150 likes | 292 Views
Radia Perlman radia.perlman@sun.com. Password-based Credentials Download Protocols. Goal. To download private key, encrypted with the user’s password. The user’s “credential” WS has some minimal amount of (trusted) software installed, but no user-specific info
E N D
Radia Perlman radia.perlman@sun.com Password-based Credentials Download Protocols
Goal • To download private key, encrypted with the user’s password. The user’s “credential” • WS has some minimal amount of (trusted) software installed, but no user-specific info • User Alice’s private key and other info stored in central place “Bob” (e.g., the directory) • “Log into the network” means get Alice’s private key and everything else needed
Getting private key • It would be nice if we all carried smart cards • But do we need a backup if user loses it, or forgets it, or it is broken? • But also, we don’t seem to have smart cards
Download protocol • So, it might be nice to only need a password, and have a protocol that downloads the private key • Immune to dictionary attacks • By eavesdropper (passive attacker) • By Alice-impersonator • By Bob-impersonator
Building Blocks • Diffie-Hellman • EKE (Bellovin-Merritt) • Encrypt Diffie-Hellman exchange with W (W=password, the weak secret) • SPEKE (Jablon) • Replace base in Diffie-Hellman with W • PDM (Kaufman-Perlman) • Replace modulus in Diffie-Hellman with f(W)
EKE (designed for mutual authentication) Share W=h(pwd), g, p Bob Alice Pick A “Alice”, {gA mod p}W Pick B Decrypt {gA mod p}W Calculate K=gAB mod p Choose challenge C1 {gB mod p}W, {C1}K Choose challenge C2 {C1,C2}K {C2}K
SPEKE Share W, p Bob Alice Pick A “Alice”, WA mod p Pick B Calculate K=WAB mod p Choose challenge C1 WB mod p, {C1}K Choose challenge C2 {C1,C2}K {C2}K
PDM (Password Derived Moduli) Share p Bob Alice Pick A “Alice”, 2A mod p Pick B Calculate K=2AB mod p Choose challenge C1 2B mod p, {C1}K Choose challenge C2 {C1,C2}K {C2}K
But we don’t need mutual authentication, just credentials download • Which we can do in two messages
2-msg EKE-based Share g, p, W Bob Alice Pick A “Alice”, {gA mod p}W Calculate K=gAB mod p gB mod p, {Y}K
2-msg SPEKE-based Share W, p Bob Alice Pick A “Alice”, WA mod p Calculate K=WAB mod p WB mod p, {Y}K
2-msg PDM-based Share p Bob Alice Pick A “Alice”, 2A mod p Calculate K=2AB mod p 2B mod p, {Y}K
If we want to avoid strong password schemes • Just let Y be world-readable • Anyone can request it and do dictionary attack • An eavesdropper can do a dictionary attack • Could do CHAP-like thing to authenticate • Eavesdropper could do dictionary attack • Could enhance that with anonymous Diffie-Hellman initial exchange • Active attacker could be man-in-the-middle, or impersonate whichever side authenticates last, to gain dictionary attack
To avoid strong pwd schemes • Could do TLS, then CHAP-like thing • Requires good trust anchors at client, and certificate for server • No dictionary attack possible for eavesdropper or Alice-impersonator • Can’t have Bob-impersonator (since TLS would foil that)
Variants in Pre-shared Key TLS • PSK only • Eavesdropper and server get dictionary attack • DH-PSK • Bob-impersonator gets dictionary attack • RSA-PSK • Can’t impersonate Bob if Alice checks his cert