Secure password-based cipher suite for TLS: The importance of end-to-end security
Marie L.S. Dumont
CS 265
Why integration of DH-EKE in TLS?
• Case Study: Web Banking
  • Authentication, Confidentiality and Integrity
• Sending passwords on one-way authenticated SSL Channels
  • Heavy burden on the user
• SSL with Client Certification
  • Requires proper protection of client’s keys
• SSL Channels with DH-EKE passwords
  • Resistant to (offline) dictionary attack
  • Eliminates the requirement of a PKI
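Diffie-Hellman Encrypted Key Exchange (DH-EKE)
Client (password pwd), Server (password pwd)
• Client: $x \in_R Z_{p-1}$
• Client → Server: $\hat{E}_{pwd}(h^x)$
• Server: $y \in_R Z_{p-1}$, $K_{mstr} = (h^x)^y$, $C_1 \in_R \mathrm{domain}(E)$
• Server → Client: $\hat{E}_{pwd}(h^y)$, $E_{K_{mstr}}(C_1)$
• Client: $K_{mstr} = (h^y)^x$, $C_2 \in_R \mathrm{domain}(E)$
• Client → Server: $E_{K_{mstr}}(C_1, C_2)$
• Server: verify response
• Server → Client: $E_{K_{mstr}}(C_2)$
• Client: verify response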
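Refined DH-EKE
Client (password pwd), Server (password pwd)
• Client: $x \in_R Z_{p-1}$, $K_{auth} = H_1(pwd, ID_C, ID_S)$
• Client → Server: $\hat{E}_{K_{auth}}(h^x)$
• Server: $y \in_R Z_q$, $K_{auth} = H_1(pwd, ID_C, ID_S)$, $K_{mstr} = (h^x)^{y((p-1)/q)}$, $K_{conf} = G_1(K_{mstr})$, $K_{sess} = G_2(K_{mstr})$
• Server → Client: $g^y$, $MAC_{K_{conf}}(\text{“1”}, \hat{E}_{K_{auth}}(h^x), g^y)$
• Client: $K_{mstr} = (g^y)^{x \pmod q}$, $K_{conf} = G_1(K_{mstr})$, $K_{sess} = G_2(K_{mstr})$; abort if MAC not OK
• Client → Server: $MAC_{K_{conf}}(\text{“2”}, \hat{E}_{K_{auth}}(h^x), g^y)$
• Server: abort if MAC not OK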
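The Refined DH-EKE flow above, run end to end for both roles, as an added example that is not part of the original slides. It shows that both $K_{mstr}$ formulas agree and that a password mismatch is caught by the confirmation MAC. Assumptions: a constructed toy group with $g = h^{(p-1)/q}$ and $h$ generating $Z_p^*$, SHA-256 and HMAC standing in for $H_1$, $G_1$, $G_2$ and MAC, and multiplication by a key-derived mask standing in for $\hat{E}$.

```python
import hashlib, hmac, secrets

# Constructed toy group (far too small for real use): p = 2q + 1, h generates Z_p*.
# Assumption: g = h^((p-1)/q), so g has order q and both K_mstr formulas agree.
P, Q, H = 1019, 509, 2
G = pow(H, (P - 1) // Q, P)

def kdf(label, *parts):
    """Stand-in for the slides' H1 / G1 / G2: SHA-256 over length-prefixed inputs."""
    d = hashlib.sha256(label)
    for part in parts:
        d.update(len(part).to_bytes(2, "big") + part)
    return d.digest()

def i2b(n):
    return n.to_bytes(2, "big")

def mask(k_auth):
    """Map K_auth to a nonzero element of Z_p for the stand-in cipher."""
    return int.from_bytes(k_auth, "big") % (P - 1) + 1

def mac(k_conf, tag, c, gy):
    return hmac.new(k_conf, tag + i2b(c) + i2b(gy), hashlib.sha256).digest()

def refined_dh_eke(client_pwd, server_pwd, x=None, y=None, idc=b"C", ids=b"S"):
    """Run both roles; return the shared K_sess, or None if either side aborts."""
    x = secrets.randbelow(P - 1) if x is None else x   # x in Z_{p-1}
    y = secrets.randbelow(Q) if y is None else y       # y in Z_q
    # Client -> Server: E_Kauth(h^x), here h^x times a key-derived mask (stand-in).
    ka_c = kdf(b"H1", client_pwd, idc, ids)
    c = pow(H, x, P) * mask(ka_c) % P
    # Server: unmask with its own K_auth, derive keys, reply with g^y and MAC "1".
    ka_s = kdf(b"H1", server_pwd, idc, ids)
    hx = c * pow(mask(ka_s), -1, P) % P
    km_s = pow(hx, y * ((P - 1) // Q), P)
    gy = pow(G, y, P)
    kconf_s = kdf(b"G1", i2b(km_s))
    mac1 = mac(kconf_s, b"1", c, gy)
    # Client: K_mstr = (g^y)^(x mod q); abort if MAC "1" does not verify.
    km_c = pow(gy, x % Q, P)
    kconf_c = kdf(b"G1", i2b(km_c))
    if not hmac.compare_digest(mac1, mac(kconf_c, b"1", c, gy)):
        return None
    # Server: abort if the client's MAC "2" does not verify.
    if not hmac.compare_digest(mac(kconf_c, b"2", c, gy), mac(kconf_s, b"2", c, gy)):
        return None
    ks_c, ks_s = kdf(b"G2", i2b(km_c)), kdf(b"G2", i2b(km_s))
    return ks_c if ks_c == ks_s else None
```

With a wrong password the server unmasks to a different group element, so its $K_{conf}$ differs and the client aborts at the first MAC; in a group this small a mismatch can still slip through by chance, which is one reason real parameters are large.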
Overview of TLS
• Client → Server: ClientHello
• Server → Client: ServerHello, Certificate*, ServerKeyExchange*, CertificateRequest*, ServerHelloDone
• Client → Server: Certificate*, ClientKeyExchange, CertificateVerify*, [ChangeCipherSpec], Finished
• Server → Client: [ChangeCipherSpec], Finished
• Client ↔ Server: Application Data
Integration of DH-EKE in TLS
Client (password pwd), Server ($v = (g^{*})^{K_{vrfy}}$, $K_{auth}$)
• Client → Server: ClientHello
• Server: choose $y, y' \in_R Z_q$
• Server → Client: ServerHello, ServerKeyExchange ($g^y$, $(g^{*})^{y'}$), ServerHelloDone
• Client: derive $K_{auth}$ and $K_{vrfy}$ from pwd and choose $x \in_R Z_{p-1}$
• Client → Server: ClientKeyExchange ($\hat{E}_{K_{auth}}(h^x)$)
• Client: calculate premaster secret $pms = H_3((g^y)^{x \pmod q}, ((g^{*})^{y'})^{K_{vrfy}})$
• Client → Server: [ChangeCipherSpec], Finished ($MAC_{G_3(pms)}(\hat{E}_{K_{auth}}(h^x), g^y, \ldots)$)
• Server: calculate premaster secret $pms = H_3((h^x)^{y((p-1)/q)}, v^{y'})$; accept if Finished OK
• Server → Client: [ChangeCipherSpec], Finished ($MAC_{G_4(pms)}(\hat{E}_{K_{auth}}(h^x), g^y, \ldots)$)
• Client: accept if Finished OK
• Client ↔ Server: Application Data
Notations
• $p, q$: Primes
• $g$: Generator in $Z_p$
• $h$: Generator in subgroup $G$ of $Z_p$ with order $q$
• $x, y$: Secret exponent $\in_R Z_q$
• $pwd$: Password / weak secret
• $K_{auth}$: Key derived from password ($= H_1(pwd, ID_C, ID_S)$)
• $v$: Verifier derived from password via one-way function
• $E_{pwd}$: Symmetric encryption with password as shared key
• $MAC_k(\ldots)$: Message Authentication Code on … with key $k$
• $H_i$: Pseudo-random functions
• $G_i$: Key derivation functions
• $K_{mstr}$: Master key for a session
• $K_{conf}$: Handshake confirmation key
• $K_{sess}$: Session key
Conclusion
• Password-based protocols
  • can be made secure
  • no (trusted) storage
  • minimal in infrastructure requirements
• Integration of DH-EKE in TLS
  • is as non-intrusive as possible
  • requires minimal number of flows
  • has competitive performance