Breaking and fixing the Zero-knowledge password policy checks protocol by Kiefer and Manulis
KTH, School of Electrical Engineering and Computer Science (EECS).
2019 (English)
Independent thesis, Advanced level (degree of Master (Two Years)), 20 credits / 30 HE credits
Student thesis
Alternative title
Breaking and strengthening the protocol for password policy checks with zero knowledge by Kiefer and Manulis (Swedish)
Abstract [en]

Zero-knowledge password policy checks (ZKPPC) were introduced in Kiefer and Manulis' report from 2014. The protocol aimed to solve the longstanding problem of servers requiring clients to submit their password in plain text so that its strength can be checked. Their protocol was intended to eliminate the need for users to trust the server to store and handle passwords correctly, while still allowing the server to know that the registered password satisfies its policy. This thesis investigates the soundness of the protocol by Kiefer and Manulis and presents three new zero-day vulnerabilities discovered in the process. The vulnerabilities allow a dishonest user to prove adherence to the policy for passwords that do not actually satisfy it. Additionally, the thesis presents our new Proof of Inequality, which prevents one of these vulnerabilities, as well as an extension for an incomplete part of the protocol. The two remaining zero-day vulnerabilities are weaknesses in the protocol left for future research.

Abstract [sv]

Password policy checks with zero knowledge (Zero-knowledge password policy checks (ZKPPC)) were introduced in Kiefer and Manulis' report from 2014. The protocol aimed to solve the longstanding problem of servers requiring clients to show their passwords in plain text in order to guarantee that they are strong enough. Their protocol was intended to eliminate the need for users to trust the server to store and handle passwords correctly, while at the same time the server can know that the registered password is sufficiently strong. This thesis has investigated the soundness of the protocol by Kiefer and Manulis and will present three new zero-day weaknesses that were discovered during the work. In addition, this thesis presents our new Proof of Inequality, which prevents one of these weaknesses, as well as an extension of an incomplete part of the protocol. The two remaining zero-day weaknesses are weaknesses in the protocol that are left for future research.

Place, publisher, year, edition, pages
2019.
Series
TRITA-EECS-EX ; 2019:23
National Category
Computer and Information Sciences
Identifiers
URN: urn:nbn:se:kth:diva-248431
OAI: oai:DiVA.org:kth-248431
DiVA, id: diva2:1305199
External cooperation
AxCrypt
Educational program
Master of Science in Engineering - Computer Science and Technology
Available from: 2019-04-24
Created: 2019-04-16
Last updated: 2019-04-24
Bibliographically approved

Open Access in DiVA

fulltext (654 kB), 27 downloads
File information
File name: FULLTEXT01.pdf
File size: 654 kB
Checksum (SHA-512): 70938b284c99f96f6ac1f5eed0e9021b289ef7878c2cd710230e3366034ce39ca156f5e92b88918125b48a2de2db2cccf8d1a05610f7c6bd5b673c2c6a1bd8bb
Type: fulltext
Mimetype: application/pdf

By organisation
School of Electrical Engineering and Computer Science (EECS)
Computer and Information Sciences
