Password-based authenticated key exchange Ravi Sandhu

Variations Public-key cryptography must be used Two variations “Public-key cryptography and password protocols”, Shai Halevi and Hugo Krawczyk, ACM Transactions on Information and System Security (TISSEC), Volume 2 , Issue 3 (August 1999), Pages: 230 - 268 Two variations No public-key certificates (no PKI) Use public-key certificates (requires PKI)

References http://www.integritysciences.com/links.html Comprehensive and long list of references Principal reference for this lecture. S. M. Bellovin and M. Merritt, “Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks,” Proceedings of the I.E.E.E. Symposium on Research in Security and Privacy, Oakland, May 1992. “This is not your grandmother’s network login” Jab96

Broken approaches: use password directly (authentication only) Original Telnet - vulnerable to eavesdropping pwd Client Server Challenge-Response challenge Client Server h(challenge,pwd)

Broken approaches: use hashed password (authentication only) Challenge-Response challenge Client Server h(challenge,f(pwd)) Don’t need to store cleartext password on the server Dictionary attack on f(pwd) stored at server remains a vulnerability

Kerberos is vulnerable Request TC,TGS Authentication Server TC,TGS, ENCkC(TGS, kC,TGS, …) kTGS TC,TGS, ENCkC,TGS(authenticator) Ticket Granting Server (kTGS) Client ENCkC,TGS(kC,S, …) kS Communication under kC,S Server (kS) The trouble: kC is defined to be some one-way function of password!

Patel’s classification (Pat97) Querying attacker Can initiate sessions with the server while pretending to be a legitimate client Eavesdropping attacker Can eavesdrop on legitimate runs of the protocol Active attacker Can intercept, drop, insert packets

SSL (and SSH) solution (need PKI) Server-side SSL Client Server pwd Client Server Needs PKI Has its pitfalls

Pre-EKE: use password directly (authentication and key exchange) User (pwd) Server (pwd) U ENCpwd(random) ENCrandom(challengeU) ENCrandom(challengeU, challengeS) ENCrandom(challengeS)

EKE: DH version [BM92] User (pwd) Server (pwd) U, ENCpwd(gx) K = f(gxy) ENCpwd(gy), ENCk(challengeS) K = f(gxy) ENCk(challengeU, challengeS) ENCk(challengeU)

EKE: DH version [BM92] Potential problems [Patel, S&P97]: If an active attacker, instead of sending g and p in clear, chooses to send gd and p such that d is a small prime and d|(p-1). Then, (gdy)(p-1)/d = 1 mod p. When the attacker receives the password encrypted ENCpwd(gy), he tries to decrypt it with different candidate passwords and raises the decrypted number to (p-1)/d. If the result is not 1 then that password is rejected. Since (p-1)/d number out of p-1 number will be dth power residue, hence 1/d numbers on average will be congruent to 1 when raised to (p-1)/d. At each session the possible space of password is reduced to 1/d and the space of valid passwords will be narrowed to 1 at a logarithm rate (typically, logp). Avoidance: The success of the attack is due to the fact that gd is not a generator. To find a generator g it is necessary and sufficient to check that g(p-1)/m  1 mod p for all factors m of p-1.

[BPR Eurocrypt2000] User (pwd) Server (pwd) U, ENCpwd(gx) k’ = f(u,s, gx,gy,gxy) ENCpwd(gy), H(k’, 1) k’ = f(u,s, gx,gy,gxy) H(k’,2) k = H(k’,0) sid = A, ENCpwd(gx), B, ENCpwd(gy) pid = B k = H(k’,0) sid = A, ENCpwd(gx), B, ENCpwd(gy) pid = A

[BPR Eurocrypt2000] [BM92] proved secure (in ROM and ICM) Theorem. Let qse, qre, qco, qex, qor be integers and let q = qse + qre + qco + qex + qor. Let Password be a finite set of size N and assume (|Ģ|)1/2/q  N  1. Let PW be the associated LL-key generator as discussed above, SK be the associated session key space. Assume the weak corruption model. The AdvfsP,PW,SK(t,qse,qre,qco,qex,qor) <= qse/N + qse · qor AdvdhĢ,g(t’,qor) + O(q2)/|Ģ| + O(1)/(|Ģ|)1/2 Where t’ = t + O(qse+qor).

SPEKE: [Jablon, CCR96] User (pwd) Server (pwd) U, f(pwd)x k = h(f(pwd)xy)) f(pwd)y k = h(f(pwd)xy)) ENCk(challengeU) ENCk(challengeU, challengeS) ENCk(challengeS)

[MacK01b] In this paper we prove (in the random oracle model) that a certain instantiation of the SPEKE protocol that uses hashed passwords instead of non-hashed passwords is a secure password-authenticated key exchange protocol (using our relaxed definition) based on a new assumption, the Decision Inverted-Additive Diffie-Hellman assumption. Since this is a new security assumption, we investigate its security and relation to other assumptions; specifically we prove a lower bound for breaking this new assumption in the generic model, and we show that the computational version of this new assumption is equivalent to the Computational Diffie-Hellman assumption.