Published by Kolby Downer. Modified about 1 year ago.

1
Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences
P submission: Password authentication using multiple servers
David Jablon
March 13, 2002

2
Password authentication using multiple servers [Jab2001]
- Author: David Jablon
- Presented at April 2001 RSA conference
- Published paper (Springer LNCS)
- Extends work of Ford & Kaliski 2000

3
Multi-server systems
- Ford & Kaliski, WETICE, June 2001
  - Multiple servers share responsibility to defend against password database cracking
- Ford & Kaliski, proceedings, Sep
  - Prior server-authenticated channel not needed for password security

4
A neat trick
Alice holds “small” P; Bob holds big y.
  Alice -> Bob: $P^x$
  Bob -> Alice: $(P^x)^y$
  Alice computes $K = (P^{xy})^{1/x} = P^y$
- converts low-entropy secret P into big secret K
- uses prime order group (e.g. mod p)
$Q_A = g^{2R_A}$, $K_1 = Q_B^{2R_A}$, $K_2 = Q_B^P$, $K = h(K_1, K_2)$

5
Do it twice [Ford & Kaliski 2000]
Alice holds P; $\mathrm{Bob}_1$ holds $y_1$; $\mathrm{Bob}_2$ holds $y_2$.
  Alice -> each Bob: $P^x$
  $\mathrm{Bob}_1$ -> Alice: $(P^x)^{y_1}$
  $\mathrm{Bob}_2$ -> Alice: $(P^x)^{y_2}$
  Alice computes $K_1 = P^{y_1}$, $K_2 = P^{y_2}$, $K_m = h(K_1 \| K_2)$

6
Benefits of multiple servers
- Alice uses $K_m$ as a master key to encrypt all kinds of stuff, with less fear of her stuff being cracked.
- the password “database” is split.
- all Bobs must collude to get a chance to crack it.

7
Main points of [Jab2001] paper
- Alice tests $K_m$ before using it in public
- Alice signs $P^x$ to prove she’s real
- no server pre-auth (as in [FK2001b])
- Alice can use $P = g_1 g_2^{\mathrm{hash}(\mathrm{Password})}$
  - to sleep better when o(x) << p
- forgiveness protocol
- better handling of errors in password entry

8
Test $K_m$ before using
Alice holds P; Bobs hold $y_1$, $y_2$.
$V = \mathrm{owf}(K_m)$
  Alice -> Bobs: $P^x$
  Bobs -> Alice: $(P^x)^{y_1}$, $(P^x)^{y_2}$
  Alice computes $K_m = h(P^{y_1} \| P^{y_2})$
  if $\mathrm{owf}(K_m) \neq V$, abort (don’t reveal $f(K_m)$)

9
Sign {$P^x$}
Alice holds P; Bobs hold $y_1$, $y_2$.
$V = \mathrm{owf}(K_m)$
  Alice -> Bobs: $P^x$
  Bobs -> Alice: $(P^x)^{y_1}$, $(P^x)^{y_2}$
  Alice computes $K_m = h(P^{y_1} \| P^{y_2})$; verify $K_m$ == V
  Alice -> Bobs: $\mathrm{Priv}_{Alice}\{P^x\}$
  If no valid signature in time, log failure

10
Compound base (1)
- use group G of order q $2^{160}$, p
- $g_1$ & $g_2$ not related by known exponents; try $g_1$ = hash(“1”), $g_2$ = hash(“2”)
- $P = g_1 g_2^{\mathrm{hash}(\mathrm{Password})}$
- x, y in range [0, q]
- uses smaller group in case short exponents don’t work out so well for the group of order ~ (open question)

11
Compound base (2)
- Since x, y are uniformly chosen random values in [1, o(G)], each value $P^x$, $P^y$ individually reveals zero information
- Would be nice to have a proof that this construction doesn’t introduce other new problems
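The blinded exchange from the "A neat trick", "Do it twice" and "Test K_m before using" slides, run with the compound base from the "Compound base" slides, as an added Python example that is not from the original deck or paper. The 61-bit toy group, SHA-256 standing in for h and owf, the hash-then-square mapping for g1 and g2, and all function names are assumptions made so the code runs offline.

```python
import hashlib, hmac, secrets

def is_prime(n):  # deterministic Miller-Rabin, valid for n < 3.3e24
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    def witness(a):
        y = pow(a, d, n)
        return y not in (1, n - 1) and all(pow(y, 2**r, n) != n - 1 for r in range(1, s))
    return not any(witness(a) for a in bases)

# Toy parameters (assumption): first safe prime p = 2q + 1 with q > 2**60.
# The squares mod p form a group of prime order q; far too small for real use.
q = 2**60 + 1
while not (is_prime(q) and is_prime(2 * q + 1)):
    q += 2
p = 2 * q + 1

def H(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def to_group(label):  # hash, then square: lands in the group, log_g1(g2) unknown
    return pow(H(label) % p, 2, p)

g1, g2 = to_group(b"1"), to_group(b"2")

class Bob:
    def __init__(self):
        self.y = secrets.randbelow(q - 1) + 1  # big per-server secret y
    def harden(self, blinded):  # returns (P^x)^y; rejects values outside the group
        if not 1 < blinded < p or pow(blinded, q, p) != 1:
            raise ValueError("input not in the order-q group")
        return pow(blinded, self.y, p)

def master_key(password, bobs):
    P = g1 * pow(g2, H(password.encode()) % q, p) % p  # compound base
    x = secrets.randbelow(q - 1) + 1                   # fresh blinding exponent
    shares = [pow(b.harden(pow(P, x, p)), pow(x, -1, q), p) for b in bobs]  # K_i = P^y_i
    return hashlib.sha256(b"".join(k.to_bytes(8, "big") for k in shares)).digest()

def owf(km):
    return hashlib.sha256(b"verifier" + km).digest()

def login(password, bobs, V):  # test K_m first; on mismatch release nothing
    km = master_key(password, bobs)
    return km if hmac.compare_digest(owf(km), V) else None
```

Enrollment is `V = owf(master_key(password, bobs))`; each later `login` draws a new x, so the Bobs see a different blinded value every time while Alice recovers the same K_m.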

12
Password-in-exponent problem revisited
$(g_1 g_2^{\mathrm{hash}(\mathrm{Password})})^x$
$(g_1 g_2^{\mathrm{hash}(\mathrm{Password})})^y$

13
Forgiveness protocol
Scene: Alice mistypes a few passwords $P_1, P_2, \ldots, P_n$, but finally gets P right.
- Alice signs & sends prior mistaken values $\mathrm{Priv}_{Alice}\{P_1^{x_1}, P_2^{x_2}, \ldots, P_n^{x_n}\}$ to each $\mathrm{Bob}_n$.
- Each $\mathrm{Bob}_n$ forgives Alice for a few mistakes, if she proves P in time.
- Mistakes not counted towards illegal login thresholds.

14
Relevance to
- Variation of public-key retrieval scheme
- Composite P used in {DL,EC}REDP-2
- Appears potentially useful for PKA Schemes
- Forgiveness protocol
- Fodder for an annex?
