
SAE Protocols – Flaws and Fixes

This presentation discusses the vulnerabilities and flawed assumptions of the Simultaneous Authentication of Equals (SAE) protocols in password authenticated key exchange. It offers remedies and solutions to address these issues.





Presentation Transcript


  1. SAE Protocols – Flaws and Fixes
  Author: Date: 2010-01-18
  Abstract: Two password authenticated key exchange protocols, called Simultaneous Authentication of Equals (SAE), appear to be going through Draft IEEE P802.11s D4.0 (November 2009) into IEEE Std 802.11, for mutual authentication and master key generation between two stations sharing a password. If (a big if) designed correctly, they are in the protocol category of zero-knowledge password proofs, which resist the offline dictionary attacks that have often plagued password based authentication protocols. However, both SAE protocols, as they stand now, are vulnerable to such attacks and rest on flawed assumptions as well. This presentation explains these issues and offers some remedies.

  2. Outline
  • Password authenticated public key exchanges
    • Introduction
    • Basic math
  • SAE protocols
    • Elliptic curve discrete logarithm (ECDL) setting
      • Review
      • Security analyses
      • Flaws and fixes
    • Multiplicative group discrete logarithm (DL) setting
      • Review
      • Security analyses
      • Flaws and fixes

  3. Password Authenticated Key Agreement Protocols – IEEE 802.11 SAE
  • First suite of strong authentication and key agreement protocols introduced to IEEE 802.11, via IEEE 802.11s (mesh networking)
  • Supposedly resistant to offline dictionary attacks
  • A major step in the right direction for WLAN (Wi-Fi) security
  • Appears to be on the way to becoming a new authentication (and key agreement) method for IEEE Std 802.11

  4. Password Authenticated Key Agreement Protocols – IEEE P1363.2
  • A labyrinth of password authenticated key agreement (zero-knowledge password proof) protocols
  • Balanced (i.e., "equal") and unbalanced versions
  • DL and ECDL settings
  • SPEKE, SRP, …

  5. Password Authenticated Key Agreement Protocols – Basic Idea
  • Key exchange: Alice and Bob exchange their public keys, one or both scrambled by their shared password
  • Entropy expansion: the password itself typically has low entropy, but it is now embedded into the scrambled public key along with the private key, which by design has high entropy
  • Shared secret derivation: both parties calculate a shared secret using their own private key and the other's public key which, if scrambled, must be de-scrambled with the password
  • Password proof: each party sends the other a hash of the shared secret SS as her/his proof of knowing the password, H(SS), where SS is a function of the sender's private key and the password → an offline dictionary attack is improbable

  6. ECDL Key Exchange – Underlying Math
  • Finite group → the points on an elliptic curve E together with the point at infinity O
  • Elliptic curve over a prime field: E: y^2 = x^3 + ax + b, with a, b ∈ Fp, 4a^3 + 27b^2 ≠ 0, p prime
  • E(Fp) = {points (x, y) ∈ Fp × Fp on E} ∪ {O}
  • Group operation → point addition on E
  • Scalar multiplication: n*P = P + … + P (n copies of P added together)
  • #E(Fp) = h*r, gcd(h, r) = 1, h = cofactor (≤ 4), r = order of a finite cyclic subgroup Sr = large prime
  • If G is a base point (generator) of Sr, then r*G = O and n*G ≠ O for n ∈ {1, 2, …, r-1}
  • Given G and Q = m*G ∈ Sr, it takes exponential time (O(2^{L/2}) group operations, L = number of bits in p) to compute m → computationally infeasible

  7. DL Key Exchange – Underlying Math
  • Multiplicative group of a prime field: Zp* = {1, 2, …, p-1}, p prime
  • Group operation → multiplication modulo p
  • Zp* = finite cyclic group of order p-1
  • If g ∈ Zp*, g generates a finite cyclic subgroup of order r: g^r mod p = 1 and g^n mod p ≠ 1 for n ∈ {1, 2, …, r-1}
  • r must be a factor of p-1
  • If g is a generator of Zp*, r = p-1, and vice versa
  • Given g and q = g^m mod p ∈ Zp*, it takes subexponential time to compute m if g and r are chosen appropriately → computationally infeasible

  8. ECDL Based SAE Protocol – Review
  Setup: hashes of password & addresses → PWE ∈ E(Fp); m → N = m*PWE; r = order of a cyclic subgroup of points on the chosen elliptic curve over a finite field
  Alice:
  • Choose random (rand1, mask1) < r
  • cs1 = (rand1+mask1) mod r
  • CE1 = -mask1*N
  Bob:
  • Choose random (rand2, mask2) < r
  • cs2 = (rand2+mask2) mod r
  • CE2 = -mask2*N
  Alice → Bob: cs1, CE1; Bob → Alice: cs2, CE2
  Alice:
  • K = rand1*(cs2*N+CE2) = rand1*rand2*N
  • cf1 = H(F(K)||sc||cs1||CE1||cs2||CE2)
  Bob:
  • K = rand2*(cs1*N+CE1) = rand2*rand1*N
  • cf2 = H(F(K)||sc||cs2||CE2||cs1||CE1)
  Alice → Bob: cf1 (Bob verifies cf1); Bob → Alice: cf2 (Alice verifies cf2)
  * sc = number of cf1 or cf2 messages sent to the peer; communicated by sender to receiver
  Password authenticated master key = Hash(x(K)||(cs1+cs2) mod r)

  9. ECDL Based SAE Protocol – Secure?
  Setup as on slide 8.
  Eve impersonating Alice:
  • Choose random (rand1, mask1) < r
  • cs1 = (rand1+mask1) mod r
  • CE1 = -mask1*N with N = E (Eve's guess of N)
  Bob:
  • Choose random (rand2, mask2) < r
  • cs2 = (rand2+mask2) mod r
  • CE2 = -mask2*N
  Eve → Bob: cs1, CE1; Bob → Eve: cs2, CE2
  • To find the password, Eve must first find N, which is derived from the password
  • Can Eve find N from CE2, which also depends on the unknown mask2?
  • No. She would have to do a reverse search in password space × private key space → no offline dictionary attack (so far)

  10. ECDL Based SAE Protocol – Secure?
  Eve impersonating Alice (continued from slide 9)
  • To calculate Bob's K, Eve must first find rand2 and N
  • Can Eve find N and rand2 from cs2 and CE2?
  • No. She would have to do a reverse search in password space × private key space
  Eve: K = rand1*(cs2*E+CE2) = rand1*(rand2*E + mask2*(E-N)); cf1 = H(F(K)||sc||cs1||CE1||cs2||CE2)
  Bob: K = rand2*(cs1*N+CE1) = rand2*(rand1*N + mask1*(N-E)); expects cf1 = H(F(K)||sc||cs1||CE1||cs2||CE2)
  • Eve's K ≠ Bob's K unless E = N, i.e., unless Eve has the right guess of the password!!!
  Eve → Bob: cf1; cf1 verification fails → impersonation attack failed (so far)

  11. ECDL Based SAE Protocol – Secure?
  Setup as on slide 8.
  Eve impersonating Bob:
  • Choose random (rand2, mask2) < r
  • cs2 = (rand2+mask2) mod r
  • CE2 = -mask2*N with N = E (guess)
  • Eve cannot find N from CE1 → no offline dictionary attack!
  Alice:
  • Choose random (rand1, mask1) < r
  • cs1 = (rand1+mask1) mod r
  • CE1 = -mask1*N
  Alice → Eve: cs1, CE1; Eve → Alice: cs2, CE2
  Alice: K = rand1*(cs2*N+CE2) = rand1*(rand2*N + mask2*(N-E)); cf1 = H(F(K)||sc||cs1||CE1||cs2||CE2)
  Eve: K = rand2*(cs1*E+CE1) = rand2*(rand1*E + mask1*(E-N))
  Alice → Eve: cf1 (Eve does not verify it)

  12. ECDL Based SAE Protocol – Secure?
  Eve impersonating Bob (continued from slide 11)
  • Alice's cf1 depends on rand1 and N
  • To find N (and hence the password) from cf1, Eve would have to do a reverse search in password space × private key space → no offline dictionary attack!
  • Without knowing rand1 and N, Eve cannot calculate Alice's K and cf1
  Alice: K = rand1*(rand2*N + mask2*(N-E)); expects cf2 = H(F(K)||sc||cs2||CE2||cs1||CE1)
  Eve: K = rand2*(rand1*E + mask1*(E-N)); cf2 = H(F(K)||sc||cs2||CE2||cs1||CE1)
  • Alice's K ≠ Eve's K (unless E = N)!!!
  Eve → Alice: cf2; cf2 verification fails → impersonation attack failed!
  No offline and impersonation attacks – really?

  13. Offline Dictionary Attack via Impersonation (h > 1)
  Setup: hashes of password & addresses → PWE ∈ E(Fp); m → N = m*PWE; h = (small) cofactor of the chosen elliptic curve, h*PWE ≠ O; r = order of a cyclic subgroup of points on the chosen elliptic curve over a finite field
  Eve impersonating Bob:
  • Choose cs2 and CE2 such that cs2 < r and h*CE2 = O (CE2 lies in the small subgroup of order h)
  Alice:
  • Choose random (rand1, mask1) < r
  • cs1 = (rand1+mask1) mod r
  • CE1 = -mask1*N = rand1*N - cs1*N
  Alice → Eve: cs1, CE1; Eve → Alice: cs2, CE2
  Alice:
  • K = rand1*(cs2*N+CE2) = cs2*(rand1*N) + rand1*CE2 = cs2*CE1 + cs2*cs1*N + z*CE2, z = rand1 mod h
  • cf1 = H(F(K)||sc||cs1||CE1||cs2||CE2)

  14. Offline Dictionary Attack via Impersonation (h > 1) (continued)
  Alice:
  • K = rand1*(cs2*N+CE2) = cs2*(rand1*N) + rand1*CE2 = cs2*CE1 + cs2*cs1*N + z*CE2, z = rand1 mod h
  • cf1 = H(F(K)||sc||cs1||CE1||cs2||CE2)
  • cf1 is therefore a function of known parameters and of only two unknowns: the password pw (through N) and z ∈ {0, 1, …, h-1} (for z = 0 the CE2 term simply vanishes)
  Alice → Eve: cf1
  Eve:
  • Compute cf1 for each candidate pw from a (small) password space and each z from the small set {0, 1, …, h-1}, looking for a match with the received cf1
  • Password found
  • Ready for a new, successful run

  15. Flawed Assumption (h > 1)
  Setup as on slide 13 (PWE ∈ E(Fp), N = m*PWE, h*PWE ≠ O, r = order of the cyclic subgroup).
  Alice:
  • cs1 = (rand1+mask1) mod r = rand1 + mask1 - i1*r, with i1 = (rand1+mask1) div r
  • CE1 = -mask1*N
  Bob:
  • cs2 = (rand2+mask2) mod r = rand2 + mask2 - i2*r, with i2 = (rand2+mask2) div r
  • CE2 = -mask2*N
  Alice → Bob: cs1, CE1; Bob → Alice: cs2, CE2
  Alice: K = rand1*(cs2*N+CE2) = rand1*(rand2 + mask2 - i2*r - mask2)*N = rand1*rand2*N - rand1*i2*r*N
  Bob: K = rand2*(cs1*N+CE1) = rand2*(rand1 + mask1 - i1*r - mask1)*N = rand1*rand2*N - rand2*i1*r*N

  16. Flawed Assumption (h > 1) (continued)
  • Alice: K = rand1*rand2*N - rand1*i2*r*N
  • Bob: K = rand1*rand2*N - rand2*i1*r*N
  • Write PWE = P1 + P2 with P1 in the subgroup of order h and P2 in the subgroup of order r
  • r*P1 ≠ O → r*PWE ≠ O → r*N ≠ O → rand1*i2*r*N ≠ rand2*i1*r*N in general → Alice's K ≠ Bob's K !!!
  • The two correction terms coincide only by accident (e.g., when neither sum rand+mask wrapped modulo r, i1 = i2 = 0), so the draft's derivation, which silently assumes r*N = O, gives mismatching keys between honest peers whenever PWE has a component outside the subgroup of order r

  17. Fixes for ECDL Based SAE Protocol Flaws
  • Be selective – use elliptic curve groups whose order #E is prime, so that the cofactor h = 1
    • The NIST recommended elliptic curves over prime fields (FIPS 186-2 or 186-3) are in this category.
  • Be preemptive – set N = h*m*PWE (instead of N = m*PWE) when h > 1
    • This places N in the subgroup of order r and so validates the assumption r*N = O, so that Alice's K = Bob's K.
  • Be defensive – check that the peer's commit-element CE satisfies h*CE ≠ O when h > 1
    • Proceed only if the check passes.
    • This detects and thwarts subgroup confinement and hence offline dictionary attacks via impersonation.
    • Caveat: h*CE ≠ O only rejects elements lying entirely inside the small subgroup. The full membership test is r*CE = O (after checking that CE is a point on the curve), which rules out any component of order dividing h.
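The cofactor problem of slides 15 and 16 and the "be preemptive" repair above, as an added worked example (not code from the presentation or from the 802.11s draft). It runs the ECDL commit exchange exactly as the review slide writes it over a tiny curve found by brute force (p = 101, a search over a and b, m = 5, and the chosen scalars are all toy assumptions), with a PWE that has both an order-h and an order-r component, and shows Alice's K ≠ Bob's K for N = m*PWE but agreement for N = h*m*PWE. The r*Q = O membership test is included as the full form of the "be defensive" check.

```python
"""ECDL SAE toy: the cofactor flaw of slides 15-16 and the N = h*m*PWE fix.
Added example, not the presentation's or the draft's code. Curve search,
m = 5 and all scalars are toy assumptions."""


def largest_prime_factor(n):
    d, largest = 2, 1
    while d * d <= n:
        while n % d == 0:
            largest, n = d, n // d
        d += 1
    return n if n > 1 else largest


def ec_add(P1, P2, p, a):
    """Affine point addition on y^2 = x^3 + a*x + b over F_p; None is O."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                      # P + (-P) = O (also 2P for a 2-torsion point)
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, P, p, a):
    """k*P by double-and-add; a negative k negates P first."""
    if k < 0:
        k, P = -k, (None if P is None else (P[0], (-P[1]) % p))
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, p, a)
        P = ec_add(P, P, p, a)
        k >>= 1
    return R


def find_cofactor_curve(p=101):
    """Brute-force a curve over F_p with #E = h*r, r prime, 1 < h <= 4 (toy p only).
    Returns (a, b, h, r, affine points)."""
    for a in range(1, p):
        for b in range(1, p):
            if (4 * a ** 3 + 27 * b * b) % p == 0:
                continue                     # singular curve
            pts = [(x, y) for x in range(p) for y in range(p)
                   if (y * y - (x ** 3 + a * x + b)) % p == 0]
            n = len(pts) + 1                 # plus the point at infinity
            r = largest_prime_factor(n)
            h = n // r
            if 1 < h <= 4:
                return a, b, h, r, pts
    raise ValueError("no curve with a small cofactor > 1 found")


def in_prime_order_subgroup(curve, Q):
    """Full membership test for S_r: r*Q = O. (h*Q != O alone only rejects
    points lying entirely inside the small subgroup.)"""
    p, a, h, r = curve
    return Q is not None and ec_mul(r, Q, p, a) is None


def sae_keys(curve, PWE, m, rand1, mask1, rand2, mask2, clear_cofactor):
    """One commit exchange as on the review slide; returns (Alice's K, Bob's K).
    clear_cofactor=False is the draft's N = m*PWE, True is the fix N = h*m*PWE."""
    p, a, h, r = curve
    N = ec_mul(h * m if clear_cofactor else m, PWE, p, a)
    cs1, CE1 = (rand1 + mask1) % r, ec_mul(-mask1, N, p, a)     # Alice's commit
    cs2, CE2 = (rand2 + mask2) % r, ec_mul(-mask2, N, p, a)     # Bob's commit
    K_alice = ec_mul(rand1, ec_add(ec_mul(cs2, N, p, a), CE2, p, a), p, a)
    K_bob = ec_mul(rand2, ec_add(ec_mul(cs1, N, p, a), CE1, p, a), p, a)
    return K_alice, K_bob


def demo(p=101):
    a, b, h, r, pts = find_cofactor_curve(p)
    curve = (p, a, h, r)
    # PWE with both an order-h and an order-r component (r*PWE != O and
    # h*PWE != O): the case of slides 15-16, which the draft's PWE derivation
    # does not rule out. Picked directly here instead of hashed (assumption).
    PWE = next(P for P in pts
               if ec_mul(r, P, p, a) is not None and ec_mul(h, P, p, a) is not None)
    m = 5                                    # coprime to h, so m*PWE keeps its h-part
    rand1, mask1 = r - 1, 1                  # rand1 + mask1 = r wraps mod r: i1 = 1
    rand2, mask2 = 1, 2                      # no wrap: i2 = 0
    flawed = sae_keys(curve, PWE, m, rand1, mask1, rand2, mask2, False)
    fixed = sae_keys(curve, PWE, m, rand1, mask1, rand2, mask2, True)
    return {
        "keys_agree_flawed": flawed[0] == flawed[1],
        "keys_agree_fixed": fixed[0] == fixed[1],
        "N_flawed_in_Sr": in_prime_order_subgroup(curve, ec_mul(m, PWE, p, a)),
        "N_fixed_in_Sr": in_prime_order_subgroup(curve, ec_mul(h * m, PWE, p, a)),
    }


if __name__ == "__main__":
    print(demo())
```

The scalars are chosen so that exactly one of the two sums rand+mask wraps modulo r: that makes the difference between the two keys equal to rand2*(r*N), which is a nonzero point of small order precisely because N still carries the order-h part of PWE. Multiplying by h before use kills that part, and the same exchange then agrees.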

  18. DL Based SAE Protocol – Review
  Setup: hashes of password & addresses → PWE; m → N = PWE^m mod p, with N^r mod p = 1; p = prime = order of the chosen finite field, r = order of a cyclic subgroup
  Alice:
  • Choose random (rand1, mask1) < r
  • cs1 = (rand1 + mask1) mod r
  • CE1 = N^{-mask1} mod p
  Bob:
  • Choose random (rand2, mask2) < r
  • cs2 = (rand2 + mask2) mod r
  • CE2 = N^{-mask2} mod p
  Alice → Bob: cs1, CE1; Bob → Alice: cs2, CE2
  Alice:
  • k = (N^{cs2} * CE2)^{rand1} mod p = N^{rand2*rand1} mod p
  • cf1 = H(k||sc||cs1||CE1||cs2||CE2)
  Bob:
  • k = (N^{cs1} * CE1)^{rand2} mod p = N^{rand1*rand2} mod p
  • cf2 = H(k||sc||cs2||CE2||cs1||CE1)
  Alice → Bob: cf1 (Bob verifies cf1); Bob → Alice: cf2 (Alice verifies cf2)
  * sc = number of cf1 or cf2 messages sent to the peer; communicated by sender to receiver
  Password authenticated master key = H(k||(cs1+cs2) mod r||(CE1*CE2) mod p)

  19. DL Based SAE Protocol – Secure?
  Setup as on slide 18.
  Eve impersonating Alice:
  • Choose random (rand1, mask1) < r
  • cs1 = (rand1 + mask1) mod r
  • CE1 = N^{-mask1} mod p with N = E (Eve's guess of N)
  Bob:
  • Choose random (rand2, mask2) < r
  • cs2 = (rand2 + mask2) mod r
  • CE2 = N^{-mask2} mod p
  Eve → Bob: cs1, CE1; Bob → Eve: cs2, CE2
  • To find the password, Eve must first find N, which is derived from the password
  • Can Eve find N from CE2, which also depends on the unknown mask2?
  • No. She would have to do a reverse search in password space × private key space → no offline dictionary attack (so far)

  20. DL Based SAE Protocol – Secure?
  Eve impersonating Alice (continued from slide 19)
  • To calculate Bob's k, Eve must first find rand2 and N
  • Can Eve find N and rand2 from cs2 and CE2?
  • No. She would have to do a reverse search in password space × private key space
  Eve: k = (E^{cs2} * CE2)^{rand1} mod p = [E^{rand2} * (E/N)^{mask2}]^{rand1} mod p; cf1 = H(k||sc||cs1||CE1||cs2||CE2)
  Bob: k = (N^{cs1} * CE1)^{rand2} mod p = [N^{rand1} * (N/E)^{mask1}]^{rand2} mod p; expects cf1 = H(k||sc||cs1||CE1||cs2||CE2)
  • Eve's k ≠ Bob's k unless E = N, i.e., unless Eve has the right guess of the password!!!
  Eve → Bob: cf1; cf1 verification fails → impersonation attack failed (so far)

  21. DL Based SAE Protocol – Secure?
  Setup as on slide 18.
  Eve impersonating Bob:
  • Choose random (rand2, mask2) < r
  • cs2 = (rand2 + mask2) mod r
  • CE2 = N^{-mask2} mod p with N = E (guess)
  • Eve cannot find N from CE1 → no offline dictionary attack (so far)
  Alice:
  • Choose random (rand1, mask1) < r
  • cs1 = (rand1 + mask1) mod r
  • CE1 = N^{-mask1} mod p
  Alice → Eve: cs1, CE1; Eve → Alice: cs2, CE2
  Alice: k = (N^{cs2} * CE2)^{rand1} mod p = [N^{rand2} * (N/E)^{mask2}]^{rand1} mod p; cf1 = H(k||sc||cs1||CE1||cs2||CE2)
  Eve: k = (E^{cs1} * CE1)^{rand2} mod p = [E^{rand1} * (E/N)^{mask1}]^{rand2} mod p
  Alice → Eve: cf1 (Eve does not verify it)

  22. DL Based SAE Protocol – Secure?
  Eve impersonating Bob (continued from slide 21)
  • Alice's cf1 depends on rand1 and N
  • To find N (and hence the password) from cf1, Eve would have to do a reverse search in password space × private key space → no offline dictionary attack (so far)
  • Without knowing rand1 and N, Eve cannot calculate Alice's k and cf1
  Alice: k = [N^{rand2} * (N/E)^{mask2}]^{rand1} mod p; expects cf2 = H(k||sc||cs2||CE2||cs1||CE1)
  Eve: k = [E^{rand1} * (E/N)^{mask1}]^{rand2} mod p; cf2 = H(k||sc||cs2||CE2||cs1||CE1)
  • Alice's k ≠ Eve's k (unless E = N)!!!
  Eve → Alice: cf2; cf2 verification fails → impersonation attack failed (so far)
  No offline and impersonation attacks – really?

  23. Offline Dictionary Attack via Impersonation
  Setup: hashes of password & addresses → PWE; m → N = PWE^m mod p, with N^r mod p = 1; p = prime = order of the chosen finite field, p-1 = t*q with t a small integer; r = order of a cyclic subgroup
  Eve impersonating Bob:
  • Choose cs2 and CE2 such that cs2 < r and CE2^t mod p = 1 (CE2 lies in the small subgroup of order t)
  Alice:
  • Choose random (rand1, mask1) < r
  • cs1 = (rand1 + mask1) mod r
  • CE1 = N^{-mask1} mod p = N^{rand1} * N^{-cs1} mod p
  Alice → Eve: cs1, CE1; Eve → Alice: cs2, CE2
  Alice:
  • k = (N^{cs2} * CE2)^{rand1} mod p = (N^{rand1})^{cs2} * CE2^{rand1} mod p = CE1^{cs2} * N^{cs1*cs2} * CE2^z mod p, z = rand1 mod t
  • cf1 = H(k||sc||cs1||CE1||cs2||CE2)

  24. Offline Dictionary Attack via Impersonation (continued)
  Alice:
  • k = (N^{cs2} * CE2)^{rand1} mod p = (N^{rand1})^{cs2} * CE2^{rand1} mod p = CE1^{cs2} * N^{cs1*cs2} * CE2^z mod p, z = rand1 mod t
  • cf1 = H(k||sc||cs1||CE1||cs2||CE2)
  • cf1 is therefore a function of known parameters and of only two unknowns: the password pw (through N) and z ∈ {0, 1, …, t-1} (for z = 0 the CE2 factor is simply 1)
  Alice → Eve: cf1
  Eve:
  • Compute cf1 for each candidate pw from a (small) password space and each z from the small set {0, 1, …, t-1}, looking for a match with the received cf1
  • Password found
  • Ready for a new, successful run

  25. DL Based SAE Protocol – MITM Attack?
  Setup: hashes of password & addresses → PWE; m → N = PWE^m mod p; Meddle does not know N and uses some M ≠ N
  Alice:
  • Choose random (rand1, mask1) < r
  • cs1 = (rand1 + mask1) mod r
  • CE1 = N^{-mask1} mod p
  Bob:
  • Choose random (rand2, mask2) < r
  • cs2 = (rand2 + mask2) mod r
  • CE2 = N^{-mask2} mod p
  Alice → Meddle: cs1, CE1; Meddle → Bob: cs1' = (rand1' + mask1') mod r, CE1' = M^{-mask1'} mod p
  Bob → Meddle: cs2, CE2; Meddle → Alice: cs2' = (rand2' + mask2') mod r, CE2' = M^{-mask2'} mod p
  Alice: kA = (N^{cs2'} * CE2')^{rand1} mod p = [(N/M)^{mask2'} * N^{rand2'}]^{rand1} mod p; cf1A = H(kA||sc||cs1||CE1||cs2'||CE2'); expects cf2A = H(kA||sc||cs2'||CE2'||cs1||CE1)
  Bob: kB = (N^{cs1'} * CE1')^{rand2} mod p = [(N/M)^{mask1'} * N^{rand1'}]^{rand2} mod p; expects cf1B = H(kB||sc||cs1'||CE1'||cs2||CE2); cf2B = H(kB||sc||cs2||CE2||cs1'||CE1')
  Meddle (towards Alice): kMA = (M^{cs1} * CE1)^{rand2'} mod p = [M^{rand1} * (M/N)^{mask1}]^{rand2'} mod p; cf2MA = H(kMA||sc||cs2'||CE2'||cs1||CE1)
  Meddle (towards Bob): kMB = (M^{cs2} * CE2)^{rand1'} mod p = [M^{rand2} * (M/N)^{mask2}]^{rand1'} mod p; cf1MB = H(kMB||sc||cs1'||CE1'||cs2||CE2)

  26. DL Based SAE Protocol – MITM Attack? (continued)
  Alice: kA = [(N/M)^{mask2'} * N^{rand2'}]^{rand1} mod p; cf1A = H(kA||sc||cs1||CE1||cs2'||CE2'); expects cf2A = H(kA||sc||cs2'||CE2'||cs1||CE1)
  Bob: kB = [(N/M)^{mask1'} * N^{rand1'}]^{rand2} mod p; expects cf1B = H(kB||sc||cs1'||CE1'||cs2||CE2); cf2B = H(kB||sc||cs2||CE2||cs1'||CE1')
  Meddle: kMA = [M^{rand1} * (M/N)^{mask1}]^{rand2'} mod p ≠ kA; cf2MA = H(kMA||sc||cs2'||CE2'||cs1||CE1)
  Meddle: kMB = [M^{rand2} * (M/N)^{mask2}]^{rand1'} mod p ≠ kB; cf1MB = H(kMB||sc||cs1'||CE1'||cs2||CE2)
  Alice → Meddle: cf1A; Meddle → Bob: cf1MB; cf1B ≠ cf1MB → MITM detected!
  Meddle → Alice: cf2MA; cf2MA ≠ cf2A → MITM detected!
  Bob → Meddle: cf2B
  No MITM attacks – really?

  27. Man-In-The-Middle Attack
  Setup: hashes of password & addresses → PWE; m → N = PWE^m mod p, with N^r mod p = 1; p = prime = order of the chosen finite field, p-1 = t*q with t a small integer; r = order of a cyclic subgroup
  Alice:
  • Choose random (rand1, mask1) < r
  • cs1 = (rand1 + mask1) mod r
  • CE1 = N^{-mask1} mod p
  Bob:
  • Choose random (rand2, mask2) < r
  • cs2 = (rand2 + mask2) mod r
  • CE2 = N^{-mask2} mod p
  Alice → Meddle: cs1, CE1; Meddle → Bob: cs1' = cs1*q mod r, CE1' = CE1^q mod p
  Bob → Meddle: cs2, CE2; Meddle → Alice: cs2' = cs2*q mod r, CE2' = CE2^q mod p
  Alice: k = (N^{cs2'} * CE2')^{rand1} mod p = (N^q)^{rand2*rand1} mod p = (N^q)^{(rand2*rand1 mod t)} mod p; cf1 = H(k||sc||cs1||CE1||cs2'||CE2')
  Bob: k = (N^{cs1'} * CE1')^{rand2} mod p = (N^q)^{rand1*rand2} mod p = (N^q)^{(rand1*rand2 mod t)} mod p; cf2 = H(k||sc||cs2||CE2||cs1'||CE1')

  28. Man-In-The-Middle Attack (continued)
  Alice: k = (N^q)^{(rand2*rand1 mod t)} mod p = (N^q)^z mod p, z = rand2*rand1 mod t; cf1 = H(k||sc||cs1||CE1||cs2'||CE2'); expects cf2 = H(k||sc||cs2'||CE2'||cs1||CE1)
  Bob: k = (N^q)^{(rand1*rand2 mod t)} mod p = (N^q)^z mod p, z = rand1*rand2 mod t; expects cf1 = H(k||sc||cs1'||CE1'||cs2||CE2); cf2 = H(k||sc||cs2||CE2||cs1'||CE1')
  Alice's cf1 ≠ Bob's cf1 and Alice's cf2 ≠ Bob's cf2 (each confirm binds the commit values that side actually saw), so Meddle cannot simply forward them
  Alice's authenticated master key = H(k||(cs1+cs2') mod r||(CE1*CE2') mod p)
  Bob's authenticated master key = H(k||(cs1'+cs2) mod r||(CE1'*CE2) mod p)
  • k, cf1 and cf2 are functions of known parameters and of only two unknowns: the password pw (through N) and z = rand1*rand2 mod t ∈ {0, 1, …, t-1}
  • Meddle computes cf1 or cf2 for each candidate pw from a (small) password space and each z from the small set {0, 1, …, t-1}, looking for a match with the overheard cf1 or cf2
  • Password, z and hence both keys found → Meddle can now produce the cf1 Bob expects and the cf2 Alice expects → ready for MITM message attacks

  29. Fixes for DL Based SAE Protocol Flaws
  • Be selective – use only primes p = 1 + t×q with q a prime of adequate bit length (≥ 160 bits, NIST SP 800-56A)
    • Caveat – double check whether the IETF and NIST recommended primes meet this requirement.
  • Be preemptive – set PWE = pwd-value^t mod p for p = 1 + t×q
    • This ensures that N = PWE^m mod p lies in the subgroup of order q and hence preempts subgroup confinement and offline dictionary attacks via MITM.
    • In p = 1 + t×q, t must be such that q is a prime. This is not necessarily the case in the current draft, where PWE = pwd-value^r mod p and p = 1 + 2×r.
  • Be defensive – check that the peer's commit-element CE satisfies CE^t mod p ≠ 1
    • Proceed only if the check passes.
    • This detects and thwarts subgroup confinement and hence offline dictionary attacks via impersonation and MITM.
    • This check is needed even with the preemptive fix: mapping PWE into the order-q subgroup does not stop a peer from sending an element of order dividing t (including CE = 1), which still confines k to a small set.
    • Caveat: CE^t ≠ 1 only rejects elements confined entirely to the order-t subgroup. The full membership test is 2 ≤ CE ≤ p-2 and CE^q mod p = 1, the public-key validation NIST SP 800-56A specifies for finite-field groups.
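The DL-based exchange of slide 18, the impersonation attack of slides 23 and 24, and the "be defensive" check above, as an added worked example (not code from the presentation or from the 802.11s draft). It uses an assumed toy prime p = 1 + t×q with t = 10 and q = 1009, SHA-256 for H, m = 1 so that N = PWE, the preemptive PWE = pwd-value^t mapping, and a constructed four-word dictionary; Eve's commit element is an element of order exactly t, and her offline search runs over candidate passwords × z ∈ {0, …, t-1}.

```python
"""DL SAE toy: subgroup-confinement attack via impersonation and the
element-validation fix. Added example, not the presentation's or the
draft's code. p = 1 + t*q, hash, addresses, dictionary and scalars are all
toy assumptions; m = 1, so N = PWE."""
import hashlib

P, T, Q = 10091, 10, 1009          # p = 1 + t*q; p and q prime (toy size)
assert P == 1 + T * Q


def h(*fields):
    """Toy H(): SHA-256 over the '||'-joined decimal fields, as an integer."""
    data = "||".join(map(str, fields)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def pwe(password, addr_a, addr_b):
    """pwd-value from hashes of password and addresses, raised to t ("be
    preemptive") so that PWE, and hence N = PWE, lie in the subgroup of order q."""
    v = h(password, addr_a, addr_b) % (P - 2) + 2        # 2 <= v <= p-1
    return pow(v, T, P)


def commit(N, rand, mask):
    return (rand + mask) % Q, pow(N, -mask, P)            # cs, CE = N^-mask mod p


def shared_key(N, rand, peer_cs, peer_ce):
    return pow(pow(N, peer_cs, P) * peer_ce % P, rand, P)  # (N^cs * CE)^rand mod p


def confirm(k, sc, my_cs, my_ce, peer_cs, peer_ce):
    return h(k, sc, my_cs, my_ce, peer_cs, peer_ce)


def validate_element(ce):
    """Be defensive. Returns (weak, strong): the slides' CE^t != 1, and the
    full SP 800-56A-style membership test 2 <= CE <= p-2 and CE^q = 1."""
    return pow(ce, T, P) != 1, (2 <= ce <= P - 2 and pow(ce, Q, P) == 1)


def honest_run(password, rand1, mask1, rand2, mask2):
    N = pwe(password, "alice", "bob")
    cs1, ce1 = commit(N, rand1, mask1)
    cs2, ce2 = commit(N, rand2, mask2)
    return shared_key(N, rand1, cs2, ce2) == shared_key(N, rand2, cs1, ce1)


def alice_responds(password, rand1, mask1, peer_cs, peer_ce, defensive=False):
    """Alice processes a commit from "Bob" and returns (cs1, ce1, cf1); cf1 is
    sent before anything from the peer has been verified, as in the attack."""
    if defensive and not validate_element(peer_ce)[0]:
        raise ValueError("peer commit-element confined to the small subgroup")
    N = pwe(password, "alice", "bob")
    cs1, ce1 = commit(N, rand1, mask1)
    k = shared_key(N, rand1, peer_cs, peer_ce)
    return cs1, ce1, confirm(k, 1, cs1, ce1, peer_cs, peer_ce)


def small_order_element():
    """Eve's CE2: an element of order exactly t (CE2^t = 1), so CE2^z takes a
    distinct value for every z in {0..t-1}."""
    for g in range(2, P):
        x = pow(g, Q, P)                          # order divides t
        if all(pow(x, T // f, P) != 1 for f in (2, 5)):   # prime factors of t = 10
            return x


def eve_recovers(dictionary, cs2, ce2, cs1, ce1, cf1):
    """Offline search: Alice's k = CE1^cs2 * N^(cs1*cs2) * CE2^z with
    z = rand1 mod t, so only the password (via N) and z are unknown."""
    for pw in dictionary:
        N = pwe(pw, "alice", "bob")
        base = pow(ce1, cs2, P) * pow(N, cs1 * cs2, P) % P   # = (N^rand1)^cs2
        for z in range(T):
            if confirm(base * pow(ce2, z, P) % P, 1, cs1, ce1, cs2, ce2) == cf1:
                return pw, z
    return None


def demo():
    words = ["letmein", "password", "SAE2010", "correct horse"]   # constructed
    cs2, ce2 = 424, small_order_element()             # Eve: cs2 < r, ce2^t = 1
    cs1, ce1, cf1 = alice_responds("SAE2010", 777, 555, cs2, ce2)
    found = eve_recovers(words, cs2, ce2, cs1, ce1, cf1)   # ("SAE2010", 777 mod 10)
    try:                                                    # same commit, with the check
        alice_responds("SAE2010", 777, 555, cs2, ce2, defensive=True)
        rejected = False
    except ValueError:
        rejected = True
    return found, rejected


if __name__ == "__main__":
    print(demo())
```

Note that the preemptive mapping is in place throughout (honest runs agree because N^q = 1), yet Eve still recovers the password: the confinement comes from her own element, which only the defensive check on the received CE can stop.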

  30. Miscellaneous
  • 8.2A.1: "Pre-shared key, passphrase, or password"
    • In the case of "passphrase" or "password", what is the encoding?
    • For example, when someone types in "SAE2010" as the password, what is the binary representation of the input "password" to the hash function in the pwd-seed computation (8.2A.3.2.2 & 8.2A.3.3.2)?
    • Suggested encoding based on the following spec: ISO/IEC 10646, Universal Multiple-Octet Coded Character Set (UCS), December 2003; Amendment 1, November 2005; Amendment 2, July 2006; Amendment 3, February 2008.
  • 8.2A.3.1: "SAE uses two arithmetic operators defined for finite fields."
    • Change "for" to "over". The operators are defined for finite groups over finite fields.
  • 8.2A.3.2.2: Add "(mod p)" to the end of the following equation: if there exists y: y^2 = x^3 + ax + b
  • 8.2A.3.3.1: "Elements in a prime modulus finite cyclic group are represented as numbers less than the prime modulus."
    • Add "positive" before "numbers". This is a multiplicative group.

  31. Miscellaneous
  • 8.2A.3.3.1: "The scalar operation of prime modulus field groups is exponentiation of one number by another modulus the prime:."
    • Change "modulus the prime" to "modulo the prime".
  • 8.2A.3.3.1: "Some prime modulus groups do not have an order as part of their definition. For these groups the order, r, shall be computed as (p-1)/2, where p is the prime modulus."
    • Which group precisely is being referenced here?
    • The multiplicative group of integers modulo a prime p always has order p-1.
    • An element of this group, such as PWE or N, has an order that is not predetermined and not necessarily equal to r = (p-1)/2.
    • This SAE protocol assumes that N^r mod p = 1, so the order of concern is that of the generator N = PWE^m mod p. Only given the construction PWE = pwd-value^{(p-1)/2} mod p, and only in that specific context, should the "order" r "be computed as (p-1)/2".

  32. DL Based SAE Protocol – Equivalent Form
  Setup: hashes of password & addresses → PWE; m → N = PWE^m mod p, with N^r mod p = 1; p = prime = order of the chosen finite field, r = order of a cyclic subgroup
  Alice:
  • Choose random (rand1, mask1) < r
  • cs1 = (rand1 + mask1) mod r
  • CE1 = N^{-mask1} mod p = N^{rand1} * N^{-cs1} mod p
  • CE1' = N^{rand1} mod p = N^{cs1} * CE1 mod p
  • Equivalent to (unconstrained) SPEKE: choose random rand1, send CE1' = N^{rand1} mod p
  Bob:
  • Choose random (rand2, mask2) < r
  • cs2 = (rand2 + mask2) mod r
  • CE2 = N^{-mask2} mod p = N^{rand2} * N^{-cs2} mod p
  • CE2' = N^{rand2} mod p = N^{cs2} * CE2 mod p
  • Equivalent to (unconstrained) SPEKE: choose random rand2, send CE2' = N^{rand2} mod p
  Alice → Bob: CE1' = N^{rand1} mod p; Bob → Alice: CE2' = N^{rand2} mod p

  33. DL Based SAE Protocol – Equivalent Form (continued)
  Alice:
  • k = (CE2')^{rand1} mod p = N^{rand2*rand1} mod p
  • cf1 = H(k||sc||cs1||CE1||cs2||CE2)
  Bob:
  • k = (CE1')^{rand2} mod p = N^{rand1*rand2} mod p
  • cf2 = H(k||sc||cs2||CE2||cs1||CE1)
  Alice → Bob: cf1 (Bob verifies cf1); Bob → Alice: cf2 (Alice verifies cf2)
  Authenticated master key = H(k||(cs1+cs2) mod r||(CE1*CE2) mod p)
  DL based SAE is essentially SPEKE, but a bit more demanding in communication and bandwidth: it requires each party to select two random numbers and to transmit two messages.

  34. Concluding Remarks
  • Crackers/hackers are choosers
    • They don't attack known strongholds
    • In the case of password authenticated public key agreement protocols, they don't blindly crack the private key and password from the received password-scrambled public key, a known mathematically intractable problem
  • They choose their battlefields to launch their attacks
    • In the case of password authenticated public key agreement protocols, they don't follow the "conventional etiquette" of selecting their private keys first and computing their public keys accordingly
    • Instead, they pick their public keys directly from small, and hence tractable, groups, thereby forcing the other (legitimate) side into a small group for the shared secret key computation and handily flexing their muscles there

  35. Acknowledgment
  Dr. Lily Chen of NIST provided valuable comments, especially on the MITM attack analysis of the DL based SAE protocol and on the prime selection for the remedial action.
