A New Two-Server Approach for Authentication with Short Secrets John Brainard, Ari Juels,Burt...
-
date post
21-Dec-2015 -
Category
Documents
-
view
220 -
download
3
Transcript of A New Two-Server Approach for Authentication with Short Secrets John Brainard, Ari Juels,Burt...
A New Two-Server Approach A New Two-Server Approach for Authentication with Short for Authentication with Short
SecretsSecrets
John Brainard, Ari Juels,Burt KalJohn Brainard, Ari Juels,Burt Kaliski and Michael Szydlo RSA Labiski and Michael Szydlo RSA Lab
oratoriesoratories
To appear in USENIX Security 2003/4/9
Passwords and PINsPasswords and PINs
Short secrets are convenience .Short secrets are convenience . The secrets stored in a central The secrets stored in a central
database.database.
ProblemProblem
How is it possible to provide secure How is it possible to provide secure services to users who can services to users who can authenticate using only short secrets authenticate using only short secrets or weak password?or weak password?
Smartcards , similar key-storageSmartcards , similar key-storage
Memorable PW – guessing attackMemorable PW – guessing attack
SPAKA protocolsSPAKA protocols
(Secure password authenticated key a(Secure password authenticated key agreement)greement)
EKE:Share a password, mutual ensure EKE:Share a password, mutual ensure to established a session key.to established a session key.
Attack to SPAKAAttack to SPAKA
Client SERVER
password
celartext
steal
Off-line dictionary attacks
Cleartext
LOOKALL ?
Previous workPrevious work
A mechanism called A mechanism called password hardeningpassword hardening , by F , by Ford and Kaliski.ord and Kaliski.
Client
password
i i i…
Server secret
Now new workNow new work
Two-server solution .Two-server solution .
Server Red
SSL SSL
Server Blue
p
P’
P = P’ ??
Client
SSL
OutlineOutline
IntroductionIntroduction Previous WorkPrevious Work New WorkNew Work Equality-Testing ProtocolEquality-Testing Protocol
Equality-Testing ProtocolEquality-Testing Protocol
H is a large group(160-bit)H is a large group(160-bit)
and + be the group operatorand + be the group operator f is collision-free hash functionf is collision-free hash function *:{0,1}f H
Equality-Testing ProtocolEquality-Testing Protocol
Registration:Registration:
blue
red
P f P R
P R
UR H
Equality-Testing ProtocolEquality-Testing Protocol
Authentication:Authentication:
If P = P’
0
blue redQ Q
'
' '
'
'
( ( ) ( )) ( )
blue blue blue
red red red
Q P P
f P f P R R
Q P P
R R
G is large group (hard to discrete log)G is large group (hard to discrete log) g : generatorg : generator q : order in Zp (p=2q+1)q : order in Zp (p=2q+1) p (1024 bits)p (1024 bits) w: H -> Gw: H -> G
0 ,Y U
1, redY H
1
1
'1
{2,4,..., 1}R
e
e q
Y g
1
,
'1 1
0
?
0 1
( )
( / )
{2,..., 2}
( || || || )
red U
ered
red
red red
B w Q
Y BY
Z Y B
Z p
H h Z Y Y U
0
1
?
( / )
{2,..., 2}
( || )
eblue
blue
blue blue red
Z Y A
Z p
H h Z H
0
0
,
0
{2,4,..., 1}
( )R
blue U
e
e q
A w Q
Y Ag
1, redY H
?0 1( || || || )red blueH h Z Y Y U ? ( || )blue red redH h Z H
blueH
1
,
'1 1
0
?
0 1
( )
( / )
{2,..., 2}
( || || || )
red U
ered
red
red red
B w Q
Y BY
Z Y B
Z p
H h Z Y Y U
0
1
?
( / )
{2,..., 2}
( || )
eblue
blue
blue blue red
Z Y A
Z p
H h Z H
Compare with SPAKACompare with SPAKA
Mutually authenticated channel Mutually authenticated channel betweenbetween
two servers.two servers. not derive a shared key.not derive a shared key. Client need perform no cryptographic Client need perform no cryptographic
computation, and operation in H. computation, and operation in H.
OutlineOutline
IntroductionIntroduction Previous WorkPrevious Work New WorkNew Work Equality-Testing ProtocolEquality-Testing Protocol Architectural MotivationArchitectural Motivation
Architectural MotivationArchitectural Motivation
Security in two servers.Security in two servers. * different OSs* different OSs * different organizations* different organizations (privacy outsourcing): (privacy outsourcing): service providerservice provider privacy providerprivacy provider
Architectural MotivationArchitectural Motivation
UniversalityUniversality Pseudonymity Pseudonymity Engineering simplicityEngineering simplicity System isolation System isolation Mitigation of denial-of-service attacksMitigation of denial-of-service attacks
OutlineOutline
IntroductionIntroduction Previous WorkPrevious Work New WorkNew Work Equality-Testing ProtocolEquality-Testing Protocol Architectural MotivationArchitectural Motivation Avoiding ProblemsAvoiding Problems