Analysis of a Password Strengthening Technique and Its Practical Use

Abstract

Besides commonly used password strengthening techniques such as salting or repeated applications of a one-way function on the password, we account a less common procedure: the truncation of the output from a one-way function on the password. This technique is used in a Norwegian ATM and a similar method is part of an authentication protocol from Anderson and Lomas which makes use of collision-full hash functions. We depict a probabilistic bound on the probability of guessing the password in the Anderson-Lomas protocol and we propose some improvements on the protocol. Further, the improved protocol proves to be a good solution for a password based authentication between two devices that authenticate in the absence of a previously known secret or of a trusted third party. The protocol proves to have all the desired properties for this scenario.