150 likes | 370 Views
Password-based authenticated key exchange. Ravi Sandhu. Variations. Public-key cryptography must be used
E N D
Password-based authenticated key exchange Ravi Sandhu
Variations • Public-key cryptography must be used • “Public-key cryptography and password protocols”, Shai Halevi and Hugo Krawczyk, ACM Transactions on Information and System Security (TISSEC), Volume 2 , Issue 3 (August 1999), Pages: 230 - 268 • Two variations • No public-key certificates (no PKI) • Use public-key certificates (requires PKI)
References • http://www.integritysciences.com/links.html • Comprehensive and long list of references • Principal reference for this lecture. • S. M. Bellovin and M. Merritt, “Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks,” Proceedings of the I.E.E.E. Symposium on Research in Security and Privacy, Oakland, May 1992. • “This is not your grandmother’s network login” Jab96
Broken approaches: use password directly(authentication only) • Original Telnet - vulnerable to eavesdropping pwd Client Server • Challenge-Response challenge Client Server h(challenge,pwd)
Broken approaches: use hashed password (authentication only) • Challenge-Response challenge Client Server h(challenge,f(pwd)) • Don’t need to store cleartext password on the server • Dictionary attack on f(pwd) stored at server remains a vulnerability
Kerberos is vulnerable Request TC,TGS Authentication Server TC,TGS, ENCkC(TGS, kC,TGS, …) kTGS TC,TGS, ENCkC,TGS(authenticator) Ticket Granting Server (kTGS) Client ENCkC,TGS(kC,S, …) kS Communication under kC,S Server (kS) The trouble: kC is defined to be some one-way function of password!
Patel’s classification (Pat97) • Querying attacker • Can initiate sessions with the server while pretending to be a legitimate client • Eavesdropping attacker • Can eavesdrop on legitimate runs of the protocol • Active attacker • Can intercept, drop, insert packets
SSL (and SSH) solution(need PKI) Server-side SSL Client Server pwd Client Server • Needs PKI • Has its pitfalls
Pre-EKE: use password directly(authentication and key exchange) User (pwd) Server (pwd) U ENCpwd(random) ENCrandom(challengeU) ENCrandom(challengeU, challengeS) ENCrandom(challengeS)
EKE: DH version [BM92] User (pwd) Server (pwd) U, ENCpwd(gx) K = f(gxy) ENCpwd(gy), ENCk(challengeS) K = f(gxy) ENCk(challengeU, challengeS) ENCk(challengeU)
EKE: DH version [BM92] • Potential problems [Patel, S&P97]: • If an active attacker, instead of sending g and p in clear, chooses to send gd and p such that d is a small prime and d|(p-1). Then, (gdy)(p-1)/d = 1 mod p. When the attacker receives the password encrypted ENCpwd(gy), he tries to decrypt it with different candidate passwords and raises the decrypted number to (p-1)/d. If the result is not 1 then that password is rejected. Since (p-1)/d number out of p-1 number will be dth power residue, hence 1/d numbers on average will be congruent to 1 when raised to (p-1)/d. At each session the possible space of password is reduced to 1/d and the space of valid passwords will be narrowed to 1 at a logarithm rate (typically, logp). • Avoidance: The success of the attack is due to the fact that gd is not a generator. To find a generator g it is necessary and sufficient to check that g(p-1)/m 1 mod p for all factors m of p-1.
[BPR Eurocrypt2000] User (pwd) Server (pwd) U, ENCpwd(gx) k’ = f(u,s, gx,gy,gxy) ENCpwd(gy), H(k’, 1) k’ = f(u,s, gx,gy,gxy) H(k’,2) k = H(k’,0) sid = A, ENCpwd(gx), B, ENCpwd(gy) pid = B k = H(k’,0) sid = A, ENCpwd(gx), B, ENCpwd(gy) pid = A
[BPR Eurocrypt2000] [BM92] proved secure (in ROM and ICM) Theorem. Let qse, qre, qco, qex, qor be integers and let q = qse + qre + qco + qex + qor. Let Password be a finite set of size N and assume (|Ģ|)1/2/q N 1. Let PW be the associated LL-key generator as discussed above, SK be the associated session key space. Assume the weak corruption model. The AdvfsP,PW,SK(t,qse,qre,qco,qex,qor) <= qse/N + qse· qor AdvdhĢ,g(t’,qor) + O(q2)/|Ģ| + O(1)/(|Ģ|)1/2 Where t’ = t + O(qse+qor).
SPEKE: [Jablon, CCR96] User (pwd) Server (pwd) U, f(pwd)x k = h(f(pwd)xy)) f(pwd)y k = h(f(pwd)xy)) ENCk(challengeU) ENCk(challengeU, challengeS) ENCk(challengeS)
[MacK01b] In this paper we prove (in the random oracle model) that a certain instantiation of the SPEKE protocol that uses hashed passwords instead of non-hashed passwords is a secure password-authenticated key exchange protocol (using our relaxed definition) based on a new assumption, the Decision Inverted-Additive Diffie-Hellman assumption. Since this is a new security assumption, we investigate its security and relation to other assumptions; specifically we prove a lower bound for breaking this new assumption in the generic model, and we show that the computational version of this new assumption is equivalent to the Computational Diffie-Hellman assumption.