Password-based Credentials Download Protocols
Radia Perlman
Goal
To download the private key, encrypted with the user's password.
The user's "credential" WS has some minimal amount of (trusted) software installed, but no user-specific info
User Alice's private key and other info stored in a central place, "Bob" (e.g., the directory)
"Log into the network" means get Alice's private key and everything else needed
Getting private key
It would be nice if we all carried smart cards
But do we need a backup if the user loses it, or forgets it, or it is broken?
But also, we don't seem to have smart cards
Download protocol
So, it might be nice to only need a password, and have a protocol that downloads the private key
Immune to dictionary attacks
–By eavesdropper (passive attacker)
–By Alice-impersonator
–By Bob-impersonator
Building Blocks
Diffie-Hellman
EKE (Bellovin-Merritt)
–Encrypt the Diffie-Hellman exchange with W (W = password, the weak secret)
SPEKE (Jablon)
–Replace the base in Diffie-Hellman with W
PDM (Kaufman-Perlman)
–Replace the modulus in Diffie-Hellman with f(W)
EKE (designed for mutual authentication)
Alice and Bob share W = h(pwd), g, p
Alice: pick A
Alice → Bob: "Alice", {g^A mod p}W
Bob: pick B; decrypt {g^A mod p}W; calculate K = g^AB mod p; choose challenge C1
Bob → Alice: {g^B mod p}W, {C1}K
Alice: decrypt {g^B mod p}W; calculate K = g^AB mod p; choose challenge C2
Alice → Bob: {C1, C2}K
Bob → Alice: {C2}K
SPEKE
Alice and Bob share W, p
Alice: pick A
Alice → Bob: "Alice", W^A mod p
Bob: pick B; calculate K = W^AB mod p; choose challenge C1
Bob → Alice: W^B mod p, {C1}K
Alice: calculate K = W^AB mod p; choose challenge C2
Alice → Bob: {C1, C2}K
Bob → Alice: {C2}K
PDM (Password Derived Moduli)
Alice and Bob share p (the password-derived modulus)
Alice: pick A
Alice → Bob: "Alice", 2^A mod p
Bob: pick B; calculate K = 2^AB mod p; choose challenge C1
Bob → Alice: 2^B mod p, {C1}K
Alice: calculate K = 2^AB mod p; choose challenge C2
Alice → Bob: {C1, C2}K
Bob → Alice: {C2}K
But we don't need mutual authentication, just credentials download
Which we can do in two messages
2-msg EKE-based
Alice and Bob share g, p, W
Alice: pick A
Alice → Bob: "Alice", {g^A mod p}W
Bob: pick B; calculate K = g^AB mod p
Bob → Alice: g^B mod p, {Y}K
2-msg SPEKE-based
Alice and Bob share W, p
Alice: pick A
Alice → Bob: "Alice", W^A mod p
Bob: pick B; calculate K = W^AB mod p
Bob → Alice: W^B mod p, {Y}K
2-msg PDM-based
Alice and Bob share p
Alice: pick A
Alice → Bob: "Alice", 2^A mod p
Bob: pick B; calculate K = 2^AB mod p
Bob → Alice: 2^B mod p, {Y}K
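As an added example (my code, not from Perlman's slides), here is the 2-message SPEKE-based download written out with both sides' messages: Alice sends "Alice", W^A mod p; Bob answers with W^B mod p and {Y}K, where Y is the stored credential and K = W^AB mod p. Assumptions of mine: a toy safe prime p = 2039 so it runs instantly, W = h(pwd)^2 mod p to land in the prime-order subgroup, a hash-counter stream plus HMAC standing in for {Y}K, and the function names used below.

```python
import hashlib, hmac, secrets

# TOY parameters: safe prime p = 2q + 1 with q = 1019, so the demo runs instantly.
# A real deployment needs a 2048-bit or larger safe prime shared by both parties.
P = 2039
Q = (P - 1) // 2

def password_base(pwd: bytes) -> int:
    """SPEKE base W = h(pwd)^2 mod p; squaring puts W in the order-q subgroup."""
    for ctr in range(256):  # rehash on the (rare) degenerate values 0 and 1
        w = pow(int.from_bytes(hashlib.sha256(pwd + bytes([ctr])).digest(), "big"), 2, P)
        if w > 1:
            return w

def group_element(x: int) -> int:  # reject 0, 1, p-1 and small-subgroup values
    if not (1 < x < P - 1 and pow(x, Q, P) == 1):
        raise ValueError("bad group element")
    return x

def _keys(k: int):  # encryption key and MAC key for {Y}K, derived from K
    km = hashlib.sha256(b"speke-download|" + k.to_bytes((P.bit_length() + 7) // 8, "big")).digest()
    return km[:16], km[16:]

def _stream(key: bytes, n: int) -> bytes:  # hash-counter keystream of n bytes
    blocks = [hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def wrap(k: int, y: bytes) -> bytes:  # {Y}K: XOR with keystream, then HMAC the ciphertext
    ek, mk = _keys(k)
    ct = bytes(a ^ b for a, b in zip(y, _stream(ek, len(y))))
    return ct + hmac.new(mk, ct, hashlib.sha256).digest()

def unwrap(k: int, blob: bytes) -> bytes:
    ek, mk = _keys(k)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong password or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _stream(ek, len(ct))))

def alice_msg1(pwd: bytes):  # message 1: ("Alice", W^A mod p); also returns Alice's secret A
    a = secrets.randbelow(Q - 1) + 1
    return (b"Alice", pow(password_base(pwd), a, P)), a

def bob_msg2(stored: dict, msg1):  # message 2: (W^B mod p, {Y}K) with K = (W^A)^B mod p
    w, y = stored[msg1[0]]  # Bob's table holds W and the stored credential Y per user
    b = secrets.randbelow(Q - 1) + 1
    return pow(w, b, P), wrap(pow(group_element(msg1[1]), b, P), y)

def alice_finish(a: int, msg2) -> bytes:  # K = (W^B)^A mod p, then decrypt Y
    return unwrap(pow(group_element(msg2[0]), a, P), msg2[1])
```

A wrong password gives Alice a different base, hence a different K, and the MAC check on {Y}K fails; the transcript itself contains only group elements, which is what denies an eavesdropper a dictionary attack.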
If we want to avoid strong password schemes
Just let Y be world-readable
–Anyone can request it and do a dictionary attack
–An eavesdropper can do a dictionary attack
Could do a CHAP-like thing to authenticate
–Eavesdropper could do a dictionary attack
Could enhance that with an anonymous Diffie-Hellman initial exchange
–Active attacker could be man-in-the-middle, or impersonate whichever side authenticates last, to gain a dictionary attack
To avoid strong pwd schemes
Could do TLS, then a CHAP-like thing
–Requires good trust anchors at the client, and a certificate for the server
–No dictionary attack possible for eavesdropper or Alice-impersonator
–Can't have a Bob-impersonator (since TLS would foil that)
Variants in Pre-shared Key TLS
PSK only
–Eavesdropper and server get a dictionary attack
DH-PSK
–Bob-impersonator gets a dictionary attack
RSA-PSK
–Can't impersonate Bob if Alice checks his cert