---
_id: '5887'
abstract:
- lang: eng
text: 'Cryptographic security is usually defined as a guarantee that holds except
when a bad event with negligible probability occurs, and nothing is guaranteed
in that bad case. However, in settings where such failure can happen with substantial
probability, one needs to provide guarantees even for the bad case. A typical
example is where a (possibly weak) password is used instead of a secure cryptographic
key to protect a session, the bad event being that the adversary correctly guesses
the password. In a situation with multiple such sessions, a per-session guarantee
is desired: any session for which the password has not been guessed remains secure,
independently of whether other sessions have been compromised. A new formalism
for stating such gracefully degrading security guarantees is introduced and applied
to analyze the examples of password-based message authentication and password-based
encryption. While a natural per-message guarantee is achieved for authentication,
the situation of password-based encryption is more delicate: a per-session confidentiality
guarantee only holds against attackers for which the distribution of password-guessing
effort over the sessions is known in advance. In contrast, for more general attackers
without such a restriction, a strong, composable notion of security cannot be
achieved.'
article_processing_charge: No
article_type: original
author:
- first_name: Gregory
full_name: Demay, Gregory
last_name: Demay
- first_name: Peter
full_name: Gazi, Peter
id: 3E0BFE38-F248-11E8-B48F-1D18A9856A87
last_name: Gazi
- first_name: Ueli
full_name: Maurer, Ueli
last_name: Maurer
- first_name: Bjorn
full_name: Tackmann, Bjorn
last_name: Tackmann
citation:
ama: 'Demay G, Gazi P, Maurer U, Tackmann B. Per-session security: Password-based
cryptography revisited. Journal of Computer Security. 2019;27(1):75-111.
doi:10.3233/JCS-181131'
apa: 'Demay, G., Gazi, P., Maurer, U., & Tackmann, B. (2019). Per-session security:
Password-based cryptography revisited. Journal of Computer Security. IOS
Press. https://doi.org/10.3233/JCS-181131'
chicago: 'Demay, Gregory, Peter Gazi, Ueli Maurer, and Bjorn Tackmann. “Per-Session
Security: Password-Based Cryptography Revisited.” Journal of Computer Security.
IOS Press, 2019. https://doi.org/10.3233/JCS-181131.'
ieee: 'G. Demay, P. Gazi, U. Maurer, and B. Tackmann, “Per-session security: Password-based
cryptography revisited,” Journal of Computer Security, vol. 27, no. 1.
IOS Press, pp. 75–111, 2019.'
ista: 'Demay G, Gazi P, Maurer U, Tackmann B. 2019. Per-session security: Password-based
cryptography revisited. Journal of Computer Security. 27(1), 75–111.'
mla: 'Demay, Gregory, et al. “Per-Session Security: Password-Based Cryptography
Revisited.” Journal of Computer Security, vol. 27, no. 1, IOS Press, 2019,
pp. 75–111, doi:10.3233/JCS-181131.'
short: G. Demay, P. Gazi, U. Maurer, B. Tackmann, Journal of Computer Security 27
(2019) 75–111.
date_created: 2019-01-27T22:59:10Z
date_published: 2019-01-01T00:00:00Z
date_updated: 2021-01-12T08:05:08Z
day: '1'
department:
- _id: KrPi
doi: 10.3233/JCS-181131
ec_funded: 1
intvolume: ' 27'
issue: '1'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2016/166
month: '01'
oa: 1
oa_version: Preprint
page: 75-111
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: Journal of Computer Security
publication_identifier:
issn:
- 0926227X
publication_status: published
publisher: IOS Press
quality_controlled: '1'
scopus_import: '1'
status: public
title: 'Per-session security: Password-based cryptography revisited'
type: journal_article
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 27
year: '2019'
...