Title: Passwordbased authenticated key exchange
1Password-based authenticated key exchange
2Variations
- Public-key cryptography must be used
- Public-key cryptography and password protocols,
Shai Halevi and Hugo Krawczyk, ACM Transactions
on Information and System Security (TISSEC),
Volume 2 , Issue 3 (August 1999), Pages 230 -
268 - Two variations
- No public-key certificates (no PKI)
- Use public-key certificates (requires PKI)
3References
- http//www.integritysciences.com/links.html
- Comprehensive and long list of references
- Principal reference for this lecture.
- S. M. Bellovin and M. Merritt, Encrypted Key
Exchange Password-Based Protocols Secure Against
Dictionary Attacks, Proceedings of the I.E.E.E.
Symposium on Research in Security and Privacy,
Oakland, May 1992. - This is not your grandmothers network
login Jab96
4Broken approaches use password
directly(authentication only)
- Original Telnet - vulnerable to eavesdropping
pwd
Client
Server
challenge
Client
Server
h(challenge,pwd)
5Broken approaches use hashed password
(authentication only)
challenge
Client
Server
h(challenge,f(pwd))
- Dont need to store cleartext password on the
server - Dictionary attack on f(pwd) stored at server
remains a vulnerability
6Kerberos is vulnerable
Request TC,TGS
Authentication Server
TC,TGS, ENCkC(TGS, kC,TGS, )
kTGS
TC,TGS, ENCkC,TGS(authenticator)
Ticket Granting Server (kTGS)
Client
ENCkC,TGS(kC,S, )
kS
Communication under kC,S
Server (kS)
The trouble kC is defined to be some one-way
function of password!
7Patels classification (Pat97)
- Querying attacker
- Can initiate sessions with the server while
pretending to be a legitimate client - Eavesdropping attacker
- Can eavesdrop on legitimate runs of the protocol
- Active attacker
- Can intercept, drop, insert packets
8SSL (and SSH) solution(need PKI)
Server-side SSL
Client
Server
pwd
Client
Server
- Needs PKI
- Has its pitfalls
9Pre-EKE use password directly(authentication
and key exchange)
User (pwd)
Server (pwd)
U
ENCpwd(random)
ENCrandom(challengeU)
ENCrandom(challengeU, challengeS)
ENCrandom(challengeS)
10EKE DH version BM92
User (pwd)
Server (pwd)
U, ENCpwd(gx)
K f(gxy)
ENCpwd(gy), ENCk(challengeS)
K f(gxy)
ENCk(challengeU, challengeS)
ENCk(challengeU)
11EKE DH version BM92
- Potential problems Patel, SP97
- If an active attacker, instead of sending g and
p in clear, chooses to send gd and p such that d
is a small prime and d(p-1). Then, (gdy)(p-1)/d
1 mod p. When the attacker receives the
password encrypted ENCpwd(gy), he tries to
decrypt it with different candidate passwords and
raises the decrypted number to (p-1)/d. If the
result is not 1 then that password is rejected.
Since (p-1)/d number out of p-1 number will be
dth power residue, hence 1/d numbers on average
will be congruent to 1 when raised to (p-1)/d. At
each session the possible space of password is
reduced to 1/d and the space of valid passwords
will be narrowed to 1 at a logarithm rate
(typically, logp). - Avoidance The success of the attack is due to
the fact that gd is not a generator. To find a
generator g it is necessary and sufficient to
check that g(p-1)/m ? 1 mod p for all factors m
of p-1.
12BPR Eurocrypt2000
User (pwd)
Server (pwd)
U, ENCpwd(gx)
k f(u,s, gx,gy,gxy)
ENCpwd(gy), H(k, 1)
k f(u,s, gx,gy,gxy)
H(k,2)
k H(k,0) sid A, ENCpwd(gx), B,
ENCpwd(gy) pid B
k H(k,0) sid A, ENCpwd(gx), B,
ENCpwd(gy) pid A
13BPR Eurocrypt2000
BM92 proved secure (in ROM and ICM) Theorem.
Let qse, qre, qco, qex, qor be integers and let q
qse qre qco qex qor. Let Password be a
finite set of size N and assume (G)1/2/q ? N ?
1. Let PW be the associated LL-key generator as
discussed above, SK be the associated session key
space. Assume the weak corruption model.
The AdvfsP,PW,SK(t,qse,qre,qco,qex,qor) lt qse/N
qse qor AdvdhG,g(t,qor) O(q2)/G
O(1)/(G)1/2 Where t t O(qseqor).
14SPEKE Jablon, CCR96
User (pwd)
Server (pwd)
U, f(pwd)x
k h(f(pwd)xy))
f(pwd)y
k h(f(pwd)xy))
ENCk(challengeU)
ENCk(challengeU, challengeS)
ENCk(challengeS)
15MacK01b
In this paper we prove (in the random oracle
model) that a certain instantiation of the SPEKE
protocol that uses hashed passwords instead of
non-hashed passwords is a secure
password-authenticated key exchange protocol
(using our relaxed definition) based on a new
assumption, the Decision Inverted-Additive
Diffie-Hellman assumption. Since this is a new
security assumption, we investigate its security
and relation to other assumptions specifically
we prove a lower bound for breaking this new
assumption in the generic model, and we show that
the computational version of this new assumption
is equivalent to the Computational Diffie-Hellman
assumption.