Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 11: Strong Passwords

Published byRegina Daniels Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 11: Strong Passwords"— Presentation transcript:

1 Lecture 11: Strong Passwords
problem statement Lamport’s hash encrypted key exchange (EKE) secure credentials download

2 Strong Password Protocols
Obtaining the benefits of cryptographic authentication with the user being able to remember passwords only in particular: no security information is kept at the user’s machine (the machine is trusted but not configured) someone impersonating either party will not be able to obtain information for off-line password guessing (online password guessing is not preventable)

3 Lamport’s Hash Bob stores <username, n, hn(password)>, n is a relatively large number, like 1000 Alice’s workstation sends hn-1(password) if successful, n is decremented, hn-1 replaces hn in Bob’s database Alice, password Alice Alice’s terminal n Alice Bob hn-1(password) why is sequence of hash transmissions reverse? because hash is one-way, if Trudy sees hn-1(password) she will not be able to find hn-2(password) trusted not trusted why is sequence of hash transmissions reverse? properties: safe against eavesdropping, database reading no authentication of Bob

4 Salting Lamport’s Hash
hn-1(pwd|salt) is used for authentication salt is stored at Bob’s at setup time, Bob sends salt each time along with n advantages: Alice can use the same password with multiple servers, why? what may happen if two servers pick the same salt? to ensure that the salt is different, servers name is also hashed in easy password reset (when reaches 1) – just change the salt defense dictionary attacks how would Trudy mount a dictionary attack without the salt? Alice can use the same password with multiple servers, why? if servers use different salt the hashes look different what may happen if two servers pick the same salt? Trudy can remember the hash, and when she predicts that the second server ask for the same N she supplies the hash how would Trudy mount a dictionary attack without the salt? compiles hashes of all the words in the dictionary starting from 1000

5 Lamport’s Hash: Other Properties
small n attack when Alice tries to login Trudy impersonates Bob and sends n’ < n and Bob’s salt, when Trudy gets the reply she can impersonate Alice after n is decremented to n’ defense: Alice’s workstation presents submitted n to Alice to verify the “approximate” range (Alice has to remember it) “human and paper” environment in case Alice workstation is not trusted or too “dumb” to do hashing Alice is given a list of all hashes starting from 1000, she uses each hash exactly once automatically prevents small n attack string size – 64 bits (~10 characters) is secure enough implemented as S/Key and standardized as one-time password system

6 Encryption-with-Password Protocols
share weak secret W = f(pwd) “Alice” Alice Bob challenge C W{C} dictionary attack, how? from C & W{C} problems: dictionary attack, how? server database disclosure

7 share weak secret W = f(pwd)
Enhanced with PKC: (EA&DA: per-session public/private key pair) Why not possible with secret key encryption? What is the weakness in this protocol? share weak secret W = f(pwd) “Alice”, W{EA} Alice Bob EA{C} W{C}

8 Encrypted Key Exchange (EKE)
key establishment as well as authentication EA&DA: per-session public/private key pair KAB – symmetric session key one of the W{.} may possibly be removed. In that case, the non-encrypting side should not issue the first challenge, why? “Alice”, W{EA} W{EA{KAB}} KAB{CA} In that case, the non-encrypting side should not issue the first challenge, why? reflection attack Alice Bob KAB{CA, CB} KAB{CB}

9 Encrypted Key Exchange (EKE)
what’s encrypted by weak key is ga, gb (which looks like a random number) – straightforward dictionary attack is impossible “Alice”, W{ga mod p} W{gb mod p, CA} can compute KAB = gab mod p Alice Bob KAB{CA, CB} KAB{CA}

10 Augmented EKE EKE vulnerable to database disclosure since Bob stores W in clear what’s the possible attack? defense: Augmented EKE – Alice knows the password, Bob knows a one-way hash of it Bob stores: gW mod p Alice Bob “Alice”, ga mod p gb mod p, H(gab mod p, gbW mod p) H’(gab mod p, gbW mod p) what’s the possible attack? if Trudy steals Alice’s password from Bob, Trudy can impersonate Alice

11 Secure Credentials Download
credential: Y – quantity used for authorization (to prove one’s identity) – something like a private key problem: download Alice’s credential to Alice’s workstation when Alice only knows her password “Alice”, W{ga mod p} what’s the possible attack? if Trudy steals Alice’s password from Bob, Trudy can impersonate Alice Alice Bob stores “Alice”, W, Y gb mod p, (gab mod p){Y}

Download ppt "Lecture 11: Strong Passwords"

Similar presentations

1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.

1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.

Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
CSE331: Introduction to Networks and Security Lecture 23 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 23 Fall 2002.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.

Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

Similar presentations

Ads by Google