Password-based Authentication

1
Password-based Authentication

• SBSeg 2007 Keynote
• Michel Abdalla
• Researcher
• École normale supérieure CNRS

2
Diffie-Hellman protocol
Let G be a group in which the DDH problem is hard
and let g be a generator for G
skA ? 0,,G-1 pkA ? gsk
skB ? 0,,G-1 pkB ? gsk
A
B
Protocol does NOT provide authentication
3
Authenticated Key Exchange (AKE)

• Allow two parties to establish a common secret in
  an authenticated way
• Intuitive goal implicit authentication
• The session key should only be known to the
  parties involved in the protocol
• Formally semantic security
• the session key should be indistinguishable from
  a random string

4
Authentication techniques

• Asymmetric techniques
• Assume the existence of a public-key
  infrastructure
• Each party holds a pair of secret and public
  keys
• Symmetric techniques
• Users share a random secret key
• 2-party or 3-party settings
• Password-based techniques
• Consider the case of weak secrets (e.g., a
  4-digit PIN)
• Protocols are always subject to online guessing
  attacks

5
Password-based AKE (PAKE)

• Realistic
• Real-life applications usually rely on weak
  passwords
• Convenient to use
• Users do not need to store the secret
• Comes at a cost
• Protocols are always subject to online guessing
  attacks

6
Online dictionary attacks

• Let D represent the set of possible passwords
  (i.e., dictionary)
• As passwords need be memorized by humans, D is
  usually small
• Online dictionary attack
• Choose a password from D
• Interact with authentication server using the
  guessed password
• Each online attempt can succeed with probability
  1/D
• Counter measures against online attacks
• Limit the number of unsuccessful attempts
• Goal of password-based authentication
• Restrict the adversary to online dictionary
  attacks only

7
Group Password-basedAKE (GPAKE)

• Scenario
• Similar to the 2-party case, except that
• Number of protocol participants is variable
• Password is shared among all participants
• Session key is shared among all participants
• Security goals
• Similar to the 2-party case Allow a pool of
  users to established a common session key with
  only the help of passwords

8
Security model

• Users can have many protocol instances running
  concurrently
• Communication may be controlled by the adversary
• Adversary can create, modify, or forward messages
• The transmission of messages is done via specific
  oracle queries
• Adversary is given oracle access to all user
  instances and can corrupt some of them
• Protocol is considered secure if the session key
  held by a honest user cannot be distinguished
  from a random key

9
Outline

• Review of PAKE schemes
• History of GPAKE scheme
• A Simple GPAKE protocol
• A generic GPAKE protocol
• Concluding remarks

10
Background Ideal models

• Random oracle model BellareRogaway93
• Perhaps the most used ideal model in cryptography
• The hash function is modeled as a perfectly
  random function
• Random permutation model
• Similar to the random-oracle model, but with a
  permutation instead of a function
• Ideal cipher model
• An extension of the random-permutation model
• A block cipher is seen as a family of truly
  random and independent permutations (for each
  key)
• Standard model
• None of the above

11
Brief history of PAKE schemes

• BelMer92 Encrypted Key Exchange (EKE)
• Seminal work, no proofs
• BelPoiRog00,BoyMacPat00
• Formal security models
• Protocols in the ideal-cipher and random-oracle
  models
• GolLin01
• Non-concurrent protocol in the standard model
• KatOstYun01,GenLin03,CHKLM05
• Efficient protocols in the CRS model
• BR00,BCP03/04,CatPoiPor04,MacKenzie02,AbPo05
• Efficient EKE and OKE protocols in the RO model

12
Encrypted Key Exchange Bellovin Merritt, 1992

• Flows are encrypted with the password

13
EKE instantiations

• BPR00,BCP03
• Enc Ideal cipher
• H Random oracle
• MacKenzie02,BCP04
• Enc Random oracle
• H Random oracle
• AbPo05
• Encpw(X) X ? hpw
• H Random oracle

14
Simple PAKE AbPo05
Alice
Bob
? pwAlice,Bob
x ? Zp X ? gx
y ? Zp Y ? gy
Alice, X X ? A?
Bob, Y Y ? B?
Y ? Y / B? K ? Yx
X ? X / A? K ? Xy
SK ? H(Alice,Bob,?,X,Y,K)
15
Security of simple PAKE

• Theorem If the DDH problem is hard, then the
  protocol described in the previous slide is a
  secure PAKE protocol in the random-oracle model.
• Proof see AbPo05

16
PAKE in the standard model The Gennaro-Lindell
Construction

• Design is not as simple as EKE
• Requires several different tools
• One-time signatures
• Non-malleable encryption schemes
• Smooth projective hash functions

