Provably Secure Password Reset Protocol: Model, Definition, and Construction

摘要

Many online services adopt a password-based user authentication system because of its usability. However, several problems have been pointed out on it, and one of the well-known problems is that a user forgets his/her password and cannot login the services. To solve this problem, most online services support a backup authentication mechanism with which a user can reset a password. However, negative facts about security have been reported for a popular backup authentication mechanism. In this paper, we consider a provable security treatment for a password reset protocol. First, we formalize a model and security definitions. We consider security against active adversaries that can mount man-in-the-middle attacks and concurrent attacks. Then we propose a generic construction of a password reset protocol secure under our definitions based on pseudorandom functions and public key encryption. In addition, we implement a prototype of our protocol to evaluate its efficiency.