460 likes | 534 Views
Password-based Authentication. SBSeg 2007 Keynote Michel Abdalla Researcher École normale supérieure & CNRS. Alice. Bob. pk A. pk B. pk B sk = g sk sk = pk A sk. A. A. B. B. Diffie-Hellman protocol.
E N D
Password-based Authentication SBSeg 2007 Keynote Michel Abdalla Researcher École normale supérieure & CNRS
Alice Bob pkA pkB pkBsk = gsksk = pkAsk A A B B Diffie-Hellman protocol Let G be a group in which the DDH problem is hard and let g be a generator for G skA {0,…,|G|-1} pkA gsk skB {0,…,|G|-1} pkB gsk A B Protocol does NOT provide authentication
Authenticated Key Exchange (AKE) • Allow two parties to establish a common secret in an authenticated way • Intuitive goal: implicit authentication • The session key should only be known to the parties involved in the protocol • Formally: semantic security • the session key should be indistinguishable from a random string
Authentication techniques • Asymmetric techniques • Assume the existence of a public-key infrastructure • Each party holds a pair of secret and public keys • Symmetric techniques • Users share a random secret key • 2-party or 3-party settings • Password-based techniques • Consider the case of weak secrets (e.g., a 4-digit PIN) • Protocols are always subject to online guessing attacks
Password-based AKE (PAKE) • Realistic • Real-life applications usually rely on weak passwords • Convenient to use • Users do not need to store the secret • Comes at a cost • Protocols are always subject to online guessing attacks
Online dictionary attacks • Let D represent the set of possible passwords (i.e., dictionary) • As passwords need be memorized by humans, |D| is usually small • Online dictionary attack • Choose a password from D • Interact with authentication server using the guessed password • Each online attempt can succeed with probability 1/|D| • Counter measures against online attacks • Limit the number of unsuccessful attempts • Goal of password-based authentication • Restrict the adversary to online dictionary attacks only
Group Password-basedAKE (GPAKE) • Scenario • Similar to the 2-party case, except that … • Number of protocol participants is variable • Password is shared among all participants • Session key is shared among all participants • Security goals • Similar to the 2-party case: Allow a pool of users to established a common session key with only the help of passwords
Security model • Users can have many protocol instances running concurrently • Communication may be controlled by the adversary • Adversary can create, modify, or forward messages • The transmission of messages is done via specific oracle queries • Adversary is given oracle access to all user instances and can corrupt some of them • Protocol is considered secure if the session key held by a honest user cannot be distinguished from a random key
Outline • Review of PAKE schemes • History of GPAKE scheme • A Simple GPAKE protocol • A generic GPAKE protocol • Concluding remarks
Background: Ideal models • Random oracle model [BellareRogaway93] • Perhaps the most used ideal model in cryptography • The hash function is modeled as a perfectly random function • Random permutation model • Similar to the random-oracle model, but with a permutation instead of a function • Ideal cipher model • An extension of the random-permutation model • A block cipher is seen as a family of truly random and independent permutations (for each key) • Standard model • None of the above