17
Smooth projective hash functionsGL03 variant
Algorithms

• Hash key generation hk HK(pk)
• pk public encryption key, hk hashing key
• Projected key generation hp ?(hk, c)
• hk hashing key, hp projected key
• Hashing algorithm H (hk, m, c) ? G
• m message, c ciphertext, hk hashing key
• Projected hashing algorithm h h(hp, m, c r)
• hp projected key, r random used to generate c

18
Smooth projective hash functionsGL03 variant
Security properties

• Correctness
• If c E(pk,mr), then (m,c,hp) uniquely
  determines H(hk,m,c)
• When c E(mr), H(hk,m,c) can be computed
  efficiently given r
• h(hp,m,c r) H(hk,m,c)
• Smoothness
• If c is not an encryption of m,then (m, c, hp)
  gives no information (statistically) on H(hk,m,c)
• Pseudo-randomness
• When cE(mr) and hp?(hk,c), then H(hk,m,c) is
  pseudo-random given only (m,c,hp)

19
The Gennaro-Lindell Construction
Alice
Bob
Alice, vkR, cR
skR, vkR ? Sig-KG cR ? Epk(pw ?? vkR rR)
skL, vkL ? Sig-KG hkL ? hashKey hpL ? ?(hkL, cR,
vkR) cL ? Epk(pw ?? vkL rL)
Bob, hpL, vkL, cL
hkR ? hashKey hpR ? ?(hkR, cL, vkL) ?R ?
Sign(skR,Transcript)
hpR, ?R
?L ? Sign(skL,Transcript)
?L
KR ? HhkL(pw, vkR, cR) KL ? hhpR(pw, cL, vkL rL)
KL ? HhkR(pw, vkL, cL) KR ? hhpL(pw, cR, vkR rR)
SK ? KL ? KR
20
Outline

• Review of PAKE schemes
• History of GPAKE schemes
• A Simple GPAKE protocol
• A generic GPAKE protocol
• Concluding remarks

21
Brief history of GAKE schemes

• BurDes94, BurDes05
• Constant-round group Diffie-Hellman key exchange
• Passive attacks, security based on CDH
• KatzYung03
• Proof of security for BD protocol based on DDH
• Generic compiler from GKE to GAKE using
  signatures
• KimLeeLee04
• A variant of the BD protocol using random oracles
  and XOR operations
• Joux00
• A One Round Protocol for Tripartite
  Diffie-Hellman
• LiPieprzyk99,BreCat04
• Conference key agreement from secret sharing
• BoydNieto03, JeongKatzLee04,
• Round-Optimal contributory key agreement

22
The Burmester-Desmedt Group Key Exchange BD94
?
?
P1
Pi
PN
x1 ? Zp X1 ? gx1
xi ? Zp Xi ? gxi
xN ? Zp XN ? gxN
X1
Xi
XN
K1 ? X2x1 KN ? XNx1 Z1 ? K1 / KN
KN ? X1xN KN-1 ? XN-1xN ZN ? KN / KN-1
Ki ? Xi1xi Ki-1 ? Xi-1xi Zi ? Ki / Ki-1
Zi
ZN
Z1
SK ? K1 ? K2 ? ? ? KN
23
The Kim-Lee-Lee Group Key Exchange KLL04
?
?
P1
Pi
PN
s1 ? x1 ? Zp X1 ? gx1
si ? xi ? Zp Xi ? gxi
sN ? xN ? Zp XN ? gxN
X1
Xi
XN
K1 ? H(X2x1) KN ? H(XNx1) Z1 ? K1 ? KN T1 ? s1
KN ? H(X1xN) KN-1 ? H(XN-1xN) ZN ? KN ? KN-1
TN ? KN ? sN
Ki ? H(Xi1xi) Ki-1 ? H(Xi-1xi) Zi ? Ki ?
Ki-1 Ti ? si
Zi ?? Ti
ZN ?? TN
Z1 ?? T1
SK ? H2(s1 ?? s2 ?? ? ?? sN)
24
A generic version of the Burmester-Desmedt
protocol
?
?
Pi
Pi1
Pi-1
KE
KE
Ki
Ki
Ki-1
Ki-1
Zi-1 ? Ki-1 / Ki-2
Zi ? Ki / Ki-1
Zi1 ? Ki1 / Ki
Zi-1
Zi
Zi1
SK ? K1 ? K2 ? ? ? KN
25
A generic version of theKim-Lee-Lee protocol
?
?
Pi
Pi-1
Pi1
PN
si-1 ?
si ?
si1 ?
sN ?
Zi-1 ? Ki-1 ? Ki-2 Ti-1 ? si-1
Zi ? Ki ? Ki-1 Ti ? si
Zi1 ? Ki1 ? Ki Ti1 ? si1
ZN ? KN ? KN-1 TN ? KN ? sN
Zi-1 ?? Ti-1
Zi ?? Ti
Zi1 ?? Ti1
ZN ?? TN
SK ? H2(s1 ?? s2 ?? ? ?? sN)
26
Previous work on GPAKE

