draft-harkins-emu-eap-pwd-01 Dan Harkins and Glen Zorn
What Problem Does It Solve? People use secrets to gain network access must be possible to for a human to remember the secret. secret be repeatedly entered with a high probability of correctness. The secret is therefore drawn from a set of secrets that is, most likely, limited and the secret is, quite possibly, cryptographically weak. This opens up the possibility of a dictionary attack. This protocol is resistant to dictionary attack and allows for a (possibly weak) secret to be used.
A Few Words About Dictionary Attack The attacker is presumed to have access to the set, D, of from which the secret is drawn and can enumerate each element of D. Attacks are made against honest participants and can be active or passive. If |D| = s, then after n attacks the probability of success is not significantly greater than 1/(s-n). Canonical definition: The advantage the attacker gains is due to interaction and not computation.
A Few Words About Dictionary Attack RFC3748 says: “the method does not allow an offline attack that has a work factor based on the number of passwords in an attacker's dictionary.” Therefore, merely increasing the size of the set from which the secret is drawn does not make a protocol resistant to dictionary attack. e.g. “the secret used is a random number between one and 264 therefore the protocol is resistant to dictionary attack.” – wrong!
How Does It Work? There are 3 exchanges in EAP-pwd Identity exchange-- because the one in EAP is not suitable. Commit exchange in which each side is cryptographically bound to a password guess Confirm exchange in which each side uses the other party’s commitment to prove knowledge of the shared secret. Finite Cyclic group from IKE’s IANA registry– can be either a prime modulus group or an elliptic curve group– is used. A “random oracle” (as defined in the Bellare and Rogaway paper on the subject) is defined using SHA-256.
Identity Exchange The EAP server announces its identity and the group to use. The EAP client announces its identity After the exchange a “password element”, PWE, in the agreed-upon group is fixed. with prime modulus groups this is done with a hash and exponentiation with elliptic curve groups this is done in a hunt-and-peck fashion to find a random point on the curve.
Commit Exchange Choose p_rand at random sp = (p_rand * G).x EAP client EAP server Choose p_rand at random sp = (p_rand * G).x elem_p = -(sp * PWE) scalar_p = (sp+p_rand) mod order Choose s_rand at random ss = (s_rand * G).x elem_s = -(ss * PWE) scalar_s = (ss+s_rand) mod order elem_s, scalar_s elem_p, scalar_p
Confirm Exchange kp = (p_rand * (scalar_s * PWE + element_s)).x EAP client EAP server kp = (p_rand * (scalar_s * PWE + element_s)).x confirm_p = H(kp | element_p | scalar_p | element_s | scalar_s) ks = (s_rand * (scalar_p * PWE + element_p)).x confirm_s = H(ks | element_s | scalar_s | element_p | scalar_p) confirm_s confirm_p kp = (p_rand * s_rand * PWE).x = ks MK = H(k | (element_s + element_p).x | (scalar_s + scalar_p) mod order)
An EMU Work Item? This sort of work is in the charter (or was at 8am this morning!) This method is useful and not YAPBEM password/secret-based authentication which is resistant to dictionary attack and does not require a CA or certificate robust security: it’s still secure when the “verify server cert” checkbox is unchecked when used with a tunneled method useful for methods whose security is predicated on secure provisioning of an initial credential. Instead of leaps of faith, use EAP-pwd