Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 1 P1363.2 submission: Password authentication using m ultiple servers David Jablon March 13,

Similar presentations


Presentation on theme: "Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 1 P1363.2 submission: Password authentication using m ultiple servers David Jablon March 13,"— Presentation transcript:

1 Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 1 P submission: Password authentication using m ultiple servers David Jablon March 13, 2002

2 Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 2 Password authentication using multiple servers [Jab2001]  Author: David Jablon  Presented at April 2001 RSA conference  Published paper (Springer LNCS)  Extends work of Ford & Kaliski 2000

3 Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 3 Multi-server systems  Ford & Kaliski, WETICE, June 2001 Multiple servers share responsibility to defend against password database crackingMultiple servers share responsibility to defend against password database cracking  Ford & Kaliski, proceedings, Sep Prior server-authenticated channel not needed for password securityPrior server-authenticated channel not needed for password security

4 Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 4 Q A = g 2 R A Q A = g 2 R A  K 1 = Q B 2 R A K 1 = Q B 2 R A K 2 = Q B P K 2 = Q B P K = h( K 1, K 2 ) K = h( K 1, K 2 ) Alice “small” P Bob big y converts low-entropy secret P into big secret K uses prime order group (e.g. mod p) (P x ) y  (P x ) y P x P x  K = (P x y ) (1/ x) K = P y A neat trick

5 Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 5 Alice P Bob 1 y 1 (P x ) y 1  (P x ) y 1 (P x ) y 2  (P x ) y 2 P x P x  K 1 = P y 1 K 2 = P y 2 K m = h(K 1 || K 2 ) [Ford & Kaliski 2000] Bob 2 y 2 Do it twice

6 Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 6  Alice uses K m as a master key to encrypt all kinds of stuff, with less fear of her stuff being cracked.  the password “database” is split.  all Bobs must collude to get a chance to crack it. Benefits of multiple servers

7 Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 7 Main points of [Jab2001] paper Alice tests K m before using it in publicAlice tests K m before using it in public Alice signs P x to prove she’s realAlice signs P x to prove she’s real no server pre-auth (as in [FK2001b])no server pre-auth (as in [FK2001b]) Alice can use P = g 1  g 2 hash(Password)Alice can use P = g 1  g 2 hash(Password) to sleep better when o(x) << pto sleep better when o(x) << p forgiveness protocolforgiveness protocol better handling of errors in password entrybetter handling of errors in password entry

8 Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 8 Alice P Bobs y 1 y 2 (P x ) y 1  (P x ) y 1 (P x ) y 2  (P x ) y 2 V = owf(K m )  V = owf(K m ) P x P x  K m = h(P y 1 || P y 2 ) if owf(K m )  V, abort (don’t reveal f(K m )) Test K m before using

9 Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 9 Alice P Bobs y 1 y 2 (P x ) y 1  (P x ) y 1 (P x ) y 2  (P x ) y 2 V = owf(K m )  V = owf(K m ) If no valid signature in time, log failure P x P x  K m = h(P y 1 || P y 2 ) verify K m == V Priv Alice { P x } Priv Alice { P x }  Sign {P x }

10 Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 10 use group G of order q  2 160, p  use group G of order q  2 160, p  g 1 & g 2 not related by known exponents try g 1 =hash(“1”), g 2 =hash(“2”)g 1 & g 2 not related by known exponents try g 1 =hash(“1”), g 2 =hash(“2”) P = g 1  g 2 hash(Password)P = g 1  g 2 hash(Password) x, y in range [0, q]x, y in range [0, q] uses smaller group in case short exponents don’t work out so well for the group of order ~ (open question)uses smaller group in case short exponents don’t work out so well for the group of order ~ (open question) Compound base (1)

11 Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 11 Since x, y are uniformly chosen random values in [1, o(G)], each value P x, P Y individually reveals zero informationSince x, y are uniformly chosen random values in [1, o(G)], each value P x, P Y individually reveals zero information Would be nice to have a proof that this construction doesn’t introduce other new problemsWould be nice to have a proof that this construction doesn’t introduce other new problems Compound base (2)

12 Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 12 (g 1  g 2 hash(Password) ) x(g 1  g 2 hash(Password) ) x (g 1  g 2 hash(Password) ) y(g 1  g 2 hash(Password) ) y Password-in-exponent problem revisited

13 Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 13 Forgiveness protocol Scene: Alice mistypes a few passwords P 1, P 2,..., P n, but finally gets P right. Alice signs & sends prior mistaken values Priv Alice { P 1 x 1, P 2 x 2,..., P n x n } to each Bob n.Alice signs & sends prior mistaken values Priv Alice { P 1 x 1, P 2 x 2,..., P n x n } to each Bob n. Each Bob n forgives Alice for a few mistakes, if she proves P in time.Each Bob n forgives Alice for a few mistakes, if she proves P in time. Mistakes not counted towards illegal login threshholds.Mistakes not counted towards illegal login threshholds.

14 Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 14 Relevance to Variation of public-key retrieval schemeVariation of public-key retrieval scheme Composite P used in {DL,EC}REDP-2Composite P used in {DL,EC}REDP-2 Appears potentially useful for PKA SchemesAppears potentially useful for PKA Schemes Forgiveness protocolForgiveness protocol Fodder for an annex?Fodder for an annex?

15 Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 15


Download ppt "Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 1 P1363.2 submission: Password authentication using m ultiple servers David Jablon March 13,"

Similar presentations


Ads by Google