1 / 15

Password-based authenticated key exchange

Password-based authenticated key exchange. Ravi Sandhu. Variations. Public-key cryptography must be used

dolan-blanchard
Download Presentation

Password-based authenticated key exchange

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Password-based authenticated key exchange Ravi Sandhu

  2. Variations • Public-key cryptography must be used • “Public-key cryptography and password protocols”, Shai Halevi and Hugo Krawczyk, ACM Transactions on Information and System Security (TISSEC), Volume 2 , Issue 3 (August 1999), Pages: 230 - 268 • Two variations • No public-key certificates (no PKI) • Use public-key certificates (requires PKI)

  3. References • http://www.integritysciences.com/links.html • Comprehensive and long list of references • Principal reference for this lecture. • S. M. Bellovin and M. Merritt, “Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks,” Proceedings of the I.E.E.E. Symposium on Research in Security and Privacy, Oakland, May 1992. • “This is not your grandmother’s network login” Jab96

  4. Broken approaches: use password directly(authentication only) • Original Telnet - vulnerable to eavesdropping pwd Client Server • Challenge-Response challenge Client Server h(challenge,pwd)

  5. Broken approaches: use hashed password (authentication only) • Challenge-Response challenge Client Server h(challenge,f(pwd)) • Don’t need to store cleartext password on the server • Dictionary attack on f(pwd) stored at server remains a vulnerability

  6. Kerberos is vulnerable Request TC,TGS Authentication Server TC,TGS, ENCkC(TGS, kC,TGS, …) kTGS TC,TGS, ENCkC,TGS(authenticator) Ticket Granting Server (kTGS) Client ENCkC,TGS(kC,S, …) kS Communication under kC,S Server (kS) The trouble: kC is defined to be some one-way function of password!

  7. Patel’s classification (Pat97) • Querying attacker • Can initiate sessions with the server while pretending to be a legitimate client • Eavesdropping attacker • Can eavesdrop on legitimate runs of the protocol • Active attacker • Can intercept, drop, insert packets

  8. SSL (and SSH) solution(need PKI) Server-side SSL Client Server pwd Client Server • Needs PKI • Has its pitfalls

  9. Pre-EKE: use password directly(authentication and key exchange) User (pwd) Server (pwd) U ENCpwd(random) ENCrandom(challengeU) ENCrandom(challengeU, challengeS) ENCrandom(challengeS)

  10. EKE: DH version [BM92] User (pwd) Server (pwd) U, ENCpwd(gx) K = f(gxy) ENCpwd(gy), ENCk(challengeS) K = f(gxy) ENCk(challengeU, challengeS) ENCk(challengeU)

  11. EKE: DH version [BM92] • Potential problems [Patel, S&P97]: • If an active attacker, instead of sending g and p in clear, chooses to send gd and p such that d is a small prime and d|(p-1). Then, (gdy)(p-1)/d = 1 mod p. When the attacker receives the password encrypted ENCpwd(gy), he tries to decrypt it with different candidate passwords and raises the decrypted number to (p-1)/d. If the result is not 1 then that password is rejected. Since (p-1)/d number out of p-1 number will be dth power residue, hence 1/d numbers on average will be congruent to 1 when raised to (p-1)/d. At each session the possible space of password is reduced to 1/d and the space of valid passwords will be narrowed to 1 at a logarithm rate (typically, logp). • Avoidance: The success of the attack is due to the fact that gd is not a generator. To find a generator g it is necessary and sufficient to check that g(p-1)/m 1 mod p for all factors m of p-1.

  12. [BPR Eurocrypt2000] User (pwd) Server (pwd) U, ENCpwd(gx) k’ = f(u,s, gx,gy,gxy) ENCpwd(gy), H(k’, 1) k’ = f(u,s, gx,gy,gxy) H(k’,2) k = H(k’,0) sid = A, ENCpwd(gx), B, ENCpwd(gy) pid = B k = H(k’,0) sid = A, ENCpwd(gx), B, ENCpwd(gy) pid = A

  13. [BPR Eurocrypt2000] [BM92] proved secure (in ROM and ICM) Theorem. Let qse, qre, qco, qex, qor be integers and let q = qse + qre + qco + qex + qor. Let Password be a finite set of size N and assume (|Ģ|)1/2/q  N  1. Let PW be the associated LL-key generator as discussed above, SK be the associated session key space. Assume the weak corruption model. The AdvfsP,PW,SK(t,qse,qre,qco,qex,qor) <= qse/N + qse· qor AdvdhĢ,g(t’,qor) + O(q2)/|Ģ| + O(1)/(|Ģ|)1/2 Where t’ = t + O(qse+qor).

  14. SPEKE: [Jablon, CCR96] User (pwd) Server (pwd) U, f(pwd)x k = h(f(pwd)xy)) f(pwd)y k = h(f(pwd)xy)) ENCk(challengeU) ENCk(challengeU, challengeS) ENCk(challengeS)

  15. [MacK01b] In this paper we prove (in the random oracle model) that a certain instantiation of the SPEKE protocol that uses hashed passwords instead of non-hashed passwords is a secure password-authenticated key exchange protocol (using our relaxed definition) based on a new assumption, the Decision Inverted-Additive Diffie-Hellman assumption. Since this is a new security assumption, we investigate its security and relation to other assumptions; specifically we prove a lower bound for breaking this new assumption in the generic model, and we show that the computational version of this new assumption is equivalent to the Computational Diffie-Hellman assumption.

More Related