
Slide 1: Password-based authenticated key exchange
Ravi Sandhu

Slide 2: Variations (© Ravi Sandhu, 2002)

- Public-key cryptography must be used
  - "Public-key cryptography and password protocols", Shai Halevi and Hugo Krawczyk, ACM Transactions on Information and System Security (TISSEC), Volume 2, Issue 3 (August 1999), pages 230-268
- Two variations
  - No public-key certificates (no PKI)
  - Use public-key certificates (requires PKI)

Slide 3: References

- http://www.integritysciences.com/links.html
- Comprehensive and long list of references
- Principal reference for this lecture.
- S. M. Bellovin and M. Merritt, "Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks", Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, May 1992.
- "This is not your grandmother's network login" Jab96

Slide 4: Broken approaches: use password directly (authentication only)

Original Telnet - vulnerable to eavesdropping
  Client -> Server: pwd

Challenge-Response
  Server -> Client: challenge
  Client -> Server: h(challenge, pwd)

Slide 5: Broken approaches: use hashed password (authentication only)

Challenge-Response
  Server -> Client: challenge
  Client -> Server: h(challenge, f(pwd))

- Don't need to store cleartext password on the server
- Dictionary attack on f(pwd) stored at server remains a vulnerability

Slide 6: Kerberos is vulnerable

Parties: Client, Authentication Server, Ticket Granting Server (k_TGS), Server (k_S)

  Client -> Authentication Server: Request T_{C,TGS}
  Authentication Server -> Client: T_{C,TGS}, ENC_{k_C}(TGS, k_{C,TGS}, …)
  Client -> Ticket Granting Server: T_{C,TGS}, ENC_{k_{C,TGS}}(authenticator)
  Ticket Granting Server -> Client: ENC_{k_{C,TGS}}(k_{C,S}, …)
  Client <-> Server: Communication under k_{C,S}

The trouble: k_C is defined to be some one-way function of password!

Slide 7: Patel's classification (Pat97)

- Querying attacker
  - Can initiate sessions with the server while pretending to be a legitimate client
- Eavesdropping attacker
  - Can eavesdrop on legitimate runs of the protocol
- Active attacker
  - Can intercept, drop, insert packets

Slide 8: SSL (and SSH) solution (need PKI)

Diagram labels: Server-side SSL between Client and Server; pwd sent from Client to Server.

- Needs PKI
- Has its pitfalls

Slide 9: Pre-EKE: use password directly (authentication and key exchange)

User (pwd) and Server (pwd). Messages, in slide order:
  U
  ENC_pwd(random)
  ENC_random(challenge_U)
  ENC_random(challenge_U, challenge_S)
  ENC_random(challenge_S)

Slide 10: EKE: DH version [BM92]

User (pwd) and Server (pwd)
  User -> Server: U, ENC_pwd(g^x)
  Server -> User: ENC_pwd(g^y), ENC_k(challenge_S)
  User -> Server: ENC_k(challenge_U, challenge_S)
  Server -> User: ENC_k(challenge_U)

K = f(g^{xy})

Slide 11: EKE: DH version [BM92]

Potential problems [Patel, S&P97]:
An active attacker, instead of sending g and p in the clear, chooses to send g^d and p, where d is a small prime and d | (p-1). Then (g^{dy})^{(p-1)/d} = 1 mod p. When the attacker receives the password-encrypted value ENC_pwd(g^y), he tries to decrypt it with different candidate passwords and raises each decrypted number to the power (p-1)/d. If the result is not 1, that candidate password is rejected. Since (p-1)/d of the p-1 numbers are d-th power residues, on average a fraction 1/d of the numbers will be congruent to 1 when raised to (p-1)/d. At each session the space of possible passwords is reduced to 1/d of its size, so the space of valid passwords narrows to 1 at a logarithmic rate (typically log p).

Avoidance:
The attack succeeds because g^d is not a generator. To find a generator g it is necessary and sufficient to check that g^{(p-1)/m} ≠ 1 mod p for all factors m of p-1.
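The avoidance check from slide 11 as a receiver-side parameter test. This is an added example, not code from the slides; it assumes p is prime, tests only the prime factors m of p-1 (equivalent to testing every factor m > 1), and uses constructed toy values p = 31, g = 3, d = 3.

```python
# Added example (not from the slides): check EKE group parameters before use.

def prime_factors(n):
    """Distinct prime factors of n by trial division (adequate for demo sizes)."""
    factors, f = set(), 2
    while f * f <= n:
        while n % f == 0:
            factors.add(f)
            n //= f
        f += 1
    if n > 1:
        factors.add(n)
    return factors

def is_generator(g, p):
    """True iff g generates Z_p^* (p prime): g^((p-1)/m) != 1 mod p
    for every prime factor m of p-1."""
    if not 1 < g < p:
        return False
    return all(pow(g, (p - 1) // m, p) != 1 for m in prime_factors(p - 1))

def residue_count(p, d):
    """Number of v in Z_p^* with v^((p-1)/d) == 1 mod p (the d-th power residues)."""
    return sum(1 for v in range(1, p) if pow(v, (p - 1) // d, p) == 1)

def responses_pass_test(base, p, d):
    """True if every base^y mod p satisfies the slide's test, i.e. a reply
    computed from this base always lands among the d-th power residues."""
    return all(pow(pow(base, y, p), (p - 1) // d, p) == 1 for y in range(1, p))

def accept_parameters(g, p):
    """Receiver-side check: refuse to run the exchange on a non-generator base."""
    if not is_generator(g, p):
        raise ValueError(f"base {g} does not generate Z_{p}^*; rejecting parameters")
    return g, p

# Constructed toy values: p = 31 (p-1 = 2*3*5), generator g = 3, d = 3.
P, G, D = 31, 3, 3

if __name__ == "__main__":
    print(is_generator(G, P))                      # honest base
    print(is_generator(pow(G, D, P), P))           # substituted base g^d
    print(residue_count(P, D), "of", P - 1)        # share of values passing the test
    print(responses_pass_test(pow(G, D, P), P, D))
```

With the substituted base, every reply falls in the one-third of the group that passes the test, which is what lets a wrong decryption be recognised; the generator check rejects that base before any reply is sent.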

Slide 12: [BPR Eurocrypt2000]

User (pwd) and Server (pwd)
  User -> Server: U, ENC_pwd(g^x)
  Server -> User: ENC_pwd(g^y), H(k, 1)
  User -> Server: H(k, 2)

User side:
  k = f(u, s, g^x, g^y, g^{xy})
  k = H(k, 0)
  sid = A, ENC_pwd(g^x), B, ENC_pwd(g^y)
  pid = B

Server side:
  k = f(u, s, g^x, g^y, g^{xy})
  k = H(k, 0)
  sid = A, ENC_pwd(g^x), B, ENC_pwd(g^y)
  pid = A

Slide 13: [BPR Eurocrypt2000]

[BM92] proved secure (in ROM and ICM)

Theorem. Let q_se, q_re, q_co, q_ex, q_or be integers and let q = q_se + q_re + q_co + q_ex + q_or. Let Password be a finite set of size N and assume |G|^{1/2}/q ≥ N ≥ 1. Let PW be the associated LL-key generator as discussed above, and SK be the associated session key space. Assume the weak corruption model. Then

  Adv^{fs}_{P,PW,SK}(t, q_se, q_re, q_co, q_ex, q_or) <= q_se/N + q_se · q_or Adv^{dh}_{G,g}(t', q_or) + O(q^2)/|G| + O(1)/|G|^{1/2}

where t' = t + O(q_se + q_or).

Slide 14: SPEKE: [Jablon, CCR96]

User (pwd) and Server (pwd)
  User -> Server: U, f(pwd)^x
  Server -> User: f(pwd)^y

Messages under k, in slide order:
  ENC_k(challenge_U)
  ENC_k(challenge_U, challenge_S)
  ENC_k(challenge_S)

Both sides compute k = h(f(pwd)^{xy})
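One honest run of the SPEKE key derivation from slide 14, with both sides' values. This is an added example, not code from the slides or from Jablon's paper; the ENC_k challenge messages are left out. Assumptions: the slide does not define f, so f(pwd) here hashes the password and squares it into the prime-order subgroup; the safe prime 2039 is a constructed toy value; the range check on the peer's value is an added safeguard.

```python
# Added example (not from the slides): SPEKE key derivation over a toy group.
import hashlib
import secrets

P = 2039            # constructed toy safe prime, P = 2*Q + 1; far too small for real use
Q = (P - 1) // 2    # 1019, prime order of the quadratic-residue subgroup

def f(pwd: str) -> int:
    """Assumed choice for the slide's f(pwd): hash into [2, P-2], then
    square, which always gives an element of order Q (never 0 or 1)."""
    h = int.from_bytes(hashlib.sha256(pwd.encode()).digest(), "big")
    return pow(2 + h % (P - 3), 2, P)

def check_peer_value(v: int) -> int:
    """Reject 0, 1, P-1 and out-of-range values, which would force
    f(pwd)^(xy) into a subgroup of at most two elements."""
    if not 2 <= v <= P - 2:
        raise ValueError("peer value outside [2, P-2]")
    return v

class Party:
    def __init__(self, pwd: str):
        self.base = f(pwd)
        self.secret = secrets.randbelow(Q - 1) + 1       # x or y, in [1, Q-1]
        self.public = pow(self.base, self.secret, P)     # f(pwd)^x or f(pwd)^y

    def session_key(self, peer_public: int) -> bytes:
        shared = pow(check_peer_value(peer_public), self.secret, P)
        return hashlib.sha256(str(shared).encode()).digest()  # k = h(f(pwd)^(xy))

def run(user_pwd: str, server_pwd: str):
    """Exchange the two public values and return (user key, server key)."""
    user, server = Party(user_pwd), Party(server_pwd)
    return user.session_key(server.public), server.session_key(user.public)

if __name__ == "__main__":
    k_user, k_server = run("correct horse", "correct horse")
    print("keys match:", k_user == k_server)
```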

Slide 15: [MacK01b]

In this paper we prove (in the random oracle model) that a certain instantiation of the SPEKE protocol that uses hashed passwords instead of non-hashed passwords is a secure password-authenticated key exchange protocol (using our relaxed definition) based on a new assumption, the Decision Inverted-Additive Diffie-Hellman assumption. Since this is a new security assumption, we investigate its security and relation to other assumptions; specifically we prove a lower bound for breaking this new assumption in the generic model, and we show that the computational version of this new assumption is equivalent to the Computational Diffie-Hellman assumption.

