
(Re)Introducing Strong Password Protocols

Radia Perlman, Radia.Perlman@sun.com. What’s a strong password protocol? Alice and Bob share a weak secret (W)…a password


Presentation Transcript


  1. Radia Perlman Radia.Perlman@sun.com (Re)Introducing Strong Password Protocols

  2. What’s a strong password protocol?
     • Alice and Bob share a weak secret (W)…a password
     • In a strong password protocol, someone impersonating Alice or Bob, or eavesdropping, cannot capture a quantity with which to do a dictionary attack

  3. Example non-strong password protocol
     Alice knows W; Bob knows (“Alice”, W)
     Alice → Bob: I’m Alice
     Bob → Alice: Challenge=R
     Alice → Bob: H(W,R)

  4. Example non-strong password protocol
     Alice knows W; Bob knows (“Alice”, W)
     Alice → Bob: I’m Alice
     Bob → Alice: Challenge=R
     Alice → Bob: h(W,R)
     Note: someone impersonating Bob, or eavesdropping, can test passwords to see if response h(W,R) matches R

  5. First strong password protocol: EKE
     • Bellovin-Merritt
     • Encrypt Diffie-Hellman exchange with W

  6. EKE
     Alice knows W; Bob knows (“Alice”, W)
     Alice → Bob: I’m Alice, {g^A mod p}W
     Bob → Alice: {g^B mod p}W
     Alice ↔ Bob: Mutual exchange based on g^AB

  7. EKE
     Alice knows W; Bob knows (“Alice”, W)
     Alice → Bob: I’m Alice, {g^A mod p}W
     Bob → Alice: {g^B mod p}W
     Alice ↔ Bob: Mutual exchange based on g^AB
     Note: someone impersonating Bob, or eavesdropping, cannot do a dictionary attack. Would have to break Diffie-Hellman

  8. EKE
     Alice knows W; Bob knows (“Alice”, W)
     Alice → Bob: I’m Alice, {g^A mod p}W
     Bob → Alice: {g^B mod p}W
     Alice ↔ Bob: Mutual exchange based on g^AB
     Note: someone impersonating Bob, or eavesdropping, cannot do a dictionary attack. Would have to break Diffie-Hellman
     Note: Alice or Bob could do one on-line password guess, and verify if they are right

  9. Variants of EKE
     • SPEKE: (Jablon) replace “g” in Diffie-Hellman with W
     Alice knows W; Bob knows (“Alice”, W)
     Alice → Bob: I’m Alice, W^A mod p
     Bob → Alice: W^B mod p
     Alice ↔ Bob: Mutual exchange based on W^AB

  10. Variants of EKE
     • PDM: (Kaufman, Perlman) derive p deterministically from W
     Alice knows pwd, derives p; Bob knows (“Alice”, p)
     Alice → Bob: I’m Alice, 2^A mod p
     Bob → Alice: 2^B mod p
     Alice ↔ Bob: Mutual exchange based on 2^AB

  11. “Augmented” feature
     • In EKE, SPEKE, and PDM, server knows W
     • If someone stole the server database, they would be able to directly impersonate the user (without a dictionary attack)
     • “Augmented” feature: server database doesn’t completely divulge W (but allows a dictionary attack)
     • Many ways to do this

  12. Example: augmented PDM
     Alice knows pwd, derives p
     Bob knows for Alice: p, {Alice’s priv}pwd, Alice’s public key
     Alice → Bob: I’m Alice, 2^A mod p
     Bob → Alice: 2^B mod p, challenge=R, { {Alice’s priv}pwd } 2^AB mod p
     Alice: Sign R with private key
     Alice ↔ Bob: Mutual exchange based on 2^AB
     Bob: Verifies Alice’s sig

  13. Augmented protocols
     • All of EKE, SPEKE, PDM can be made augmented
     • SRP only has an augmented form
     • There are other variants of strong password protocols

  14. What would one do with a strong password protocol?
     • One could directly authenticate with it
     • One could do credential download
     • Use it to download Alice’s private key, and then everything else follows once she knows her private key
     • Everything else she needs can be stored encrypted and/or signed
     • Authentication would be done with traditional public key

  15. Credential download (based on EKE)
     Bob knows for Alice: W, CRED={Alice’s priv}pwd
     Alice knows pwd, derives W
     Alice → Bob: I’m Alice, {g^A mod p}W
     Bob → Alice: g^B mod p, { CRED } g^AB mod p
     Note: only need 2 msgs

  16. Other things
     • Alice can customize her password for each site (use W_servername = h(pwd, “servername”)) at site “servername”
     • But if you just use strong password protocols to obtain Alice’s private key, she can authenticate to all other sites using public key

  17. Why don’t we use strong password protocols?
     • Possible IPR
     • TLS with non-strong password protocol “good enough in practice”
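
The PDM exchange from slide 10, as an added example that is not part of the presentation: Bob stores only p, Alice re-derives p from the password she types, and the two session keys agree only when she typed the right one. The slide says only that p is derived deterministically from W; the hash-to-seed search for a safe prime, the 128-bit toy modulus size, and all function names here are assumptions.

```python
import hashlib
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases, so both parties reach the same verdict."""
    if n < 2 or any(n % b == 0 for b in BASES):
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def derive_p(user, pwd, bits=128):
    """Assumed derivation: hash (user, pwd) to a seed, walk to the next safe prime."""
    seed = int.from_bytes(hashlib.sha256(f"{user}:{pwd}".encode()).digest(), "big")
    p = (seed >> (256 - bits)) | (1 << (bits - 1)) | 3   # top bit set, p = 3 mod 4
    while not (is_probable_prime((p - 1) // 2) and is_probable_prime(p)):
        p += 4
    return p

def dh_public(p):
    """Pick a random private exponent; return it with 2^exponent mod p."""
    priv = secrets.randbelow(p - 3) + 2
    return priv, pow(2, priv, p)

def session_key(their_public, my_private, p):
    """Hash 2^AB mod p into the key used for the mutual exchange."""
    shared = pow(their_public, my_private, p)
    return hashlib.sha256(shared.to_bytes(p.bit_length() // 8 + 1, "big")).hexdigest()

def run_exchange(stored_p, typed_pwd, user="Alice"):
    """Return (Alice's key, Bob's key). Bob holds stored_p; Alice re-derives p."""
    alice_p = derive_p(user, typed_pwd)
    a, msg1 = dh_public(alice_p)    # Alice -> Bob: "I'm Alice", 2^A mod p
    b, msg2 = dh_public(stored_p)   # Bob -> Alice: 2^B mod p
    return session_key(msg2, a, alice_p), session_key(msg1, b, stored_p)
```

With a constructed sample password, `run_exchange(derive_p("Alice", "correct horse"), "correct horse")` returns two equal keys, while passing a different typed password returns two keys that do not match, so the mutual exchange fails after that single on-line guess.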
