Download presentation

Presentation is loading. Please wait.

Published byJuan Moran Modified over 4 years ago

1
1 Password-based authenticated key exchange Ravi Sandhu

2
© Ravi Sandhu, 2002 2 Variations Public-key cryptography must be used Public-key cryptography and password protocols, Shai Halevi and Hugo Krawczyk, ACM Transactions on Information and System Security (TISSEC), Volume 2, Issue 3 (August 1999), Pages: 230 - 268 Two variations No public-key certificates (no PKI) Use public-key certificates (requires PKI)

3
© Ravi Sandhu, 2002 3 References http://www.integritysciences.com/links.html Comprehensive and long list of references Principal reference for this lecture. S. M. Bellovin and M. Merritt, Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks, Proceedings of the I.E.E.E. Symposium on Research in Security and Privacy, Oakland, May 1992. This is not your grandmothers network login Jab96

4
© Ravi Sandhu, 2002 4 Broken approaches: use password directly (authentication only) Original Telnet - vulnerable to eavesdropping pwd ClientServer ClientServer challenge h(challenge,pwd) Challenge-Response

5
© Ravi Sandhu, 2002 5 Broken approaches: use hashed password (authentication only) ClientServer challenge h(challenge,f(pwd)) Challenge-Response Dont need to store cleartext password on the server Dictionary attack on f(pwd) stored at server remains a vulnerability

6
© Ravi Sandhu, 2002 6 Kerberos is vulnerable Client Authentication Server Ticket Granting Server (k TGS ) Server (k S ) Request T C,TGS T C,TGS, ENC k C (TGS, k C,TGS, …) T C,TGS, ENC k C,TGS (authenticator) ENC k C,TGS (k C,S, …) Communication under k C,S kSkS k TGS The trouble: k C is defined to be some one-way function of password!

7
© Ravi Sandhu, 2002 7 Patels classification (Pat97) Querying attacker Can initiate sessions with the server while pretending to be a legitimate client Eavesdropping attacker Can eavesdrop on legitimate runs of the protocol Active attacker Can intercept, drop, insert packets

8
© Ravi Sandhu, 2002 8 SSL (and SSH) solution (need PKI) pwd ClientServer Needs PKI Has its pitfalls Server-side SSL ClientServer

9
© Ravi Sandhu, 2002 9 Pre-EKE: use password directly (authentication and key exchange) User (pwd)Server (pwd) U ENC pwd (random) ENC random (challenge U ) ENC random (challenge U, challenge S ) ENC random (challenge S )

10
© Ravi Sandhu, 2002 10 EKE: DH version [BM92] User (pwd)Server (pwd) U, ENC pwd (g x ) ENC pwd (g y ), ENC k (challenge S ) ENC k (challenge U, challenge S ) ENC k (challenge U ) K = f(g xy )

11
© Ravi Sandhu, 2002 11 EKE: DH version [BM92] Potential problems [Patel, S&P97]: If an active attacker, instead of sending g and p in clear, chooses to send g d and p such that d is a small prime and d|(p-1). Then, (g dy ) (p-1)/d = 1 mod p. When the attacker receives the password encrypted ENC pwd (g y ), he tries to decrypt it with different candidate passwords and raises the decrypted number to (p-1)/d. If the result is not 1 then that password is rejected. Since (p-1)/d number out of p-1 number will be dth power residue, hence 1/d numbers on average will be congruent to 1 when raised to (p-1)/d. At each session the possible space of password is reduced to 1/d and the space of valid passwords will be narrowed to 1 at a logarithm rate (typically, logp). Avoidance: The success of the attack is due to the fact that g d is not a generator. To find a generator g it is necessary and sufficient to check that g (p-1)/m 1 mod p for all factors m of p-1.

12
© Ravi Sandhu, 2002 12 [BPR Eurocrypt2000] User (pwd)Server (pwd) U, ENC pwd (g x ) ENC pwd (g y ), H(k, 1) H(k,2) k = f(u,s, g x,g y,g xy ) k = H(k,0) sid = A, ENC pwd (g x ), B, ENC pwd (g y ) pid = B k = H(k,0) sid = A, ENC pwd (g x ), B, ENC pwd (g y ) pid = A k = f(u,s, g x,g y,g xy )

13
© Ravi Sandhu, 2002 13 [BPR Eurocrypt2000] [BM92] proved secure (in ROM and ICM) Theorem. Let q se, q re, q co, q ex, q or be integers and let q = q se + q re + q co + q ex + q or. Let Password be a finite set of size N and assume (|Ģ|) 1/2 /q N 1. Let PW be the associated LL-key generator as discussed above, SK be the associated session key space. Assume the weak corruption model. The Adv fs P,PW,SK (t,q se,q re,q co,q ex,q or ) <= q se /N + q se · q or Adv dh Ģ,g (t,q or ) + O(q 2 )/|Ģ| + O(1)/(|Ģ|) 1/2 Where t = t + O(q se +q or ).

14
© Ravi Sandhu, 2002 14 SPEKE: [Jablon, CCR96] User (pwd)Server (pwd) U, f(pwd) x ENC k (challenge U ) ENC k (challenge U, challenge S ) k = h(f(pwd) xy )) ENC k (challenge S ) f(pwd) y k = h(f(pwd) xy ))

15
© Ravi Sandhu, 2002 15 [ MacK01b ] In this paper we prove (in the random oracle model) that a certain instantiation of the SPEKE protocol that uses hashed passwords instead of non-hashed passwords is a secure password- authenticated key exchange protocol (using our relaxed definition) based on a new assumption, the Decision Inverted-Additive Diffie-Hellman assumption. Since this is a new security assumption, we investigate its security and relation to other assumptions; specifically we prove a lower bound for breaking this new assumption in the generic model, and we show that the computational version of this new assumption is equivalent to the Computational Diffie-Hellman assumption.

Similar presentations

OK

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

© 2018 SlidePlayer.com Inc.

All rights reserved.

To make this website work, we log user data and share it with processors. To use this website, you must agree to our Privacy Policy, including cookie policy.

Ads by Google