Brief history of PAKE schemes • [BelMer92]: Encrypted Key Exchange (EKE) • Seminal work, no proofs • [BelPoiRog00,BoyMacPat00] • Formal security models • Protocols in the ideal-cipher and random-oracle models • [GolLin01] • Non-concurrent protocol in the standard model • [KatOstYun01,GenLin03,CHKLM05] • Efficient protocols in the CRS model • [BR00,BCP03/04,CatPoiPor04,MacKenzie02,AbPo05] • Efficient EKE and OKE protocols in the RO model
Alice Bob = pwAlice,Bob x Zp X gx y Zp Y gy Alice, X=Enc(X) Bob, Y=Enc(Y) Y Dec(Y) K Yx X Dec(X) K Xy SK H(Alice,Bob,,X,Y,K) Encrypted Key Exchange [Bellovin & Merritt, 1992] • Flows are encrypted with the password
EKE instantiations • [BPR00,BCP03] • Enc = Ideal cipher • H = Random oracle • [MacKenzie02,BCP04] • Enc = Random oracle • H = Random oracle • [AbPo05] • Encpw(X) = X hpw • H = Random oracle
Simple PAKE [AbPo05] Alice Bob = pwAlice,Bob x Zp X gx y Zp Y gy Alice, X= X A Bob, Y= Y B Y Y/ B K Yx X X / A K Xy SK H(Alice,Bob,,X,Y,K)
Security of simple PAKE • Theorem: If the DDH problem is hard, then the protocoldescribed in the previous slide is a secure PAKE protocol in the random-oracle model. • Proof: see [AbPo05]
PAKE in the standard model: The Gennaro-Lindell Construction • Design is not as simple as EKE • Requires several different tools • One-time signatures • Non-malleable encryption schemes • Smooth projective hash functions
Smooth projective hash functions[GL03 variant]: Algorithms • Hash key generation: hk = HK(pk) • pk – public encryption key, hk – hashing key • Projected key generation:hp = (hk, c) • hk – hashing key, hp – projected key • Hashing algorithm:H(hk, m, c) G • m – message, c – ciphertext, hk – hashing key • Projected hashing algorithm:h = h(hp, m, c; r) • hp – projected key, r – random used to generate c
Smooth projective hash functions[GL03 variant]: Security properties • Correctness: • If c = E(pk,m;r), then (m,c,hp) uniquely determines H(hk,m,c) • When c = E(m;r), H(hk,m,c) can be computed efficiently given r h(hp,m,c; r) = H(hk,m,c) • Smoothness: • If c is not an encryption of m,then (m, c, hp) gives no information (statistically) on H(hk,m,c) • Pseudo-randomness: • When c=E(m;r) and hp=(hk,c),then H(hk,m,c) is pseudo-random given only (m,c,hp)
The Gennaro-Lindell Construction Alice Bob Alice, vkR, cR skR, vkR Sig-KG cR Epk(pw vkR; rR) skL, vkL Sig-KG hkL hashKey hpL(hkL, cR, vkR) cL Epk(pw vkL; rL) Bob, hpL, vkL, cL hkR hashKey hpR(hkR, cL, vkL) R Sign(skR,Transcript) hpR, R L Sign(skL,Transcript) L KR HhkL(pw, vkR, cR) KL hhpR(pw, cL, vkL; rL) KL HhkR(pw, vkL, cL) KR hhpL(pw, cR, vkR; rR) SK KL◦ KR
Outline • Review of PAKE schemes • History of GPAKE schemes • A Simple GPAKE protocol • A generic GPAKE protocol • Concluding remarks
Brief history of GAKE schemes • [BurDes94, BurDes05]: • Constant-round group Diffie-Hellman key exchange • Passive attacks, security based on CDH • [KatzYung03] • Proof of security for BD protocol based on DDH • Generic compiler from GKE to GAKE using signatures • [KimLeeLee04] • A variant of the BD protocol using random oracles and XOR operations • [Joux00] • A One Round Protocol for Tripartite Diffie-Hellman • [LiPieprzyk99,BreCat04] • Conference key agreement from secret sharing • [BoydNieto03, JeongKatzLee04, …] • Round-Optimal contributory key agreement
