CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005

1
CompChall: Addressing Password Guessing Attacks
IAS, ITCC-2005, April 2005
The N/R One Time Password System
By Vipul Goyal, OSP Global, Mumbai, India
Coauthors: Ajith Abraham, Sugata Sanyal and Sang Yong Han

2
Introduction
  • Authentication for mobile devices needs to be efficient and low cost
  • It needs to protect against two major attacks: eavesdropping and server compromise

3
Introduction (contd.)
  • Lamport used just one-way hash functions to design a very efficient authentication scheme called one time passwords (OTP)
  • Interestingly, it is secure against both eavesdropping and server compromise without using public key cryptography
  • It is the only scheme of its type

4
One time passwords
  • Setup phase: recursively hash the password n times to obtain the hash chain tip T
  • $T = h(h(\ldots h(p)))$ (also denoted as $h^n(p)$)
  • The server stores T and the client stores the password p
  • No need to keep T secret
  • n represents the number of times the client may login

5
One time passwords (contd.)
  • Operation phase: for the i-th authentication, the user computes $h^{n-i}(p)$ and sends it to the server as a one time password
  • The server hashes the received OTP and matches it with the one stored in its own database (which would be the last OTP sent)
  • A match signifies success; the server replaces the OTP in its database with the received one
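As an added example (not from the slides or their authors), the Lamport scheme of slides 4 and 5 in Python: SHA-256 stands in for the unspecified one-way hash h, the password is a constructed value, and the client keeps a hash counter so the average cost of about n/2 evaluations per login (slide 7) and the rejection of a replayed OTP can be observed. All class and function names are mine.

```python
import hashlib


def h(x: bytes) -> bytes:
    """One-way hash for every chain link (SHA-256 stands in for the slides' h)."""
    return hashlib.sha256(x).digest()


def hash_n(x: bytes, n: int) -> bytes:
    """h^n(x): apply h n times; h^0(x) is x itself."""
    for _ in range(n):
        x = h(x)
    return x


class LamportServer:
    """Stores only the chain tip T = h^n(p); T does not need to be secret."""

    def __init__(self, tip: bytes, n: int):
        self.stored = tip        # last OTP accepted (initially the tip)
        self.remaining = n       # logins left before re-initialisation

    def verify(self, otp: bytes) -> bool:
        # h(received OTP) must equal the last OTP we accepted (or the tip).
        if self.remaining == 0 or h(otp) != self.stored:
            return False
        self.stored = otp        # replace the stored OTP with the received one
        self.remaining -= 1
        return True


class LamportClient:
    """Keeps p and a login counter i; the i-th OTP is h^{n-i}(p)."""

    def __init__(self, p: bytes, n: int):
        self.p, self.n, self.i = p, n, 0
        self.hash_count = 0      # total hash evaluations spent (the slide-7 cost)

    def next_otp(self) -> bytes:
        self.i += 1
        self.hash_count += self.n - self.i
        return hash_n(self.p, self.n - self.i)


def simulate(n: int, p: bytes = b"constructed-example-password") -> dict:
    """Run all n logins and report acceptance, average client cost and replay handling."""
    server = LamportServer(hash_n(p, n), n)   # setup: n hashes, done once
    client = LamportClient(p, n)
    sent = []
    for _ in range(n):
        otp = client.next_otp()
        if not server.verify(otp):
            return {"all_accepted": False}
        sent.append(otp)
    return {
        "all_accepted": True,
        "logins": n,
        "avg_client_hashes": client.hash_count / n,   # (n-1)/2, i.e. about n/2
        "replay_rejected": not server.verify(sent[0]),  # an eavesdropped OTP is useless
    }


if __name__ == "__main__":
    print(simulate(8))
```

The replay check is the eavesdropping property of slide 6 in miniature: an old OTP hashes to an older link, never to the one the server now holds, and the next OTP is a preimage the attacker cannot compute.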

6
One time passwords (contd.)
  • OTPs are secure because of the non-invertibility of the hash function used
  • It is impossible to compute the next OTP from all the previously used OTPs

7
Problems with OTPs
  • Computation might be prohibitive for mobile devices, as each login requires n/2 hash function evaluations on average
  • System re-initialization is required after n authentications
  • n cannot be made very large due to the computational requirements

8
Our system
  • The basic idea is to have the server aid the client computation by sending it a value whenever the client attempts to login
  • Uses a new construction of hash chains in which a breakpoint is inserted after a fixed number of links
  • The server stores the links on which the breakpoints are inserted; one of these links is passed to the client at login time to aid its computation

9
System overview
  • Denote by N the number of times a user may login. This is equal to the length of the hash chain
  • R is the server storage required
  • N/R will be the maximum number of hash function evaluations required by the client (in contrast to N in OTPs)
  • The average number of hash operations will be N/2R

10
Simplified system description
  • First define a function $\psi_x(p)$ (the slide's symbol for this function did not survive transcription; $\psi$ is used here) by the following recurrence relation
  • $\psi_{k+1}(p) = h(\psi_k(p) \,\|\, d \cdot p)$
  • where $d = 1$ for $k = i(N - N \bmod R)/R$
  • and $d = 0$ for $k \neq i(N - N \bmod R)/R$
  • and $\psi_0(p) = p$

11
System description (contd.)
  • Consider the links where $d = 1$
  • Knowledge of the password is required to find $\psi_{k+1}(p)$ from $\psi_k(p)$ for such links
  • Note that it is never possible to compute $\psi_{k-1}(p)$ from $\psi_k(p)$
  • Thus, links with $d = 1$ are not security sensitive

12
System setup
  • The client computes the hash chain using the formula given (i.e. computes $\psi_N(p)$)
  • The server stores the tip $\psi_N(p)$ as well as all non-security-sensitive links
  • No secrets are stored at the server

13
System operation (for the t-th login)
  • The client identifies himself
  • The server sends $(n, \psi_k(p))$
  • where $n = (N - t) \bmod R$ with $n \neq 0$, and $k = N - t - n$
  • The client simply computes $\psi_{k+n}(p)$ and sends it back as the OTP
  • $\psi_{k+n}(p) = h^n(\psi_k(p) \,\|\, p)$

14
System operation (contd.)
  • The server hashes the received OTP and matches it with the last one stored in its database
  • In case of success, the server overwrites the last OTP with the received one
  • The value of t is incremented
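Added example, not the authors' code: the N/R system of slides 8 to 14 in Python, under my reading of the transcribed formulas. Breakpoints sit at multiples of S = ⌊N/R⌋ (the links whose next hash takes the password), the server stores those R−1 links plus the tip, and n is taken as the offset from the breakpoint below the current OTP, with the slides' n ≠ 0 read as "a stored breakpoint link is never itself used as an OTP", which is what lets the server hold those links in the clear and keeps per-login client work below N/R. SHA-256 stands in for h, the password is a constructed value, and the names are mine. The simulation counts client hashes and server storage so the factor-R trade-off of slide 16 can be checked for any (N, R).

```python
import hashlib
from typing import Dict, List, Optional, Tuple


def h(x: bytes) -> bytes:
    """One-way hash for every link (SHA-256 stands in for the slides' h)."""
    return hashlib.sha256(x).digest()


def build_chain(p: bytes, N: int, R: int) -> List[bytes]:
    """Setup on the client: psi_0 = p and psi_{k+1} = h(psi_k || d*p), where d = 1
    exactly when k is a multiple of S = N // R (a breakpoint link) and d = 0 otherwise."""
    S = N // R
    chain = [p]
    for k in range(N):
        suffix = p if k % S == 0 else b""
        chain.append(h(chain[k] + suffix))
    return chain


class NRServer:
    """Holds the tip psi_N and the breakpoint links psi_S, psi_2S, ...; none is secret."""

    def __init__(self, N: int, R: int, tip: bytes, breakpoints: Dict[int, bytes]):
        self.S = N // R
        self.stored = dict(breakpoints)
        self.stored[N] = tip
        self.last = tip          # last OTP accepted
        self.j = N - 1           # chain index of the next OTP, psi_{N-t}
        self.t = 0               # completed logins

    def challenge(self) -> Tuple[int, Optional[bytes]]:
        """Send (n, psi_k): k is the breakpoint just below the next OTP, n = j - k >= 1.
        Breakpoint indices are skipped (n != 0), so a stored link is never a valid OTP.
        k == 0 means psi_0 = p, which the server does not hold, so None is sent."""
        while self.j > 0 and self.j % self.S == 0:
            self.j -= 1
        if self.j <= 0:
            raise RuntimeError("hash chain exhausted: re-initialise")
        k = (self.j // self.S) * self.S
        return self.j - k, self.stored.get(k)

    def verify(self, otp: bytes) -> bool:
        """Hash the OTP and compare with psi_{j+1}: the stored breakpoint if j+1 is one,
        otherwise the last OTP accepted. On success the OTP becomes the new reference."""
        if self.j <= 0:
            return False
        target = self.stored.get(self.j + 1, self.last)
        if h(otp) != target:
            return False
        self.last = otp
        self.j -= 1
        self.t += 1
        return True


class NRClient:
    """Keeps only p; per login computes psi_{k+n} = h^n(psi_k || p)."""

    def __init__(self, p: bytes):
        self.p = p
        self.hash_count = 0

    def respond(self, n: int, link: Optional[bytes]) -> bytes:
        start = self.p if link is None else link
        value = h(start + self.p)         # crossing the breakpoint link needs p
        for _ in range(n - 1):             # the remaining n-1 links are plain hashes
            value = h(value)
        self.hash_count += n
        return value


def simulate(N: int, R: int, p: bytes = b"constructed-example-password") -> dict:
    """Run every login the chain allows and report the cost and storage figures."""
    S = N // R
    chain = build_chain(p, N, R)
    breakpoints = {k: chain[k] for k in range(S, N, S)}   # psi_0 = p is never stored
    server = NRServer(N, R, chain[N], breakpoints)
    client = NRClient(p)
    accepted: List[bytes] = []
    max_hashes = 0
    while True:
        try:
            n, link = server.challenge()
        except RuntimeError:
            break
        before = client.hash_count
        otp = client.respond(n, link)
        if not server.verify(otp):
            return {"all_accepted": False}
        accepted.append(otp)
        max_hashes = max(max_hashes, client.hash_count - before)
    stored = set(server.stored.values())
    return {
        "all_accepted": True,
        "logins": server.t,
        "max_client_hashes": max_hashes,        # below N/R, versus N - 1 for plain OTPs
        "server_storage": len(server.stored),   # R values
        "replay_rejected": not server.verify(accepted[0]),
        "no_secret_on_server": p not in stored and stored.isdisjoint(accepted),
    }


if __name__ == "__main__":
    print(simulate(16, 4))
```

With N = 16 and R = 4 the server keeps four values, every login costs the client at most three hashes instead of up to fifteen, the server still does one hash per login, and no stored value is ever accepted as an OTP, which is the sense in which the server holds no secret. The price, under this reading, is that the R−1 breakpoint indices are not usable logins.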

15
Protocol figure

16
Comparison
  • Host computation decreases by a factor of R at the cost of increasing the server storage by the same factor. Hence the value of R is a system tradeoff.
  • Server computation remains the same
  • The protocol is more practical for mobile devices, and it becomes possible to choose a high value of N

17
Thank You