
Verifier-Based Password-Authenticated Key Exchange


Presentation Transcript


  1. Verifier-Based Password-Authenticated Key Exchange. Jeong Ok Kwon, December 17th, 2005

  2. Motivation [figure: two parties sharing a session key sk for data privacy/integrity] • A fundamental problem in cryptography is how to communicate securely over an insecure channel.

  3. Motivation • How can we obtain a secret session key? • Public-key encryption or signatures: their cost is too high for certain applications. • Password-Authenticated Key Exchange (PAKE): share a secret key between specified parties using just a human-memorable password. • convenience, mobility, and lower hardware requirements • no security infrastructure (no PKI) required

  4. Intrinsic Problem • Low entropy of passwords • e.g., 4 to 8 characters, such as a natural-language phrase that is easy to memorize. • So they are susceptible to dictionary attacks: • On-line dictionary attacks (each guess requires an interaction with a party, so the server can detect and throttle them) • Off-line dictionary attacks (guesses are checked against a recorded transcript, with no interaction and no way for the server to notice) • Even tiny amounts of redundancy in the flows of the protocol could be used by the adversary to mount dictionary attacks. -> A PAKE protocol must be immune to off-line attacks.

  5. Classification for PAKE

  6. Our work is about • the Client/Server model • Verifier-based PAKE • for two-party with same passwords • for two-party with different passwords • for multi-party with different passwords

  7. [Figure: 2-party with same password: U1 (pw1) and the Server share sk]

  8. [Figure: 2-party with different passwords: U1 (pw1), U2 (pw2) and the Server; U1 and U2 share sk]

  9. [Figure: multi-party with different passwords: U1 (pw1), U2 (pw2), U3 (pw3), U4 (pw4) form a group with a common sk]

  10. Symmetric model vs. Verifier-based model [figure: U1 holds pw1, U2 holds pw2; the server holds (pw1)] • Symmetric model • the server stores a plaintext form of the password. • Asymmetric model (or verifier-based) • the server stores a verifier for the password.

  11. Symmetric model vs. Verifier-based model • Asymmetric model (or verifier-based) • the server stores a verifier for the password. A verifier is information computed from the password: it is computable from the password, whereas recovering the password from the verifier is infeasible in polynomial time.

  12. Symmetric model vs. Verifier-based model • Asymmetric model (or verifier-based) • it is designed to protect against server compromise, so that an attacker who is able to steal the password file from the server cannot later masquerade as a legitimate user without first performing a dictionary attack.


  14. Symmetric model vs. Verifier-based model • Asymmetric model (or verifier-based) • even if the password file is compromised, the attacker still has to perform an additional off-line dictionary attack to find the clients' passwords. • This gives the server's administrator time to react and to inform its clients, which reduces the damage of the compromise.

  15. Comparison with the related verifier-based protocols [comparison table not reproduced in the transcript; legend: |p|: length of a prime of Zp*, |l|: length of the output of a hash/MAC function, n: number of members in a group]

  16. Comparison with the related verifier-based protocols. Password-based protocols submitted to IEEE P1363.2 (Password-based Techniques): http://grouper.ieee.org/groups/1363/passwdPK/purpose.html
  [B-SPEKE] D. Jablon, "Extended password key exchange protocols immune to dictionary attack," WETICE'97 Workshop on Enterprise Security, 1997.
  [SRP] T. Wu, "Secure remote password protocol," Proceedings of the ISOC NDSS Symposium, pp. 99-111, 1998.
  [AMP] T. Kwon, "Authentication and key agreement via memorable password," Proceedings of the ISOC NDSS Symposium, 2001.
  [PAK-Z] P. MacKenzie, "The PAK suite: Protocols for Password-Authenticated Key Exchange," http://grouper.ieee.org/groups/1363/passwdPK/contributions.html#Mac02, April 2002.
  [EPA] Y. H. Hwang, D. H. Yum, and P. J. Lee, "EPA: An Efficient Password-Based Protocol for Authenticated Key Exchange," ACISP 2003.
  [VB-EKE] M. Abdalla, O. Chevassut, and D. Pointcheval, "One-time Verifier-based Encrypted Key Exchange," PKC 2005.

  18. Comparison with the related verifier-based protocols (continued). The focus of this work is to construct secure and round-efficient verifier-based PAKE protocols for 2-/multi-party with different passwords.

  20. Preliminary for our protocols • Public information • G: a finite cyclic group of order q • p: a safe prime, p = 2q+1 • g1, g2: generators of G • H: a collision-resistant one-way hash function • Mac = (Key.gen, Mac.gen, Mac.ver): a secure message authentication code • Initialization step • Ui selects a password pwi • Ui registers vi,1 = g1^H(Ui||S||pwi) mod p and vi,2 = g2^H(Ui||S||pwi) mod p (the verifiers of the password) with the server S over a secure channel. • S stores them in a password file with an entry for each user Ui.
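The initialization step above, worked through as an added example (editorial code, not from the slides and not the author's protocol code). It computes the two verifiers vi,1 and vi,2 for a user, puts them in the server's password file, and then plays the thief of that file, who can only recover a password by re-running registration against a word list, one user at a time; that is the server-compromise property that slides 12, 14 and 32 describe. Assumptions not on the slides: SHA-256 stands in for H, the fields of Ui||S||pwi are length-prefixed before hashing, the safe prime is only 64 bits so the parameter search runs in milliseconds, the generators are the small squares 2^2 and 3^2, and the password file and word list are constructed for the demo.

```python
"""Added example (editorial, not the slides' code): verifier registration for a
verifier-based PAKE and the off-line dictionary attack that a stolen password
file still forces on the attacker.  Toy parameters; see the comments."""
import hashlib

# Fixed Miller-Rabin bases: the test is exact for every n below 3.3e24, which
# covers the 64-bit toy modulus used here.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def setup(start: int = 2**63) -> dict:
    """Public information: a safe prime p = 2q + 1 and two generators of the
    order-q subgroup G of Zp*.  ASSUMPTION: 64-bit size for speed only; a real
    deployment uses a standard safe-prime group of at least 2048 bits."""
    q = (start // 2) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    # With p = 2q + 1 every non-trivial square mod p has order q, so squares of
    # small integers generate G (ASSUMPTION: 2^2 and 3^2 are used here).
    g1, g2 = pow(2, 2, p), pow(3, 2, p)
    assert 1 not in (g1, g2) and pow(g1, q, p) == 1 and pow(g2, q, p) == 1
    return {"p": p, "q": q, "g1": g1, "g2": g2}


def _encode(*fields: str) -> bytes:
    # Length-prefix each field so the concatenation U||S||pw cannot be ambiguous
    # (the slide writes plain ||; the prefixing is an editorial choice).
    return b"".join(len(f).to_bytes(2, "big") + f for f in (s.encode() for s in fields))


def password_exponent(user: str, server: str, pw: str, q: int) -> int:
    """x = H(Ui || S || pwi) with SHA-256 standing in for H (ASSUMPTION).  The
    digest is mapped into [1, q-1]; this toy mapping just avoids exponent 0."""
    h = hashlib.sha256(_encode(user, server, pw)).digest()
    return 1 + int.from_bytes(h, "big") % (q - 1)


def register(params: dict, user: str, server: str, pw: str) -> tuple:
    """Client side of the initialization step: returns (v1, v2) = (g1^x, g2^x)
    mod p, which the client sends to S over a secure channel; pw never leaves."""
    x = password_exponent(user, server, pw, params["q"])
    return pow(params["g1"], x, params["p"]), pow(params["g2"], x, params["p"])


def offline_dictionary_attack(params, user, server, stolen, wordlist):
    """What the thief of the password file is left with: re-run registration for
    each guess and compare with the stolen entry.  Returns (password or None,
    guesses tried)."""
    for tried, guess in enumerate(wordlist, 1):
        if register(params, user, server, guess) == stolen:
            return guess, tried
    return None, len(wordlist)


def demo() -> dict:
    params = setup()
    server_id = "S"
    # Constructed password file: two users, same weak password.
    password_file = {
        "alice": register(params, "alice", server_id, "letmein"),
        "bob": register(params, "bob", server_id, "letmein"),
    }
    # Constructed word list standing in for a real dictionary.
    wordlist = ["123456", "password", "qwerty", "letmein", "dragon"]
    found, tried = offline_dictionary_attack(
        params, "alice", server_id, password_file["alice"], wordlist)
    return {"params": params, "file": password_file, "found": found, "tried": tried}


if __name__ == "__main__":
    result = demo()
    print("p bits:", result["params"]["p"].bit_length())
    print("alice == bob verifiers?", result["file"]["alice"] == result["file"]["bob"])
    print("recovered:", result["found"], "after", result["tried"], "guesses")
```

Because Ui and S are hashed together with the password, the verifier behaves like a salted password hash: Alice's and Bob's entries differ even though they chose the same password, so a precomputed table is useless and every stolen entry costs the attacker a fresh dictionary run. In the symmetric model the same theft would hand over the passwords directly. The toy modulus means discrete logarithms are cheap here, so only the dictionary-attack aspect is meaningful at this size; a deployment would use a standard safe-prime group of at least 2048 bits and, as is usual when a protocol relies on two independent generators, derive g2 so that nobody knows log_g1(g2).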

  21. Verifier-based PAKE for 2-party with same passwords [figure: two rounds R1, R2 between U1 and the Server]

  22. Verifier-based PAKE for 2-party with different passwords • Motivation • PAKE for 2-party with same passwords: if a user wants to communicate securely with many users, the number of passwords the user needs to memorize grows linearly with the number of possible partners.

  23. Verifier-based PAKE for 2-party with different passwords • Motivation • PAKE for 2-party with different passwords • each user shares a password only with a trusted server. • the trusted server helps the users with different passwords to agree on a common session key.

  24. Verifier-based PAKE for 2-party with different passwords [figure: three rounds R1, R2, R3 among U1, the Server and U2]

  25. Verifier-based PAKE for multi-party with different passwords • Motivation • PAKE for multi-party with same passwords [figure: a group sharing one password pw and a group key sk] • if a user wants to communicate securely with many groups, the number of passwords the user needs to memorize grows linearly with the number of possible groups. • the members have to share a new password whenever one of them wants to communicate securely with a new group.

  26. Verifier-based PAKE for multi-party with different passwords • Motivation • PAKE for multi-party with different passwords [figure: U1 (pw1), U2 (pw2), U3 (pw3), U4 (pw4) form a group with sk] • each user shares a password only with a trusted server. • the trusted server helps the users with different passwords to agree on a group key.

  27. Verifier-based PAKE for multi-party with different passwords [figures, slides 27-31: round R1 and round R2 between U1, U2, U3, U4 and the Server; round R3 among U1, U2, U3, U4]

  32. Security Goal: Verifier-based PAKE • Security against dictionary attacks • passive eavesdropping does not help the adversary compute any information about the password. • only active interactions with protocol instances give the adversary information about the password. • Key secrecy • no computationally bounded adversary (including the server) should learn anything about session keys shared between honest parties. • Resistance to server-compromise attack • even if an adversary steals the password file from the server, it still cannot impersonate a user without performing a dictionary attack on the stolen file.

  33. Security Goal: Verifier-based PAKE • Forward secrecy • exposure of a password does not compromise previously established session keys. • Resistance to the Denning-Sacco attack • even with the session key of an eavesdropped session, an adversary cannot gain the ability to impersonate the user directly. • an outsider cannot use compromised session keys, successfully established between honest entities, to mount off-line dictionary attacks against users' passwords. • an insider who knows its own password learns nothing about other users' passwords from a session key it successfully established with them.

  34. Q & A Thank you !
