1 / 15

Password-based Credentials Download Protocols

Radia Perlman radia.perlman@sun.com. Password-based Credentials Download Protocols. Goal. To download private key, encrypted with the user’s password. The user’s “credential” WS has some minimal amount of (trusted) software installed, but no user-specific info

ave
Download Presentation

Password-based Credentials Download Protocols

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Radia Perlman radia.perlman@sun.com Password-based Credentials Download Protocols

  2. Goal • To download private key, encrypted with the user’s password. The user’s “credential” • WS has some minimal amount of (trusted) software installed, but no user-specific info • User Alice’s private key and other info stored in central place “Bob” (e.g., the directory) • “Log into the network” means get Alice’s private key and everything else needed

  3. Getting private key • It would be nice if we all carried smart cards • But do we need a backup if user loses it, or forgets it, or it is broken? • But also, we don’t seem to have smart cards

  4. Download protocol • So, it might be nice to only need a password, and have a protocol that downloads the private key • Immune to dictionary attacks • By eavesdropper (passive attacker) • By Alice-impersonator • By Bob-impersonator

  5. Building Blocks • Diffie-Hellman • EKE (Bellovin-Merritt) • Encrypt Diffie-Hellman exchange with W (W=password, the weak secret) • SPEKE (Jablon) • Replace base in Diffie-Hellman with W • PDM (Kaufman-Perlman) • Replace modulus in Diffie-Hellman with f(W)

  6. EKE (designed for mutual authentication) Share W=h(pwd), g, p Bob Alice Pick A “Alice”, {gA mod p}W Pick B Decrypt {gA mod p}W Calculate K=gAB mod p Choose challenge C1 {gB mod p}W, {C1}K Choose challenge C2 {C1,C2}K {C2}K

  7. SPEKE Share W, p Bob Alice Pick A “Alice”, WA mod p Pick B Calculate K=WAB mod p Choose challenge C1 WB mod p, {C1}K Choose challenge C2 {C1,C2}K {C2}K

  8. PDM (Password Derived Moduli) Share p Bob Alice Pick A “Alice”, 2A mod p Pick B Calculate K=2AB mod p Choose challenge C1 2B mod p, {C1}K Choose challenge C2 {C1,C2}K {C2}K

  9. But we don’t need mutual authentication, just credentials download • Which we can do in two messages

  10. 2-msg EKE-based Share g, p, W Bob Alice Pick A “Alice”, {gA mod p}W Calculate K=gAB mod p gB mod p, {Y}K

  11. 2-msg SPEKE-based Share W, p Bob Alice Pick A “Alice”, WA mod p Calculate K=WAB mod p WB mod p, {Y}K

  12. 2-msg PDM-based Share p Bob Alice Pick A “Alice”, 2A mod p Calculate K=2AB mod p 2B mod p, {Y}K

  13. If we want to avoid strong password schemes • Just let Y be world-readable • Anyone can request it and do dictionary attack • An eavesdropper can do a dictionary attack • Could do CHAP-like thing to authenticate • Eavesdropper could do dictionary attack • Could enhance that with anonymous Diffie-Hellman initial exchange • Active attacker could be man-in-the-middle, or impersonate whichever side authenticates last, to gain dictionary attack

  14. To avoid strong pwd schemes • Could do TLS, then CHAP-like thing • Requires good trust anchors at client, and certificate for server • No dictionary attack possible for eavesdropper or Alice-impersonator • Can’t have Bob-impersonator (since TLS would foil that)

  15. Variants in Pre-shared Key TLS • PSK only • Eavesdropper and server get dictionary attack • DH-PSK • Bob-impersonator gets dictionary attack • RSA-PSK • Can’t impersonate Bob if Alice checks his cert

More Related