Password-based Credentials Download Protocols - PowerPoint PPT Presentation

Presentation Transcript

  1. Radia Perlman radia.perlman@sun.com Password-based Credentials Download Protocols

  2. Goal
     • To download private key, encrypted with the user’s password. The user’s “credential”
     • WS has some minimal amount of (trusted) software installed, but no user-specific info
     • User Alice’s private key and other info stored in central place “Bob” (e.g., the directory)
     • “Log into the network” means get Alice’s private key and everything else needed

  3. Getting private key
     • It would be nice if we all carried smart cards
     • But do we need a backup if user loses it, or forgets it, or it is broken?
     • But also, we don’t seem to have smart cards

  4. Download protocol
     • So, it might be nice to only need a password, and have a protocol that downloads the private key
     • Immune to dictionary attacks
         • By eavesdropper (passive attacker)
         • By Alice-impersonator
         • By Bob-impersonator

  5. Building Blocks
     • Diffie-Hellman
     • EKE (Bellovin-Merritt)
         • Encrypt Diffie-Hellman exchange with W (W = password, the weak secret)
     • SPEKE (Jablon)
         • Replace base in Diffie-Hellman with W
     • PDM (Kaufman-Perlman)
         • Replace modulus in Diffie-Hellman with f(W)

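  6. EKE (designed for mutual authentication)
     • Share $W = h(\text{pwd})$, $g$, $p$
     • Alice: pick $A$
     • Alice → Bob: “Alice”, $\{g^A \bmod p\}_W$
     • Bob: pick $B$; decrypt $\{g^A \bmod p\}_W$; calculate $K = g^{AB} \bmod p$; choose challenge $C_1$
     • Bob → Alice: $\{g^B \bmod p\}_W$, $\{C_1\}_K$
     • Alice: choose challenge $C_2$
     • Alice → Bob: $\{C_1, C_2\}_K$
     • Bob → Alice: $\{C_2\}_K$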

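  7. SPEKE
     • Share $W$, $p$
     • Alice: pick $A$
     • Alice → Bob: “Alice”, $W^A \bmod p$
     • Bob: pick $B$; calculate $K = W^{AB} \bmod p$; choose challenge $C_1$
     • Bob → Alice: $W^B \bmod p$, $\{C_1\}_K$
     • Alice: choose challenge $C_2$
     • Alice → Bob: $\{C_1, C_2\}_K$
     • Bob → Alice: $\{C_2\}_K$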

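  8. PDM (Password Derived Moduli)
     • Share $p$
     • Alice: pick $A$
     • Alice → Bob: “Alice”, $2^A \bmod p$
     • Bob: pick $B$; calculate $K = 2^{AB} \bmod p$; choose challenge $C_1$
     • Bob → Alice: $2^B \bmod p$, $\{C_1\}_K$
     • Alice: choose challenge $C_2$
     • Alice → Bob: $\{C_1, C_2\}_K$
     • Bob → Alice: $\{C_2\}_K$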

  9. But we don’t need mutual authentication, just credentials download
     • Which we can do in two messages

  10. 2-msg EKE-based
     • Share $g$, $p$, $W$
     • Alice: pick $A$
     • Alice → Bob: “Alice”, $\{g^A \bmod p\}_W$
     • Bob: calculate $K = g^{AB} \bmod p$
     • Bob → Alice: $g^B \bmod p$, $\{Y\}_K$

  11. 2-msg SPEKE-based
     • Share $W$, $p$
     • Alice: pick $A$
     • Alice → Bob: “Alice”, $W^A \bmod p$
     • Bob: calculate $K = W^{AB} \bmod p$
     • Bob → Alice: $W^B \bmod p$, $\{Y\}_K$

  12. 2-msg PDM-based
     • Share $p$
     • Alice: pick $A$
     • Alice → Bob: “Alice”, $2^A \bmod p$
     • Bob: calculate $K = 2^{AB} \bmod p$
     • Bob → Alice: $2^B \bmod p$, $\{Y\}_K$

  13. If we want to avoid strong password schemes
     • Just let Y be world-readable
         • Anyone can request it and do dictionary attack
         • An eavesdropper can do a dictionary attack
     • Could do CHAP-like thing to authenticate
         • Eavesdropper could do dictionary attack
     • Could enhance that with anonymous Diffie-Hellman initial exchange
         • Active attacker could be man-in-the-middle, or impersonate whichever side authenticates last, to gain dictionary attack

  14. To avoid strong pwd schemes
     • Could do TLS, then CHAP-like thing
         • Requires good trust anchors at client, and certificate for server
         • No dictionary attack possible for eavesdropper or Alice-impersonator
         • Can’t have Bob-impersonator (since TLS would foil that)

  15. Variants in Pre-shared Key TLS
     • PSK only
         • Eavesdropper and server get dictionary attack
     • DH-PSK
         • Bob-impersonator gets dictionary attack
     • RSA-PSK
         • Can’t impersonate Bob if Alice checks his cert
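
The two-message SPEKE-based download from slide 11, as an added example that is not part of the original presentation. It assumes the RFC 2409 Oakley Group 2 prime for p, W derived by hashing and then squaring the password, and a standard-library stand-in for {Y}K; all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Assumption: p is the RFC 2409 Oakley Group 2 modulus, a 1024-bit safe prime.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2  # prime order of the subgroup of squares

def base_from_password(pwd):
    """W: hash the password, then square it so W lies in the order-q subgroup."""
    h = int.from_bytes(hashlib.sha512(pwd.encode()).digest(), "big")
    return pow(h, 2, P)

def _key(shared, label):
    return hashlib.sha256(label + shared.to_bytes(128, "big")).digest()

def _xor(shared, data):
    """Stand-in cipher (assumption): SHA-256 counter keystream, K is fresh per run."""
    ks = b"".join(hashlib.sha256(_key(shared, b"enc") + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

def _tag(shared, ct):
    return hmac.new(_key(shared, b"mac"), ct, hashlib.sha256).digest()

def _check(v):
    # 0, 1 and p-1 would force K into a set the sender can predict without W.
    if not 1 < v < P - 1:
        raise ValueError("degenerate public value")

def alice_request(pwd):
    """Message 1: "Alice", W^A mod p. Returns (A, W^A mod p)."""
    a = secrets.randbelow(Q - 1) + 1
    return a, pow(base_from_password(pwd), a, P)

def bob_reply(w, wa, y):
    """Message 2: W^B mod p, {Y}K with K = W^(AB) mod p."""
    _check(wa)
    b = secrets.randbelow(Q - 1) + 1
    k = pow(wa, b, P)
    ct = _xor(k, y)
    return pow(w, b, P), ct + _tag(k, ct)

def alice_recover(a, wb, blob):
    """Returns Y, or None when the password (and therefore K) was wrong."""
    _check(wb)
    k = pow(wb, a, P)
    ct, tag = blob[:-32], blob[-32:]
    return _xor(k, ct) if hmac.compare_digest(tag, _tag(k, ct)) else None
```

A wrong password yields a different K, so each run of the protocol lets a client test only the one password it committed to in message 1.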