1 / 43

國立清華大學資訊工程系 資訊安全實驗室

Network Security--- User Authentication and Key Agreement Protocols. 孫宏民 hmsun@cs.nthu.edu.tw Phone: 03-5742968. 國立清華大學資訊工程系 資訊安全實驗室. Outline. Basic Cryptographic Concept Symmetric Encryption Asymmetric Encryption Digital Signature Encrypted Key Exchange (EKE) Conclusions.

eilis
Download Presentation

國立清華大學資訊工程系 資訊安全實驗室

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Network Security--- User Authentication and Key Agreement Protocols 孫宏民 hmsun@cs.nthu.edu.tw Phone: 03-5742968 國立清華大學資訊工程系 資訊安全實驗室

  2. Outline • Basic Cryptographic Concept • Symmetric Encryption • Asymmetric Encryption • Digital Signature • Encrypted Key Exchange (EKE) • Conclusions

  3. Cryptographic System

  4. Four Basic Services of Cryptography: • 1. Confidentiality (Secrecy): The intruder cannot read the encrypted message from the ciphertext. • 2.Authentication: It should be possible for the receiver of a message to ascertain its origin; an intruder should not be able to masquerade as someone else. • 3.Integrity: It should be possible for the receiver of a message to verify that it has not been modified in transit; an intruder cannot substitute a false message for a legitimate one. • 4.Nonrepudiation: A sender should not be able to falsely deny later that he sent a message.

  5. Ciphertext(C) Decryption Encryption M Plaintext(M) Cryptanalyst K1 K2 Cryptographic System • Symmetric Cryptosystem: The encryption & decryption keys are the same. (EK(M)= C & DK(C)= M). •  Asymmetric Cryptosystem: Encryption & decryption keys are different. (EK1(M)=C & DK2(C)=M) The encryption key is public, while the decryption key can not be calculated from the public key.

  6. Symmetric Cryptosystem • DES (1977) • IDEA (1992) • RC5 (1994) • AES (2001)

  7. Symmetric Cryptosystem • Security Service: • Confidentiality • Authentication • Integrity • Advantage:High Speed • Disadvantages: • how to obtain a common secret key between two parities, the number of secret keys is too big, can not achieve nonrepudiation.

  8. Asymmetric Cryptosystem • RSA (1978) • El-Gamal (1984) • McEliece (1978) • Knapsack (1978)

  9. Asymmetric Cryptosystem • Security Service: Confidentiality • Integrity • Authentication (by Signature) • Nonrepudiation (by Signature) • Advantage:a pair of keys for each user • Disadvantages: • Slow speed • Public key need to be authenticated by CA

  10. RSA (Encryption & Decryption) Public key: n = pq, p and q are large primes(512 bit), e ( gcd (e, (p-1)(q-1)) =1) Private key: d, where ed = 1 mod (p-1)( q-1) Encryption: C=M e mod n Decryption: M= C d mod n p=47, q=71, => n=3337 e=79, => d = 1019 M=688 Encryption: C=M e mod n = 68879 mod 3337 = 1570 Decryption: M= C d mod n =15701019 mod 3337 = 688

  11. One-way hash function • Input: X (unlimited length) Output: Y=H(X) (fixed length, e.g., 160 bit) • Given X, it is easy to compute Y. • Given Y, and H( ), it is computational infeasible to compute X. • Given X and Y, it is computational infeasible to find X’ such that Y=H(X’).

  12. Digital Signature M Message Message Signature Generation Signature Verification Ture or False Signature(S) Private Key Public Key Signer A Verifier B

  13. Hash Signature Functions : RSA DSA El-Gamal Elliptive Curve LUC Digital Signature M M S h(M) S Hash Functions : SHA MD5 FFT Snefru N Hash

  14. RSA Digital Signature Public key:n = pq, p and q are large primes(512 bit), e ( gcd (e, (p-1)(q-1)) =1), h is a hash function. Private key:d, where ed = 1 mod (p-1)( q-1) Sign: S= h(M)d mod n Verify: h(M) = S e mod n

  15. Secure Communication between Client and Server • Using Symmetric Cryptosystem: Each client and the server share a common secret key. Disadvantages: 1. Secret key must be strong 2. If the secret key is revealed, the messages in the past will also be revealed. IDc, Ek(M) Client Server Ek(M’)

  16. Secure Communication between Client and Server • Using Asymmetric Cryptosystem: Encryption + Signature (See next page) Disadvantages: 1. Public keys need to be authenticated by a CA. 2. Private key must be strong. 3. If the server’s private key is revealed, the messages in the past will also be revealed.

  17. Secure Communication between Client and Server

  18. User Authentication in general • Based on one or more of: • something a user has (smart card/token card) • something a user is (fingerprint/voiceprint/retinal scan) • something a user knows (password/short secret) • What’s a popular user authentication system based on three of these?

