters to validate the user's key by performing the calculation E_{pw||r}(G(k, s)). If this value is equal to the user's key container stored on the server, the validation succeeds; otherwise the login is rejected. (The server may count consecutive login attempts; after too many failures it closes the connection.) Hereafter, the private key may be used to encrypt the following communication, or as the primary key from which session keys are generated for subsequent sessions.
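The enrollment and login flow of Section 4.1, modelled as an added Python example (not the authors' code). It assumes stand-ins the paper leaves open: a SHA-256 counter-mode keystream in place of AES/Triple DES, an undistorted rendering in place of the CAPTCHA function D, a seeded PRNG picture in place of Random Art for P, omission of the server signature and the public-key encryption of the login message (a server-authenticated channel is assumed), and a client that recovers r by trying each candidate and showing the picture to the user, which is how we read the paper's remark that a larger r also costs the user more time.

```python
"""Section 4.1 enrollment/login model (added example). Stand-ins, see lead-in:
SHA-256 keystream cipher, undistorted D(k), seeded-PRNG P(s), no signature."""
import hashlib
import hmac
import random
import secrets

A, B, I_MAX = 4, 16, 255      # pictures are a x b pixels, colour values in [0, I_MAX]
ALPHABET = ("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz$#")   # the 64 = 2^6 legal characters of A_n
N_KEY, C_BITS, M_BITS = 8, 40, 8  # 6n + c = 88 > 80 (Section 4.2); r has m = 8 bits

def compose(fg, bg):
    """Definition 2: the foreground pixel wins unless its colour value is 0."""
    return [[fg[i][j] if fg[i][j] != 0 else bg[i][j] for j in range(B)]
            for i in range(A)]

def D(k):
    """Stand-in for the distortion function D(k): row 0 holds index+1 of each
    character, row 1 a redundancy value that the simulated human checks."""
    pic = [[0] * B for _ in range(A)]
    for j, ch in enumerate(k):
        idx = ALPHABET.index(ch)
        pic[0][j], pic[1][j] = idx + 1, I_MAX - idx
    return pic

def P(s):
    """Stand-in for Random Art P(s): a seeded pseudo-random background."""
    rng = random.Random(s)
    return [[rng.randint(1, I_MAX) for _ in range(B)] for _ in range(A)]

def G(k, s):
    return compose(D(k), P(s))

def recognise(pic):
    """Simulates H applying D^-1: returns k if the picture carries a string of
    A_n, else None (a picture decrypted under a wrong pw||r is just noise)."""
    k = ""
    for j in range(N_KEY):
        idx = pic[0][j] - 1
        if not 0 <= idx < len(ALPHABET) or pic[1][j] != I_MAX - idx:
            return None
        k += ALPHABET[idx]
    return k

def to_bytes(pic):
    return bytes(v for row in pic for v in row)

def from_bytes(buf):
    return [list(buf[i * B:(i + 1) * B]) for i in range(A)]

def E(pw, r, data):
    """Stand-in symmetric cipher keyed by pw||r. Deliberately deterministic (no
    IV): the server validates a login by recomputing E_{pw||r}(G(k, s)) and
    comparing it with the stored container."""
    key = hashlib.sha256(pw.encode() + r.to_bytes(4, "big")).digest()
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[off:off + 32], ks))
    return bytes(out)

Dec = E   # XOR keystream: decryption is the same operation

class Server:
    MAX_FAILURES = 5   # the paper's "too many failures" counter

    def __init__(self):
        self.users = {}

    def enroll(self, uid, pw, k):
        """4.1.1: pick s (c bits) and r (m bits); store the container and s.
        r is neither stored nor handed to the user; pw||r is the cipher key."""
        s, r = secrets.randbits(C_BITS), secrets.randbits(M_BITS)
        self.users[uid] = {"container": E(pw, r, to_bytes(G(k, s))),
                           "s": s, "failures": 0}

    def login(self, uid, pw, r, k):
        """4.1.2 server side: recompute E_{pw||r}(G(k, s)) and compare."""
        u = self.users[uid]
        if u["failures"] >= self.MAX_FAILURES:
            return False
        ok = (len(k) == N_KEY and all(ch in ALPHABET for ch in k) and
              hmac.compare_digest(E(pw, r, to_bytes(G(k, u["s"]))), u["container"]))
        u["failures"] = 0 if ok else u["failures"] + 1
        return ok

def client_login(server, uid, pw):
    """4.1.2 client side: try each candidate r, decrypt, let H look at the
    picture (assumption: this is how the user recovers r, see lead-in).
    Returns (accepted, number of pictures the user had to look at)."""
    container = server.users[uid]["container"]
    for r in range(2 ** M_BITS):
        k = recognise(from_bytes(Dec(pw, r, container)))
        if k is not None:
            return server.login(uid, pw, r, k), r + 1
    return False, 2 ** M_BITS
```

With a wrong password every candidate r yields noise, so the simulated human never reports a key and the server is never contacted; the failure counter only ever counts attempts that reach the server.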
An adversary with the aid of a machine may capture the key container and try to attack the system. However, the expenditure will soon frustrate him into giving up, since the G function is a hard AI problem [10]; the reason is explained in the analysis sections. The selection of security parameters, the security assumptions, and the property and analysis of E_{pw||r}(G(k, s)) are described as follows.

4.2. Selection of security parameters

Let |X| denote the entropy (bits) of the set X. B_pw is the set of passwords that people select. F_m denotes a set of random numbers of m bits, m ∈ {0, 1, 2, . . .}. S_c is a set of random numbers of c bits. To resist brute force attack, the security parameters n (of A_n) and c must satisfy the inequality |A_n| + |S_c| = (6n + c) > 80.

In the following analysis, we use the average attack space to define the strength of security. It is a simple way to compare different authentication techniques by looking at the number of trial-and-error attempts they impose on an attacker. For example, an attacker faced with a four-digit combination lock has a job 10 times as hard as one faced with a three-digit lock. To compare how well these locks resist trial-and-error attacks, and to compare their strength against others, we estimate the number of guesses the attacker must make, on average, to find the user's secret. We call this metric the average attack space.

To attack passwords, Klein [9,11] collected encrypted password files from numerous Unix systems, courtesy of friends and colleagues in the United States and the United Kingdom. This collection yielded approximately 15,000 different user account entries, each with its own password. Klein then constructed a set of password dictionaries and a set of mechanisms to systematically permute the dictionary into likely variations. Klein's word selection strategies produced a basic dictionary of over 60,000 items. The list included names of people, places, fictional references, mythical references, specialized terms, biblical terms, words from Shakespeare, Yiddish, mnemonics, and so on. After applying strategies to permute the words in typical ways (capitalization, obvious substitutions, and transpositions) he produced a password space containing over 3.3 million possibilities. After systematically searching this space, Klein managed to crack 24.2% of all passwords in the collection of accounts. This yields an average attack space of 3,300,000/(2 × 0.242) ≈ 2^23.

Klein's attack space is much smaller than the space of a brute force attack. For example, a general Unix-like password contains at least eight characters, each selected from the same character set as in the selection of A_n: {62 alphanumeric characters, $, #} (2^6 legal characters). The average attack space of brute force is therefore (2^6)^8/2 = 2^47, which is much larger than Klein's. Hence, Klein's average attack space will be adopted in our analysis.

4.3. Security assumptions

1. When the cost of extracting a key from the key container is equal to or larger than that of a brute force attack on the key itself, we say the key container is secure. We assume that a brute force attack fails when the entropy of the search space is larger than 80 bits.

2. The average number of guesses for finding the correct password is 2^23 according to Klein's average attack space (for general Unix-like passwords) [9,11].

In order to evaluate the attacker's expense, we also make the following assumptions. H must spend T seconds recognizing whether each picture contains a random string of A_n or not. A human being earns C dollars for a daily 8 h of work watching the decrypted pictures.
Property 1. It is computationally infeasible for M (machine) alone to extract k from E_{pw||r}(G(k, s)).

Analysis: There are three possible attacks.

(Attack 1) M computes G(k, s)' = D_{pw'||r'}(E_{pw||r}(G(k, s))) using guessed pw' and r', and then extracts k from G(k, s)'. Discussion: Even if M correctly guesses pw and r and computes G(k, s) = D_{pw||r}(E_{pw||r}(G(k, s))), it still cannot compute G^{-1}(k, s) to get k, because G is a human-trapdoor function; therefore the attack fails.

(Attack 2) M simultaneously guesses pw', r', k' and s', computes E_{pw'||r'}(G(k', s')), and then verifies whether E_{pw'||r'}(G(k', s')) equals E_{pw||r}(G(k, s)). Discussion: This attack fails because the space of the four parameters (pw, r, k and s) is much larger than 80 bits.

(Attack 3) M computes the set ST = {G(k', s') | for any k' ∈ A_n, s' ∈ S_c}. Afterwards, M picks pw' from B_pw and r' from F_m, computes G(k, s)' = D_{pw'||r'}(E_{pw||r}(G(k, s))), and checks whether G(k, s)' matches an element of ST. If a match is found, the attack is over; otherwise M eliminates pw' from B_pw and r' from F_m and repeats the process. Discussion: The entropy |ST| is larger than 80 bits according to the assumption (6n + c) > 80, so it is not feasible for M to check whether G(k, s)' matches an element of ST. By security assumption 1, this attack fails.

Property 2. It is computationally feasible for an attacker involving both M (machine) and H (human) to obtain a user's key from E_{pw||r}(G(k, s)). Nevertheless, the attacker needs to spend a great deal: a minimum of 145 × 2^m × T working days to extract the user's key k, where T is the average time (in seconds) a human being needs to recognize whether a decrypted picture contains a random string of A_n.

Analysis: Since both G(k, s)' and G(k, s) are random pictures, M cannot verify the validity of the guessed pw' and r' by exploring the structure of G(k, s)' = D_{pw'||r'}(E_{pw||r}(G(k, s))). Accordingly, M's involvement cannot reduce the entropy of the password space. M computes G(k, s)' = D_{pw'||r'}(E_{pw||r}(G(k, s))) using guessed pw' and r', and then H examines the decrypted picture G(k, s)' to see whether a random string of A_n exists in it. If none is found, M and H repeat the attempt with new values pw'' and r'' until a random string of A_n is discovered in the decrypted picture. Once a random string of A_n is discovered in G(k, s)', the user's key k is obtained and the attack is over. In this attack, H must be involved to recognize the decrypted picture in each guess. Since the computer's decryption time is much less than the human's picture-recognition time, we neglect the decryption time in the following analysis. The average attack space in guessing r' is 2^{m−1} and the average attack space in guessing the password is 2^23. Since H must spend T seconds recognizing whether each decrypted picture contains a random string of A_n, H needs to spend 2^{22+m} × T seconds in total, on average. If T is equal to 1 s, the total time is 2^{22+m}/(8 × 60 × 60) = 145 × 2^m working days. This approaches 9.5 × 10^6 working days if the system selects m = 16. Even if the parameter m is reduced to 8, an attacker needs to spend an average of 3.7 × 10^4 working days extracting a user's key. If a human being H who works 8 h watching pictures earns a wage of C dollars, an attacker needs to spend at least $2^{22+m} × T × C/(8 × 60 × 60) = $145 × 2^m × T × C on extracting a user's key from the key container. If m = 16, C = 100 and T = 1, an attacker needs to spend an average of $9.5 × 10^8 extracting a user's key from our key container, whereas the user needs only 1 s to extract it.
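The cost model of Sections 4.2 and 4.3 and of Property 2, carried through as an added Python example (not the authors' code), extended with a helper that picks the smallest m meeting a target attacker cost, a choice the paper discusses only qualitatively. Defaults T = 1 s and C = 100 dollars follow the paper; the user-cost function assumes the client tries each candidate r and shows the user the resulting picture.

```python
"""Cost model from Sections 4.2-4.3 and Property 2 (added example, not the
authors' code). Units follow the paper: T in seconds per picture, C in
dollars per 8 h working day."""
import math

DAY_SECONDS = 8 * 60 * 60   # one working day of picture watching

def average_attack_space_bits(candidates, crack_fraction):
    """Klein-style metric: expected guesses per cracked secret, in bits.
    The paper's numbers: 3,300,000 candidates, 24.2% cracked -> about 2^23."""
    return math.log2(candidates / (2 * crack_fraction))

def brute_force_bits(alphabet_size, length):
    """Average attack space of exhaustive search: alphabet^length / 2."""
    return math.log2(alphabet_size ** length / 2)

def container_params_ok(n, c):
    """Section 4.2: |A_n| + |S_c| = 6n + c must exceed 80 bits so that the
    machine-only Attack 3 (enumerating every G(k', s')) stays infeasible."""
    return 6 * n + c > 80

def human_assisted_attack(m, T=1.0, C=100.0, password_bits=23):
    """Property 2: 2^23 average password guesses times 2^(m-1) average guesses
    of r, each costing T human-seconds; returns guesses, working days, dollars."""
    guesses = 2 ** (password_bits + m - 1)         # = 2^(22+m) for the paper's 2^23
    days = guesses * T / DAY_SECONDS
    return {"guesses": guesses, "days": days, "dollars": days * C}

def smallest_m(target_days, T=1.0):
    """Adaptive security level: the fewest bits of r for which the expected
    human-assisted attack takes at least target_days working days."""
    m = 1
    while human_assisted_attack(m, T)["days"] < target_days:
        m += 1
    return m

def user_cost(m, T=1.0):
    """The legitimate user's side of the trade-off (assumption: the client
    tries each candidate r and shows the picture): worst case 2^m pictures."""
    return {"worst_pictures": 2 ** m, "worst_seconds": 2 ** m * T}
```

For m = 8 the model reproduces the paper's figures (about 3.7 × 10^4 working days and $3.7 × 10^6 at C = 100), while the user looks at no more than 256 pictures.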
Even if the parameter m is reduced to 8, an attacker needs to spend an average of $3.7 × 10^6 extracting a user's key. According to the above analysis of Property 1, our container resists the machine-only attack. The analysis of Property 2 shows that it may be computationally feasible for an attacker who involves both M and H to obtain a user's key; nevertheless, the time and expenditure required are large enough to thwart the attacker. The cost and time will hardly be cut down even if computer processing power increases over the years, because the human recognition time for a picture cannot effectively be reduced by technical training. The security of our key container is adaptive: by increasing the entropy (bits) of the random number r, the user can increase an attacker's cost, but this also increases the time the user needs to extract his own key. How to choose the entropy of r depends on the cost of the key container and the security requirement. According to the above analysis, even if the user selects a random number r of only 8 bits, an attacker involving both M and H still needs to spend 2^{22+8}/(8 × 60 × 60) ≈ 37,000 working days. The time and expenditure for extracting a user's key are large enough to frustrate the attacker's attempt.

5. Conclusion

For media service systems on the Internet, user authentication is the essential companion to the access control of the media system. Some subscription pay-media services on the Internet additionally encrypt the media to protect it. Where the encryption (decryption) keys are placed may look trivial, but it is a crucial issue for users: how to practically protect a user's key at different security levels. We have proposed a novel and practical software key container for on-line media services.
Our key container uses a human-trapdoor distortion function and a symmetric cipher to protect the user's key, so that breaking the system by machine attack alone is computationally infeasible. The idea is to ensure that a person must participate in verifying each guessed password during an attack. The user can adjust the security level of the container to the security requirement; therefore, the attacker cannot extract the user's key within a reasonable time and budget. We use only simple hash operations and a symmetric encryption system on the user's machine. If the user has only a microprocessor-based system with some simple devices such as an LCD and a keypad, the software container can also be embedded easily. Our key container is a possible solution to key storage, and it is very convenient, efficient and practical for the user.
References

[1] Tan DS, Keyani P, Czerwinski M. Spy-resistant keyboard: more secure password entry on public touch screen displays. In: Proceedings of OZCHI, 2005. p. 1–10.
[2] Brostoff S, Sasse MA. Are Passfaces more usable than passwords? A field trial investigation. In: Proceedings of HCI on People and Computers XIV, 2000. p. 405–24.
[3] Jain A, Hong L, Pankanti S. Biometric identification. Commun ACM 2000;43(2):90–8.
[4] Pankanti H, Bolle MR, Jain A. Special issue on biometrics: the future of identification. Computer 2000;33(2):46–80.
[5] PKCS #5: Password-based encryption standard. RSA Laboratories Technical Note, Version 1.5, November 1, 1993.
[6] Hoover D, Kausik B. Software smart cards via cryptographic camouflage. In: Proceedings of the IEEE symposium on security and privacy, 1999. p. 209–15.
[7] Wang X, Heydari MH, Lin H. An intrusion-tolerant password authentication system. In: Proceedings of the 19th annual computer security applications conference (ACSAC 2003). IEEE; 2003.
[8] Kwon T. Virtual software tokens – a practical way to secure PKI roaming. InfraSec 2002, LNCS 2437. p. 288–302.
[9] Laih CS, Ding L, Huang YM. Password-only authenticated key establishment protocol without public key cryptography. Electron Lett 2005;41(4):85–6.
[10] Ahn LV, Blum M, Hopper NJ, Langford J. CAPTCHA: using hard AI problems for security. Eurocrypt 2003:294–311.
[11] Smith RE. The strong password dilemma. CSI Computer Security Journal, 2002.
[12] Roman R, Zhou J, Lopez J. An anti-spam scheme using pre-challenges. Comput Commun 2006;29(15):2739–49.
[13] Bellovin S, Merritt M. Encrypted key exchange: password-based protocols secure against dictionary attacks. In: Proceedings of the 1992 IEEE computer society symposium on research in security and privacy. p. 72–84.
[14] Bellovin S, Merritt M. Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise. In: Proceedings of the 1st ACM conference on computer and communications security, 1993. p. 244–50.
[15] Jablon D. Extended password key exchange protocols immune to dictionary attack. In: Proceedings of the 6th IEEE workshops on enabling technologies: infrastructure for collaborative enterprises, 1997. p. 248–55.
[16] Jablon D. Strong password-only authenticated key exchange. ACM SIGCOMM Comput Commun Rev 1996;26(5):5–26.
[17] Wu T. The secure remote password protocol. In: Proceedings of the 1998 network and distributed system security symposium, 1998. p. 97–111.
[18] Boyko V, MacKenzie P, Patel S. Provably secure password-authenticated key exchange using Diffie-Hellman. In: Preneel B, editor. Advances in cryptology – EUROCRYPT 2000, LNCS 1807. Springer-Verlag; 2000. p. 156–71.
[19] Katz J, Ostrovsky R, Yung M. Efficient password authenticated key exchange using human-memorable passwords. In: Pfitzmann B, editor. Advances in cryptology – EUROCRYPT 2001, LNCS 2045. Springer-Verlag; 2001. p. 475–94.
[20] Bellare M, Pointcheval D, Rogaway P. Authenticated key exchange secure against dictionary attacks. In: Preneel B, editor. Advances in cryptology – EUROCRYPT 2000, LNCS 1807. Springer-Verlag; 2000. p. 139–55.
[21] MacKenzie P, Patel S, Swaminathan R. Password authenticated key exchange based on RSA. In: Okamoto T, editor. ASIACRYPT 2000, LNCS 1976. Springer-Verlag; 2000. p. 599–613.
[22] Pinkas B, Sander T. Securing passwords against dictionary attacks. In: Proceedings of the ACM computer and communications security conference (CCS), 2002. p. 161–70.
Neng-Wen Wang received the BS degree in Electrical Engineering from Tatung University, Taiwan, ROC, in 1984, and the MS degree in Engineering Science from National Cheng Kung University, Taiwan, in 1992. He is currently a PhD candidate in Engineering Science at National Cheng Kung University. From 1985 to 1990, he was an Engineer in Computer System Design at the Chung Shan Institute of Science and Technology (CSIST). Since 1992, he has been on the faculty of Kao-Yuan Institute of Technology. His research interests include information security, cryptography and network security.

Yueh-Min Huang was born in Taiwan, ROC, in 1960. He received the BS degree in Engineering Science from National Cheng Kung University, Taiwan, in 1982, and the MS and PhD degrees in Electrical Engineering from the University of Arizona, Tucson, USA, in 1988 and 1991, respectively. He joined the Department of Engineering Science, National Cheng Kung University, as an Associate Professor in 1991 and became a Professor in 1999. He has been the chair of the Department of Engineering Science, National Cheng Kung University, since 2006. His research interests include multimedia communications, wireless networking, embedded systems, e-learning, and artificial intelligence. He is a Member of the IEEE, the IEEE Computational Intelligence Society, the Taiwanese Association for Artificial Intelligence, and the Chinese Fuzzy Systems Association. He is on the editorial boards of the Journal of Internet Technology, the International Journal of Internet Protocol Technology, and the International Journal of Ad Hoc and Ubiquitous Computing. He won the best paper award of the Computer Society of the Republic of China in 2003 and was one of the winners of the Acer Long-Term Prize in 1996, 1998, and 1999.