We present an authenticated session-key generation protocol in a model where
the legitimate parties share only a human-memorizable password. The security
guarantee holds with respect to probabilistic polynomial-time adversaries that
control the communication channel (between the parties), and may omit, insert
and modify messages at their choice. Loosely speaking, the effect of such an
adversary that controls $m$ instances of the protocol is comparable to an
on-line attack in which an adversary is only allowed to make $O(m)$ queries of
the form ``is $w$ the password of Party A''. We stress that the result holds
also in case the passwords are selected at random from a small dictionary so
that it is feasible (for the adversary) to scan the entire dictionary.
Our contribution is a feasibility result: we show that, assuming the
existence of trapdoor permutations, password-based authenticated session-key
generation is possible.