Password-based Authentication - PowerPoint PPT Presentation

Title: Notions of Security for Password-based Authenticated Key Exchange
Author: Michel Ferreira Abdalla

1
Password-based Authentication
  • SBSeg 2007 Keynote
  • Michel Abdalla
  • Researcher
  • École normale supérieure CNRS

2
Diffie-Hellman protocol
Let G be a group in which the DDH problem is hard
and let g be a generator for G
A: $sk_A \leftarrow \{0, \dots, |G|-1\}$, $pk_A \leftarrow g^{sk_A}$
B: $sk_B \leftarrow \{0, \dots, |G|-1\}$, $pk_B \leftarrow g^{sk_B}$
Protocol does NOT provide authentication
3
Authenticated Key Exchange (AKE)
  • Allow two parties to establish a common secret in
    an authenticated way
  • Intuitive goal: implicit authentication
  • The session key should only be known to the
    parties involved in the protocol
  • Formally: semantic security
  • the session key should be indistinguishable from
    a random string

4
Authentication techniques
  • Asymmetric techniques
  • Assume the existence of a public-key
    infrastructure
  • Each party holds a pair of secret and public
    keys
  • Symmetric techniques
  • Users share a random secret key
  • 2-party or 3-party settings
  • Password-based techniques
  • Consider the case of weak secrets (e.g., a
    4-digit PIN)
  • Protocols are always subject to online guessing
    attacks

5
Password-based AKE (PAKE)
  • Realistic
  • Real-life applications usually rely on weak
    passwords
  • Convenient to use
  • Users do not need to store the secret
  • Comes at a cost
  • Protocols are always subject to online guessing
    attacks

6
Online dictionary attacks
  • Let D represent the set of possible passwords
    (i.e., dictionary)
  • As passwords need to be memorized by humans, D is
    usually small
  • Online dictionary attack
  • Choose a password from D
  • Interact with authentication server using the
    guessed password
  • Each online attempt can succeed with probability
    $1/|D|$
  • Countermeasures against online attacks
  • Limit the number of unsuccessful attempts
  • Goal of password-based authentication
  • Restrict the adversary to online dictionary
    attacks only

7
Group Password-based AKE (GPAKE)
  • Scenario
  • Similar to the 2-party case, except that
  • Number of protocol participants is variable
  • Password is shared among all participants
  • Session key is shared among all participants
  • Security goals
  • Similar to the 2-party case: allow a pool of
    users to establish a common session key with
    only the help of passwords

8
Security model
  • Users can have many protocol instances running
    concurrently
  • Communication may be controlled by the adversary
  • Adversary can create, modify, or forward messages
  • The transmission of messages is done via specific
    oracle queries
  • Adversary is given oracle access to all user
    instances and can corrupt some of them
  • Protocol is considered secure if the session key
    held by an honest user cannot be distinguished
    from a random key

9
Outline
  • Review of PAKE schemes
  • History of GPAKE schemes
  • A Simple GPAKE protocol
  • A generic GPAKE protocol
  • Concluding remarks

10
Background: Ideal models
  • Random oracle model [BellareRogaway93]
  • Perhaps the most used ideal model in cryptography
  • The hash function is modeled as a perfectly
    random function
  • Random permutation model
  • Similar to the random-oracle model, but with a
    permutation instead of a function
  • Ideal cipher model
  • An extension of the random-permutation model
  • A block cipher is seen as a family of truly
    random and independent permutations (for each
    key)
  • Standard model
  • None of the above

11
Brief history of PAKE schemes
  • BelMer92 Encrypted Key Exchange (EKE)
  • Seminal work, no proofs
  • BelPoiRog00,BoyMacPat00
  • Formal security models
  • Protocols in the ideal-cipher and random-oracle
    models
  • GolLin01
  • Non-concurrent protocol in the standard model
  • KatOstYun01,GenLin03,CHKLM05
  • Efficient protocols in the CRS model
  • BR00,BCP03/04,CatPoiPor04,MacKenzie02,AbPo05
  • Efficient EKE and OKE protocols in the RO model

12
Encrypted Key Exchange (Bellovin and Merritt, 1992)
  • Flows are encrypted with the password

13
EKE instantiations
  • BPR00,BCP03
  • Enc: Ideal cipher
  • H: Random oracle
  • MacKenzie02,BCP04
  • Enc: Random oracle
  • H: Random oracle
  • AbPo05
  • $Enc_{pw}(X) = X \cdot h^{pw}$
  • H: Random oracle

14
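Simple PAKE [AbPo05]
Alice and Bob share $pw = pw_{Alice,Bob}$
Alice: $x \leftarrow \mathbb{Z}_p$, $X \leftarrow g^x$, $X^* \leftarrow X \cdot A^{pw}$
Bob: $y \leftarrow \mathbb{Z}_p$, $Y \leftarrow g^y$, $Y^* \leftarrow Y \cdot B^{pw}$
Alice → Bob: Alice, $X^*$
Bob → Alice: Bob, $Y^*$
Alice: $Y \leftarrow Y^* / B^{pw}$, $K \leftarrow Y^x$
Bob: $X \leftarrow X^* / A^{pw}$, $K \leftarrow X^y$
$SK \leftarrow H(Alice, Bob, pw, X^*, Y^*, K)$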
15
Security of simple PAKE
  • Theorem: If the DDH problem is hard, then the
    protocol described in the previous slide is a
    secure PAKE protocol in the random-oracle model.
  • Proof: see [AbPo05]
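
The exchange from the Simple PAKE slide, as an added example that is not code from the presentation or from AbPo05: both sides reach the same SK only when their passwords match. The toy group (P, Q, G), the way A and B are chosen, and the password-to-exponent encoding are assumptions made for the example.

```python
import hashlib
import secrets

# Toy group, constructed for this example: P = 2*Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4
# Public masking elements A and B (constructed here from known exponents;
# in a real setup nobody may know their discrete logarithms).
A, B = pow(G, 7, P), pow(G, 11, P)


def pw_to_exponent(pw: str) -> int:
    """Map the password to an exponent in Z_Q (hypothetical encoding)."""
    return int.from_bytes(hashlib.sha256(pw.encode()).digest(), "big") % Q


def first_flow(pw: str, mask: int):
    """Pick x, compute X = g^x and return (x, X*) with X* = X * mask^pw."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P) * pow(mask, pw_to_exponent(pw), P) % P


def session_key(pw, secret, peer_star, peer_mask, x_star, y_star) -> str:
    """Unmask the peer's value, compute K, hash the transcript into SK."""
    peer = peer_star * pow(peer_mask, -pw_to_exponent(pw), P) % P
    k = pow(peer, secret, P)
    transcript = f"Alice|Bob|{pw}|{x_star}|{y_star}|{k}"
    return hashlib.sha256(transcript.encode()).hexdigest()


def run(pw_alice: str, pw_bob: str):
    """Run one exchange and return (Alice's SK, Bob's SK)."""
    x, x_star = first_flow(pw_alice, A)   # Alice -> Bob: Alice, X*
    y, y_star = first_flow(pw_bob, B)     # Bob -> Alice: Bob, Y*
    sk_alice = session_key(pw_alice, x, y_star, B, x_star, y_star)
    sk_bob = session_key(pw_bob, y, x_star, A, x_star, y_star)
    return sk_alice, sk_bob


if __name__ == "__main__":
    print(run("1234", "1234"))   # matching passwords
    print(run("1234", "4321"))   # mismatched passwords
```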

16
PAKE in the standard model: The Gennaro-Lindell
Construction
  • Design is not as simple as EKE
  • Requires several different tools
  • One-time signatures
  • Non-malleable encryption schemes
  • Smooth projective hash functions

17
Smooth projective hash functions [GL03 variant]
Algorithms
  • Hash key generation: $hk \leftarrow HK(pk)$
  • pk: public encryption key, hk: hashing key
  • Projected key generation hp ?(hk, c)
  • hk hashing key, hp projected key
  • Hashing algorithm: $H(hk, m, c) \in G$
  • m: message, c: ciphertext, hk: hashing key
  • Projected hashing algorithm $h$: $h(hp, m, c; r)$
  • hp: projected key, r: randomness used to generate c

18
Smooth projective hash functions [GL03 variant]
Security properties
  • Correctness
  • If $c = E(pk, m; r)$, then (m, c, hp) uniquely
    determines $H(hk, m, c)$
  • When $c = E(m; r)$, $H(hk, m, c)$ can be computed
    efficiently given r
  • $h(hp, m, c; r) = H(hk, m, c)$
  • Smoothness
  • If c is not an encryption of m, then (m, c, hp)
    gives no information (statistically) on $H(hk, m, c)$
  • Pseudo-randomness
  • When $c = E(m; r)$ and hp ?(hk,c), then $H(hk, m, c)$ is
    pseudo-random given only (m, c, hp)

19
The Gennaro-Lindell Construction
Alice
Bob
Alice, vkR, cR
skR, vkR ? Sig-KG cR ? Epk(pw ?? vkR rR)
skL, vkL ? Sig-KG hkL ? hashKey hpL ? ?(hkL, cR,
vkR) cL ? Epk(pw ?? vkL rL)
Bob, hpL, vkL, cL
hkR ? hashKey hpR ? ?(hkR, cL, vkL) ?R ?
Sign(skR,Transcript)
hpR, ?R
?L ? Sign(skL,Transcript)
?L
KR ? HhkL(pw, vkR, cR) KL ? hhpR(pw, cL, vkL rL)
KL ? HhkR(pw, vkL, cL) KR ? hhpL(pw, cR, vkR rR)
SK ? KL ? KR
20
Outline
  • Review of PAKE schemes
  • History of GPAKE schemes
  • A Simple GPAKE protocol
  • A generic GPAKE protocol
  • Concluding remarks

21
Brief history of GAKE schemes
  • BurDes94, BurDes05
  • Constant-round group Diffie-Hellman key exchange
  • Passive attacks, security based on CDH
  • KatzYung03
  • Proof of security for BD protocol based on DDH
  • Generic compiler from GKE to GAKE using
    signatures
  • KimLeeLee04
  • A variant of the BD protocol using random oracles
    and XOR operations
  • Joux00
  • A One Round Protocol for Tripartite
    Diffie-Hellman
  • LiPieprzyk99,BreCat04
  • Conference key agreement from secret sharing
  • BoydNieto03, JeongKatzLee04,
  • Round-Optimal contributory key agreement

22
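The Burmester-Desmedt Group Key Exchange [BD94]
$P_1$: $x_1 \leftarrow \mathbb{Z}_p$, $X_1 \leftarrow g^{x_1}$
$P_i$: $x_i \leftarrow \mathbb{Z}_p$, $X_i \leftarrow g^{x_i}$
$P_N$: $x_N \leftarrow \mathbb{Z}_p$, $X_N \leftarrow g^{x_N}$
Broadcast: $X_1$, $X_i$, $X_N$
$P_1$: $K_1 \leftarrow X_2^{x_1}$, $K_N \leftarrow X_N^{x_1}$, $Z_1 \leftarrow K_1 / K_N$
$P_i$: $K_i \leftarrow X_{i+1}^{x_i}$, $K_{i-1} \leftarrow X_{i-1}^{x_i}$, $Z_i \leftarrow K_i / K_{i-1}$
$P_N$: $K_N \leftarrow X_1^{x_N}$, $K_{N-1} \leftarrow X_{N-1}^{x_N}$, $Z_N \leftarrow K_N / K_{N-1}$
Broadcast: $Z_1$, $Z_i$, $Z_N$
$SK \leftarrow K_1 \cdot K_2 \cdots K_N$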
23
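The Kim-Lee-Lee Group Key Exchange [KLL04]
$P_1$: random $s_1$, $x_1 \leftarrow \mathbb{Z}_p$, $X_1 \leftarrow g^{x_1}$
$P_i$: random $s_i$, $x_i \leftarrow \mathbb{Z}_p$, $X_i \leftarrow g^{x_i}$
$P_N$: random $s_N$, $x_N \leftarrow \mathbb{Z}_p$, $X_N \leftarrow g^{x_N}$
Broadcast: $X_1$, $X_i$, $X_N$
$P_1$: $K_1 \leftarrow H(X_2^{x_1})$, $K_N \leftarrow H(X_N^{x_1})$, $Z_1 \leftarrow K_1 \oplus K_N$, $T_1 \leftarrow s_1$
$P_i$: $K_i \leftarrow H(X_{i+1}^{x_i})$, $K_{i-1} \leftarrow H(X_{i-1}^{x_i})$, $Z_i \leftarrow K_i \oplus K_{i-1}$, $T_i \leftarrow s_i$
$P_N$: $K_N \leftarrow H(X_1^{x_N})$, $K_{N-1} \leftarrow H(X_{N-1}^{x_N})$, $Z_N \leftarrow K_N \oplus K_{N-1}$, $T_N \leftarrow K_N \oplus s_N$
Broadcast: $Z_1 \| T_1$, $Z_i \| T_i$, $Z_N \| T_N$
$SK \leftarrow H_2(s_1 \| s_2 \| \dots \| s_N)$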
24
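A generic version of the Burmester-Desmedt
protocol
Neighbours run a key exchange (KE): $P_{i-1}$ and $P_i$ obtain $K_{i-1}$; $P_i$ and $P_{i+1}$ obtain $K_i$
$P_{i-1}$: $Z_{i-1} \leftarrow K_{i-1} / K_{i-2}$
$P_i$: $Z_i \leftarrow K_i / K_{i-1}$
$P_{i+1}$: $Z_{i+1} \leftarrow K_{i+1} / K_i$
Broadcast: $Z_{i-1}$, $Z_i$, $Z_{i+1}$
$SK \leftarrow K_1 \cdot K_2 \cdots K_N$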
25
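A generic version of the Kim-Lee-Lee protocol
$P_{i-1}$: random $s_{i-1}$, $Z_{i-1} \leftarrow K_{i-1} \oplus K_{i-2}$, $T_{i-1} \leftarrow s_{i-1}$
$P_i$: random $s_i$, $Z_i \leftarrow K_i \oplus K_{i-1}$, $T_i \leftarrow s_i$
$P_{i+1}$: random $s_{i+1}$, $Z_{i+1} \leftarrow K_{i+1} \oplus K_i$, $T_{i+1} \leftarrow s_{i+1}$
$P_N$: random $s_N$, $Z_N \leftarrow K_N \oplus K_{N-1}$, $T_N \leftarrow K_N \oplus s_N$
Broadcast: $Z_{i-1} \| T_{i-1}$, $Z_i \| T_i$, $Z_{i+1} \| T_{i+1}$, $Z_N \| T_N$
$SK \leftarrow H_2(s_1 \| s_2 \| \dots \| s_N)$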
26
Previous work on GPAKE
  • BreChePoi02, BreChePoi05
  • Group Diffie-Hellman password-based key exchange
  • Linear number of rounds
  • LeeHwangLee04
  • Based on the Kim-Lee-Lee GAKE protocol
  • Proven secure in the random-oracle model
  • Broken in ABCP06
  • DuttaBarua06
  • Based on the Kim-Lee-Lee GAKE protocol
  • Proven secure in the random-oracle and
    ideal-cipher models
  • Broken in ABCP06
  • ABCP06, TangChoo06
  • Based on the Burmester-Desmedt protocol
  • Proven secure in the ideal-cipher and
    random-oracle models

27
More recent work on GPAKE
  • KwonJeongLee06
  • Simplification of ABCP06 protocol
  • Proven secure in the standard model
  • Apparently insecure (work in progress)
  • AbdallaPointcheval06
  • Based on the Gennaro-Lindell PAKE protocol
  • Proven secure in the standard model
  • BohliGonzalezSteinwandt06
  • Proven secure in the standard model
  • Similar to AbdallaPointcheval06, but more
    efficient
  • ABGS07
  • Generic compiler from 2-party to group
  • Proven secure in the standard model

28
Outline
  • Review of PAKE schemes
  • History of GPAKE schemes
  • A Simple GPAKE protocol
  • A generic GPAKE protocol
  • Concluding remarks

29
Adding password authentication to the BD protocol
  • EKE approach
  • Encrypt all flows using the password pw
  • $X_i^* = E_{pw}(X_i)$, $Z_i^* = E_{pw}(Z_i)$
  • Problem
  • In the BD protocol, $Z_1 \cdot Z_2 \cdots Z_N = 1$
  • Dictionary attack
  • Guess password pw
  • Compute $Z_i = D_{pw}(Z_i^*)$ for $i = 1, \dots, N$
  • Check if $Z_1 \cdot Z_2 \cdots Z_N = 1$
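
The Burmester-Desmedt computation behind this slide, as an added example (not code from the presentation): every run satisfies $Z_1 \cdots Z_N = 1$, the publicly known relation that makes password-encrypted $Z_i$ values checkable offline, and each party rebuilds the same SK from its own $K_i$ and the broadcast $Z_j$. The group parameters (P, Q, G) are toy values constructed for the example, and parties are numbered from 0.

```python
import secrets

# Toy group, constructed for this example: P = 2*Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4


def round1(n):
    """Each P_i picks x_i and broadcasts X_i = g^{x_i}."""
    xs = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    return xs, [pow(G, x, P) for x in xs]


def round2(i, x_i, Xs):
    """P_i computes K_i and K_{i-1}, then broadcasts Z_i = K_i / K_{i-1}."""
    n = len(Xs)
    k_i = pow(Xs[(i + 1) % n], x_i, P)       # K_i     = X_{i+1}^{x_i}
    k_prev = pow(Xs[(i - 1) % n], x_i, P)    # K_{i-1} = X_{i-1}^{x_i}
    return k_i * pow(k_prev, -1, P) % P


def session_key(i, x_i, Xs, Zs):
    """P_i rebuilds every K_j from its own K_i and the public Z values."""
    n = len(Xs)
    k = sk = pow(Xs[(i + 1) % n], x_i, P)
    for step in range(1, n):
        k = k * Zs[(i + step) % n] % P       # K_j = Z_j * K_{j-1}
        sk = sk * k % P
    return sk


def z_product(Zs):
    """Product of all broadcast Z_i; the quotients telescope to 1."""
    out = 1
    for z in Zs:
        out = out * z % P
    return out


def run(n):
    """Run the protocol for n parties; return (Z values, each party's SK)."""
    xs, Xs = round1(n)
    Zs = [round2(i, xs[i], Xs) for i in range(n)]
    return Zs, [session_key(i, xs[i], Xs, Zs) for i in range(n)]


if __name__ == "__main__":
    Zs, keys = run(5)
    print(z_product(Zs), len(set(keys)))
```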

30
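The Dutta-Barua GPAKE Protocol [DB06]
$P_1$: random $s_1$, $x_1 \leftarrow \mathbb{Z}_p$, $X_1 \leftarrow g^{x_1}$
$P_i$: random $s_i$, $x_i \leftarrow \mathbb{Z}_p$, $X_i \leftarrow g^{x_i}$
$P_N$: random $s_N$, $x_N \leftarrow \mathbb{Z}_p$, $X_N \leftarrow g^{x_N}$
Broadcast: $E_{pw}(X_1)$, $E_{pw}(X_i)$, $E_{pw}(X_N)$
$P_1$: $K_1 \leftarrow H(X_2^{x_1})$, $K_N \leftarrow H(X_N^{x_1})$, $Z_1 \leftarrow K_1 \oplus K_N$, $T_1 \leftarrow s_1$
$P_i$: $K_i \leftarrow H(X_{i+1}^{x_i})$, $K_{i-1} \leftarrow H(X_{i-1}^{x_i})$, $Z_i \leftarrow K_i \oplus K_{i-1}$, $T_i \leftarrow s_i$
$P_N$: $K_N \leftarrow H(X_1^{x_N})$, $K_{N-1} \leftarrow H(X_{N-1}^{x_N})$, $Z_N \leftarrow K_N \oplus K_{N-1}$, $T_N \leftarrow K_N \oplus s_N$
Broadcast: $E_{pw}(Z_1 \| T_1)$, $E_{pw}(Z_i \| T_i)$, $E_{pw}(T_N)$
$SK \leftarrow H_2(s_1 \| s_2 \| \dots \| s_N)$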
31
An attack against the Dutta-Barua GPAKE protocol
  • Problem
  • All flows are encrypted under the same key
  • Attack
  • Let P1 and P2 be honest users
  • Attacker will play the role of P3
  • Attacker waits for P1 and P2 to broadcast
    $X_1^* = E_{pw}(X_1)$ and $X_2^* = E_{pw}(X_2)$
  • Attacker sets $X_3^* = X_1^*$ (this implicitly sets
    $x_1 = x_3$) and broadcasts it
  • This causes $K_1 = K_2$ and $Z_2 = 0$
  • Hence, $T_2^* = E_{pw}(0 \| s_2)$ ⇒ Dictionary attack!

32
An attack against the Dutta-Barua GPAKE protocol
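$P_1$: random $s_1$, $x_1 \leftarrow \mathbb{Z}_p$, $X_1 \leftarrow g^{x_1}$
$P_2$: random $s_2$, $x_2 \leftarrow \mathbb{Z}_p$, $X_2 \leftarrow g^{x_2}$
$P_3$: this implicitly sets $x_3 = x_1$
Broadcast: $P_1$ sends $E_{pw}(X_1)$, $P_2$ sends $E_{pw}(X_2)$, $P_3$ sends $E_{pw}(X_1)$
$P_1$: $K_1 \leftarrow H(X_2^{x_1})$, $K_3 \leftarrow H(X_1^{x_1})$, $Z_1 \leftarrow K_1 \oplus K_3$, $T_1 \leftarrow s_1$
$P_2$: $K_2 \leftarrow H(X_1^{x_2})$, $K_1 \leftarrow H(X_1^{x_2})$, $Z_2 \leftarrow K_2 \oplus K_1 = 0$, $T_2 \leftarrow s_2$
Broadcast: $P_1$ sends $E_{pw}(Z_1 \| T_1)$, $P_2$ sends $E_{pw}(0 \| T_2)$
Dictionary Attack!!!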
33
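The Lee-Hwang-Lee GPAKE protocol [LHL04]
$P_1$: $x_1 \leftarrow \mathbb{Z}_p$, $X_1 \leftarrow g^{x_1}$
$P_i$: $x_i \leftarrow \mathbb{Z}_p$, $X_i \leftarrow g^{x_i}$
$P_N$: $x_N \leftarrow \mathbb{Z}_p$, $X_N \leftarrow g^{x_N}$
Broadcast: $E_{pw}(X_1)$, $E_{pw}(X_i)$, $E_{pw}(X_N)$
$P_1$: $K_1 \leftarrow H(X_2^{x_1})$, $K_N \leftarrow H(X_N^{x_1})$, $Z_1 \leftarrow K_1 \oplus K_N$
$P_i$: $K_i \leftarrow H(X_{i+1}^{x_i})$, $K_{i-1} \leftarrow H(X_{i-1}^{x_i})$, $Z_i \leftarrow K_i \oplus K_{i-1}$
$P_N$: $K_N \leftarrow H(X_1^{x_N})$, $K_{N-1} \leftarrow H(X_{N-1}^{x_N})$, $Z_N \leftarrow K_N \oplus K_{N-1}$
Broadcast: $Z_1$, $Z_i$, $Z_N$
$SK \leftarrow H(K_1 \| K_2 \| \dots \| K_N)$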
34
An attack against the Lee-Hwang-Lee GPAKE
protocol
$P_1$, $P_2$, $P_3$, $P_4$: each flow is $E_{pw}(X_1)$, where $X_1 \leftarrow g^{x_1}$
$K_1 = K_2 = K_3 = K_4 = H(X_1^{x_1})$
$Z_1 = Z_2 = Z_3 = Z_4 = 0$
$SK \leftarrow H(K_1 \| K_2 \| K_3 \| K_4)$
35
Outline
  • Review of PAKE schemes
  • History of GPAKE schemes
  • A Simple GPAKE protocol
  • A generic GPAKE protocol
  • Concluding remarks

36
A simple GPAKE protocol: Intuition
  • Add an extra flow of random nonces $r_i$ at the
    beginning of each session:
    $S = P_1 \| r_1 \| \dots \| P_N \| r_N$
  • Use a different encryption key for each user and
    session to avoid replaying of messages:
    $pw_i = H(pw \| S \| i)$
  • Only encrypt the flow containing the values $X_i$ to
    avoid dictionary attacks
  • Add an authentication flow to avoid malleability
    attacks:
    $Auth_i = H(S \| X_1 \| Z_1 \| \dots \| X_N \| Z_N \| SK \| i)$

37
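A simple GPAKE protocol: Construction [ABCP06]
$P_1$, $P_i$, $P_N$: random $r_1$, $r_i$, $r_N$
Broadcast: $(P_1, r_1)$, $(P_i, r_i)$, $(P_N, r_N)$
$P_1$: $x_1 \leftarrow \mathbb{Z}_p$, $X_1 \leftarrow g^{x_1}$
$P_i$: $x_i \leftarrow \mathbb{Z}_p$, $X_i \leftarrow g^{x_i}$
$P_N$: $x_N \leftarrow \mathbb{Z}_p$, $X_N \leftarrow g^{x_N}$
Broadcast: $E_{pw_1}(X_1)$, $E_{pw_i}(X_i)$, $E_{pw_N}(X_N)$
$P_1$: $K_1 \leftarrow X_2^{x_1}$, $K_N \leftarrow X_N^{x_1}$, $Z_1 \leftarrow K_1 / K_N$
$P_i$: $K_i \leftarrow X_{i+1}^{x_i}$, $K_{i-1} \leftarrow X_{i-1}^{x_i}$, $Z_i \leftarrow K_i / K_{i-1}$
$P_N$: $K_N \leftarrow X_1^{x_N}$, $K_{N-1} \leftarrow X_{N-1}^{x_N}$, $Z_N \leftarrow K_N / K_{N-1}$
Broadcast: $Z_1$, $Z_i$, $Z_N$
Broadcast: $Auth_1$, $Auth_i$, $Auth_N$
$SK \leftarrow K_1 \cdot K_2 \cdots K_N$
Session Key $\leftarrow H(Transcript \| SK)$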
38
A simple GPAKE protocol: Security
  • Theorem: If the DDH problem is hard, then the
    protocol described in the previous slide is a
    secure GPAKE protocol in the random-oracle and
    ideal-cipher models
  • Proof: see [ABCP06]

39
Outline
  • Review of PAKE schemes
  • History of GPAKE schemes
  • A Simple GPAKE protocol
  • A generic GPAKE protocol
  • Concluding remarks

40
A generic GPAKE protocol [ABGS07]: Intuition
  • Generate Ki using a (2-party) PAKE
  • Each user authenticates its neighbors
  • Commit to Zi before making it public
  • Commitment should be non-malleable
  • Use the fact that Z1? ? ZN 1 for verification

41
A generic GPAKE protocol
Pi
Pi1
Pi-1
AKE
AKE
Ki-1
Ki-1
Ki
Ki
Zi-1 ? Ki-1 ? Ki-2
Zi ? Ki ? Ki-1
Zi1 ? Ki1 ? Ki
Com(Zi-1 ??i-1 ri-1)
Com(Zi ??I ri)
Com(Zi1??i1 ri1)
Zi-1, ri-1
Zi, ri
Zi1, ri1
SK ? UH(K1, ?,KN,Transcript)
Session Key ? FSK(0)
42
Advantages of generic construction
  • Allows a modular design approach
  • Transformation is reasonably efficient
  • No ideal assumptions
  • Non-interactive non-malleable commitments
  • Family of collision-resistant pseudorandom
    functions [Katz-Shin 05]
  • Family of universal hash functions
  • Simpler proof of security

43
Outline
  • Review of PAKE schemes
  • History of GPAKE schemes
  • A Simple GPAKE protocol
  • A generic GPAKE protocol
  • Concluding remarks

44
Concluding remarks
  • Recap
  • Attacks against previous constructions [ABCP06]
  • A simple construction in the IC and RO models
    [ABCP06]
  • A generic GPAKE construction [ABGS07]
  • The design of password-based protocols can be
    tricky
  • Small modifications to a protocol can make it
    insecure
  • The only way to be sure is to provide a security
    proof
  • Password-based authenticated key exchange remains
    a very active area

45
Future directions
  • More efficient constructions in the standard
    model
  • Stronger security guarantees
  • universal composability
  • Stronger corruption models