
Secure password-based cipher suite for TLS: The importance of end-to-end security

Marie L.S. Dumont, CS 265


Presentation Transcript


  1. Secure password-based cipher suite for TLS: The importance of end-to-end security
     Marie L.S. Dumont, CS 265

  2. Why integration of DH-EKE in TLS?
     • Case Study: Web Banking
     • Authentication, Confidentiality and Integrity
     • Sending passwords on one-way authenticated SSL Channels
     • Heavy burden on the user
     • SSL with Client Certification
     • Requires proper protection of client's keys
     • SSL Channels with DH-EKE passwords
     • Resistant to (offline) dictionary attack
     • Eliminates the requirement of a PKI

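  3. Diffie-Hellman Encrypted Key Exchange (DH-EKE)
     Client (password pwd), Server (password pwd)
     • Client: $x \in_R Z_{p-1}$
     • Client → Server: $\hat{E}_{pwd}(h^x)$
     • Server: $y \in_R Z_{p-1}$, $K_{mstr} = (h^x)^y$, $C_1 \in_R \mathrm{domain}(E)$
     • Server → Client: $\hat{E}_{pwd}(h^y)$, $E_{K_{mstr}}(C_1)$
     • Client: $K_{mstr} = (h^y)^x$, $C_2 \in_R \mathrm{domain}(E)$
     • Client → Server: $E_{K_{mstr}}(C_1, C_2)$
     • Server: verify response
     • Server → Client: $E_{K_{mstr}}(C_2)$
     • Client: verify response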

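  4. Refined DH-EKE
     Client (password pwd), Server (password pwd)
     • Client: $x \in_R Z_{p-1}$, $K_{auth} = H_1(pwd, ID_C, ID_S)$
     • Client → Server: $\hat{E}_{K_{auth}}(h^x)$
     • Server: $y \in_R Z_q$, $K_{auth} = H_1(pwd, ID_C, ID_S)$, $K_{mstr} = (h^x)^{y((p-1)/q)}$, $K_{conf} = G_1(K_{mstr})$, $K_{sess} = G_2(K_{mstr})$
     • Server → Client: $g^y$, $MAC_{K_{conf}}(\text{“1”}, \hat{E}_{K_{auth}}(h^x), g^y)$
     • Client: $K_{mstr} = (g^y)^{x \bmod q}$, $K_{conf} = G_1(K_{mstr})$, $K_{sess} = G_2(K_{mstr})$; abort if MAC not OK
     • Client → Server: $MAC_{K_{conf}}(\text{“2”}, \hat{E}_{K_{auth}}(h^x), g^y)$
     • Server: abort if MAC not OK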

  5. Overview of TLS
     • Client → Server: ClientHello
     • Server → Client: ServerHello, Certificate*, ServerKeyExchange*, CertificateRequest*, ServerHelloDone
     • Client → Server: Certificate*, ClientKeyExchange, CertificateVerify*, [ChangeCipherSpec], Finished
     • Server → Client: [ChangeCipherSpec], Finished
     • Client ↔ Server: Application Data

  6. Integration of DH-EKE in TLS
     Client (password pwd), Server ($v = (g^*)^{K_{vrfy}}$, $K_{auth}$)
     • Client → Server: ClientHello
     • Server: choose $y, y' \in_R Z_q$
     • Server → Client: ServerHello, ServerKeyExchange ($g^y$, $(g^*)^{y'}$), ServerHelloDone
     • Client: derive $K_{auth}$ and $K_{vrfy}$ from pwd and choose $x \in_R Z_{p-1}$
     • Client → Server: ClientKeyExchange ($\hat{E}_{K_{auth}}(h^x)$)
     • Server: calculate premaster secret $pms = H_3((h^x)^{y((p-1)/q)}, v^{y'})$
     • [ChangeCipherSpec], Finished ($MAC_{G_3(pms)}(\hat{E}_{K_{auth}}(h^x), g^y, \ldots)$)
     • Client: calculate premaster secret $pms = H_3((g^y)^{x \bmod q}, ((g^*)^{y'})^{K_{vrfy}})$
     • accept if Finished OK
     • [ChangeCipherSpec], Finished ($MAC_{G_4(pms)}(\hat{E}_{K_{auth}}(h^x), g^y, \ldots)$)
     • accept if Finished OK
     • Application Data

  7. Notations
     • $p, q$: Primes
     • $g$: Generator in $Z_p$
     • $h$: Generator in subgroup $G$ of $Z_p$ with order $q$
     • $x, y$: Secret exponent $\in_R Z_q$
     • pwd: Password / weak secret
     • $K_{auth}$: Key derived from password ($= H_1(pwd, ID_C, ID_S)$)
     • $v$: Verifier derived from password via one-way function
     • $E_{pwd}$: Symmetric encryption with password as shared key
     • $MAC_k(\ldots)$: Message Authentication Code on … with key $k$
     • $H_i$: Pseudo-random functions
     • $G_i$: Key derivation functions
     • $K_{mstr}$: Master key for a session
     • $K_{conf}$: Handshake confirmation key
     • $K_{sess}$: Session key

  8. Conclusion
     • Password-based protocols
         • can be made secure
         • no (trusted) storage
         • minimal in infrastructure requirements
     • Integration of DH-EKE in TLS
         • is as non-intrusive as possible
         • requires minimal number of flows
         • has competitive performance
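
The refined DH-EKE exchange of slide 4, run end to end in Python as an added example (not code from the presentation). Assumptions: a constructed toy group in which h generates Z_p^* and g = h^((p-1)/q) generates the order-q subgroup (the reading the exponents on slide 4 require), SHA-256 and HMAC standing in for H1, G1, G2 and MAC, multiplicative masking standing in for Ê, and hypothetical function names.

```python
import hashlib, hmac, secrets

# Constructed toy group, far too small for real use: p = 2q + 1 is a safe prime,
# h = 2 generates Z_p^*, and g = h^((p-1)/q) generates the subgroup of order q.
P, Q, H = 1019, 509, 2
G = pow(H, (P - 1) // Q, P)

def kdf(label, *parts):
    """Stand-in for the slide's H1 / G1 / G2: SHA-256 over a label and the inputs."""
    return hashlib.sha256(b"|".join([label, *parts])).digest()

def mask(k_auth):
    """Map K_auth to an element of Z_p^* for the stand-in cipher below."""
    return int.from_bytes(kdf(b"mask", k_auth), "big") % (P - 1) + 1

def enc(k_auth, m):  # stand-in for Ê: multiplicative masking in Z_p^*
    return m * mask(k_auth) % P

def dec(k_auth, c):  # any key yields a valid group element, so a guess has nothing to check against
    return c * pow(mask(k_auth), -1, P) % P

def mac(k_conf, tag, c, gy):
    msg = b"|".join([tag, str(c).encode(), str(gy).encode()])
    return hmac.new(k_conf, msg, "sha256").digest()

def session_keys(k_mstr):
    km = str(k_mstr).encode()
    return kdf(b"G1", km), kdf(b"G2", km)  # (K_conf, K_sess)

def run_handshake(client_pwd, server_pwd, id_c=b"client", id_s=b"server"):
    """Run both sides of slide 4; return (client K_sess, server K_sess), or None on abort."""
    # Client: x in Z_{p-1}, K_auth = H1(pwd, ID_C, ID_S); sends Ê_Kauth(h^x)
    x = secrets.randbelow(P - 1)
    c = enc(kdf(b"H1", client_pwd, id_c, id_s), pow(H, x, P))
    # Server: y in Z_q (0 skipped here), K_mstr = (h^x)^(y(p-1)/q); sends g^y and MAC "1"
    y = 1 + secrets.randbelow(Q - 1)
    hx = dec(kdf(b"H1", server_pwd, id_c, id_s), c)
    kconf_s, ksess_s = session_keys(pow(hx, y * ((P - 1) // Q), P))
    gy = pow(G, y, P)
    mac1 = mac(kconf_s, b"1", c, gy)
    # Client: K_mstr = (g^y)^(x mod q); abort if MAC "1" is wrong, else send MAC "2"
    kconf_c, ksess_c = session_keys(pow(gy, x % Q, P))
    if not hmac.compare_digest(mac1, mac(kconf_c, b"1", c, gy)):
        return None
    mac2 = mac(kconf_c, b"2", c, gy)
    # Server: abort if MAC "2" is wrong
    if not hmac.compare_digest(mac2, mac(kconf_s, b"2", c, gy)):
        return None
    return ksess_c, ksess_s
```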