• BreChePoi02, BreChePoi05
• Group Diffie-Hellman password-based key exchange
• Linear number of rounds
• LeeHwangLee04
• Based on the Kim-Lee-Lee GAKE protocol
• Proven secure in the random-oracle model
• Broken in ABCP06
• DuttaBarua06
• Based on the Kim-Lee-Lee GAKE protocol
• Proven secure in the random-oracle and
  ideal-cipher models
• Broken in ABCP06
• ABCP06, TangChoo06
• Based on the Burmester-Desmedt protocol
• Proven secure in the ideal-cipher and
  random-oracle models

27
More recent work on GPAKE

• KwonJeongLee06
• Simplification of ABCP06 protocol
• Proven secure in the standard model
• Apparently insecure (work in progress)
• AbdallaPointcheval06
• Based on the Gennaro-Lindell PAKE protocol
• Proven secure in the standard model
• BohliGonzalezSteinwandt06
• Proven secure in the standard model
• Similar to AbdallaPointcheval06, but more
  efficient
• ABGS07
• Generic compiler from 2-party to group
• Proven secure in the standard model

28
Outline

• Review of PAKE schemes
• History of GPAKE schemes
• A Simple GPAKE protocol
• A generic GPAKE protocol
• Concluding remarks

29
Adding password authentication to the BD protocol

• EKE approach
• Encrypt all flows using the password pw
• Xi ?pw(Xi), Zi ?pw(Zi)
• Problem
• In the BD protocol, Z1?Z2 ? ? ? ZN 1
• Dictionary attack
• Guess password pw
• Compute Zi Dpw(Zi) for i1,?,N
• Check if Z1?Z2 ? ? ? ZN 1

30
The Dutta-Barua GPAKE Protocol DB06
?
?
P1
Pi
PN
s1 ? x1 ? Zp X1 ? gx1
si ? xi ? Zp Xi ? gxi
sN ? xN ? Zp XN ? gxN
Epw(X1)
Epw(Xi)
Epw(XN)
K1 ? H(X2x1) KN ? H(XNx1) Z1 ? K1 ? KN T1 ? s1
KN ? H(X1xN) KN-1 ? H(XN-1xN) ZN ? KN ? KN-1
TN ? KN ? sN
Ki ? H(Xi1xi) Ki-1 ? H(Xi-1xi) Zi ? Ki ?
Ki-1 Ti ? si
Epw(Z1??T1)
Epw(Zi??Ti)
Epw(TN)
SK ? H2(s1 ?? s2 ?? ? ?? sN)
31
An attack against the Dutta-Barua GPAKE protocol

• Problem
• All flows are encrypted under the same key
• Attack
• Let P1 and P2 be honest users
• Attacker will play the role of P3
• Attacker waits for P1 and P2 to broadcast
  X1Epw(X1) and X2Epw(X2)
• Attacker sets X3X1 (This implicitly sets
  x1x3) and broadcasts it
• This causes K1K2 and Z20
• Hence, T2Epw(0??s2) ? Dictionary attack!

32
An attack against the Dutta-Barua GPAKE protocol
P1
P2
P3
s1 ? x1 ? Zp X1 ? gx1
s2 ? x2 ? Zp X2 ? gx2
This implicitly sets x3x1
Epw(X1)
Epw(X2)
Epw(X1)
K1 ? H(X2x1) K3 ? H(X1x1) Z1 ? K1 ? K3 T1 ? s1
K2 ? H(X1x2 ) K1 ? H(X1x2) Z2 ? K2 ? K1 0 T2 ?
s2
Dictionary Attack!!!
Epw(Z1 ?? T1)
Epw(0 ?? T2)
33
The Lee-Hwang-Lee GPAKE protocol LHL04
?
?
P1
Pi
PN
x1 ? Zp X1 ? gx1
xi ? Zp Xi ? gxi
xN ? Zp XN ? gxN
Epw(X1)
Epw(Xi)
Epw(XN)
K1 ? H(X2x1) KN ? H(XNx1) Z1 ? K1 ? KN
KN ? H(X1xN) KN-1 ? H(XN-1xN) ZN ? KN ? KN-1
Ki ? H(Xi1xi) Ki-1 ? H(Xi-1xi) Zi ? Ki ? Ki-1
Z1
Zi
ZN
SK ? H(K1 ?? K2 ?? ? ?? KN)
34
An attack against the Lee-Hwang-Lee GPAKE
protocol
P1
P2
P3
P4
Epw(X1)
Epw(X1)
Epw(X1)
Epw(X1)
X1 ? gx1
K1 K2 K3 K4 H(X1x1)
0
0
0
0
SK ? H(K1 ?? K2 ?? K3 ?? K4)
P1
P2
P3
P4
Epw(X1)
Epw(X1)
Epw(X1)
Epw(X1)
X1 ? gx1
K1 K2 K3 K4 H(X1x1)
0
0
0
0
SK ? H(K1 ?? K2 ?? K3 ?? K4)
35
Outline

