Download presentation

Presentation is loading. Please wait.

Published byKolby Downer Modified over 3 years ago

1
Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 1 P1363.2 submission: Password authentication using m ultiple servers David Jablon March 13, 2002

2
Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 2 Password authentication using multiple servers [Jab2001] Author: David Jablon Presented at April 2001 RSA conference Published paper (Springer LNCS) Extends work of Ford & Kaliski 2000

3
Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 3 Multi-server systems Ford & Kaliski, WETICE, June 2001 Multiple servers share responsibility to defend against password database crackingMultiple servers share responsibility to defend against password database cracking Ford & Kaliski, proceedings, Sep. 2001 Prior server-authenticated channel not needed for password securityPrior server-authenticated channel not needed for password security

4
Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 4 Q A = g 2 R A Q A = g 2 R A K 1 = Q B 2 R A K 1 = Q B 2 R A K 2 = Q B P K 2 = Q B P K = h( K 1, K 2 ) K = h( K 1, K 2 ) Alice “small” P Bob big y converts low-entropy secret P into big secret K uses prime order group (e.g. mod p) (P x ) y (P x ) y P x P x K = (P x y ) (1/ x) K = P y A neat trick

5
Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 5 Alice P Bob 1 y 1 (P x ) y 1 (P x ) y 1 (P x ) y 2 (P x ) y 2 P x P x K 1 = P y 1 K 2 = P y 2 K m = h(K 1 || K 2 ) [Ford & Kaliski 2000] Bob 2 y 2 Do it twice

6
Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 6 Alice uses K m as a master key to encrypt all kinds of stuff, with less fear of her stuff being cracked. the password “database” is split. all Bobs must collude to get a chance to crack it. Benefits of multiple servers

7
Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 7 Main points of [Jab2001] paper Alice tests K m before using it in publicAlice tests K m before using it in public Alice signs P x to prove she’s realAlice signs P x to prove she’s real no server pre-auth (as in [FK2001b])no server pre-auth (as in [FK2001b]) Alice can use P = g 1 g 2 hash(Password)Alice can use P = g 1 g 2 hash(Password) to sleep better when o(x) << pto sleep better when o(x) << p forgiveness protocolforgiveness protocol better handling of errors in password entrybetter handling of errors in password entry

8
Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 8 Alice P Bobs y 1 y 2 (P x ) y 1 (P x ) y 1 (P x ) y 2 (P x ) y 2 V = owf(K m ) V = owf(K m ) P x P x K m = h(P y 1 || P y 2 ) if owf(K m ) V, abort (don’t reveal f(K m )) Test K m before using

9
Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 9 Alice P Bobs y 1 y 2 (P x ) y 1 (P x ) y 1 (P x ) y 2 (P x ) y 2 V = owf(K m ) V = owf(K m ) If no valid signature in time, log failure P x P x K m = h(P y 1 || P y 2 ) verify K m == V Priv Alice { P x } Priv Alice { P x } Sign {P x }

10
Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 10 use group G of order q 2 160, p 2 1000use group G of order q 2 160, p 2 1000 g 1 & g 2 not related by known exponents try g 1 =hash(“1”), g 2 =hash(“2”)g 1 & g 2 not related by known exponents try g 1 =hash(“1”), g 2 =hash(“2”) P = g 1 g 2 hash(Password)P = g 1 g 2 hash(Password) x, y in range [0, q]x, y in range [0, q] uses smaller group in case short exponents don’t work out so well for the group of order ~2 1000. (open question)uses smaller group in case short exponents don’t work out so well for the group of order ~2 1000. (open question) Compound base (1)

11
Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 11 Since x, y are uniformly chosen random values in [1, o(G)], each value P x, P Y individually reveals zero informationSince x, y are uniformly chosen random values in [1, o(G)], each value P x, P Y individually reveals zero information Would be nice to have a proof that this construction doesn’t introduce other new problemsWould be nice to have a proof that this construction doesn’t introduce other new problems Compound base (2)

12
Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 12 (g 1 g 2 hash(Password) ) x(g 1 g 2 hash(Password) ) x (g 1 g 2 hash(Password) ) y(g 1 g 2 hash(Password) ) y Password-in-exponent problem revisited

13
Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 13 Forgiveness protocol Scene: Alice mistypes a few passwords P 1, P 2,..., P n, but finally gets P right. Alice signs & sends prior mistaken values Priv Alice { P 1 x 1, P 2 x 2,..., P n x n } to each Bob n.Alice signs & sends prior mistaken values Priv Alice { P 1 x 1, P 2 x 2,..., P n x n } to each Bob n. Each Bob n forgives Alice for a few mistakes, if she proves P in time.Each Bob n forgives Alice for a few mistakes, if she proves P in time. Mistakes not counted towards illegal login threshholds.Mistakes not counted towards illegal login threshholds.

14
Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 14 Relevance to 1363.2 Variation of public-key retrieval schemeVariation of public-key retrieval scheme Composite P used in {DL,EC}REDP-2Composite P used in {DL,EC}REDP-2 Appears potentially useful for PKA SchemesAppears potentially useful for PKA Schemes Forgiveness protocolForgiveness protocol Fodder for an annex?Fodder for an annex?

15
Copyright © 2001 Integrity Sciences, Inc. Integrity Sciences 15

Similar presentations

OK

20-751 ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.

20-751 ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.

© 2019 SlidePlayer.com Inc.

All rights reserved.

To make this website work, we log user data and share it with processors. To use this website, you must agree to our Privacy Policy, including cookie policy.

Ads by Google