CIST/ETRI/ISIT/KDDI/Kyusyu Univ./NICT Joint Research Workshop on Ubiquitous Network Security 2005 Verifier-Based Password-Authenticated Key Exchange Jeong.


CIST/ETRI/ISIT/KDDI/Kyusyu Univ./NICT Joint Research Workshop on Ubiquitous Network Security 2005 Verifier-Based Password-Authenticated Key Exchange Jeong Ok Kwon December 17th, 2005

Motivation
A fundamental problem in cryptography is how to communicate securely over an insecure channel.
(Figure: two parties sharing a session key sk, which provides data privacy/integrity)

Motivation
How can we obtain a secret session key?
Public-key encryption or signature
–the cost is too high for certain applications
Password-Authenticated Key Exchange (PAKE)
–PAKE shares a secret key between specified parties using just a human-memorable password.
–convenience, mobility, and fewer hardware requirements
–no security infrastructure needed

Intrinsic Problem
Low entropy of passwords
–i.e., 4 or 8 characters, such as a natural-language phrase chosen to be easily memorized. So they are susceptible to dictionary attacks.
–On-line dictionary attacks
–Off-line dictionary attacks
Even tiny amounts of redundancy in the flows of the protocol could be used by the adversary to mount dictionary attacks.
-> A protocol for PAKE must be immune to off-line attacks

Classification for PAKE

Our work is about
In the Client/Server model
–Verifier-based PAKE
for two-party with same passwords
for two-party with different passwords
for multi-party with different passwords
(Figures: U1, holding pw1, and the Server, holding information for pw1, establish a 2-party session key sk; U1 with pw1 and U2 with pw2, while the Server holds information for pw1 and pw2, establish a 2-party sk; U1..U4 with pw1..pw4 establish a group key sk)

Symmetric model vs. Verifier-based model
Symmetric model
–the server stores a plaintext form of a password.
Asymmetric model (or verifier-based)
–the server stores a verifier for a password.
(Figure: in the symmetric model the server's password file holds pw1 for U1 and pw2 for U2)

Symmetric model vs. Verifier-based model
Asymmetric model (or verifier-based)
–the server stores a verifier for a password.
(Figure: in the verifier-based model the server's password file holds f(pw1) for U1 and f(pw2) for U2)
A verifier is the information computed from a password. It is computable from the password, whereas the reverse is infeasible in polynomial time.

Symmetric model vs. Verifier-based model
Asymmetric model (or verifier-based)
–it is designed to protect against server compromise, so that an attacker who is able to steal the password file from a server cannot later masquerade as a legitimate user without performing dictionary attacks.
(Figure: the server's password file holds f(pw1) for U1 and f(pw2) for U2)


Symmetric model vs. Verifier-based model
Asymmetric model (or verifier-based)
–even if the password file is compromised, the attacker still has to perform additional off-line dictionary attacks to find out the clients' passwords. This gives the server's administrator time to react and to inform the clients, which reduces the damage of the compromise.
(Figure: the server's password file holds f(pw1) for U1 and f(pw2) for U2)

Comparison with the related verifier-based protocol

Scheme / Parameters     | 2-party, same passwords    | 2-party, different passwords | multi-party, different passwords
                        | EPA        | Our scheme    | Our scheme                   | Our scheme
Round                   | 3          | 2             | 3                            | 3
Communication   U_i     | |p|+|l|    | 2|p|          |                              |
                S       | |p|+|l|    | 2|p|+|l|      | 4|p|                         | 3n|p|
Exponentiation  U_i     | 1          | 2             | 3                            | 3
                S       | 2          | 1             | 4                            | 2n
Security                | Forward secrecy (all schemes)
Assumptions             | DDH in R.O.| DDH in the standard model (our schemes)

[EPA] Y. H. Hwang, D. H. Yum, and P. J. Lee, "EPA: An Efficient Password-Based Protocol for Authenticated Key Exchange," ACISP.
|p| : length of a prime of Z_p^*, |l| : length of an output of a hash/MAC function, n : number of members in a group

Comparison with the related verifier-based protocol: PAKE for 2-party with same passwords

Schemes compared: B-SPEKE, SRP, AMP, PAK-Z, EPA, VB-EKE, our protocol.
Parameters: rounds, communication (U_i and S), exponentiations (U_i and S), security, assumptions.
Values surviving from the slide, in column order (the per-scheme assignment was lost in extraction; the round and exponentiation rows did not survive):
–Communication, U_i: 2|p|+|l|, |p|+|l|, 3|p|+|l|, |p|+|l|
–Communication, S: 3|p|+2|l|, 2|p|+2|l|, 2|p|+|l|, |p|+|l|, 2|p|+|l|
–Security: forward secrecy
–Assumptions: DDH in R.O., CDH in R.O., DDH in R.O., CDH in R.O., DDH in the standard model (our protocol)

[B-SPEKE] D. Jablon, "Extended password key exchange protocols immune to dictionary attack," WETICE'97 Workshop on Enterprise Security.
[SRP] T. Wu, "Secure remote password protocol," Proceedings of the ISOC NDSS Symposium, pages 99–111.
[AMP] T. Kwon, "Authentication and key agreement via memorable password," Proceedings of the ISOC NDSS Symposium.
[PAK-Z] P. MacKenzie, "The PAK suite: Protocols for Password-Authenticated Key Exchange," April.
[EPA] Y. H. Hwang, D. H. Yum, and P. J. Lee, "EPA: An Efficient Password-Based Protocol for Authenticated Key Exchange," ACISP.
[VB-EKE] M. Abdalla, O. Chevassut, and D. Pointcheval, "One-time Verifier-based Encrypted Key Exchange," PKC 05.
Password-based protocols submitted to IEEE P (Password-based Techniques): [B-SPEKE], [SRP], [AMP], [PAK-Z], [EPA].


Comparison with the related verifier-based protocol

Scheme / Parameters     | 2-party, same passwords    | 2-party, different passwords | multi-party, different passwords
                        | EPA        | Our scheme    | Our scheme                   | Our scheme
Round                   | 3          | 2             | 3                            | 3
Communication   U_i     | |p|+|l|    | 2|p|+|l|      |                              |
                S       | |p|+|l|    | 2|p|+|l|      | 4|p|                         | 3n|p|
Exponentiation  U_i     | 1          | 2             | 3                            | 3
                S       | 2          | 1             | 4                            | 2n
Security                | Forward secrecy (all schemes)
Assumptions             | DDH in R.O.| DDH in the standard model (our schemes)

|p| : length of a prime of Z_p^*, |l| : length of an output of a hash/MAC function, n : number of members in a group
The focus of this work is to construct secure and round-efficient verifier-based PAKE protocols for 2-/multi-party with different passwords.

Preliminary for our protocols
Public information
–G : a finite cyclic group of order q
–p : a safe prime such that p = 2q+1
–g_1, g_2 : generators of G
–H : a collision-resistant one-way hash function
–Mac = (Key.gen, Mac.gen, Mac.ver) : a secure message authentication code
Initialization step
–U_i selects a password pw_i
–U_i registers v_{i,1} = g_1^{H(U_i||S||pw_i)} mod p and v_{i,2} = g_2^{H(U_i||S||pw_i)} mod p (the verifiers of the password) with the server S over a secure channel.
–S stores them in a password file with an entry for each user U_i.
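The initialization step above, worked as an added example (not code from the slides or their authors): a client derives the two verifiers v_{i,1}, v_{i,2} from its password, the server stores only those, and the one-way relation means the server can recompute a verifier from a claimed password but cannot recover the password from its file. Assumptions: a constructed toy safe prime p = 2q+1 (far too small for real use), SHA-256 as H reduced into [1, q-1], and a dict as the password file.

```python
import hashlib

# Constructed toy parameters (NOT secure sizes): q = 1019 and p = 2q+1 = 2039
# are both prime, so p is a safe prime as on the slide.
Q = 1019
P = 2 * Q + 1
# Squares mod p lie in the order-q subgroup, so 4 and 9 generate G.
G1, G2 = 4, 9


def in_subgroup(x: int) -> bool:
    """Check that x is a non-identity element of the order-q subgroup G."""
    return 1 < x < P and pow(x, Q, P) == 1


def h_exponent(user: str, server: str, pw: str) -> int:
    """H(U_i || S || pw_i) from the slide. Assumption: SHA-256, mapped into
    [1, q-1] so the verifier is never the identity element."""
    data = f"{user}||{server}||{pw}".encode()
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)


def compute_verifiers(user: str, server: str, pw: str) -> tuple[int, int]:
    """v_{i,1} = g_1^H(...) mod p and v_{i,2} = g_2^H(...) mod p."""
    e = h_exponent(user, server, pw)
    return pow(G1, e, P), pow(G2, e, P)


def register(password_file: dict, user: str, server: str, pw: str) -> None:
    """Initialization step: the client sends its verifiers over a secure
    channel; the server stores them and never sees the password itself."""
    password_file[user] = compute_verifiers(user, server, pw)


def check_password(password_file: dict, user: str, server: str, pw: str) -> bool:
    """Illustrates the one-way relation only (not the key-exchange protocol):
    the server can recompute verifiers from a claimed password and compare,
    but the stored values alone do not yield the password."""
    entry = password_file.get(user)
    return entry is not None and entry == compute_verifiers(user, server, pw)
```

Because U_i and S are hashed in with the password, the same password registered by two users (or at two servers) yields different verifiers, so a stolen file cannot be attacked with one precomputed table for all entries.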

Verifier-based PAKE for 2-party with same passwords
(Figure: protocol flow between U_1 and the Server over rounds R1 and R2)

Verifier-based PAKE for 2-party with different passwords
Motivation
–PAKE for 2-party with same passwords
–What if a user wants to communicate securely with many users? The number of passwords that the user needs to memorize may grow linearly with the number of possible partners.
(Figure: one shared password pw per pair of users)

Verifier-based PAKE for 2-party with different passwords
Motivation
–PAKE for 2-party with different passwords
–each user only shares a password with a trusted server.
–the trusted server helps the users with different passwords to agree on a common session key.
(Figure: U1 holds pw1 and U2 holds pw2; the server holds f(pw1) and f(pw2))

(Figure: protocol flow among U_1, the Server and U_2 over rounds R1, R2 and R3)

Verifier-based PAKE for multi-party with different passwords
Motivation
–PAKE for multi-party with same passwords
–What if a user wants to communicate securely with many groups? The number of passwords that the user needs to memorize may grow linearly with the number of possible groups, and the members have to share a new password whenever one of them wants to communicate securely with a new group.
(Figure: a group sharing one password pw and a group key sk)

Verifier-based PAKE for multi-party with different passwords
Motivation
–PAKE for multi-party with different passwords
–each user only shares a password with a trusted server.
–the trusted server helps the users with different passwords to agree on a group key.
(Figure: U1..U4 hold pw1..pw4 and establish a group key sk)

Verifier-based PAKE for multi-party with different passwords
(Figures: protocol flow among the Server and U_1..U_4 over rounds R1, R2 and R3)

Security Goal: Verifier-based PAKE
Security against dictionary attacks
–passive eavesdropping does not help the adversary in computing any information about the password.
–only interactions with the instances help the adversary in computing information about the password.
Key secrecy
–no computationally bounded adversary (including the server) should learn anything about session keys shared between honest parties.
Server-compromise attack
–even if an adversary steals the password file from the server, the adversary still cannot impersonate a user without performing dictionary attacks on the password file.

Security Goal: Verifier-based PAKE
Forward secrecy
–the exposure of a password does not compromise previous session keys.
Denning-Sacco attack
1. even with the session key from an eavesdropped session, an adversary cannot gain the ability to impersonate the user directly.
2. an outside attacker cannot gain the ability to perform off-line dictionary attacks against the users' passwords using compromised session keys that were successfully established between honest entities.
3. an insider attacker who knows one user's password does not learn any information about other users' passwords from a session key successfully established with them.

Q & A Thank you !