Efficient Short-Password Key Exchange (ESP-KE)

1
Efficient Short-Password Key Exchange(ESP-KE)

• Proposed in 2001 by Michael Scott
• Problem We want a key-exchange protocol
  whichmakes Man-in-the-Middle attacks easily
  detected
• Solution Both parties share a small secret that
  the MITM cannot guess without revealing his
  presence.

2
ESP-KE - Setup(Some Number Theory Required)

• Global Parameters ?, ?, p and q
• Let p be a prime (of say 1024 bits)
• Let q be a prime divisor of p-1 (of say 160
  bits).
• ? and ? are unrelated generators the prime-order
  sub-group of order q.
• If ? and ? are related, there's a successful
  off-line dictionary attack. Scott01
• Password is on the order of 16-bits.

3
ESP-KE - Protocol(Note that the password P ltlt q)

• Bob Generate random b in 1, q). B
  ?b mod p?B If A0 Abort k (A ?P)b mod
  p Mb H(0, k, P)?Mb If H(1, k, P) ? Ma
  Abort

• AliceGenerate random a in 1, q).A ?a / ?P
  mod p A?k Ba mod pIf H(0, k, P) ? Mb
  AbortMa H(1, k, P) Ma?

• Session key k ?ab for both Alice and Bob.

4
Interesting Properties

• With P0, then ESP-KE is a simple Diffie-Hellman
  Key exchange.
• Small Protocol Can be condensed into 3 messages
  across the wire.
• Fast Extra operations when compared to DH are
  two small exponentiations, and two
  multiplications.
• Some values can be computed off-line (such as ?P
  mod p).
• Since P is on the order of 16-bits versus
  160-bits for q, ESP-KE will take 10 longer than
  DH .

5
Modeling ESP-KE

• Used Common Authentication Protocol Specification
  Language (CAPSL).
• CAPSL is a high-level translator which outputs
  CAPSL Intermediate Language (CIL).
• Secondary bundle program takes CIL and outputs
  Prolog strands.
• The bundle program was buggy.
• Very hard to model password-guessing attacks in
  the strand framework.

6
Simplifications for Modeling

• We can simplify the math down to encryption and
  decryption with a shared secret key (the
  password) for analysis.
• The values A ?a/?P and B ?b are effectively
  nonces, obfuscated with the password.
• Replaced with E(P, nA) and nB.
• The key k is some combination of those nonces.
• Replaced with nA, nB.

7
ESP-KE Simplified

• AliceA E(P, nA) A?k nA, nBIf H(0,
  k, P) ? Mb AbortMa H(1, k, P) Ma?

• Bob B nB?B k D(P, A), nB nA,
  nB Mb H(0, k, P)?Mb If H(1, k, P) ? Ma
  Abort

8
CAPSL Model (abridged)

• PROTOCOL ESPKE
• IMPORTS SKEY, ARITH
• VARIABLES
• Zero, One Field
• Alice, Bob Principal
• Na, Nb Nonce, FRESH,
• CRYPTO
• P Skey
• ASSUMPTIONS
• HOLDS Alice Bob, Na, Zero
• One, P
• HOLDS Bob Alice, Nb, Zero,
• One, P

• MESSAGES
• 1. Alice -gt Bob
• NaP
• 2. Bob -gt Alice
• Nb,
• sha(Zero,Na,Nb, P)
• 3. Alice -gt Bob
• sha(One, Na,Nb, P)

9
Resulting Strands(manually simplified)

• strand(roleAlice,Alice,Bob,Na,P,Nb,
• send(NaP),
• recv( Nb, sha( zero, Na,Nb, P )
  ),
• send(sha(one, Na,Nb, P))
• ).
• strand(roleBob,Bob,Alice,Nb,P,Na,
• recv(NaP),
• send( Nb, sha(zero, Na,Nb, P) ),
• recv(sha(one, Na,Nb, P))
• ).
• strand(test,X, recv(X), send(stop) ).

10
Modeling Results

• Used a constraint solver to check for secrecy of
  the key and P.
• No attacks found.
• Not too surprising, since the underlying system
  is basically Diffie-Hellman.
• Well, what about all that stuff we simplified? Is
  there an attack based on the mathematics of the
  protocol?
• Found a somewhat trivial, yet interesting attack.

11
Online Password Guessing Attack

• AliceGenerate random a in 1, q).A ?a / ?P
  mod p A?k Ba mod p 1a 1If H(0, k
  1, P) ? Mb AbortMa H(1, k, P) Ma?

• Evil Bob B 1?B Mb H(0, 1,
  Guess(P))?Mb If not aborted, guess is
  correct
• ltinsert evil laugh heregt

• Normally, Bob would have to guess k and P, but in
  this attack he can predict the value of k, and so
  only needs to guess P.
• Bob checks for A 0, so why no checks on Alice's
  side?
• Neat, but trivial to both fix and catch a guess
  attempt in progress.

12
What about Off-line Password Guessing Attacks?

• On-line Guessing Attacks aren't very serious.
• Gavin Lowe (of NSL fame) provided a formalization
  of guessing attacks in 2001
• A guessing attack consists of an intruder
  guessing a value g, and then verifying that guess
  in some way. The verification will be by the
  intruder using g to produce a value v which we
  call the verifier
• So, one way to look for guessing attacks is to
  look for verifiers an eavesdropper observes
  during the protocol.

13
Any Verifiers Present?

• The following values are sent across the wire
• A ?a / ?P mod p
• B ?b mod p
• Ma H(0, ?ab, P)
• Mb H(1, ?ab, P)
• B contains no information about P, so its
  useless.
• Ma and Mb can be seen as forms of M(?ab, P)
• So, two possible verifiers A and M.

14
Can we use A as a verifier?

• In order to use A as a verifier for P, we need to
  compute some value A' from our guess of P to
  compare against A.
• In order to construct some A' ?a / ?Guess(P) to
  compare, we'd need to a.
• Since a log?(?P / A), we would need to know
  log?(?).
• If we could find it, we would break the
  assumption that discrete-logs are hard.

15
Can we use M as a verifier?

• In order to use M as a verifier for P, we need to
  compute some value M' from our guess of P to
  compare against M.
• Since M' H(?ab, Guess(P)), our goal then
  becomes to compute ?ab to plug into H.
• We know B ?b and can derive a ?a from our
  Guess(P) since ?a A?Guess(P).
• However, if we were able to compute ?ab from ?a
  and ?b, we would break the Computational
  Diffie-Hellman assumption which is presumed to be
  hard.

16
What if ???Can we use M as a verifier?

• Suppose Alice transmits A?a and then stops after
  receiving B and Mb.
• Mb now equals H(0, (?a?P)b, P) H(0, ?ab Pb,
  P) H(0, ?b(a P), P)
• Alice can now calculate some M' from P'
  Guess(P) to verify against MbM' H(0, BaP',
  P'') H(0, (?b)aP', P') H(0, (?b)aP',
  P') H(0, ?b(aP'), P')

17
Conclusions

• About modeling
• Prolog is hard.
• Don't use CAPSL next time.
• About the protocol
• The online guessing attack removes the need to
  compute the session key to guess P.
• More input checks are needed for robustness on
  Alice's side.
• Nonetheless, seems secure against offline
  dictionary attacks.