1 / 45

Password-based Authentication

Password-based Authentication. SBSeg 2007 Keynote Michel Abdalla Researcher École normale supérieure & CNRS. Alice. Bob. pk A. pk B. pk B sk = g sk sk = pk A sk. A. A. B. B. Diffie-Hellman protocol.

claire
Download Presentation

Password-based Authentication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Password-based Authentication SBSeg 2007 Keynote Michel Abdalla Researcher École normale supérieure & CNRS

  2. Alice Bob pkA pkB pkBsk = gsksk = pkAsk A A B B Diffie-Hellman protocol Let G be a group in which the DDH problem is hard and let g be a generator for G skA {0,…,|G|-1} pkA  gsk skB {0,…,|G|-1} pkB  gsk A B Protocol does NOT provide authentication

  3. Authenticated Key Exchange (AKE) • Allow two parties to establish a common secret in an authenticated way • Intuitive goal: implicit authentication • The session key should only be known to the parties involved in the protocol • Formally: semantic security • the session key should be indistinguishable from a random string

  4. Authentication techniques • Asymmetric techniques • Assume the existence of a public-key infrastructure • Each party holds a pair of secret and public keys • Symmetric techniques • Users share a random secret key • 2-party or 3-party settings • Password-based techniques • Consider the case of weak secrets (e.g., a 4-digit PIN) • Protocols are always subject to online guessing attacks

  5. Password-based AKE (PAKE) • Realistic • Real-life applications usually rely on weak passwords • Convenient to use • Users do not need to store the secret • Comes at a cost • Protocols are always subject to online guessing attacks

  6. Online dictionary attacks • Let D represent the set of possible passwords (i.e., dictionary) • As passwords need be memorized by humans, |D| is usually small • Online dictionary attack • Choose a password from D • Interact with authentication server using the guessed password • Each online attempt can succeed with probability 1/|D| • Counter measures against online attacks • Limit the number of unsuccessful attempts • Goal of password-based authentication • Restrict the adversary to online dictionary attacks only

  7. Group Password-basedAKE (GPAKE) • Scenario • Similar to the 2-party case, except that … • Number of protocol participants is variable • Password is shared among all participants • Session key is shared among all participants • Security goals • Similar to the 2-party case: Allow a pool of users to established a common session key with only the help of passwords

  8. Security model • Users can have many protocol instances running concurrently • Communication may be controlled by the adversary • Adversary can create, modify, or forward messages • The transmission of messages is done via specific oracle queries • Adversary is given oracle access to all user instances and can corrupt some of them • Protocol is considered secure if the session key held by a honest user cannot be distinguished from a random key

  9. Outline • Review of PAKE schemes • History of GPAKE scheme • A Simple GPAKE protocol • A generic GPAKE protocol • Concluding remarks

  10. Background: Ideal models • Random oracle model [BellareRogaway93] • Perhaps the most used ideal model in cryptography • The hash function is modeled as a perfectly random function • Random permutation model • Similar to the random-oracle model, but with a permutation instead of a function • Ideal cipher model • An extension of the random-permutation model • A block cipher is seen as a family of truly random and independent permutations (for each key) • Standard model • None of the above

  11. Brief history of PAKE schemes • [BelMer92]: Encrypted Key Exchange (EKE) • Seminal work, no proofs • [BelPoiRog00,BoyMacPat00] • Formal security models • Protocols in the ideal-cipher and random-oracle models • [GolLin01] • Non-concurrent protocol in the standard model • [KatOstYun01,GenLin03,CHKLM05] • Efficient protocols in the CRS model • [BR00,BCP03/04,CatPoiPor04,MacKenzie02,AbPo05] • Efficient EKE and OKE protocols in the RO model

  12. Alice Bob = pwAlice,Bob x Zp X  gx y Zp Y  gy Alice, X=Enc(X) Bob, Y=Enc(Y) Y  Dec(Y) K  Yx X  Dec(X) K  Xy SK  H(Alice,Bob,,X,Y,K) Encrypted Key Exchange [Bellovin & Merritt, 1992] • Flows are encrypted with the password

  13. EKE instantiations • [BPR00,BCP03] • Enc = Ideal cipher • H = Random oracle • [MacKenzie02,BCP04] • Enc = Random oracle • H = Random oracle • [AbPo05] • Encpw(X) = X  hpw • H = Random oracle