• Review of PAKE schemes
• History of GPAKE schemes
• A Simple GPAKE protocol
• A generic GPAKE protocol
• Concluding remarks

36
A simple GPAKE protocol Intuition

• Add an extra flow of random nonces ri at the
  beginning of the each session S P1 ??
  r1 ?? ? ?? PN ?? rN
• Use a different encryption key for each user and
  session to avoid replaying of messages
  pwi H(pw ?? S ?? i)
• Only encrypt the flow containing the values Xi to
  avoid dictionary attacks
• Add an authentication flow to avoid malleability
  attacks Authi H(S ?? X1 ?? Z1 ?? ? ??
  XN ?? ZN ?? SK ?? i)

37
A simple GPAKE protocol Construction ABCP06
?
?
P1
Pi
PN
r1 ?
ri ?
rN ?
P1, r1
Pi, ri
PN, rN
x1 ? Zp X1 ? gx1
xi ? Zp Xi ? gxi
xN ? Zp XN ? gxN
Epw1(X1)
Epwi(Xi)
EpwN(XN)
K1 ? X2x1 KN ? XNx1 Z1 ? K1 / KN
KN ? X1xN KN-1 ? XN-1xN ZN ? KN / KN-1
Ki ? Xi1xi Ki-1 ? Xi-1xi Zi ? Ki / Ki-1
Z1
Zi
ZN
Auth1
Authi
AuthN
Session Key ? H(Transcript ?? SK)
SK ? K1 ? K2 ? ? ? KN
38
A simple GPAKE protocol Security

• Theorem If the DDH problem is hard, then the
  protocol described in the previous slide is a
  secure GPAKE protocol in the random-oracle and
  ideal-cipher models
• Proof see ABCP06

39
Outline

• Review of PAKE schemes
• History of GPAKE schemes
• A Simple GPAKE protocol
• A generic GPAKE protocol
• Concluding remarks

40
A generic GPAKE protocol ABGS07 Intuition

• Generate Ki using a (2-party) PAKE
• Each user authenticates its neighbors
• Commit to Zi before making it public
• Commitment should be non-malleable
• Use the fact that Z1? ? ZN 1 for verification

41
A generic GPAKE protocol
Pi
Pi1
Pi-1
AKE
AKE
Ki-1
Ki-1
Ki
Ki
Zi-1 ? Ki-1 ? Ki-2
Zi ? Ki ? Ki-1
Zi1 ? Ki1 ? Ki
Com(Zi-1 ??i-1 ri-1)
Com(Zi ??I ri)
Com(Zi1??i1 ri1)
Zi-1, ri-1
Zi, ri
Zi1, ri1
SK ? UH(K1, ?,KN,Transcript)
Session Key ? FSK(0)
42
Advantages of generic construction

• Allows a modular design approach
• Transformation is reasonably efficient
• No ideal assumptions
• Non-interactive non-malleable commitments
• Family of collision-resistant pseudorandom
  functions Katz-Shin 05
• Family of universal hash functions
• Simpler proof of security

43
Outline

• Review of PAKE schemes
• History of GPAKE schemes
• A Simple GPAKE protocol
• A generic GPAKE protocol
• Concluding remarks

44
Concluding remarks

• Recap
• Attacks against previous constructions ABCP06
• A simple construction in the IC and RO models
  ABCP06
• A generic GPAKE construction ABGS07
• The design of password-based protocols can be
  tricky
• Small modifications to the protocol can make them
  insecure
• The only way to be sure is to provide a security
  proof
• Password-based authenticated key exchange remains
  a very active area

45
Future directions

• More efficient constructions in the standard
  model
• Stronger security guarantees
• universal composability
• Stronger corruption models