We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byJuan Moran
Modified over 3 years ago
1 Password-based authenticated key exchange Ravi Sandhu
© Ravi Sandhu, 2002 2 Variations Public-key cryptography must be used Public-key cryptography and password protocols, Shai Halevi and Hugo Krawczyk, ACM Transactions on Information and System Security (TISSEC), Volume 2, Issue 3 (August 1999), Pages: 230 - 268 Two variations No public-key certificates (no PKI) Use public-key certificates (requires PKI)
© Ravi Sandhu, 2002 3 References http://www.integritysciences.com/links.html Comprehensive and long list of references Principal reference for this lecture. S. M. Bellovin and M. Merritt, Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks, Proceedings of the I.E.E.E. Symposium on Research in Security and Privacy, Oakland, May 1992. This is not your grandmothers network login Jab96
© Ravi Sandhu, 2002 4 Broken approaches: use password directly (authentication only) Original Telnet - vulnerable to eavesdropping pwd ClientServer ClientServer challenge h(challenge,pwd) Challenge-Response
© Ravi Sandhu, 2002 5 Broken approaches: use hashed password (authentication only) ClientServer challenge h(challenge,f(pwd)) Challenge-Response Dont need to store cleartext password on the server Dictionary attack on f(pwd) stored at server remains a vulnerability
© Ravi Sandhu, 2002 6 Kerberos is vulnerable Client Authentication Server Ticket Granting Server (k TGS ) Server (k S ) Request T C,TGS T C,TGS, ENC k C (TGS, k C,TGS, …) T C,TGS, ENC k C,TGS (authenticator) ENC k C,TGS (k C,S, …) Communication under k C,S kSkS k TGS The trouble: k C is defined to be some one-way function of password!
© Ravi Sandhu, 2002 7 Patels classification (Pat97) Querying attacker Can initiate sessions with the server while pretending to be a legitimate client Eavesdropping attacker Can eavesdrop on legitimate runs of the protocol Active attacker Can intercept, drop, insert packets
© Ravi Sandhu, 2002 8 SSL (and SSH) solution (need PKI) pwd ClientServer Needs PKI Has its pitfalls Server-side SSL ClientServer
© Ravi Sandhu, 2002 9 Pre-EKE: use password directly (authentication and key exchange) User (pwd)Server (pwd) U ENC pwd (random) ENC random (challenge U ) ENC random (challenge U, challenge S ) ENC random (challenge S )
© Ravi Sandhu, 2002 10 EKE: DH version [BM92] User (pwd)Server (pwd) U, ENC pwd (g x ) ENC pwd (g y ), ENC k (challenge S ) ENC k (challenge U, challenge S ) ENC k (challenge U ) K = f(g xy )
© Ravi Sandhu, 2002 11 EKE: DH version [BM92] Potential problems [Patel, S&P97]: If an active attacker, instead of sending g and p in clear, chooses to send g d and p such that d is a small prime and d|(p-1). Then, (g dy ) (p-1)/d = 1 mod p. When the attacker receives the password encrypted ENC pwd (g y ), he tries to decrypt it with different candidate passwords and raises the decrypted number to (p-1)/d. If the result is not 1 then that password is rejected. Since (p-1)/d number out of p-1 number will be dth power residue, hence 1/d numbers on average will be congruent to 1 when raised to (p-1)/d. At each session the possible space of password is reduced to 1/d and the space of valid passwords will be narrowed to 1 at a logarithm rate (typically, logp). Avoidance: The success of the attack is due to the fact that g d is not a generator. To find a generator g it is necessary and sufficient to check that g (p-1)/m 1 mod p for all factors m of p-1.
© Ravi Sandhu, 2002 12 [BPR Eurocrypt2000] User (pwd)Server (pwd) U, ENC pwd (g x ) ENC pwd (g y ), H(k, 1) H(k,2) k = f(u,s, g x,g y,g xy ) k = H(k,0) sid = A, ENC pwd (g x ), B, ENC pwd (g y ) pid = B k = H(k,0) sid = A, ENC pwd (g x ), B, ENC pwd (g y ) pid = A k = f(u,s, g x,g y,g xy )
© Ravi Sandhu, 2002 13 [BPR Eurocrypt2000] [BM92] proved secure (in ROM and ICM) Theorem. Let q se, q re, q co, q ex, q or be integers and let q = q se + q re + q co + q ex + q or. Let Password be a finite set of size N and assume (|Ģ|) 1/2 /q N 1. Let PW be the associated LL-key generator as discussed above, SK be the associated session key space. Assume the weak corruption model. The Adv fs P,PW,SK (t,q se,q re,q co,q ex,q or ) <= q se /N + q se · q or Adv dh Ģ,g (t,q or ) + O(q 2 )/|Ģ| + O(1)/(|Ģ|) 1/2 Where t = t + O(q se +q or ).
© Ravi Sandhu, 2002 14 SPEKE: [Jablon, CCR96] User (pwd)Server (pwd) U, f(pwd) x ENC k (challenge U ) ENC k (challenge U, challenge S ) k = h(f(pwd) xy )) ENC k (challenge S ) f(pwd) y k = h(f(pwd) xy ))
© Ravi Sandhu, 2002 15 [ MacK01b ] In this paper we prove (in the random oracle model) that a certain instantiation of the SPEKE protocol that uses hashed passwords instead of non-hashed passwords is a secure password- authenticated key exchange protocol (using our relaxed definition) based on a new assumption, the Decision Inverted-Additive Diffie-Hellman assumption. Since this is a new security assumption, we investigate its security and relation to other assumptions; specifically we prove a lower bound for breaking this new assumption in the generic model, and we show that the computational version of this new assumption is equivalent to the Computational Diffie-Hellman assumption.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Kerberos. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open source or in supported commercial software.
KERBEROS SYSTEM Kumar Madugula.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
1 SUBMITTED BY- PATEL KUMAR C.S.E(8 th - sem). SUBMITTED TO- Mr. DESHRAJ AHIRWAR.
Strong Password Protocols
KERBEROS LtCdr Samit Mehra (05IT 6018).
Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Kerberos Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed.
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
1 Cryptography CSS 329 Lecture 12: Kerberos. 2 Lecture Outline Kerberos - Overview - V4 - V5.
Kerberos Guilin Wang School of Computer Science 03 Dec
1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
SCSC 455 Computer Security
ISA 662 Internet Security Protocols Kerberos Prof. Ravi Sandhu.
Interlock Protocol - Akanksha Srivastava 2002A7PS589.
© 2017 SlidePlayer.com Inc. All rights reserved.