  14. Simple PAKE [AbPo05] Alice Bob = pwAlice,Bob x Zp X  gx y Zp Y  gy Alice, X= X  A Bob, Y= Y  B Y  Y/ B K  Yx X  X / A K  Xy SK  H(Alice,Bob,,X,Y,K)

  15. Security of simple PAKE • Theorem: If the DDH problem is hard, then the protocoldescribed in the previous slide is a secure PAKE protocol in the random-oracle model. • Proof: see [AbPo05]

  16. PAKE in the standard model: The Gennaro-Lindell Construction • Design is not as simple as EKE • Requires several different tools • One-time signatures • Non-malleable encryption schemes • Smooth projective hash functions

  17. Smooth projective hash functions[GL03 variant]: Algorithms • Hash key generation: hk = HK(pk) • pk – public encryption key, hk – hashing key • Projected key generation:hp = (hk, c) • hk – hashing key, hp – projected key • Hashing algorithm:H(hk, m, c)  G • m – message, c – ciphertext, hk – hashing key • Projected hashing algorithm:h = h(hp, m, c; r) • hp – projected key, r – random used to generate c

  18. Smooth projective hash functions[GL03 variant]: Security properties • Correctness: • If c = E(pk,m;r), then (m,c,hp) uniquely determines H(hk,m,c) • When c = E(m;r), H(hk,m,c) can be computed efficiently given r h(hp,m,c; r) = H(hk,m,c) • Smoothness: • If c is not an encryption of m,then (m, c, hp) gives no information (statistically) on H(hk,m,c) • Pseudo-randomness: • When c=E(m;r) and hp=(hk,c),then H(hk,m,c) is pseudo-random given only (m,c,hp)

  19. The Gennaro-Lindell Construction Alice Bob Alice, vkR, cR skR, vkR Sig-KG cR Epk(pw  vkR; rR) skL, vkL Sig-KG hkL hashKey hpL(hkL, cR, vkR) cL Epk(pw  vkL; rL) Bob, hpL, vkL, cL hkR hashKey hpR(hkR, cL, vkL) R Sign(skR,Transcript) hpR, R L Sign(skL,Transcript) L KR HhkL(pw, vkR, cR) KL hhpR(pw, cL, vkL; rL) KL HhkR(pw, vkL, cL) KR hhpL(pw, cR, vkR; rR) SK  KL◦ KR

  20. Outline • Review of PAKE schemes • History of GPAKE schemes • A Simple GPAKE protocol • A generic GPAKE protocol • Concluding remarks

  21. Brief history of GAKE schemes • [BurDes94, BurDes05]: • Constant-round group Diffie-Hellman key exchange • Passive attacks, security based on CDH • [KatzYung03] • Proof of security for BD protocol based on DDH • Generic compiler from GKE to GAKE using signatures • [KimLeeLee04] • A variant of the BD protocol using random oracles and XOR operations • [Joux00] • A One Round Protocol for Tripartite Diffie-Hellman • [LiPieprzyk99,BreCat04] • Conference key agreement from secret sharing • [BoydNieto03, JeongKatzLee04, …] • Round-Optimal contributory key agreement

  22. The Burmester-Desmedt Group Key Exchange [BD94]   P1 Pi PN x1 Zp X1  gx1 xi Zp Xi  gxi xN Zp XN  gxN X1 Xi XN K1  X2x1 KN  XNx1 Z1 K1 / KN KN  X1xN KN-1  XN-1xN ZN KN / KN-1 Ki  Xi+1xi Ki-1  Xi-1xi Zi Ki / Ki-1 Zi Z1 ZN SK K1◦ K2 ◦  ◦ KN

  23. The Kim-Lee-Lee Group Key Exchange [KLL04]   P1 Pi PN s1 $ x1 Zp X1  gx1 si $ xi Zp Xi  gxi sN $ xN Zp XN  gxN X1 Xi XN K1  H(X2x1) KN  H(XNx1) Z1 K1  KN T1  s1 KN  H(X1xN) KN-1  H(XN-1xN) ZN KN  KN-1 TN  KN  sN Ki  H(Xi+1xi) Ki-1  H(Xi-1xi) Zi Ki  Ki-1 Ti  si Zi Ti Z1 T1 ZN TN SK  H2(s1 s2    sN)

