Download presentation

Presentation is loading. Please wait.

Published byJuan Moran Modified over 3 years ago

1
1 Password-based authenticated key exchange Ravi Sandhu

2
© Ravi Sandhu, 2002 2 Variations Public-key cryptography must be used Public-key cryptography and password protocols, Shai Halevi and Hugo Krawczyk, ACM Transactions on Information and System Security (TISSEC), Volume 2, Issue 3 (August 1999), Pages: 230 - 268 Two variations No public-key certificates (no PKI) Use public-key certificates (requires PKI)

3
© Ravi Sandhu, 2002 3 References http://www.integritysciences.com/links.html Comprehensive and long list of references Principal reference for this lecture. S. M. Bellovin and M. Merritt, Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks, Proceedings of the I.E.E.E. Symposium on Research in Security and Privacy, Oakland, May 1992. This is not your grandmothers network login Jab96

4
© Ravi Sandhu, 2002 4 Broken approaches: use password directly (authentication only) Original Telnet - vulnerable to eavesdropping pwd ClientServer ClientServer challenge h(challenge,pwd) Challenge-Response

5
© Ravi Sandhu, 2002 5 Broken approaches: use hashed password (authentication only) ClientServer challenge h(challenge,f(pwd)) Challenge-Response Dont need to store cleartext password on the server Dictionary attack on f(pwd) stored at server remains a vulnerability

6
© Ravi Sandhu, 2002 6 Kerberos is vulnerable Client Authentication Server Ticket Granting Server (k TGS ) Server (k S ) Request T C,TGS T C,TGS, ENC k C (TGS, k C,TGS, …) T C,TGS, ENC k C,TGS (authenticator) ENC k C,TGS (k C,S, …) Communication under k C,S kSkS k TGS The trouble: k C is defined to be some one-way function of password!

7
© Ravi Sandhu, 2002 7 Patels classification (Pat97) Querying attacker Can initiate sessions with the server while pretending to be a legitimate client Eavesdropping attacker Can eavesdrop on legitimate runs of the protocol Active attacker Can intercept, drop, insert packets

8
© Ravi Sandhu, 2002 8 SSL (and SSH) solution (need PKI) pwd ClientServer Needs PKI Has its pitfalls Server-side SSL ClientServer

9
© Ravi Sandhu, 2002 9 Pre-EKE: use password directly (authentication and key exchange) User (pwd)Server (pwd) U ENC pwd (random) ENC random (challenge U ) ENC random (challenge U, challenge S ) ENC random (challenge S )

10
© Ravi Sandhu, 2002 10 EKE: DH version [BM92] User (pwd)Server (pwd) U, ENC pwd (g x ) ENC pwd (g y ), ENC k (challenge S ) ENC k (challenge U, challenge S ) ENC k (challenge U ) K = f(g xy )

11
© Ravi Sandhu, 2002 11 EKE: DH version [BM92] Potential problems [Patel, S&P97]: If an active attacker, instead of sending g and p in clear, chooses to send g d and p such that d is a small prime and d|(p-1). Then, (g dy ) (p-1)/d = 1 mod p. When the attacker receives the password encrypted ENC pwd (g y ), he tries to decrypt it with different candidate passwords and raises the decrypted number to (p-1)/d. If the result is not 1 then that password is rejected. Since (p-1)/d number out of p-1 number will be dth power residue, hence 1/d numbers on average will be congruent to 1 when raised to (p-1)/d. At each session the possible space of password is reduced to 1/d and the space of valid passwords will be narrowed to 1 at a logarithm rate (typically, logp). Avoidance: The success of the attack is due to the fact that g d is not a generator. To find a generator g it is necessary and sufficient to check that g (p-1)/m 1 mod p for all factors m of p-1.

12
© Ravi Sandhu, 2002 12 [BPR Eurocrypt2000] User (pwd)Server (pwd) U, ENC pwd (g x ) ENC pwd (g y ), H(k, 1) H(k,2) k = f(u,s, g x,g y,g xy ) k = H(k,0) sid = A, ENC pwd (g x ), B, ENC pwd (g y ) pid = B k = H(k,0) sid = A, ENC pwd (g x ), B, ENC pwd (g y ) pid = A k = f(u,s, g x,g y,g xy )

13
© Ravi Sandhu, 2002 13 [BPR Eurocrypt2000] [BM92] proved secure (in ROM and ICM) Theorem. Let q se, q re, q co, q ex, q or be integers and let q = q se + q re + q co + q ex + q or. Let Password be a finite set of size N and assume (|Ģ|) 1/2 /q N 1. Let PW be the associated LL-key generator as discussed above, SK be the associated session key space. Assume the weak corruption model. The Adv fs P,PW,SK (t,q se,q re,q co,q ex,q or ) <= q se /N + q se · q or Adv dh Ģ,g (t,q or ) + O(q 2 )/|Ģ| + O(1)/(|Ģ|) 1/2 Where t = t + O(q se +q or ).

14
© Ravi Sandhu, 2002 14 SPEKE: [Jablon, CCR96] User (pwd)Server (pwd) U, f(pwd) x ENC k (challenge U ) ENC k (challenge U, challenge S ) k = h(f(pwd) xy )) ENC k (challenge S ) f(pwd) y k = h(f(pwd) xy ))

15
© Ravi Sandhu, 2002 15 [ MacK01b ] In this paper we prove (in the random oracle model) that a certain instantiation of the SPEKE protocol that uses hashed passwords instead of non-hashed passwords is a secure password- authenticated key exchange protocol (using our relaxed definition) based on a new assumption, the Decision Inverted-Additive Diffie-Hellman assumption. Since this is a new security assumption, we investigate its security and relation to other assumptions; specifically we prove a lower bound for breaking this new assumption in the generic model, and we show that the computational version of this new assumption is equivalent to the Computational Diffie-Hellman assumption.

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google