Public Key Cryptography & Password Protocols
-Rashmi Kukanur
Outline
► Study of protocols in asymmetric scenarios
► Present and analyze password protocols
► Provide authentication and security features
► Public passwords
User Authentication Methods
► Based on
    Something user knows (password)
    Something user has (smartcard)
    Something user is (fingerprint, speech recognition)
► Password
    Popular user authentication system
    Used in asymmetric scenarios
Password Authentication
► Remote user access
► Goal
    strong authentication without requiring the user to carry/remember anything except a password
[Figure: VPN traffic (authenticated using password); Firewall]
Cracking a password is easy
► Weak: "low entropy", "easily guessed", drawn from a small space
► Dictionary Attack
    Simply guess the password and verify the guessed value using publicly available info
    (example: one-way function a = h(password))
Password Mechanisms
► Password Transmission – ftp, telnet
► Vulnerable to eavesdropping
► Hashing password does not help
[Diagram: Client -> pwd -> Server]
Password Mechanisms – Contd.
► Challenge Response
► Vulnerable to dictionary attack on H(challenge, pwd)
► One Time Passwords
    User uses a different password every time
    Inconvenient to the user
    Still vulnerable to MIM, password guessing attacks
[Diagram: Server -> challenge -> Client; Client -> H(challenge, pwd) -> Server]
Additional functionalities
► Mutual Authentication
► Authenticated key-exchange
    prevents session hijacking, data forgery, data exposure
► User identity protection
    remote authentication of mobile users
Attacks on Password Based Protocols
► Eavesdropping
► Replay
► Man-in-the-middle
► Password Guessing Attacks
    Off-line Attack
    On-line Attack
► Insider-assisted attacks
► Exposure of secrets
Terminology used
► User - U, Server - S
    S <- m <- U – message m from U to S
► User secret password – spwd
► Server public key – pk
► User public password – ppwd
► MD – collision resistant hash function
► ENC_pk – Encryption function
Encrypted Password Transmission
Set-up: ppwd := MD(pk)
Server (S)                                   User (U)
            -- n, pk -->
                                             Check ppwd = MD(pk)
            <-- U, n, ENC_pk(spwd; U,S,n) --
Decrypt & Verify
Encrypted Password Transmission – Contd.
► The public password ppwd authenticates server's public key
► Does not rely on the password as a cryptographic key
► Encryption scheme is randomized
► Should be infeasible to obtain ENC_pk(n1,spwd) from ENC_pk(n,spwd) for some n1 != n without knowing spwd
► One-time pad encryption and ElGamal encryption vulnerable to attack
Generic Encrypted Challenge Response Protocol
Set-up: ppwd := MD(pk)
Server (S)                                   User (U)
            -- n, pk -->
                                             Check ppwd = MD(pk)
            <-- U, n, ENC_pk(f(spwd; U,S,n)) --
Decrypt & Verify
Contd.
► With the use of weak human passwords as keys to cryptographic functions the security is questionable
    Solution - Use passwords under functions
► These functions are required to be one-to-one
Resistance to server compromise
► The encrypted password transmission protocol is totally insecure if the server's private key is compromised
► Common heuristics for the f definition to protect against this
    p1 = H1(spwd,U,S)
    p2 = H2(spwd,U,S)
    p3 = H3(p2,salt)
    f(spwd;n,U,S) = <MAC_p1(n,U,S), p2, n>
► Defends against compromise of either password file or server's private key
► Attacker cannot break the MAC function since it is keyed over a much larger space
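The heuristic above as an added sketch, not code from the slides. It assumes H1/H2/H3 are domain-separated SHA-256, MAC is HMAC-SHA256, and that the password file holds p1, salt and p3 (the slide does not say what is stored); the ENC_pk layer is left out, so the values are what the server sees after decryption.

```python
import hashlib, hmac, secrets

def H(tag: bytes, *parts: bytes) -> bytes:
    """Stand-in for H1/H2/H3: SHA-256 with a domain tag and length-prefixed parts."""
    h = hashlib.sha256(tag)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def mac(p1: bytes, n: bytes, U: bytes, S: bytes) -> bytes:
    """MAC_p1(n, U, S), instantiated with HMAC-SHA256 (assumption)."""
    return hmac.new(p1, H(b"msg", n, U, S), hashlib.sha256).digest()

def enroll(spwd: bytes, U: bytes, S: bytes) -> dict:
    """Password-file record. Assumption: the server keeps p1, salt and p3, never p2."""
    salt = secrets.token_bytes(16)
    p2 = H(b"H2", spwd, U, S)
    return {"p1": H(b"H1", spwd, U, S), "salt": salt, "p3": H(b"H3", p2, salt)}

def f(spwd: bytes, n: bytes, U: bytes, S: bytes) -> tuple:
    """User side: f(spwd; n, U, S) = <MAC_p1(n, U, S), p2, n>."""
    p1, p2 = H(b"H1", spwd, U, S), H(b"H2", spwd, U, S)
    return mac(p1, n, U, S), p2, n

def verify(rec: dict, n_sent: bytes, U: bytes, S: bytes, resp: tuple) -> bool:
    """Server side, after decryption: fresh nonce, MAC under p1, H3(p2, salt) = p3."""
    tag, p2, n = resp
    return (hmac.compare_digest(n, n_sent)
            and hmac.compare_digest(tag, mac(rec["p1"], n_sent, U, S))
            and hmac.compare_digest(H(b"H3", p2, rec["salt"]), rec["p3"]))

def demo() -> tuple:
    U, S, spwd = b"alice", b"server.example", b"correct horse"  # constructed values
    rec = enroll(spwd, U, S)
    n_old, n_new = secrets.token_bytes(16), secrets.token_bytes(16)
    honest = f(spwd, n_old, U, S)
    # Password file leaked: p1 yields a valid MAC for n_new, but p2 is not in the file.
    from_file = (mac(rec["p1"], n_new, U, S), rec["p3"], n_new)
    # Private key leaked: an old response decrypts, but its MAC only covers n_old.
    from_key = (honest[0], honest[1], n_new)
    return (verify(rec, n_old, U, S, honest),
            verify(rec, n_new, U, S, from_file),
            verify(rec, n_new, U, S, from_key))
```

Under these assumptions a single leaked value cannot be used directly to log in, but p1 and p2 are deterministic hashes of spwd, so either one still lets its holder test password guesses offline.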
Mutual Authentication and key exchange
Set-up: ppwd := MD(pk)
Server (S)                                   User (U)
            -- n, pk -->
                                             Check ppwd = MD(pk)
                                             Pick random key k
            <-- U, n, ENC_pk(k, f(spwd; k,U,S,n)) --
Decrypt & Verify
y = PRF_k(n,S,U)
            -- y -->
                                             Check y = PRF_k(n,S,U)
Set k1 = PRF_k(y)                            Set k1 = PRF_k(y)
Contd.
► Mutual Authentication achieved
► Does not achieve perfect forward secrecy
    k1 revealed when server's private key exposed
► Perfect forward secrecy achieved through Diffie-Hellman
Mutual Authentication & Diffie Hellman exchange
Set-up: ppwd := MD(pk)
Server (S)                                   User (U)
            -- n, g^x, pk -->
                                             Check ppwd = MD(pk)
                                             Pick k, g^y
                                             c = ENC_pk(k, f(spwd; k,U,S,n,g^x,g^y))
            <-- U, n, g^y, c --
Decrypt & Verify
z = PRF_k(c)
            -- z -->
                                             Check z = PRF_k(c)
Set k1 = PRF_k(g^xy)                         Set k1 = PRF_k(g^xy)
Contd.
► To compute k1 an attacker needs to be able to compute g^xy
► The second argument of f is hashed under a collision resistant function
► Protocol provides user anonymity by including user-identity under public key encryption
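The forward-secrecy difference between the two key-exchange protocols, as an added example that is not from the slides. PRF is instantiated with HMAC-SHA256 and the Diffie-Hellman group is a toy one (both assumptions); k stands for the key a recorder would obtain by decrypting the captured ENC_pk message once the server's private key is exposed.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group for illustration only (assumption, not from the slides).
P, G = 2**521 - 1, 3

def prf(k: bytes, *parts: bytes) -> bytes:
    """PRF_k(...), instantiated here with HMAC-SHA256 over length-prefixed parts."""
    data = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(k, data, hashlib.sha256).digest()

def to_bytes(v: int) -> bytes:
    return v.to_bytes(66, "big")            # 521-bit group elements fit in 66 bytes

def basic_run(k: bytes, n: bytes, S: bytes, U: bytes):
    """First protocol: y = PRF_k(n, S, U) confirms the server, then k1 = PRF_k(y)."""
    y = prf(k, n, S, U)                     # sent by the server in the clear
    wire = {"n": n, "S": S, "U": U, "y": y}
    return wire, prf(k, y)

def dh_run(k: bytes, c: bytes):
    """DH variant: z = PRF_k(c) confirms the server, then k1 = PRF_k(g^xy)."""
    x = secrets.randbelow(P - 3) + 2        # server's exponent, erased after the run
    y = secrets.randbelow(P - 3) + 2        # user's exponent, erased after the run
    gx, gy = pow(G, x, P), pow(G, y, P)     # both travel in the clear
    k1_server = prf(k, to_bytes(pow(gy, x, P)))
    k1_user = prf(k, to_bytes(pow(gx, y, P)))
    wire = {"gx": to_bytes(gx), "gy": to_bytes(gy), "c": c, "z": prf(k, c)}
    return wire, k1_server, k1_user

def derivable_from_wire(wire: dict, k: bytes, k1: bytes) -> bool:
    """True if k plus the recorded wire values suffice to rebuild the session key."""
    return any(hmac.compare_digest(prf(k, v), k1) for v in wire.values())
```

For a recorded run of the first protocol `derivable_from_wire` returns True (k1 = PRF_k(y) and y was sent in the clear); for the Diffie-Hellman variant it returns False, because g^xy never appears on the wire.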
Public Passwords
► Used when client machine cannot verify the authenticity of the server's public key
► User verifies hashed version of the public key
► It requires no secrecy protection but integrity
► It does not need to be memorized
► It enables the user to participate in protocols (impossible to carry out without a memory device)
► Public password serves as a hand-held certificate for a public key (e.g. credit-card applications)
Representation and identification of public passwords
► No need for the user to type in the password
► Not necessary to know all 1024 bits to verify the key
► More user readable and user friendly format
► Mapping arbitrary binary strings into easy-to-read words
► A dictionary of 2048 words and mapping of 11-bit string to different word in the dictionary (e.g. 66-bit string represented by 6 words)
► Using alphanumerics requires 12 characters to represent 60-bit strings
► Authentication through image
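An added example, not from the slides: it derives a six-word public password from MD(pk) and performs the user's "Check ppwd = MD(pk)" step from the protocol set-up. SHA-256 as MD and the syllable-built 2048-word list are assumptions standing in for a real hash choice and word list.

```python
import hashlib

# Constructed 2048-word list (assumption): 64 first syllables x 32 second syllables,
# so every 11-bit value maps to exactly one pronounceable four-letter word.
CONS = "bdfghjklmnprstvz"                        # 16 consonants
FIRST = [c + v for c in CONS for v in "aeio"]    # 64 syllables
SECOND = [c + v for c in CONS for v in "au"]     # 32 syllables
WORDS = [a + b for a in FIRST for b in SECOND]   # 2048 distinct words
INDEX = {w: i for i, w in enumerate(WORDS)}

def public_password(pk: bytes, n_words: int = 6) -> list:
    """ppwd := MD(pk), truncated to 11 * n_words bits and written as words."""
    bits = 11 * n_words
    top = int.from_bytes(hashlib.sha256(pk).digest(), "big") >> (256 - bits)
    return [WORDS[(top >> (bits - 11 * (i + 1))) & 0x7FF] for i in range(n_words)]

def words_to_int(words: list) -> int:
    """Inverse mapping: concatenate the 11-bit indices of the words."""
    value = 0
    for w in words:
        value = (value << 11) | INDEX[w.lower()]  # KeyError if not a dictionary word
    return value

def check_public_key(pk_received: bytes, ppwd_words: list, n_words: int = 6) -> bool:
    """User-side check: accept the received pk only if MD(pk) matches the ppwd."""
    if len(ppwd_words) != n_words:
        return False                              # reject short or padded passwords
    try:
        expected = words_to_int(ppwd_words)
    except KeyError:
        return False                              # misread or mistyped word
    return words_to_int(public_password(pk_received, n_words)) == expected
```

Truncating MD(pk) to 66 bits bounds the work to find a different key with the same public password at about 2^66 hash evaluations, so the number of words is a security parameter as well as a usability one.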
Need of public-key tools
► Proved that a secure password protocol can be used to implement key-exchange protocol
► Constructing secure password protocols using block ciphers and hash functions is unlikely