  24. A generic version of the Burmester-Desmedt protocol   Pi-1 Pi Pi+1 KE KE Ki Ki Ki-1 Ki-1 Zi-1  Ki-1 / Ki-2 Zi  Ki / Ki-1 Zi+1  Ki+1 / Ki Zi-1 Zi Zi+1 SK K1◦ K2 ◦  ◦ KN

  25. KE KE Ki-1 Ki-1 Ki Ki A generic version of theKim-Lee-Lee protocol   Pi-1 Pi Pi+1 PN si-1 $ si $ si+1 $ sN $ Zi-1 Ki-1  Ki-2 Ti-1  si-1 Zi Ki  Ki-1 Ti  si Zi+1 Ki+1  Ki Ti+1  si+1 ZN KN  KN-1 TN  KN  sN Zi-1 Ti-1 Zi Ti Zi+1 Ti+1 ZN TN SK  H2(s1 s2    sN)

  26. Previous work on GPAKE • [BreChePoi02, BreChePoi05]: • Group Diffie-Hellman password-based key exchange • Linear number of rounds • [LeeHwangLee04] • Based on the Kim-Lee-Lee GAKE protocol • Proven secure in the random-oracle model • Broken in [ABCP06] • [DuttaBarua06] • Based on the Kim-Lee-Lee GAKE protocol • Proven secure in the random-oracle and ideal-cipher models • Broken in [ABCP06] • [ABCP06], [TangChoo06] • Based on the Burmester-Desmedt protocol • Proven secure in the ideal-cipher and random-oracle models

  27. More recent work on GPAKE • [KwonJeongLee06] • Simplification of [ABCP06] protocol • Proven secure in the “standard model” • Apparently insecure (work in progress) • [AbdallaPointcheval06] • Based on the Gennaro-Lindell PAKE protocol • Proven secure in the standard model • [BohliGonzalezSteinwandt06] • Proven secure in the standard model • Similar to [AbdallaPointcheval06], but more efficient • [ABGS07] • Generic compiler from 2-party to group • Proven secure in the standard model

  28. Outline • Review of PAKE schemes • History of GPAKE schemes • A Simple GPAKE protocol • A generic GPAKE protocol • Concluding remarks

  29. Adding password authentication to the BD protocol • EKE approach • Encrypt all flows using the password pw • Xi= pw(Xi), Zi= pw(Zi) • Problem • In the BD protocol, Z1◦Z2◦ ◦ ZN = 1 • Dictionary attack • Guess password pw • Compute Zi= Dpw(Zi) for i=1,,N • Check if Z1◦Z2◦ ◦ ZN = 1

  30. The Dutta-Barua GPAKE Protocol [DB06]   P1 Pi PN s1 $ x1 Zp X1  gx1 si $ xi Zp Xi  gxi sN $ xN Zp XN  gxN Epw(X1) Epw(Xi) Epw(XN) K1  H(X2x1) KN  H(XNx1) Z1 K1  KN T1  s1 KN  H(X1xN) KN-1  H(XN-1xN) ZN KN  KN-1 TN  KN  sN Ki  H(Xi+1xi) Ki-1  H(Xi-1xi) Zi Ki  Ki-1 Ti  si E’’pw(TN) E’pw(Z1T1) E’pw(ZiTi) SK  H2(s1 s2    sN)

  31. An attack against the Dutta-Barua GPAKE protocol • Problem • All flows are encrypted under the same key • Attack • Let P1 and P2 be honest users • Attacker will play the role of P3 • Attacker waits for P1 and P2 to broadcast X1*=Epw(X1) and X2*=Epw(X2) • Attacker sets X3*=X1* (This implicitly sets x1=x3) and broadcasts it • This causes K1=K2 and Z2=0 • Hence, T2*=Epw(0s2)  Dictionary attack!

  32. An attack against the Dutta-Barua GPAKE protocol P1 P2 P3 s1 $ x1 Zp X1  gx1 s2 $ x2 Zp X2  gx2 This implicitly sets x3=x1 Epw(X1) Epw(X2) Epw(X1) K1  H(X2x1) K3  H(X1x1) Z1 K1  K3 T1  s1 K2  H(X1x2 ) K1  H(X1x2) Z2 K2  K1= 0 T2  s2 Dictionary Attack!!! E’pw(Z1  T1) E’pw(0  T2)

