CIST/ETRI/ISIT/KDDI/Kyusyu Univ./NICT Joint Research Workshop on Ubiquitous Network Security 2005 Verifier-Based Password-Authenticated Key Exchange Jeong.

Presentation transcript:

1 CIST/ETRI/ISIT/KDDI/Kyusyu Univ./NICT Joint Research Workshop on Ubiquitous Network Security 2005 Verifier-Based Password-Authenticated Key Exchange Jeong Ok Kwon December 17th, 2005

2 Motivation: a fundamental problem in cryptography is how to communicate securely over an insecure channel. (figure: two parties sharing a session key sk, used for data privacy and integrity)

3 Motivation: how can we obtain a secret session key?
Public-key encryption or signatures
– the cost (certificates, infrastructure, computation) is too high for certain applications
Password-Authenticated Key Exchange (PAKE)
– PAKE shares a secret key between specified parties using only a human-memorable password.
– convenience, mobility, and fewer hardware requirements
– no security infrastructure (no PKI) is needed

4 Intrinsic problem: the low entropy of passwords
– e.g., 4 to 8 characters, or a natural-language phrase chosen to be easy to memorize, so passwords are susceptible to dictionary attacks:
– on-line dictionary attacks (the adversary tests guesses by interacting with a party; these can be detected and throttled)
– off-line dictionary attacks (the adversary tests guesses against a recorded transcript, with no limit on the number of guesses)
Even tiny amounts of redundancy in the flows of the protocol can be used by the adversary to mount an off-line dictionary attack.
=> A PAKE protocol must be immune to off-line attacks.

5 Classification for PAKE

6 Our work: verifier-based PAKE in the client/server model
– for two parties with the same password
– for two parties with different passwords
– for multiple parties with different passwords

7 (figure) Two-party, same password: U1 holds pw1, the Server holds information for pw1; U1 and the Server establish a session key sk.

8 (figure) Two-party, different passwords: U1 holds pw1, U2 holds pw2, the Server holds information for pw1 and pw2; U1 and U2 establish a session key sk.

9 (figure) Multi-party, different passwords: U1, U2, U3, U4 hold pw1, pw2, pw3, pw4 and form a group with a common key sk.

10 Symmetric model vs. verifier-based model
Symmetric model
– the server stores the password itself, in plaintext form. (figure: U1 holds pw1, U2 holds pw2; the server stores pw1 and pw2)

11 Asymmetric model (or verifier-based)
– the server stores a verifier for each password. (figure: U1 holds pw1, U2 holds pw2; the server stores f(pw1) and f(pw2))
A verifier is information computed from a password. It is computable from the password, whereas inverting f without guessing the password is infeasible in polynomial time.

12 Asymmetric model (or verifier-based)
– it is designed to protect against server compromise: an attacker who steals the password file from the server cannot later masquerade as a legitimate user without first performing a dictionary attack.

14 Asymmetric model (or verifier-based)
– even if the password file is compromised, the attacker still has to perform an additional off-line dictionary attack to recover the clients' passwords. This gives the server's administrator time to react and to inform the clients, which reduces the damage of the compromise.

15 Comparison with the related verifier-based protocol

Scheme / parameters      EPA              Our scheme       Our scheme       Our scheme
Setting                  2-party,         2-party,         2-party,         multi-party,
                         same password    same password    different pw     different pw
Rounds                   3                2                3                3
Communication, U_i       |p|+|l|          2|p|             --               --
Communication, S         |p|+|l|          2|p|+|l|         4|p|             3n|p|
Exponentiations, U_i     1                2                3                3
Exponentiations, S       2                1                4                2n
Security                 forward secrecy in every column
Assumption               DDH in the       DDH in the standard model (all three of our schemes)
                         random oracle model

|p| : length of the prime p of Z_p^*; |l| : output length of the hash/MAC function; n : number of members in the group; -- : cell did not survive extraction.

16 Comparison with the related verifier-based protocols for 2-party PAKE with the same password

Scheme                 B-SPEKE  SRP  AMP  PAK-Z  EPA  VB-EKE  Our protocol
Rounds                 4        4    4    3      3    3       2
Exponentiations, U_i   2        2    2    3      1    1       2
Exponentiations, S     2        3    3    3      2    4       1
Security               forward secrecy in every column
Communication, U_i     (cells merged in extraction; values in column order): 2|p|+|l|, |p|+|l|, 3|p|+|l|, |p|+|l|
Communication, S       (same): 3|p|+2|l|, 2|p|+2|l|, 2|p|+|l|, |p|+|l|, 2|p|+|l|
Assumptions            (same): DDH in R.O., CDH in R.O., DDH in R.O., CDH in R.O.; our protocol: DDH in the standard model

[B-SPEKE] D. Jablon, "Extended password key exchange protocols immune to dictionary attack," WETICE'97 Workshop on Enterprise Security, 1997.
[SRP] T. Wu, "Secure remote password protocol," Proceedings of the ISOC NDSS Symposium, pp. 99–111, 1998.
[AMP] T. Kwon, "Authentication and key agreement via memorable password," Proceedings of the ISOC NDSS Symposium, 2001.
[PAK-Z] P. MacKenzie, "The PAK suite: Protocols for Password-Authenticated Key Exchange," http://grouper.ieee.org/groups/1363/passwdPK/contributions.html#Mac02, April 2002.
[EPA] Y. H. Hwang, D. H. Yum, and P. J. Lee, "EPA: An Efficient Password-Based Protocol for Authenticated Key Exchange," ACISP 2003.
[VB-EKE] M. Abdalla, O. Chevassut, and D. Pointcheval, "One-time Verifier-based Encrypted Key Exchange," PKC 2005.

17 Password-based protocols submitted to IEEE P1363.2 (Password-based Techniques): http://grouper.ieee.org/groups/1363/passwdPK/purpose.html

18 (same comparison table as slide 15) The focus of this work is on round-efficient verifier-based PAKE protocols.

19 (same table as slide 15; here the client communication of our 2-party scheme is listed as 2|p|+|l|) The focus of this work is to construct secure and round-efficient verifier-based PAKE protocols for 2-party and multi-party settings with different passwords.

20 Preliminaries for our protocols
Public information
– G : a finite cyclic group of prime order q
– p : a safe prime, p = 2q+1 (so G can be taken as the order-q subgroup of Z_p^*)
– g1, g2 : generators of G
– H : a collision-resistant one-way hash function
– Mac = (Key.gen, Mac.gen, Mac.ver) : a secure message authentication code
Initialization step
– U_i selects a password pw_i.
– U_i computes the verifiers of the password, v_{i,1} = g1^{H(U_i||S||pw_i)} mod p and v_{i,2} = g2^{H(U_i||S||pw_i)} mod p, and registers them with the server S over a secure channel.
– S stores them in a password file with one entry per user U_i.
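The initialization step above fixes everything needed to compute the verifiers, so the following Python example (added here; it is not the speaker's code) implements it with toy parameters and then plays the attacker of slides 12 and 14: holding a stolen password-file entry, it re-derives v_{i,1} for each candidate in a word list until one matches. Assumptions not stated on the slides: H is SHA-256 with a 0x00 separator between U_i, S and pw_i, the hash output is reduced modulo q to form the exponent, the 48-bit safe prime is a demonstration size only, and the word list and passwords are constructed.

```python
"""Verifier registration for a verifier-based PAKE (slide 20) and the
off-line dictionary attack that a stolen password file still permits
(slides 12, 14 and 32).  Added example; not the speaker's code."""
import hashlib
import random
from dataclasses import dataclass
from typing import Optional, Tuple

_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def _is_probable_prime(n: int, rounds: int = 32, rng=None) -> bool:
    """Miller-Rabin primality test with `rounds` random bases."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    rng = rng or random.Random(0)
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


@dataclass(frozen=True)
class Params:
    p: int   # safe prime p = 2q + 1
    q: int   # prime order of the subgroup G
    g1: int  # generators of G
    g2: int


def make_params(bits: int = 48, seed: int = 1) -> Params:
    """Deterministic toy parameters: a safe prime and two generators of
    the order-q subgroup.  48-bit p keeps the example fast; it is NOT a
    secure size (assumption of this example only)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if _is_probable_prime(q, rng=rng) and _is_probable_prime(p, rng=rng):
            break
    gens = []
    while len(gens) < 2:
        h = rng.randrange(2, p - 1)
        g = pow(h, 2, p)          # squaring lands in the order-q subgroup
        if g != 1 and g not in gens:
            gens.append(g)
    return Params(p, q, gens[0], gens[1])


def _exponent(user: str, server: str, pw: str, q: int) -> int:
    """H(U_i || S || pw_i) interpreted as an exponent modulo q.
    SHA-256 and the 0x00 separator are this example's assumptions."""
    data = b"\x00".join([user.encode(), server.encode(), pw.encode()])
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def register(user: str, server: str, pw: str, P: Params) -> Tuple[int, int]:
    """Client side of the initialization step: the verifier pair
    (v_{i,1}, v_{i,2}) that U_i sends to S over a secure channel."""
    x = _exponent(user, server, pw, P.q)
    return pow(P.g1, x, P.p), pow(P.g2, x, P.p)


def offline_dictionary_attack(user: str, server: str, v1: int,
                              candidates, P: Params) -> Tuple[Optional[str], int]:
    """Attacker holding a stolen password-file entry (U_i, v_{i,1}):
    re-derive v_{i,1} for each guess until it matches.  Each guess costs
    one exponentiation.  Returns (recovered password or None, guesses tried)."""
    tries = 0
    for guess in candidates:
        tries += 1
        if pow(P.g1, _exponent(user, server, guess, P.q), P.p) == v1:
            return guess, tries
    return None, tries


if __name__ == "__main__":
    P = make_params()
    v1, _ = register("alice", "server", "letmein", P)          # constructed
    wordlist = ["123456", "password", "letmein", "qwerty"]     # constructed
    print(offline_dictionary_attack("alice", "server", v1, wordlist, P))
```

The second half of the argument on slides 12 and 14 is visible in the attack's cost: one exponentiation per guess, so a password outside the attacker's word list yields nothing and a large list buys the administrator the reaction time the slide refers to. Because the exponent binds U_i and S into the hash, one precomputed table does not transfer across users or servers.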

21 Verifier-based PAKE for 2-party with the same password (figure: two message flows, R1 from U1 to the Server and R2 back)

22 Verifier-based PAKE for 2-party with different passwords
Motivation
– With PAKE for 2-party with the same password, what if a user wants to communicate securely with many users? The number of passwords the user must memorize grows linearly with the number of possible partners. (figure: one shared pw per partner)

23 Verifier-based PAKE for 2-party with different passwords
Motivation
– With PAKE for 2-party with different passwords, each user shares a password only with a trusted server.
– The trusted server helps two users holding different passwords agree on a common session key. (figure: U1 holds pw1, U2 holds pw2; the server stores f(pw1) and f(pw2))

24 (figure: three message flows R1, R2, R3 among U1, the Server and U2)

25 Verifier-based PAKE for multi-party with different passwords
Motivation
– With PAKE for multi-party with the same password, what if a user wants to communicate securely with many groups? The number of passwords the user must memorize grows linearly with the number of possible groups, and the members have to share a new password whenever one of them wants to communicate securely with a new group. (figure: a group sharing one pw and a key sk)

26 Verifier-based PAKE for multi-party with different passwords
Motivation
– With PAKE for multi-party with different passwords, each user shares a password only with a trusted server.
– The trusted server helps users holding different passwords agree on a group key. (figure: U1..U4 with pw1..pw4 form a group with key sk)

27–31 Verifier-based PAKE for multi-party with different passwords (figures: round R1 between the Server and U1..U4, round R2 from the Server to U1..U4, then round R3 among U1..U4 without the Server)

32 Security goals: verifier-based PAKE
Security against dictionary attacks
– passive eavesdropping does not help the adversary compute any information about the password.
– only active interaction with protocol instances (i.e., on-line guessing) helps the adversary learn information about the password.
Key secrecy
– no computationally bounded adversary (including the server) learns anything about session keys shared between honest parties.
Resistance to server compromise
– even if an adversary steals the password file from the server, it still cannot impersonate a user without performing a dictionary attack on the password file.

33 Security goals: verifier-based PAKE
Forward secrecy
– exposure of a password does not compromise previously established session keys.
Resistance to the Denning-Sacco attack (compromise of an old session key)
1. even with the session key of an eavesdropped session, an adversary cannot directly impersonate the user.
2. an outsider cannot use compromised session keys from sessions successfully established between honest parties to mount an off-line dictionary attack against the users' passwords.
3. an insider who knows one user's password learns nothing about other users' passwords from a session key successfully established with them.

34 Q & A Thank you !

