170 likes | 280 Views
CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005. The N/R One Time Password System By Vipul Goyal OSP Global Mumbai, India Coauthors: Ajith Abraham, Sugata Sanyal and Sang Yong Han. CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005.
E N D
CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 The N/R One Time Password System By Vipul Goyal OSP Global Mumbai, India Coauthors: Ajith Abraham, Sugata Sanyal and Sang Yong Han
CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 Introduction • Authentication for mobile devices needs to be efficient and low cost • Needs to prevent against two major attacks: eavesdropping and server compromise
CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 Introduction contd .. • Lamport used just one way hash functions to design a very efficient authentication scheme called one time passwords (OTP) • Interestingly, it is secure against both eavesdropping and server compromise without using public key cryptography • The only scheme of its type
CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 One time passwords • Setup phase: recursively hash the password n times to obtain a hash chain tip T T = h(h(….h(p)…)) (also denoted as hn(p) ) • The server stores T and client stores the password p • No need to keep T secret • n represents the number of times the client may login
CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 One time passwords contd.. • Operation Phase: For the i th authentication, user computes hn-i(p) and sends to the server as a one time password • Server hashes the received OTP and matches with the one stored in its own database (which would be the last OTP sent) • Match signifies success, server replaces the OTP in its database with the received one
CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 One time passwords contd.. • OTPs are secure because of non-invertiblity of the hash function used • Impossible to compute the next OTP by knowing all the previously used OTPs
CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 Problems with OTPs • Computation might be prohibitive for mobile devices as its computation requires n/2 hash function evaluations on an average • System re-initialization required after n authentications • n cannot be made very large due to computational requirements
CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 Our system • Basic idea is to have the server aid the client computation by sending a value whenever it attempts to login • Uses a new construction of hash chains in which, a ‘breakpoint’ is inserted after a fixed number of links • The server stores the links on which the breakpoint is inserted, one of these links is passed to client at the login time to aid computation
CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 System overview • Denote with N the number of times a user may login. This is equal to the length of the hash chain • R is the server storage required • N/R will be the maximum number of hash function evaluations required by the client (in contrast to N in OTPs0 • Average number of hash operations will be N/2R
CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 Simplified system description • First define a function Иx(p) using the following recurrence relation: Иk+1(p) = h(Иk(p) + δ*p) where δ = 1 for k = i(N-N%R)/R = 0 for k ≠ i(N-N%R)/R and, И0(p) = p
CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 System description contd .. • Consider links where δ = 1 • Password knowledge will be required to find Иk+1(p) from Иk(p) for such links • Note that it is never possible to compute Иk-1(p) from Иk(p) • Thus, links with δ = 1 are not security sensitive
CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 System setup • Client computes the hash chain using the formula given (i.e. computes ИN(p) ) • Server stores the tip ИN(p) as well as all non-security sensitive links • No secrets stored at the server
CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 System operation (for tth login) • Client identifies himself • Server sends (n , Иk(p)) where n = (N-t)%R with n ≠ 0 and k = N-t-n • Client simply computes Иk+n(p) and sends it back as the OTP Иk+n(p) = hn(Иk(p) + p)
CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 System operation contd .. • Server hashes the received OTP and matches it with the last one stored in its database • In case of success, server overwrites the last OTP with that received • Value of t is incremented
CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 Protocol figure
CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 Comparison • Host computation decreases by a factor of R at the cost of increasing the server storage by the same factor. Hence value of R is a system tradeoff. • Server computation remains the same • Protocol is more practical for mobile devices and it becomes possible to choose a high value of N
CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 Thank You