Some remarks on protecting weak keys and poorly-chosen secrets from guessing attacks

Authentication and key distribution protocols that utilize weak secrets (such as passwords and PINs) are traditionally susceptible to guessing attacks whereby an adversary iterates through a relatively small key space and verifies the correct guess. Such attacks can be defeated by the use of public key encryption and careful protocol construction. In their recent work, Lomas et al, investigated this topic and developed a methodology for avoiding guessing attacks while incurring only moderate overhead. In this paper we discuss several issues concerning the proposed solution and suggest modifications that remove some of the constraints (such as synchronized time and state retention by the server) and result in simpler and more efficient protocols.