The Burmester-Desmedt Group Key Exchange [BD94] P1 Pi PN x1 Zp X1 gx1 xi Zp Xi gxi xN Zp XN gxN X1 Xi XN K1 X2x1 KN XNx1 Z1 K1 / KN KN X1xN KN-1 XN-1xN ZN KN / KN-1 Ki Xi+1xi Ki-1 Xi-1xi Zi Ki / Ki-1 Zi Z1 ZN SK K1◦ K2 ◦ ◦ KN
The Kim-Lee-Lee Group Key Exchange [KLL04] P1 Pi PN s1 $ x1 Zp X1 gx1 si $ xi Zp Xi gxi sN $ xN Zp XN gxN X1 Xi XN K1 H(X2x1) KN H(XNx1) Z1 K1 KN T1 s1 KN H(X1xN) KN-1 H(XN-1xN) ZN KN KN-1 TN KN sN Ki H(Xi+1xi) Ki-1 H(Xi-1xi) Zi Ki Ki-1 Ti si Zi Ti Z1 T1 ZN TN SK H2(s1 s2 sN)
A generic version of the Burmester-Desmedt protocol Pi-1 Pi Pi+1 KE KE Ki Ki Ki-1 Ki-1 Zi-1 Ki-1 / Ki-2 Zi Ki / Ki-1 Zi+1 Ki+1 / Ki Zi-1 Zi Zi+1 SK K1◦ K2 ◦ ◦ KN
KE KE Ki-1 Ki-1 Ki Ki A generic version of theKim-Lee-Lee protocol Pi-1 Pi Pi+1 PN si-1 $ si $ si+1 $ sN $ Zi-1 Ki-1 Ki-2 Ti-1 si-1 Zi Ki Ki-1 Ti si Zi+1 Ki+1 Ki Ti+1 si+1 ZN KN KN-1 TN KN sN Zi-1 Ti-1 Zi Ti Zi+1 Ti+1 ZN TN SK H2(s1 s2 sN)
Previous work on GPAKE • [BreChePoi02, BreChePoi05]: • Group Diffie-Hellman password-based key exchange • Linear number of rounds • [LeeHwangLee04] • Based on the Kim-Lee-Lee GAKE protocol • Proven secure in the random-oracle model • Broken in [ABCP06] • [DuttaBarua06] • Based on the Kim-Lee-Lee GAKE protocol • Proven secure in the random-oracle and ideal-cipher models • Broken in [ABCP06] • [ABCP06], [TangChoo06] • Based on the Burmester-Desmedt protocol • Proven secure in the ideal-cipher and random-oracle models
More recent work on GPAKE • [KwonJeongLee06] • Simplification of [ABCP06] protocol • Proven secure in the “standard model” • Apparently insecure (work in progress) • [AbdallaPointcheval06] • Based on the Gennaro-Lindell PAKE protocol • Proven secure in the standard model • [BohliGonzalezSteinwandt06] • Proven secure in the standard model • Similar to [AbdallaPointcheval06], but more efficient • [ABGS07] • Generic compiler from 2-party to group • Proven secure in the standard model
Outline • Review of PAKE schemes • History of GPAKE schemes • A Simple GPAKE protocol • A generic GPAKE protocol • Concluding remarks
Adding password authentication to the BD protocol • EKE approach • Encrypt all flows using the password pw • Xi= pw(Xi), Zi= pw(Zi) • Problem • In the BD protocol, Z1◦Z2◦ ◦ ZN = 1 • Dictionary attack • Guess password pw • Compute Zi= Dpw(Zi) for i=1,,N • Check if Z1◦Z2◦ ◦ ZN = 1
The Dutta-Barua GPAKE Protocol [DB06] P1 Pi PN s1 $ x1 Zp X1 gx1 si $ xi Zp Xi gxi sN $ xN Zp XN gxN Epw(X1) Epw(Xi) Epw(XN) K1 H(X2x1) KN H(XNx1) Z1 K1 KN T1 s1 KN H(X1xN) KN-1 H(XN-1xN) ZN KN KN-1 TN KN sN Ki H(Xi+1xi) Ki-1 H(Xi-1xi) Zi Ki Ki-1 Ti si E’’pw(TN) E’pw(Z1T1) E’pw(ZiTi) SK H2(s1 s2 sN)
An attack against the Dutta-Barua GPAKE protocol • Problem • All flows are encrypted under the same key • Attack • Let P1 and P2 be honest users • Attacker will play the role of P3 • Attacker waits for P1 and P2 to broadcast X1*=Epw(X1) and X2*=Epw(X2) • Attacker sets X3*=X1* (This implicitly sets x1=x3) and broadcasts it • This causes K1=K2 and Z2=0 • Hence, T2*=Epw(0s2) Dictionary attack!
