1 / 7

Mistyping in Two-Factor Password-Assisted Key Exchange

Mistyping in Two-Factor Password-Assisted Key Exchange. Vlad Kolesnikov (Bell Labs) Charles Rackoff (U. Toronto). This talk. People often mistype (obvious) It is easy to overlook Formal approach is subtle. Warm-up. Alice goes to an ATM. Adv looks over her shoulder

Download Presentation

Mistyping in Two-Factor Password-Assisted Key Exchange

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Mistyping in Two-Factor Password-Assisted Key Exchange Vlad Kolesnikov (Bell Labs) Charles Rackoff (U. Toronto)

  2. This talk People often mistype (obvious) It is easy to overlook Formal approach is subtle

  3. Warm-up Alice goes to an ATM. Adv looks over her shoulder (and controls the network). Alice’s PIN = 1234 A: 0000 B: Wrong A: 0000 B: Wrong A: 0000 B: Wrong Adv learned PIN  0000 Q: Anything else? Can design a secure protocol, where Adv checks 3 passwords of his choice Natural variants of [HK99] (and its fix [KR06]) have this feature This feature is not an insecurity, but should be understood.

  4. Mistyping should not be outside of the model • Definition of Robust Fuzzy Extractors (RFE) [B+05,D+06] should have stronger guarantees when fingerprint is meta-mistyped (misread beyond the error-correction distance). • Their RFE construction satisfies stronger requirements. • Their generic KE from RFE is insecure when funky RFE are used. • Denial of Access resistance of [KR06] on two-factor KE is vulnerable when parties mistype.

  5. How to model mistyping • Adv can mess with the fingerprint reader • Adv can perform social engineering attacks • Adv should be able to effect any mistyping on users.

  6. What is so hard about the definition? Current KE definitions do not model mistyping by honest players Secure protocols are “free to be bad” in many creative ways • Leaking when C mistypes (randomly or to something related) Long keys = opportunities to be bad Protocol can send encrypted messages to other instances of itself. Protocol’s actions can depend on global state. • Leak if a specific sequence of mistyping occurred (e.g. p+1,p+1,p,0,p-2). Difficulty – cannot give too much power to Adv of the definition because of use of short keys and precise allowed quantitative advantage.

  7. Summary Mistyping causes subtle issues – give examples. Give the first mistyping-secure definitions Justify them (prove that any badness of a secure protocol can be exploited without mistyping) Give protocols

More Related