ReIntroducing Strong Password Protocols - PowerPoint PPT Presentation

About This Presentation
Title:

ReIntroducing Strong Password Protocols

Description:

In a strong password protocol, someone impersonating Alice or Bob, or ... If someone stole the server database, they would be able to directly impersonate ... – PowerPoint PPT presentation

Slides: 18
Provided by: RadiaP1
Learn more at: https://www.ietf.org
Transcript and Presenter's Notes


1
(Re)Introducing Strong Password Protocols
  • Radia Perlman
  • Radia.Perlman_at_sun.com

2
What's a strong password protocol?
  • Alice and Bob share a weak secret (W), a password
  • In a strong password protocol, someone
    impersonating Alice or Bob, or eavesdropping,
    cannot capture a quantity with which to do a
    dictionary attack

3
Example non-strong password protocol
Alice: knows W
Bob: knows (Alice, W)
Alice -> Bob: I'm Alice
Bob -> Alice: Challenge R
Alice -> Bob: H(W,R)
4
Example non-strong password protocol
Alice: knows W
Bob: knows (Alice, W)
Alice -> Bob: I'm Alice
Bob -> Alice: Challenge R
Alice -> Bob: h(W,R)
Note: someone impersonating Bob, or eavesdropping, can test passwords to see if
response h(W,R) matches R
5
First strong password protocol EKE
  • Bellovin-Merritt
  • Encrypt Diffie-Hellman exchange with W

6
EKE
Alice: knows W
Bob: knows (Alice, W)
Alice -> Bob: I'm Alice, {g^A mod p}_W
Bob -> Alice: {g^B mod p}_W
Alice <-> Bob: mutual exchange based on g^AB
7
EKE
Alice: knows W
Bob: knows (Alice, W)
Alice -> Bob: I'm Alice, {g^A mod p}_W
Bob -> Alice: {g^B mod p}_W
Alice <-> Bob: mutual exchange based on g^AB
Note: someone impersonating Bob, or eavesdropping, cannot do a dictionary attack.
Would have to break Diffie-Hellman
8
EKE
Alice: knows W
Bob: knows (Alice, W)
Alice -> Bob: I'm Alice, {g^A mod p}_W
Bob -> Alice: {g^B mod p}_W
Alice <-> Bob: mutual exchange based on g^AB
Note: someone impersonating Bob, or eavesdropping, cannot do a dictionary attack.
Would have to break Diffie-Hellman
Note: Alice or Bob could do one on-line password guess, and
verify if they are right
9
Variants of EKE
  • SPEKE (Jablon): replace g in Diffie-Hellman
    with W

Alice: knows W
Bob: knows (Alice, W)
Alice -> Bob: I'm Alice, W^A mod p
Bob -> Alice: W^B mod p
Alice <-> Bob: mutual exchange based on W^AB
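
The SPEKE exchange on this slide, together with the slide 8 note that a wrong password costs exactly one on-line guess, as an added example that is not part of the original slides. Assumptions, since the slides name none of them: the RFC 3526 1536-bit safe-prime group, a SHAKE-256 password-to-base mapping followed by squaring, SHA-256 key derivation, an HMAC confirmation tag, and the hypothetical names `Party`, `base_from_password`, `confirm` and `run_exchange`.

```python
import hashlib
import hmac
import secrets

# Assumption: 1536-bit MODP safe prime from RFC 3526 (group 5); the slides
# name no group. P = 2Q + 1 with Q prime.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2


def base_from_password(pwd: str) -> int:
    """Map the weak secret to the DH base W; squaring lands in the order-Q subgroup."""
    h = int.from_bytes(hashlib.shake_256(pwd.encode()).digest(192), "big")
    return pow(h % P, 2, P)


class Party:
    def __init__(self, pwd: str):
        self.w = base_from_password(pwd)
        self.x = secrets.randbelow(Q - 1) + 1   # private exponent A or B
        self.public = pow(self.w, self.x, P)    # W^A mod p, sent in the clear

    def session_key(self, peer_public: int) -> bytes:
        # Reject 0, 1 and p-1: they would force a predictable shared value.
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid peer value")
        shared = pow(peer_public, self.x, P)    # W^AB mod p
        return hashlib.sha256(shared.to_bytes(192, "big")).digest()


def confirm(key: bytes, role: bytes) -> bytes:
    """Key-confirmation tag for the 'mutual exchange based on W^AB' step."""
    return hmac.new(key, b"confirm:" + role, hashlib.sha256).digest()


def run_exchange(alice_pwd: str, bob_pwd: str) -> bool:
    alice, bob = Party(alice_pwd), Party(bob_pwd)
    ka = alice.session_key(bob.public)
    kb = bob.session_key(alice.public)
    # Bob checks Alice's tag; it matches only if both sides used the same W.
    return hmac.compare_digest(confirm(ka, b"alice"), confirm(kb, b"alice"))
```

A `False` result is the single on-line guess the slides mention: the party who guessed wrong learns only that this one candidate failed, and the peer can count the failure.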
10
Variants of EKE
  • PDM (Kaufman, Perlman): derive p
    deterministically from W

Alice: knows pwd, derives p
Bob: knows (Alice, p)
Alice -> Bob: I'm Alice, 2^A mod p
Bob -> Alice: 2^B mod p
Alice <-> Bob: mutual exchange based on 2^AB
11
Augmented feature
  • In EKE, SPEKE, and PDM, server knows W
  • If someone stole the server database, they would
    be able to directly impersonate the user (without
    a dictionary attack)
  • Augmented feature: server database doesn't
    completely divulge W (but allows a dictionary
    attack)
  • Many ways to do this

12
Example augmented PDM
Alice: knows pwd, derives p
Bob: knows for Alice: p, {Alice's priv}_pwd, Alice's public key
Alice -> Bob: I'm Alice, 2^A mod p
Bob -> Alice: 2^B mod p, challenge R, {{Alice's priv}_pwd}_(2^AB mod p)
Alice -> Bob: sign R with private key, mutual exchange based on 2^AB
Bob: verifies Alice's sig
13
Augmented protocols
  • All of EKE, SPEKE, PDM can be made augmented
  • SRP only has an augmented form
  • There are other variants of strong password
    protocols

14
What would one do with a strong password protocol?
  • One could directly authenticate with it
  • One could do credential download
  • Use it to download Alice's private key, and then
    everything else follows once she knows her
    private key
  • Everything else she needs can be stored encrypted
    and/or signed
  • Authentication would be done with traditional
    public key

15
Credential download (based on EKE)
Bob: knows for Alice: W, CRED = {Alice's priv}_pwd
Alice: knows pwd, derives W
Alice -> Bob: I'm Alice, {g^A mod p}_W
Bob -> Alice: g^B mod p, {CRED}_(g^AB mod p)
Note: only need 2 msgs
16
Other things
  • Alice can customize her password for each site
    (use W_servername = h(pwd, servername)) at site
    servername
  • But if you just use strong password protocols to
    obtain Alice's private key, she can authenticate
    to all other sites using public key

17
Why don't we use strong password protocols?
  • Possible IPR
  • TLS with non-strong password protocol good
    enough in practice