  19. Secure Password Authentication • Remote user access • Goal: to be secure without requiring the user to carry/remember anything except password VPN traffic protected domain (authenticated using password) Remote client Firewall

  20. Dictionary Attacks (Password Guessing Attacks) • An off- line, brute force guessing attack conducted by an attacker on the network. • Attacker usually has a “dictionary” of commonly-used passwords to try • People pick easily remembered passwords • “Easy- to- remember” is also “easy- to- guess”

  21. Passwords in the Real World • Entropy is less than most people think • Dictionary words, e. g. “pudding”, “plan9” • – Entropy: 20 bits or less • Word pairs or phrases, e. g. “hate2die” • – Represents average password quality • – Entropy: around 30 bits • Random printable text, e. g. “nDz2\ u> O” • – Entropy: slightly over 50 bits

  22. IDc , h(Password) Server Client Password-based protocols • Telnet, FTP are insecure IDc , Password Server Client • Hash function is still insecure due to dictionary attacks.

  23. Server Client ID Cha h(Cha,Password) Password-based Protocol with Challenge • Insecure against the dictionary attacks.

  24. We need .............. a password-based authentication protocol which is secure against dictionary attacks.

  25. Secure Communication between Client and Server • What to do after authentication? • We need a common session key to protect our communication. • Diffie-Hellman key agreement provides two parties to share a common session key.

  26. Diffie-Hellman Key Agreement • Goal : to provide two parties share a common session key • p : large prime, g : generator gRa mod p Client Server gRb mod p K= (gRa)Rb mod p K= (gRb)Ra mod p

  27. Man-in-the-middle attack

  28. Diffie-Hellman Key Agreement • Diffie-Hellman key agreement is vulnerable to the man-in-the-middle attack; it does not reach authentication • How about Diffie-Hellman key agreement using public key? • Problem: (1) does not provide forward secrecy, (2) hard to remember (not a password). Client Server

  29. Forward Secrecy • Prevents one compromise from causing further damage • CompromisingShould Not Compromise • Current passwordFuture passwords • Old passwordCurrent password • Current passwordCurrent or past session keys • Current session keyCurrent password

  30. Research Goal • To design a user authentication and key agreement protocol via password. • The protocol must satisfy the following requirements: 1. based on password only, 2. password may be weak, 3. be secure against the dictionary attack, 4. can provide perfect forward secrecy.

  31. Encrypted Key Exchange (EKE)[Bellovin and Merritt, 1992] • Two parties share a common password • EKE can withstand dictionary attack P P Client Server Generate encrypt/decrypt keys Generate R R(Cha) R(Cha||Chb) R(Chb)

  32. DHEKE [Bellovin and Merritt, 1992]

  33. Three-Party Key Exchange Protocol • Each client shares an easy-to-remember password with the server. • The protocol is responsible for establishing secure communication between two clients via the help of the server. • Application: E.g., ICQ, or mobile users

  34. STW-3PEKE [Steiner, Tsudik, and Waidner, 1995] A S B

  35. record get guess Undetectable On-line guessing attack (I)[Ding and Horster, 1995] A S B

  36. guess compute Undetectable On-line guessing attack (II)[Ding and Horster, 1995] S B

  37. Off-line Guessing Attack on STW-3PEKE[Lin, Sun, and Hwang, 2000] A* S* B

  38. LSH-3PEKE (with server’s public key)[Lin, Sun, and Hwang, 2000] A S B

  39. LSSH-3PEKE (without server’s public key)[Lin, Sun, Steiner, and Hwang, 2001] A S B A,B

  40. Performance Comparison

  41. Conclusions • Password authentication and key agreement protocols are widely used. • EX:Electronic Commerce, Electronic Stock Trading • Two-parties protocols are suitable for client/server environment. • EX:Telnet, FTP • Three-Party protocols are suit for single server and multiple clients environment. Any two clients can authenticate each other and reach secure communication.

  42. Verifier-based Protocol • A server does not store plain password directly. • Instead of storing a plain password, a server stores a verifiable text (called verifier). • It provides higher security level: an attacker must perform dictionary attack when the server is corrupted. • Furthermore, a verifier-based protocol can withstand the stolen verifier attack.

  43. References 1. Bellovin, S. Merritt, M., 1992, “Encrypted key Exchange: Password-based Protocols Secure against Dictionary Attacks. Proceedings of IEEE Symposium on Research in Security and privacy, Oakland. 2. Steiner, M. Tsudik G. and Waidner, M., 1995, “Refinement and Extension of Encrypted Key Exchange,” ACM Operating Systems Review, Vol.29, Issue 3, pp. 22-30. 3. Ding, Y. and Horster, P., 1995, “Undetectable On-line Password Guessing Attacks”, Technical Report, TR-95-13-F, July. 4. C. L. Lin, H. M. Sun, and T. Hwang, 2000, Three-Party Encrypted Key Exchange: Attacks and a Solution,” ACM Operating Systems Review, Vol. 34, No. 4, pp. 12-20. 5. C. L. Lin, H. M. Sun, M. Steiner, and T. Hwang, 2001, "Three-party Encrypted Key Exchange Without Server Public-Keys,"IEEE Communications Letters, Vol. 5, No. 12, pp. 497-499. 6. C. L. Lin, H. M. Sun, and T. Hwang, 2001, “Efficient and Practical DHEKE Protocols ,” ACM Operating Systems Review, Vol. 35, No. 1, pp. 41-47.

More Related