Public Key Cryptography & Password Protocols

Public Key Cryptography & Password Protocols - Rashmi Kukanur


Transcript of Public Key Cryptography & Password Protocols

Page 1: Public Key Cryptography & Password Protocols

Public Key Cryptography & Password Protocols

- Rashmi Kukanur

Page 2: Public Key Cryptography & Password Protocols

Outline

► Study of protocols in asymmetric scenarios
► Present and analyze password protocols
► Provide authentication and security features
► Public passwords

Page 3: Public Key Cryptography & Password Protocols

User Authentication Methods

► Based on
    Something user knows (password)
    Something user has (smartcard)
    Something user is (fingerprint, speech recognition)
► Password
    Popular user authentication system
    Used in asymmetric scenarios

Page 4: Public Key Cryptography & Password Protocols

Password Authentication

► Remote user access
► Goal
    Strong authentication without requiring the user to carry or remember anything except a password

[Figure labels: VPN traffic (authenticated using password); Firewall]

Page 5: Public Key Cryptography & Password Protocols

Cracking a password is easy

► Weak: “low entropy”, “easily guessed”, drawn from a small space
► Dictionary Attack
    Simply guess the password and verify the guessed value using publicly available info
    (example: one-way function a = h(password))

Page 6: Public Key Cryptography & Password Protocols

Password Mechanisms

► Password Transmission – ftp, telnet
► Vulnerable to eavesdropping
► Hashing password does not help

[Figure: Client sends pwd to Server]

Page 7: Public Key Cryptography & Password Protocols

Password Mechanisms – Contd.

► Challenge Response
► Vulnerable to dictionary attack on H(challenge, pwd)
► One Time Passwords
    User uses a different password every time
    Inconvenient to the user
    Still vulnerable to MIM, password guessing attacks

[Figure: Server sends challenge to Client; Client returns H(challenge, pwd)]

Page 8: Public Key Cryptography & Password Protocols

Additional functionalities

► Mutual Authentication
► Authenticated key-exchange
    prevents session hijacking, data forgery, data exposure
► User identity protection
    remote authentication of mobile users

Page 9: Public Key Cryptography & Password Protocols

Attacks on Password Based Protocols

► Eavesdropping
► Replay
► Man-in-the-middle
► Password Guessing Attacks
    Off-line Attack
    On-line Attack
► Insider-assisted attacks
► Exposure of secrets

Page 10: Public Key Cryptography & Password Protocols

Terminology used

► User - U, Server - S
    S <- m <- U – message m from U to S
► User secret password – spwd
► Server public key – pk
► User public password – ppwd
► MD – collision resistant hash function
► ENC_pk – Encryption function

Page 11: Public Key Cryptography & Password Protocols

Encrypted Password Transmission

Set-up: ppwd := MD(pk)

    S -> U : n, pk
    U      : check ppwd = MD(pk)
    U -> S : U, n, ENC_pk(spwd; U, S, n)
    S      : decrypt & verify

Page 12: Public Key Cryptography & Password Protocols

Encrypted Password Transmission Contd.

► The public password ppwd authenticates server’s public key
► Does not rely on the password as a cryptographic key
► Encryption scheme is randomized
► Should be infeasible to obtain ENC_pk(n1, spwd) from ENC_pk(n, spwd) for some n1 != n without knowing spwd
► One-time pad encryption and ElGamal encryption vulnerable to attack

Page 13: Public Key Cryptography & Password Protocols

Generic Encrypted Challenge Response Protocol

Set-up: ppwd := MD(pk)

    S -> U : n, pk
    U      : check ppwd = MD(pk)
    U -> S : U, n, ENC_pk(f(spwd; U, S, n))
    S      : decrypt & verify

Page 14: Public Key Cryptography & Password Protocols

Contd.

► With the use of weak human passwords as keys to cryptographic functions the security is questionable
    Solution - Use passwords under functions
► These functions are required to be one-to-one

Page 15: Public Key Cryptography & Password Protocols

Resistance to server compromise

► The Encrypted password transmission protocol
    totally insecure if the server’s private key is compromised
► Common heuristics for the f definition to protect against this
    p1 = H1(spwd, U, S)
    p2 = H2(spwd, U, S)
    p3 = H3(p2, salt)
    f(spwd; n, U, S) = <MAC_p1(n, U, S), p2, n>
► Defends against compromise of either password file or server’s private key
► Attacker cannot break the MAC function since they are keyed over a much larger space
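
One way to compute f and the server-side check from this slide, as an added example that is not from the original presentation. SHA-256 with labels stands in for H1, H2, H3 and HMAC-SHA256 for MAC; the password-file layout (server keeps p1, salt and p3, never p2) is an assumption the slide does not state, and the ENC_pk layer is left out, so verify() takes what the server would hold after decryption.

```python
import hashlib
import hmac
import os

def H(label: bytes, *parts: bytes) -> bytes:
    """Labelled hash standing in for H1/H2/H3; inputs are length-prefixed
    so that (U, S) = ("ab", "c") and ("a", "bc") never collide."""
    h = hashlib.sha256(label)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def enroll(spwd: bytes, U: bytes, S: bytes) -> dict:
    """Assumed password-file record: p1, salt, p3 = H3(p2, salt). p2 is not stored."""
    salt = os.urandom(16)
    p1 = H(b"H1", spwd, U, S)
    p2 = H(b"H2", spwd, U, S)
    return {"p1": p1, "salt": salt, "p3": H(b"H3", p2, salt)}

def f(spwd: bytes, n: bytes, U: bytes, S: bytes) -> tuple:
    """User side: f(spwd; n, U, S) = <MAC_p1(n, U, S), p2, n>."""
    p1 = H(b"H1", spwd, U, S)
    p2 = H(b"H2", spwd, U, S)
    tag = hmac.new(p1, H(b"msg", n, U, S), hashlib.sha256).digest()
    return tag, p2, n

def verify(record: dict, fresh_n: bytes, U: bytes, S: bytes, value: tuple) -> bool:
    """Server side: nonce must be the one just issued, the MAC must verify
    under the stored p1, and the received p2 must hash to the stored p3."""
    tag, p2, n = value
    want = hmac.new(record["p1"], H(b"msg", fresh_n, U, S), hashlib.sha256).digest()
    return (hmac.compare_digest(n, fresh_n)
            and hmac.compare_digest(tag, want)
            and hmac.compare_digest(H(b"H3", p2, record["salt"]), record["p3"]))
```

A stolen record yields p1 and p3 but not p2, so a response built from the file alone fails the H3 check; a holder of only the private key sees p2 in past sessions but cannot produce the MAC for a fresh n without p1.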

Page 16: Public Key Cryptography & Password Protocols

Mutual Authentication and key exchange

Set-up: ppwd := MD(pk)

    S -> U : n, pk
    U      : check ppwd = MD(pk); pick random key k
    U -> S : U, n, ENC_pk(k, f(spwd; k, U, S, n))
    S      : decrypt & verify; y = PRF_k(n, S, U)
    S -> U : y
    U      : check y = PRF_k(n, S, U)
    S, U   : set k1 = PRF_k(y)

Page 17: Public Key Cryptography & Password Protocols

Contd.

► Mutual Authentication achieved
► Does not achieve perfect forward secrecy
    k1 revealed when server’s private key exposed
► Perfect forward secrecy achieved through Diffie-Hellman

Page 18: Public Key Cryptography & Password Protocols

Mutual Authentication & Diffie Hellman exchange

Set-up: ppwd := MD(pk)

    S -> U : n, g^x, pk
    U      : check ppwd = MD(pk); pick k, g^y
             c = ENC_pk(k, f(spwd; k, U, S, n, g^x, g^y))
    U -> S : U, n, g^y, c
    S      : decrypt & verify; z = PRF_k(c)
    S -> U : z
    U      : check z = PRF_k(c)
    S, U   : set k1 = PRF_k(g^xy)

Page 19: Public Key Cryptography & Password Protocols

Contd.

► To compute k1 an attacker needs to be able to compute g^xy
► The second argument of f hashed under a collision resistant function
► Protocol provides user anonymity by including user-identity under public key encryption

Page 20: Public Key Cryptography & Password Protocols

Public Passwords

► Used when client machine cannot verify the authenticity of the server’s public key
► User verifies hashed version of the public key
► It requires no secrecy protection but integrity
► It does not need to be memorized
► It enables the user to participate in protocols (impossible to carry out without a memory device)
► Public password serves as a hand-held certificate for a public key (e.g. credit-card applications)

Page 21: Public Key Cryptography & Password Protocols

Representation and identification of public passwords

► No need for the user to type in the password
► Not necessary to know all 1024 bits to verify the key
► More user readable and user friendly format
► Mapping arbitrary binary strings into easy-to-read words
► A dictionary of 2048 words and mapping of 11-bit string to different word in the dictionary (e.g. 66-bit string represented by 6 words)
► Using alphanumerics requires 12 characters to represent 60-bit strings
► Authentication through image
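
The word mapping described on this slide, as an added example that is not from the original presentation: ppwd = MD(pk) is truncated to 66 bits and shown as 6 words, and the user-side check compares those words against the key the server sent. SHA-256 stands in for MD, and the 2048-word dictionary is constructed here from syllables purely for illustration.

```python
import hashlib

# Constructed dictionary (not from the slides): each word is
# consonant + vowel + consonant + vowel, i.e. 4 + 2 + 4 + 1 = 11 bits.
CONS = "bdfghjklmnprstvz"   # 16 choices -> 4 bits
V4 = "aeio"                 # 4 choices  -> 2 bits
V2 = "au"                   # 2 choices  -> 1 bit
WORDS = [c1 + v1 + c2 + v2
         for c1 in CONS for v1 in V4 for c2 in CONS for v2 in V2]
INDEX = {w: i for i, w in enumerate(WORDS)}   # 2048 distinct words

def public_password(pk: bytes, n_words: int = 6) -> str:
    """ppwd := MD(pk), cut to the top 11*n_words bits, written as words."""
    bits = 11 * n_words
    digest = hashlib.sha256(pk).digest()       # SHA-256 stands in for MD
    value = int.from_bytes(digest, "big") >> (256 - bits)
    # Most significant 11-bit group first, one dictionary word per group.
    groups = [(value >> (11 * i)) & 0x7FF for i in reversed(range(n_words))]
    return " ".join(WORDS[g] for g in groups)

def check_public_password(pk: bytes, ppwd: str, n_words: int = 6) -> bool:
    """User-side 'check ppwd = MD(pk)' on a key received over the network.
    ppwd is the user's own trusted copy; pk is the untrusted input."""
    words = ppwd.lower().split()
    if len(words) != n_words or any(w not in INDEX for w in words):
        return False        # wrong length or a word outside the dictionary
    return words == public_password(pk, n_words).split()
```

The comparison needs no secrecy, only an intact copy of the words, which matches the slide's point that a public password requires integrity but not confidentiality.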

Page 22: Public Key Cryptography & Password Protocols

Need of public-key tools

► Proved that a secure password protocol can be used to implement key-exchange protocol
► Constructing secure password protocols using block ciphers and hash functions is unlikely