  33. The Lee-Hwang-Lee GPAKE protocol [LHL04]   P1 Pi PN x1 Zp X1  gx1 xi Zp Xi  gxi xN Zp XN  gxN Epw(X1) Epw(Xi) Epw(XN) K1  H(X2x1) KN  H(XNx1) Z1 K1  KN KN  H(X1xN) KN-1  H(XN-1xN) ZN KN  KN-1 Ki  H(Xi+1xi) Ki-1  H(Xi-1xi) Zi Ki  Ki-1 Z1 Zi ZN SK  H(K1 K2    KN)

  34. An attack against the Lee-Hwang-Lee GPAKE protocol P1 P2 P3 P4 Epw(X1) Epw(X’1) Epw(X1) Epw(X’1) X1  gx1 K1 = K2 = K3 = K4 = H(X’1x1) 0 0 0 0 SK  H(K1 K2  K3  K4) P’1 P’2 P’3 P’4 Epw(X’1) Epw(X1) Epw(X’1) Epw(X1) X’1  gx1’ K’1 = K’2 = K’3 = K’4 = H(X1x1’) 0 0 0 0 SK’  H(K’1 K’2  K’3  K’4)

  35. Outline • Review of PAKE schemes • History of GPAKE schemes • A Simple GPAKE protocol • A generic GPAKE protocol • Concluding remarks

  36. A simple GPAKE protocol: Intuition • Add an extra flow of random nonces ri at the beginning of the each sessionS = P1 r1  PN rN • Use a different encryption key for each user and session to avoid replaying of messagespwi = H(pw  S i) • Only encrypt the flow containing the values Xi to avoid dictionary attacks • Add an authentication flow to avoid malleability attacksAuthi = H’(S X1* Z1  XN* ZN  SK  i)

  37. A simple GPAKE protocol: Construction [ABCP06]   P1 Pi PN r1 $ ri $ rN $ P1, r1 Pi, ri PN, rN x1 Zp X1  gx1 xi Zp Xi  gxi xN Zp XN  gxN Epw1(X1) Epwi(Xi) EpwN(XN) K1  X2x1 KN  XNx1 Z1 K1 / KN KN  X1xN KN-1  XN-1xN ZN KN / KN-1 Ki  Xi+1xi Ki-1  Xi-1xi Zi Ki / Ki-1 Z1 Zi ZN Auth1 Authi AuthN Session Key  H’’(Transcript  SK) SK  K1◦ K2 ◦  ◦ KN

  38. A simple GPAKE protocol: Security • Theorem: If the DDH problem is hard, then the protocoldescribed in the previous slide is a secure GPAKE protocol in the random-oracle and ideal-cipher models • Proof: see [ABCP06]

  39. Outline • Review of PAKE schemes • History of GPAKE schemes • A Simple GPAKE protocol • A generic GPAKE protocol • Concluding remarks

  40. A generic GPAKE protocol [ABGS07]: Intuition • Generate Ki using a (2-party) PAKE • Each user authenticates its neighbors • Commit to Zi before making it public • Commitment should be non-malleable • Use the fact that Z1◦ …◦ ZN = 1 for verification

  41. A generic GPAKE protocol Pi-1 Pi Pi+1 AKE AKE Ki-1 Ki-1 Ki Ki Zi-1  Ki-1  Ki-2 Zi  Ki  Ki-1 Zi+1  Ki+1  Ki Com(Zi-1 i-1; ri-1) Com(Zi I; ri) Com(Zi+1i+1; ri+1) Zi-1, ri-1 Zi, ri Zi+1, ri+1 SK  UH(K1, ,KN,Transcript) Session Key  FSK(0)

  42. Advantages of generic construction • Allows a modular design approach • Transformation is reasonably efficient • No ideal assumptions • Non-interactive non-malleable commitments • Family of collision-resistant pseudorandom functions [Katz-Shin 05] • Family of universal hash functions • Simpler proof of security

  43. Outline • Review of PAKE schemes • History of GPAKE schemes • A Simple GPAKE protocol • A generic GPAKE protocol • Concluding remarks

  44. Concluding remarks • Recap • Attacks against previous constructions [ABCP06] • A simple construction in the IC and RO models [ABCP06] • A generic GPAKE construction [ABGS07] • The design of password-based protocols can be tricky • Small modifications to the protocol can make them insecure • The only way to be sure is to provide a security proof • Password-based authenticated key exchange remains a very active area

  45. Future directions • More efficient constructions in the standard model • Stronger security guarantees • universal composability • Stronger corruption models

More Related