SECURE REMOTE USER ACCESS OVER INSECURE NETWORKS. Sogang Univ. Computational Theory Lab. Ji Hye Park
CONTENTS
• Introduction
• Hash-based Protocols
  • User Authentication Protocol
  • Password Change Protocol
  • Security Analysis
• DH-based Protocols
  • User Authentication
  • Password Change Protocol
  • Security Analysis
• Conclusion
1. INTRODUCTION
• User authentication based on password.
[Figure: the user sends (ID, Password) to the server, which gives access control. Application programs (ex. telnet, ftp) exchange data by user. The server DB includes account IDs corresponding to users and services. Labels: secret info., public info.]
1. INTRODUCTION
• A user authentication protocol is needed to protect the password.
• Encrypting passwords with symmetric-key or public-key cryptosystems imposes additional overhead.
• This paper uses neither symmetric-key nor asymmetric-key cryptosystems; it uses a collision-resistant hash function such as SHA [6].
1. INTRODUCTION
• In this paper,
  • Improve the base remote user authentication and password change protocols presented in [4].
  • Present two sets of enhanced remote user authentication and password change protocols.
PASSWORD AUTHENTICATION PROTOCOL VS POSSIBLE ATTACK
• Replay attack: finding out the password by attacking repeatedly.
• Password search attack: a weak password has low entropy, so the password can be found by a dictionary attack or a guessing attack.
• Stolen-verifier attack: if the password hash value stored on the server is stolen, it can be used.
PASSWORD CHANGE PROTOCOL VS POSSIBLE ATTACK
• Denial of service attack: the attacker can make the server reject the user's login.
• Forward secrecy: forward secrecy provides protection of past encrypted data. It is the confidence that the compromise of a long-term private key does not compromise any earlier session keys. (That is, even if the current key is stolen, it is only a session key, so earlier keys are not exposed and future keys cannot be predicted.)
2. HASH-BASED PROTOCOL
• Assume,
  • The user has a "userid" denoted by id and a "password" denoted by pw.
  • The password is a secret value that only the user and server know, but the userid is known to both the user and server and is a public value.
  • The server does not store pw; instead it stores a password digest value referred to as idpw_digest = Hash(id, pw).
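2.1 USER AUTHENTICATION PROTOCOL
Parties: user, client, server
Values: id, pw, rc, idpw_digest, rs
• cli_auth_token = Hash(idpw_digest, rs, rs(1))
• ser_auth_token = Hash(idpw_digest, rc, rs)
Messages, in order:
• user → client: (id, pw)
• client → server: (id, rc)
• server → client: (rs, ser_auth_token)
• client → server: (id, cli_auth_token)
• server: access / reject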
2.2 PASSWORD CHANGE PROTOCOL
Parties: user, client, server
Values: id, pw, new_pw, rc, idpw_dig, idpw_dig_new, rs
• mask = H(idpw_dig, rc, rs(1))
• mac = H(idpw_dig, idpw_dig_new, rc, rs)
• masked_idpw_dig_new = mask(idpw_dig_new)
• ser_auth_token = H(idpw_dig, rc, rs)
Messages, in order:
• user → client: (id, pw, new_pw)
• client → server: (id, rc)
• server → client: (rs, ser_auth_token)
• client → server: (masked_idpw_dig_new, mac, id)
• server: access / reject
2.3 SECURITY ANALYSIS
• About the stolen-verifier attack:
  • If the attacker knows the value H(id, pw), the attacker can pose as the user and send a value rc' to the server. The server then generates ser_auth_token from rc', and the attacker can easily verify that value, send a new cli_auth_token' = Hash(idpw_digest, rs, rs(1)), and be granted access without raising any suspicion.
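The exchange of 2.1 and the stolen-verifier point of 2.3, as an added example (not code from the slides or the paper). SHA-256, 16-byte nonces, the length-prefixed field encoding, and reading the slide's rs(1) term as rs + 1 are assumptions. The client side takes only idpw_digest, which is why the stored verifier is password-equivalent.

```python
import hashlib, hmac, secrets

def H(*parts: bytes) -> bytes:
    """Hash over length-prefixed fields; SHA-256 is an assumed choice of 'SHA'."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def rs1(rs: bytes) -> bytes:
    """Assumed stand-in for the slide's 'rs(1)' term: rs + 1 mod 2^128."""
    return ((int.from_bytes(rs, "big") + 1) % (1 << 128)).to_bytes(16, "big")

class Server:
    def __init__(self):
        self.db = {}       # id -> idpw_digest = Hash(id, pw), the stored verifier
        self.pending = {}  # id -> (rc, rs) of the login in progress
    def challenge(self, uid: bytes, rc: bytes):
        """Message 2: return (rs, ser_auth_token) for the client's (id, rc)."""
        rs = secrets.token_bytes(16)
        self.pending[uid] = (rc, rs)
        return rs, H(self.db[uid], rc, rs)
    def verify(self, uid: bytes, cli_auth_token: bytes) -> bool:
        """Message 3: accept or reject; pop() makes every rs single-use."""
        if uid not in self.pending:
            return False
        _rc, rs = self.pending.pop(uid)
        return hmac.compare_digest(H(self.db[uid], rs, rs1(rs)), cli_auth_token)

def client_login(server: Server, uid: bytes, digest: bytes):
    """Client side; needs only idpw_digest. Returns (accepted, cli_auth_token)."""
    rc = secrets.token_bytes(16)
    rs, ser_auth_token = server.challenge(uid, rc)
    if not hmac.compare_digest(ser_auth_token, H(digest, rc, rs)):
        return False, None  # server did not prove knowledge of idpw_digest
    token = H(digest, rs, rs1(rs))
    return server.verify(uid, token), token

def demo():
    s = Server()
    s.db[b"alice"] = H(b"alice", b"correct horse")  # constructed sample account
    ok, token = client_login(s, b"alice", H(b"alice", b"correct horse"))
    bad, _ = client_login(s, b"alice", H(b"alice", b"guess"))
    s.challenge(b"alice", secrets.token_bytes(16))
    replayed = s.verify(b"alice", token)  # old token against a fresh rs
    verifier_only, _ = client_login(s, b"alice", s.db[b"alice"])
    return ok, bad, replayed, verifier_only  # -> (True, False, False, True)
```

The fresh rs defeats the replayed token, but the last result shows that the database entry alone is enough to log in, so the verifier table needs the same protection as plaintext passwords would.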
3. DH-BASED PROTOCOLS
• To protect against guessing attacks,
  • We employ the DH key agreement scheme in addition to a collision-resistant hash function such as SHA.
  • The DH key agreement scheme is used by the client and server to establish a shared secret that protects the exchanges.
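3.1 USER AUTHENTICATION PROTOCOL
Parties: user, client, server
Values: id, pw, rc, g^x, idpw_digest, rs, g^y, g^xy
• challenge = rs(H(g^xy, idpw_dig, rc))
• ser_auth_token = H(g^xy, idpw_digest, rc, rs)
Messages, in order:
• user → client: (id, pw)
• client → server: (id, rc, p, g, g^x)
• server → client: (g^y, challenge)
• client → server: (rs, id)
• server → client: ser_auth_token, access / reject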
3.2 PASSWORD CHANGE PROTOCOL
Parties: user, client, server
Values: id, pw, new_pw, rc, g^x, idpw_digest, rs, idpw_dig_new, g^y, g^xy
• mask = H(g^xy, rc, rs)
• mac = H(g^xy, rc, rs idpw_dig_new)
• masked_idpw_dig_new = mask(idpw_dig_new)
• challenge = rs(H(g^xy, idpw_dig, rc))
• ser_auth_token = H(g^xy, idpw_digest, rc, rs)
Messages, in order:
• user → client: (id, pw, new_pw)
• client → server: (id, rc, p, q, g^x)
• server → client: (g^y, challenge)
• client → server: (rs, id)
• server → client: (ser_auth_token)
• client → server: (masked_idpw_dig_new, mac, id)
• server: access / reject