An attack against the Dutta-Barua GPAKE protocol P1 P2 P3 s1 $ x1 Zp X1 gx1 s2 $ x2 Zp X2 gx2 This implicitly sets x3=x1 Epw(X1) Epw(X2) Epw(X1) K1 H(X2x1) K3 H(X1x1) Z1 K1 K3 T1 s1 K2 H(X1x2 ) K1 H(X1x2) Z2 K2 K1= 0 T2 s2 Dictionary Attack!!! E’pw(Z1 T1) E’pw(0 T2)
The Lee-Hwang-Lee GPAKE protocol [LHL04] P1 Pi PN x1 Zp X1 gx1 xi Zp Xi gxi xN Zp XN gxN Epw(X1) Epw(Xi) Epw(XN) K1 H(X2x1) KN H(XNx1) Z1 K1 KN KN H(X1xN) KN-1 H(XN-1xN) ZN KN KN-1 Ki H(Xi+1xi) Ki-1 H(Xi-1xi) Zi Ki Ki-1 Z1 Zi ZN SK H(K1 K2 KN)
An attack against the Lee-Hwang-Lee GPAKE protocol P1 P2 P3 P4 Epw(X1) Epw(X’1) Epw(X1) Epw(X’1) X1 gx1 K1 = K2 = K3 = K4 = H(X’1x1) 0 0 0 0 SK H(K1 K2 K3 K4) P’1 P’2 P’3 P’4 Epw(X’1) Epw(X1) Epw(X’1) Epw(X1) X’1 gx1’ K’1 = K’2 = K’3 = K’4 = H(X1x1’) 0 0 0 0 SK’ H(K’1 K’2 K’3 K’4)
Outline • Review of PAKE schemes • History of GPAKE schemes • A Simple GPAKE protocol • A generic GPAKE protocol • Concluding remarks
A simple GPAKE protocol: Intuition • Add an extra flow of random nonces ri at the beginning of the each sessionS = P1 r1 PN rN • Use a different encryption key for each user and session to avoid replaying of messagespwi = H(pw S i) • Only encrypt the flow containing the values Xi to avoid dictionary attacks • Add an authentication flow to avoid malleability attacksAuthi = H’(S X1* Z1 XN* ZN SK i)
A simple GPAKE protocol: Construction [ABCP06] P1 Pi PN r1 $ ri $ rN $ P1, r1 Pi, ri PN, rN x1 Zp X1 gx1 xi Zp Xi gxi xN Zp XN gxN Epw1(X1) Epwi(Xi) EpwN(XN) K1 X2x1 KN XNx1 Z1 K1 / KN KN X1xN KN-1 XN-1xN ZN KN / KN-1 Ki Xi+1xi Ki-1 Xi-1xi Zi Ki / Ki-1 Z1 Zi ZN Auth1 Authi AuthN Session Key H’’(Transcript SK) SK K1◦ K2 ◦ ◦ KN
A simple GPAKE protocol: Security • Theorem: If the DDH problem is hard, then the protocoldescribed in the previous slide is a secure GPAKE protocol in the random-oracle and ideal-cipher models • Proof: see [ABCP06]
Outline • Review of PAKE schemes • History of GPAKE schemes • A Simple GPAKE protocol • A generic GPAKE protocol • Concluding remarks
A generic GPAKE protocol [ABGS07]: Intuition • Generate Ki using a (2-party) PAKE • Each user authenticates its neighbors • Commit to Zi before making it public • Commitment should be non-malleable • Use the fact that Z1◦ …◦ ZN = 1 for verification
A generic GPAKE protocol Pi-1 Pi Pi+1 AKE AKE Ki-1 Ki-1 Ki Ki Zi-1 Ki-1 Ki-2 Zi Ki Ki-1 Zi+1 Ki+1 Ki Com(Zi-1 i-1; ri-1) Com(Zi I; ri) Com(Zi+1i+1; ri+1) Zi-1, ri-1 Zi, ri Zi+1, ri+1 SK UH(K1, ,KN,Transcript) Session Key FSK(0)
Advantages of generic construction • Allows a modular design approach • Transformation is reasonably efficient • No ideal assumptions • Non-interactive non-malleable commitments • Family of collision-resistant pseudorandom functions [Katz-Shin 05] • Family of universal hash functions • Simpler proof of security
Outline • Review of PAKE schemes • History of GPAKE schemes • A Simple GPAKE protocol • A generic GPAKE protocol • Concluding remarks
Concluding remarks • Recap • Attacks against previous constructions [ABCP06] • A simple construction in the IC and RO models [ABCP06] • A generic GPAKE construction [ABGS07] • The design of password-based protocols can be tricky • Small modifications to the protocol can make them insecure • The only way to be sure is to provide a security proof • Password-based authenticated key exchange remains a very active area
Future directions • More efficient constructions in the standard model • Stronger security guarantees • universal composability • Stronger corruption models