Discover the importance of strong password protocols that prevent impersonation and eavesdropping. Unlike weak protocols that allow for dictionary attacks, strong methods like EKE, SPEKE, and PDM enhance security during user authentication. These protocols enable mutual exchanges to verify identities without exposing sensitive passwords. Learn how to leverage these advanced techniques for credential downloads and secure authentication across various platforms while understanding the limitations of current practices. Protect your digital identity effectively!
(Re)Introducing Strong Password Protocols
Radia Perlman, Radia.Perlman@sun.com
What’s a strong password protocol?
• Alice and Bob share a weak secret (W)… a password
• In a strong password protocol, someone impersonating Alice or Bob, or eavesdropping, cannot capture a quantity with which to do a dictionary attack
Example non-strong password protocol
Alice knows W; Bob knows (“Alice”, W)
  Alice → Bob: I’m Alice
  Bob → Alice: Challenge = R
  Alice → Bob: h(W, R)
Note: someone impersonating Bob, or eavesdropping, can test candidate passwords off-line by checking which W gives a response h(W, R) matching the one observed for R
First strong password protocol: EKE
• Bellovin-Merritt
• Encrypt the Diffie-Hellman exchange with W
EKE
Alice knows W; Bob knows (“Alice”, W)
  Alice → Bob: I’m Alice, {g^A mod p}W
  Bob → Alice: {g^B mod p}W
  Mutual exchange based on g^AB
Note: someone impersonating Bob, or eavesdropping, cannot do a dictionary attack; they would have to break Diffie-Hellman
Note: Alice or Bob could do one on-line password guess, and verify if they are right
Variants of EKE
• SPEKE (Jablon): replace “g” in Diffie-Hellman with W
Alice knows W; Bob knows (“Alice”, W)
  Alice → Bob: I’m Alice, W^A mod p
  Bob → Alice: W^B mod p
  Mutual exchange based on W^AB
Variants of EKE
• PDM (Kaufman, Perlman): derive p deterministically from W
Alice knows pwd, derives p; Bob knows (“Alice”, p)
  Alice → Bob: I’m Alice, 2^A mod p
  Bob → Alice: 2^B mod p
  Mutual exchange based on 2^AB
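As an added worked example (not from Perlman's slides), a toy SPEKE run in Python over a constructed safe prime: W is hashed from the password and used as the Diffie-Hellman base, the key comes from W^AB mod p, a wrong password on either side fails the mutual confirmation (the one on-line guess noted above), and the last function shows why an eavesdropper's transcript gives nothing to test guesses against off-line. Names, the hash-to-group step and the 4079/2039 group are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed toy group (not for real use): safe prime p = 2q + 1, so the
# squares mod p form a subgroup of prime order q.
P, Q = 4079, 2039

def speke_generator(password: str) -> int:
    """SPEKE replaces the fixed DH base g with W derived from the password.
    Squaring lands in the order-q subgroup; degenerate 0/1 are rehashed."""
    counter = 0
    while True:
        w = int.from_bytes(hashlib.sha256(f"{counter}:{password}".encode()).digest(), "big")
        g = pow(w % P, 2, P)
        if g > 1:
            return g
        counter += 1

def session_key(shared: int) -> bytes:
    """Symmetric key from W^(AB) mod p."""
    return hashlib.sha256(shared.to_bytes(2, "big")).digest()

def proof(key: bytes, direction: bytes) -> bytes:
    """Key-confirmation tag for the 'mutual exchange based on W^AB'."""
    return hmac.new(key, direction, hashlib.sha256).digest()

def run_speke(alice_pwd: str, bob_pwd: str, a: int = 0, b: int = 0):
    """One SPEKE run: Alice uses the password she typed, Bob the W stored for
    'Alice'. Returns (alice_key, bob_key, mutual_ok); fixed a, b allowed."""
    a = a or secrets.randbelow(Q - 2) + 2
    b = b or secrets.randbelow(Q - 2) + 2
    msg_a = pow(speke_generator(alice_pwd), a, P)  # "I'm Alice, W^A mod p"
    msg_b = pow(speke_generator(bob_pwd), b, P)    # "W^B mod p"
    k_alice = session_key(pow(msg_b, a, P))
    k_bob = session_key(pow(msg_a, b, P))
    # Each side proves it holds the key. A wrong password on either side
    # (the one on-line guess the slides mention) makes the tags disagree.
    bob_accepts = hmac.compare_digest(proof(k_alice, b"A->B"), proof(k_bob, b"A->B"))
    alice_accepts = hmac.compare_digest(proof(k_bob, b"B->A"), proof(k_alice, b"B->A"))
    return k_alice, k_bob, bob_accepts and alice_accepts

def transcript_rules_out(msg: int, candidate_pwd: str) -> bool:
    """All an eavesdropper can test against W^A mod p: is a guessed password
    inconsistent with it? Every element of the order-q subgroup is a power
    of every other, so each candidate W' explains the message equally well
    and this never returns True: no off-line dictionary attack."""
    g_guess = speke_generator(candidate_pwd)
    return pow(msg, Q, P) != 1 or pow(g_guess, Q, P) != 1
```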
“Augmented” feature
• In EKE, SPEKE, and PDM, the server knows W
• If someone stole the server database, they would be able to directly impersonate the user (without a dictionary attack)
• “Augmented” feature: the server database doesn’t completely divulge W (but allows a dictionary attack)
• Many ways to do this
Example: augmented PDM
Alice knows pwd, derives p; Bob knows for Alice: p, {Alice’s priv}pwd, Alice’s public key
  Alice → Bob: I’m Alice, 2^A mod p
  Bob → Alice: 2^B mod p, challenge = R, { {Alice’s priv}pwd }2^AB mod p
  Alice → Bob: sign R with private key; mutual exchange based on 2^AB
  Bob verifies Alice’s signature
Augmented protocols
• All of EKE, SPEKE, PDM can be made augmented
• SRP only has an augmented form
• There are other variants of strong password protocols
What would one do with a strong password protocol?
• One could directly authenticate with it
• One could do credential download
  • Use it to download Alice’s private key, and then everything else follows once she knows her private key
  • Everything else she needs can be stored encrypted and/or signed
  • Authentication would be done with traditional public key
Credential download (based on EKE)
Alice knows pwd, derives W; Bob knows for Alice: W, CRED = {Alice’s priv}pwd
  Alice → Bob: I’m Alice, {g^A mod p}W
  Bob → Alice: g^B mod p, { CRED }g^AB mod p
Note: only need 2 msgs
Other things
• Alice can customize her password for each site: use Wservername = h(pwd, “servername”) at site “servername”
• But if you just use strong password protocols to obtain Alice’s private key, she can authenticate to all other sites using public key
Why don’t we use strong password protocols?
• Possible IPR
• TLS with a non-strong password protocol is “good enough in practice”