Published by Juan Moran
Password-based authenticated key exchange
Ravi Sandhu

© Ravi Sandhu,
Variations
Public-key cryptography must be used
Public-key cryptography and password protocols, Shai Halevi and Hugo Krawczyk, ACM Transactions on Information and System Security (TISSEC), Volume 2, Issue 3 (August 1999), Pages:
Two variations
No public-key certificates (no PKI)
Use public-key certificates (requires PKI)

References
Comprehensive and long list of references
Principal reference for this lecture: S. M. Bellovin and M. Merritt, Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks, Proceedings of the I.E.E.E. Symposium on Research in Security and Privacy, Oakland, May
This is not your grandmother's network login, Jab96

Broken approaches: use password directly (authentication only)
Original Telnet - vulnerable to eavesdropping
Client, Server: pwd
Challenge-Response
Client, Server: challenge, h(challenge,pwd)

Broken approaches: use hashed password (authentication only)
Challenge-Response
Client, Server: challenge, h(challenge,f(pwd))
Don't need to store cleartext password on the server
Dictionary attack on f(pwd) stored at server remains a vulnerability

Kerberos is vulnerable
Client, Authentication Server, Ticket Granting Server (k_TGS), Server (k_S)
Request T_{C,TGS}
T_{C,TGS}, ENC_{k_C}(TGS, k_{C,TGS}, …)
T_{C,TGS}, ENC_{k_{C,TGS}}(authenticator)
ENC_{k_{C,TGS}}(k_{C,S}, …)
Communication under k_{C,S}
The trouble: k_C is defined to be some one-way function of password!

Patel's classification (Pat97)
Querying attacker: can initiate sessions with the server while pretending to be a legitimate client
Eavesdropping attacker: can eavesdrop on legitimate runs of the protocol
Active attacker: can intercept, drop, insert packets

SSL (and SSH) solution (need PKI)
Client, Server: pwd, over server-side SSL
Needs PKI
Has its pitfalls

Pre-EKE: use password directly (authentication and key exchange)
User (pwd), Server (pwd)
1. U
2. ENC_pwd(random)
3. ENC_random(challenge_U)
4. ENC_random(challenge_U, challenge_S)
5. ENC_random(challenge_S)

EKE: DH version [BM92]
User (pwd), Server (pwd)
1. U, ENC_pwd(g^x)
2. ENC_pwd(g^y), ENC_k(challenge_S)
3. ENC_k(challenge_U, challenge_S)
4. ENC_k(challenge_U)
K = f(g^{xy})

EKE: DH version [BM92]
Potential problems [Patel, S&P97]:
Suppose an active attacker, instead of sending g and p in clear, chooses to send g^d and p, where d is a small prime and d | (p-1). Then (g^{dy})^{(p-1)/d} = 1 mod p.
When the attacker receives the password-encrypted value ENC_pwd(g^y), he tries to decrypt it with different candidate passwords and raises each decrypted number to the power (p-1)/d. If the result is not 1, that password is rejected.
Since (p-1)/d of the p-1 numbers are d-th power residues, on average 1/d of the numbers will be congruent to 1 when raised to (p-1)/d.
At each session the space of possible passwords is reduced to 1/d of its size, so the space of valid passwords is narrowed to 1 at a logarithmic rate (typically, log p).
Avoidance: The attack succeeds because g^d is not a generator. To confirm that g is a generator it is necessary and sufficient to check that g^{(p-1)/m} ≠ 1 mod p for all factors m of p-1.

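The generator check from the avoidance note, as an added example that is not part of the original slides. It assumes p is already known to be prime and that p-1 can be factored; TOY_P, TOY_G and all function names are constructed for illustration, and only prime factors m are tested, which is equivalent to testing every factor m > 1.

```python
# Added example: validating Diffie-Hellman parameters (g, p) before running EKE.
# TOY_P is a constructed toy modulus; real groups use primes of 2048 bits or more.

TOY_P = 31   # p - 1 = 30 = 2 * 3 * 5
TOY_G = 3    # a generator of Z_31^*


def prime_factors(n):
    """Distinct prime factors of n by trial division (adequate for a toy modulus)."""
    factors, f = set(), 2
    while f * f <= n:
        while n % f == 0:
            factors.add(f)
            n //= f
        f += 1
    if n > 1:
        factors.add(n)
    return factors


def failing_factors(g, p):
    """Prime factors m of p-1 with g^((p-1)/m) = 1 mod p; empty for a generator."""
    return sorted(m for m in prime_factors(p - 1) if pow(g, (p - 1) // m, p) == 1)


def is_generator(g, p):
    """Accept g only if it passes the check for every prime factor m of p-1."""
    return 1 < g < p and not failing_factors(g, p)


def count_dth_power_residues(p, d):
    """How many values in 1..p-1 satisfy x^((p-1)/d) = 1 mod p."""
    return sum(1 for x in range(1, p) if pow(x, (p - 1) // d, p) == 1)


if __name__ == "__main__":
    print("honest g accepted:", is_generator(TOY_G, TOY_P))
    for d in (3, 5):
        bad_g = pow(TOY_G, d, TOY_P)  # the substituted base g^d from the slide
        print(f"g^{d} = {bad_g}: accepted={is_generator(bad_g, TOY_P)}, "
              f"fails for m={failing_factors(bad_g, TOY_P)}")
    # (p-1)/d of the p-1 values are d-th power residues, i.e. a 1/d fraction
    print("d-th power residues for d=3:", count_dth_power_residues(TOY_P, 3))
```

A party that runs this check on received parameters rejects g^d before encrypting anything under the password, so the (p-1)/d test described above has nothing to work on.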
[BPR Eurocrypt2000]
User (pwd), Server (pwd)
1. U, ENC_pwd(g^x)
2. ENC_pwd(g^y), H(k,1)
3. H(k,2)
User computes:
k = f(u, s, g^x, g^y, g^{xy})
k = H(k,0)
sid = A, ENC_pwd(g^x), B, ENC_pwd(g^y)
pid = B
Server computes:
k = f(u, s, g^x, g^y, g^{xy})
k = H(k,0)
sid = A, ENC_pwd(g^x), B, ENC_pwd(g^y)
pid = A

[BPR Eurocrypt2000]
[BM92] proved secure (in ROM and ICM)
Theorem. Let q_se, q_re, q_co, q_ex, q_or be integers and let q = q_se + q_re + q_co + q_ex + q_or. Let Password be a finite set of size N and assume |G|^{1/2}/q ≥ N ≥ 1. Let PW be the associated LL-key generator as discussed above, and SK the associated session key space. Assume the weak corruption model. Then
Adv^{fs}_{P,PW,SK}(t, q_se, q_re, q_co, q_ex, q_or) <= q_se/N + q_se · q_or · Adv^{dh}_{G,g}(t', q_or) + O(q^2)/|G| + O(1)/|G|^{1/2}
where t' = t + O(q_se + q_or).

SPEKE: [Jablon, CCR96]
User (pwd), Server (pwd)
1. U, f(pwd)^x
2. f(pwd)^y
3. ENC_k(challenge_U)
4. ENC_k(challenge_U, challenge_S)
5. ENC_k(challenge_S)
Both sides: k = h(f(pwd)^{xy})

[MacK01b]
In this paper we prove (in the random oracle model) that a certain instantiation of the SPEKE protocol that uses hashed passwords instead of non-hashed passwords is a secure password-authenticated key exchange protocol (using our relaxed definition) based on a new assumption, the Decision Inverted-Additive Diffie-Hellman assumption. Since this is a new security assumption, we investigate its security and relation to other assumptions; specifically we prove a lower bound for breaking this new assumption in the generic model, and we show that the computational version of this new assumption is equivalent to the Computational Diffie-Hellman assumption.