Password mistyping in two factor authenticated key exchange
Download
1 / 21

Password Mistyping in Two-Factor Authenticated Key Exchange - PowerPoint PPT Presentation


  • 98 Views
  • Uploaded on

Password Mistyping in Two-Factor Authenticated Key Exchange. Vladimir Kolesnikov Charles Rackoff Bell Labs U. Toronto ICALP 2008. Program. Key Exchange Intro Base Framework of [ KR06 ] Our definitions “Proof” of goodness of definitions Protocol. Communication Setting. …. Full Control.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Password Mistyping in Two-Factor Authenticated Key Exchange' - pancho


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Password mistyping in two factor authenticated key exchange

Password Mistyping in Two-FactorAuthenticated Key Exchange

Vladimir Kolesnikov Charles Rackoff

Bell Labs U. Toronto

ICALP 2008


Program
Program

  • Key Exchange Intro

  • Base Framework of [KR06]

  • Our definitions

  • “Proof” of goodness of definitions

  • Protocol


Communication setting
Communication Setting

Full Control

Insecure

network


Secure communication from shared random key
Secure Communication from Shared Random Key

Trusted Party

k 2R DK

  • Simple

  • Very efficient

k22R DK

Trusted Party


Key exchange ke
Key Exchange (KE)

A protocol between two parties

  • Both output (the same) randomly chosen k 2 DK

    Security

  • Adv does not know anything about k even if it sees all other exchanged keys

  • Adv cannot mismatch players

    • If Alice instance ``thinks’’ she exchanged a key with Bob, then at most one instance of “Bob talking to Alice” may have the same key

    • Players must have secret credentials


Defining ke
Defining KE

  • Large amount of prior work

  • An intuitive notion, but hard to define

  • We want our definition to:

    • Be intuitive and easy to use

    • Reject “bad” protocols (allow powerful adversaries)

    • Accept “good” protocols (avoid unnecessary restrictions)

  • Our adversary is the protocol designer

    • He creates bad protocols which pass our criteria


Related work
Related work

  • UC-composable PAKE (Canetti Halevi Katz Lindell MacKenzie 05)

    • Consider pure password setting

    • Mistyping is handled by letting the environment type the password


The combined keys setting
The combined keys setting

  • Asymmetric – Server (e.g. Bank) and Clients

  • Large secure storage

    of credentials

  • Key on storage card

    • can be lost or stolen

  • Memorized password

    • low entropy

    • guessing attack possible

Password can be mistyped


Defining ke with mistyping
Defining KE with mistyping

  • Base on our previous game-based definition [KR06]

  • Consider several natural extensions (don’t work)

  • Modifications that work

  • “Proof of security” of the definition


Ke definition
KE Definition

Plays the game:

  • challenge a completed

    honest player

Challenge:

  • Present either a key

    or a random string

    Adversary guesses which

  • Should not do too well

Definition is mainly about precise description of Adv’s powers in the game

(creation of players, instances, opening them, etc.)


Defining ke with mistyping1
Defining KE with mistyping

  • In [KR06], define several games which model parts of the setting (e.g. card compromised or not).

  • When card is not compromised, not too hard to handle mistyping. Adv can be very powerful – the protocols still withstand because of strong keys. E.g. Adv can even know pwd.

  • Interesting part is when card is compromised. This is approx. the HK setting:

    • C has public key of S and a shared password.


Defining ke with mistyping2
Defining KE with mistyping

  • In [KR06], definition mimics the real world.

  • C and S instantiated with proper credentials

  • Adv learns of each P? output by S.

  • This is essentially a password try, so Adv is charged for each P?.

  • Adv is allowed q P?’s. He cannot win more often than

Does not handle mistyping:  can leak long key if P? occurred.

(C never mistypes. To cause P?, Adv needs long key, so OK to leak it)


Mimicking mistyping in the games
Mimicking mistyping in the games

  • Idea

  • Ok, allow to mistype:

  • -Allow Adv to specify pwd inputs to the C instances in the game

  • -Allow Adv to specify a mistyping function


Mimicking mistyping in the games1
Mimicking mistyping in the games

More interestingly:

But what if “repeated password attempts” by game Adv?

He is being stupid -- these are wasted attempts. He “gets behind in the game”.

So protocol can “do something funny” on repeated attempts, to allow game

Adv to catch up, and still be secure. E.g. leak if pwd = 000..0.

This protocol is clearly insecure.


Player s knowledge of global state
Player’s knowledge of global state

  • Definition simplification: Instances don’t have “side channels” among themselves. They don’t “know”, e.g. how many password failures previously occurred.

  • Due to pkS, instances of S can have private communication with each other via Adv:

    • S1 encrypts and signs the message

    • Adv delivers the message to S2

  • m1 = “I’ve seen a password failure P?”

  • m2 = “There have been at least 2 P?”

  • m3 = “The sequence of events e1,… en has occurred”

  • Bad  can exhibit badness only if a global sequence of events occurred.


Mimicking mistyping in the games2
Mimicking mistyping in the games

Mimicking does not seem to work!


Do not mimic mistyping directly
Do not mimic mistyping directly

  • Idea: allow Adv to run free mistyped executions.

  • Don’t need to substitute input in honest instances.

  • Only amendment: In case of P?:

    • Do not notify Adv

    • Do not charge Adv

    • Allow Adv to check for P?, but risk the charge, as before

This is a good definition


How to prove this definition
How to “prove” this definition

First definition in the setting – cannot show equivalence

Could give a definition in the simulation or UC model and then show relationship (future work)

Instead, reduce to definition of [KR06]:

We prove: if  is secure, KE Adv cannot distinguish between two executions:

1. Adv mistypes C’s inputs adaptively at will

2. C’s are instantiated with their passwords

I.e. what is leaked due to mistyping is also leaked without mistyping.

If [KR06] is good, then our def. is also good:

Suppose  is “bad”, and leaks smth. due to mistyping. Then same is leaked

without mistyping. Then  is bad by [KR06]. Then  is bad by our def.


How to prove this definition cont
How to “prove” this definition (cont.)

Prove Adv cannot distinguish between two executions:

1. Adv mistypes C’s inputs at will

2. C’s are instantiated with their passwords

Proof idea: if Adv could distinguish executions where pwd and pwd’ are used,

then pwd  pwd’. Adv uses this to win KE game.

A distinguishing mistyping sequence is handled by a hybrid argument.



Application to biometrics
Application to biometrics

  • Key on storage card

    • can be lost or stolen

  • P = Gen()

R

, P