## Password-based Credentials Download Protocols


**Radia Perlman radia.perlman@sun.com**

### Goal

- To download the user's private key, encrypted with the user's password: the user's "credential"
- The workstation (WS) has some minimal amount of (trusted) software installed, but no user-specific info
- User Alice's private key and other info are stored in a central place, "Bob" (e.g., the directory)
- "Log into the network" means: get Alice's private key and everything else needed

### Getting the private key

- It would be nice if we all carried smart cards
- But do we need a backup if the user loses it, forgets it, or it is broken?
- But also, we don't seem to have smart cards

### Download protocol

- So it might be nice to only need a password, and have a protocol that downloads the private key
- Immune to dictionary attacks
  - by an eavesdropper (passive attacker)
  - by an Alice-impersonator
  - by a Bob-impersonator

### Building blocks

- Diffie-Hellman
- EKE (Bellovin-Merritt): encrypt the Diffie-Hellman exchange with W (W = password, the weak secret)
- SPEKE (Jablon): replace the base in Diffie-Hellman with W
- PDM (Kaufman-Perlman): replace the modulus in Diffie-Hellman with f(W)

Notation in the protocol slides that follow: {X}K is X encrypted under key K, g^A mod p is modular exponentiation, and "Alice" is her identity sent in the clear.

### EKE (designed for mutual authentication)

Shared: W = h(pwd), g, p

1. Alice picks A and sends: "Alice", {g^A mod p}W
2. Bob picks B, decrypts {g^A mod p}W, calculates K = g^AB mod p, chooses challenge C1 and sends: {g^B mod p}W, {C1}K
3. Alice decrypts {g^B mod p}W, calculates the same K, chooses challenge C2 and sends: {C1, C2}K
4. Bob sends: {C2}K

### SPEKE

Shared: W, p

1. Alice picks A and sends: "Alice", W^A mod p
2. Bob picks B, calculates K = W^AB mod p, chooses challenge C1 and sends: W^B mod p, {C1}K
3. Alice calculates the same K, chooses challenge C2 and sends: {C1, C2}K
4. Bob sends: {C2}K

### PDM (Password Derived Moduli)

Shared: p (derived from the password)

1. Alice picks A and sends: "Alice", 2^A mod p
2. Bob picks B, calculates K = 2^AB mod p, chooses challenge C1 and sends: 2^B mod p, {C1}K
3. Alice calculates the same K, chooses challenge C2 and sends: {C1, C2}K
4. Bob sends: {C2}K

### But we don't need mutual authentication, just credentials download

- Which we can do in two messages

### 2-msg EKE-based

Shared: g, p, W

1. Alice picks A and sends: "Alice", {g^A mod p}W
2. Bob picks B, calculates K = g^AB mod p and sends: g^B mod p, {Y}K (Y is the credential)

### 2-msg SPEKE-based

Shared: W, p

1. Alice picks A and sends: "Alice", W^A mod p
2. Bob picks B, calculates K = W^AB mod p and sends: W^B mod p, {Y}K

### 2-msg PDM-based

Shared: p

1. Alice picks A and sends: "Alice", 2^A mod p
2. Bob picks B, calculates K = 2^AB mod p and sends: 2^B mod p, {Y}K

### If we want to avoid strong password schemes

- Just let Y be world-readable
  - Anyone can request it and do a dictionary attack
  - An eavesdropper can do a dictionary attack
- Could do a CHAP-like thing to authenticate
  - An eavesdropper could do a dictionary attack
- Could enhance that with an anonymous Diffie-Hellman initial exchange
  - An active attacker could be a man-in-the-middle, or impersonate whichever side authenticates last, to gain a dictionary attack

### To avoid strong pwd schemes

- Could do TLS, then a CHAP-like thing
  - Requires good trust anchors at the client, and a certificate for the server
  - No dictionary attack possible for an eavesdropper or an Alice-impersonator
  - Can't have a Bob-impersonator (since TLS would foil that)

### Variants in Pre-shared Key TLS

- PSK only: eavesdropper and server get a dictionary attack
- DH-PSK: a Bob-impersonator gets a dictionary attack
- RSA-PSK: can't impersonate Bob if Alice checks his cert
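The four-message EKE, SPEKE and PDM exchanges and their two-message credential-download variants, as an added Python model that is not part of Perlman's slides. It assumes toy parameters: a 64-bit prime modulus, SHA-256 as h(), a next-prime search as the PDM function f(W), and an XOR-with-keystream stand-in for {X}K; the function names (mutual_auth, download_credential, group_setup and the rest) are my own. All three variants are driven by the same code, which makes the one line each of them changes in Diffie-Hellman (the wrapping, the base, or the modulus) easy to see.

```python
import hashlib
import secrets

# Constructed toy parameters: P is the largest 64-bit prime (2**64 - 59), base 2.
# Real deployments need a large safe prime and, for EKE, a group-element encoding
# that looks the same under every password guess; this is a teaching model only.
P = 2**64 - 59
G = 2
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases (deterministic for n below 3.3e24)."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for b in MR_BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def weak_secret(password):
    """W = h(pwd): the weak secret both sides derive from the password (toy: 64 bits of SHA-256)."""
    return int.from_bytes(hashlib.sha256(password.encode()).digest()[:8], "big")

def password_derived_modulus(password):
    """PDM: p = f(W); here the first probable prime at or above W with the top bit set."""
    n = weak_secret(password) | (1 << 63) | 1
    while not is_probable_prime(n):
        n += 2
    return n

def wrap(key, label, value):
    """Toy {value}key: XOR of a 64-bit value with a keystream from key and a per-message label (self-inverse)."""
    stream = hashlib.sha256(label.encode() + key.to_bytes(16, "big")).digest()[:8]
    return value ^ int.from_bytes(stream, "big")

def group_setup(variant, password):
    """(base, modulus) as one side sees it: EKE keeps plain DH, SPEKE puts W in the base, PDM puts f(W) in the modulus."""
    if variant == "EKE":
        return G, P
    if variant == "SPEKE":
        return weak_secret(password), P
    if variant == "PDM":
        return 2, password_derived_modulus(password)
    raise ValueError(variant)

def send_term(variant, password, base, mod):
    """Pick a private exponent; return it and the public term as it goes on the wire (EKE wraps it under W)."""
    x = secrets.randbelow(mod - 2) + 1
    y = pow(base, x, mod)
    return x, (wrap(weak_secret(password), "dh", y) if variant == "EKE" else y)

def receive_term(variant, password, wire):
    """Undo the EKE encryption under W; SPEKE and PDM send the term in the clear."""
    return wrap(weak_secret(password), "dh", wire) if variant == "EKE" else wire

def mutual_auth(variant, alice_pwd, bob_pwd):
    """Four-message EKE/SPEKE/PDM exchange; returns (Alice accepts Bob, Bob accepts Alice)."""
    base_a, mod_a = group_setup(variant, alice_pwd)
    base_b, mod_b = group_setup(variant, bob_pwd)
    a, msg1 = send_term(variant, alice_pwd, base_a, mod_a)        # "Alice", {g^A mod p}W
    b, term_b = send_term(variant, bob_pwd, base_b, mod_b)
    k_bob = pow(receive_term(variant, bob_pwd, msg1), b, mod_b)    # K = g^AB mod p
    c1 = secrets.randbits(64)
    msg2 = (term_b, wrap(k_bob, "c1", c1))                         # {g^B mod p}W, {C1}K
    k_alice = pow(receive_term(variant, alice_pwd, msg2[0]), a, mod_a)
    c2 = secrets.randbits(64)
    msg3 = (wrap(k_alice, "c1c2", wrap(k_alice, "c1", msg2[1])),   # {C1, C2}K
            wrap(k_alice, "c1c2", c2))
    bob_accepts = wrap(k_bob, "c1c2", msg3[0]) == c1               # Bob sees his own C1 back
    msg4 = wrap(k_bob, "c2", wrap(k_bob, "c1c2", msg3[1]))         # {C2}K
    alice_accepts = wrap(k_alice, "c2", msg4) == c2                # Alice sees her own C2 back
    return alice_accepts, bob_accepts

def download_credential(variant, alice_pwd, bob_pwd, credential):
    """Two-message variant: no challenges, Bob just returns Y (a 64-bit toy credential) under K.
    Alice recovers `credential` only if both sides used the same password."""
    base_a, mod_a = group_setup(variant, alice_pwd)
    base_b, mod_b = group_setup(variant, bob_pwd)
    a, msg1 = send_term(variant, alice_pwd, base_a, mod_a)        # "Alice", {g^A mod p}W
    b = secrets.randbelow(mod_b - 2) + 1
    k_bob = pow(receive_term(variant, bob_pwd, msg1), b, mod_b)
    msg2 = (pow(base_b, b, mod_b), wrap(k_bob, "y", credential))  # g^B mod p in the clear, {Y}K
    k_alice = pow(msg2[0], a, mod_a)
    return wrap(k_alice, "y", msg2[1])
```

Running `mutual_auth("EKE", "correct horse", "correct horse")` returns `(True, True)`, and any mismatch between the two passwords makes both checks fail for every variant, because the two sides end up with different K (different wrapping key, different base, or different modulus). Two caveats the toy makes visible: the per-message labels in `wrap` are what stop a party from simply echoing a ciphertext it cannot read, and XOR-wrapping a value mod p is not a faithful EKE encryption, since a decryption that lands at or above p would tell an observer that a password guess is wrong; real EKE needs an encoding under which every possible ciphertext decrypts to a valid group element.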
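The "If we want to avoid strong password schemes" slide rates each design by whether someone who sees the traffic gains a dictionary attack. The added Python below, which is my own teaching model and not part of the slides, turns that into a check a designer can run: for a constructed five-word list containing the real password, it counts how many entries an observer can eliminate offline from a single observation of each design (a world-readable Y, a CHAP-like response, and for contrast the first EKE message). It assumes the same toy primitives as before (64 bits of SHA-256 as h(), XOR-with-keystream as {X}K, a 64-bit prime modulus) and a credential format with a fixed TAG prefix so that a correct decryption is recognizable; the names WORDLIST, REAL_PASSWORD, compare_designs and the rest are my own.

```python
import hashlib
import secrets

# Constructed toy model: P is the largest 64-bit prime, TAG marks a well-formed credential.
P = 2**64 - 59
G = 2
TAG = 0xC0DEC0DEC0DEC0DE
WORDLIST = ["hunter2", "letmein", "correct horse", "password1", "qwerty"]  # constructed
REAL_PASSWORD = "correct horse"

def weak_secret(password):
    """W = h(pwd), toy: 64 bits of SHA-256."""
    return int.from_bytes(hashlib.sha256(password.encode()).digest()[:8], "big")

def wrap(key, label, value, nbytes):
    """Toy {value}key: XOR with an nbytes keystream derived from key and a label (self-inverse)."""
    stream = hashlib.sha256(label.encode() + key.to_bytes(16, "big")).digest()[:nbytes]
    return value ^ int.from_bytes(stream, "big")

def world_readable_y(password, private_key):
    """First option on the slide: Bob hands Y = {TAG || private_key}W to anyone who asks."""
    return wrap(weak_secret(password), "y", (TAG << 64) | private_key, 16)

def chap_response(password, challenge):
    """Second option: a CHAP-like proof h(W, challenge) that an eavesdropper sees in the clear."""
    data = weak_secret(password).to_bytes(8, "big") + challenge.to_bytes(8, "big")
    return hashlib.sha256(data).digest()

def eke_first_message(password):
    """The strong-password alternative: EKE's {g^A mod p}W with a fresh random A."""
    a = secrets.randbelow(P - 2) + 1
    return wrap(weak_secret(password), "dh", pow(G, a, P), 8)

def ruled_out_by_y(y):
    """A guess is eliminated when decrypting Y with it does not yield the credential tag."""
    return lambda guess: wrap(weak_secret(guess), "y", y, 16) >> 64 != TAG

def ruled_out_by_chap(challenge, response):
    """A guess is eliminated when it does not reproduce the observed response."""
    return lambda guess: chap_response(guess, challenge) != response

def ruled_out_by_eke(msg):
    """Every guess decrypts the EKE message to *some* value; the only way to eliminate one is an
    impossible group element (0 or >= P), which a proper encoding removes entirely."""
    return lambda guess: not 1 <= wrap(weak_secret(guess), "dh", msg, 8) < P

def guesses_ruled_out(wordlist, can_rule_out):
    """How many wordlist entries an observer can eliminate offline from what it saw."""
    return sum(1 for guess in wordlist if can_rule_out(guess))

def compare_designs(private_key=0x1234567890ABCDEF, challenge=0x0123456789ABCDEF):
    """Return {design: eliminated guesses} for one observation of each design."""
    y = world_readable_y(REAL_PASSWORD, private_key)
    response = chap_response(REAL_PASSWORD, challenge)
    msg = eke_first_message(REAL_PASSWORD)
    return {
        "world-readable Y": guesses_ruled_out(WORDLIST, ruled_out_by_y(y)),
        "CHAP-like": guesses_ruled_out(WORDLIST, ruled_out_by_chap(challenge, response)),
        "EKE transcript": guesses_ruled_out(WORDLIST, ruled_out_by_eke(msg)),
    }
```

`compare_designs()` returns 4 eliminated guesses (everything but the real password) for both the world-readable Y and the CHAP-like response, and 0 for the EKE message: the first two hand an observer a verifier for each guess, the third does not. The anonymous-Diffie-Hellman enhancement on the slide changes only who can obtain that verifier (an active man-in-the-middle rather than a passive listener), not whether one exists, which is why the slide still counts it as a dictionary attack.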