Passwordbased authenticated key exchange - PowerPoint PPT Presentation

1 / 15
About This Presentation
Title:

Passwordbased authenticated key exchange

Description:

'Public-key cryptography and password protocols', Shai Halevi and Hugo Krawczyk, ... Can initiate sessions with the server while pretending to be a legitimate client ... – PowerPoint PPT presentation

Number of Views:38
Avg rating:3.0/5.0
Slides: 16
Provided by: shxu
Category:

less

Transcript and Presenter's Notes

Title: Passwordbased authenticated key exchange


1
Password-based authenticated key exchange
  • Ravi Sandhu

2
Variations
  • Public-key cryptography must be used
  • Public-key cryptography and password protocols,
    Shai Halevi and Hugo Krawczyk, ACM Transactions
    on Information and System Security (TISSEC),
    Volume 2 , Issue 3 (August 1999), Pages 230 -
    268
  • Two variations
  • No public-key certificates (no PKI)
  • Use public-key certificates (requires PKI)

3
References
  • http//www.integritysciences.com/links.html
  • Comprehensive and long list of references
  • Principal reference for this lecture.
  • S. M. Bellovin and M. Merritt, Encrypted Key
    Exchange Password-Based Protocols Secure Against
    Dictionary Attacks, Proceedings of the I.E.E.E.
    Symposium on Research in Security and Privacy,
    Oakland, May 1992.
  • This is not your grandmothers network
    login Jab96

4
Broken approaches use password
directly(authentication only)
  • Original Telnet - vulnerable to eavesdropping

pwd
Client
Server
  • Challenge-Response

challenge
Client
Server
h(challenge,pwd)
5
Broken approaches use hashed password
(authentication only)
  • Challenge-Response

challenge
Client
Server
h(challenge,f(pwd))
  • Dont need to store cleartext password on the
    server
  • Dictionary attack on f(pwd) stored at server
    remains a vulnerability

6
Kerberos is vulnerable
Request TC,TGS
Authentication Server
TC,TGS, ENCkC(TGS, kC,TGS, )
kTGS
TC,TGS, ENCkC,TGS(authenticator)
Ticket Granting Server (kTGS)
Client
ENCkC,TGS(kC,S, )
kS
Communication under kC,S
Server (kS)
The trouble kC is defined to be some one-way
function of password!
7
Patels classification (Pat97)
  • Querying attacker
  • Can initiate sessions with the server while
    pretending to be a legitimate client
  • Eavesdropping attacker
  • Can eavesdrop on legitimate runs of the protocol
  • Active attacker
  • Can intercept, drop, insert packets

8
SSL (and SSH) solution(need PKI)
Server-side SSL
Client
Server
pwd
Client
Server
  • Needs PKI
  • Has its pitfalls

9
Pre-EKE use password directly(authentication
and key exchange)
User (pwd)
Server (pwd)
U
ENCpwd(random)
ENCrandom(challengeU)
ENCrandom(challengeU, challengeS)
ENCrandom(challengeS)
10
EKE DH version BM92
User (pwd)
Server (pwd)
U, ENCpwd(gx)
K f(gxy)
ENCpwd(gy), ENCk(challengeS)
K f(gxy)
ENCk(challengeU, challengeS)
ENCk(challengeU)
11
EKE DH version BM92
  • Potential problems Patel, SP97
  • If an active attacker, instead of sending g and
    p in clear, chooses to send gd and p such that d
    is a small prime and d(p-1). Then, (gdy)(p-1)/d
    1 mod p. When the attacker receives the
    password encrypted ENCpwd(gy), he tries to
    decrypt it with different candidate passwords and
    raises the decrypted number to (p-1)/d. If the
    result is not 1 then that password is rejected.
    Since (p-1)/d number out of p-1 number will be
    dth power residue, hence 1/d numbers on average
    will be congruent to 1 when raised to (p-1)/d. At
    each session the possible space of password is
    reduced to 1/d and the space of valid passwords
    will be narrowed to 1 at a logarithm rate
    (typically, logp).
  • Avoidance The success of the attack is due to
    the fact that gd is not a generator. To find a
    generator g it is necessary and sufficient to
    check that g(p-1)/m ? 1 mod p for all factors m
    of p-1.

12
BPR Eurocrypt2000
User (pwd)
Server (pwd)
U, ENCpwd(gx)
k f(u,s, gx,gy,gxy)
ENCpwd(gy), H(k, 1)
k f(u,s, gx,gy,gxy)
H(k,2)
k H(k,0) sid A, ENCpwd(gx), B,
ENCpwd(gy) pid B
k H(k,0) sid A, ENCpwd(gx), B,
ENCpwd(gy) pid A
13
BPR Eurocrypt2000
BM92 proved secure (in ROM and ICM) Theorem.
Let qse, qre, qco, qex, qor be integers and let q
qse qre qco qex qor. Let Password be a
finite set of size N and assume (G)1/2/q ? N ?
1. Let PW be the associated LL-key generator as
discussed above, SK be the associated session key
space. Assume the weak corruption model.
The AdvfsP,PW,SK(t,qse,qre,qco,qex,qor) lt qse/N
qse qor AdvdhG,g(t,qor) O(q2)/G
O(1)/(G)1/2 Where t t O(qseqor).
14
SPEKE Jablon, CCR96
User (pwd)
Server (pwd)
U, f(pwd)x
k h(f(pwd)xy))
f(pwd)y
k h(f(pwd)xy))
ENCk(challengeU)
ENCk(challengeU, challengeS)
ENCk(challengeS)
15
MacK01b
In this paper we prove (in the random oracle
model) that a certain instantiation of the SPEKE
protocol that uses hashed passwords instead of
non-hashed passwords is a secure
password-authenticated key exchange protocol
(using our relaxed definition) based on a new
assumption, the Decision Inverted-Additive
Diffie-Hellman assumption. Since this is a new
security assumption, we investigate its security
and relation to other assumptions specifically
we prove a lower bound for breaking this new
assumption in the generic model, and we show that
the computational version of this new assumption
is equivalent to the Computational Diffie-Hellman
assumption.
Write a Comment
User Comments (0)
About PowerShow.com