Strong Password Protocols

Slides:



Advertisements
Similar presentations
Diffie-Hellman Diffie-Hellman is a public key distribution scheme First public-key type scheme, proposed in 1976.
Advertisements

1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.
1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
COS 461 Fall 1997 Todays Lecture u intro to security in networking –confidentiality –integrity –authentication –authorization u orientation for assignment.
CSC 474 Information Systems Security
Handshake Protocols COEN 350. Simple Protocol Alice: Hi, I am Alice. My password is “fiddlesticks”. Bob: Welcome, Alice.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Password-based Credentials Download Protocols Radia Perlman
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Public Key Algorithms …….. RAIT M. Chatterjee.
Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 23 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
Chapter 9 Cryptographic Protocol Cryptography-Principles and Practice Harbin Institute of Technology School of Computer Science and Technology Zhijun Li.
Authentication System
Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.
Diffie-Hellman Key Exchange
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Lecture 6: Public Key Cryptography
Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Chapter 2. Network Security Protocols
COEN 351 E-Commerce Security Essentials of Cryptography.
Lecture 11: Strong Passwords
Chapter 3: Basic Protocols Dulal C. Kar. Key Exchange with Symmetric Cryptography Session key –A separate key for one particular communication session.
Cryptography and Network Security (CS435) Part Eight (Key Management)
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.
1 Lecture 9: Cryptographic Authentication objectives and classification one-way –secret key –public key mutual –secret key –public key establishing session.
Digital Signatures, Message Digest and Authentication Week-9.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
14.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 14 Entity Authentication.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
A A E E D D C C B B # Symmetric Keys = n*(n-1)/2 F F
Identification Authentication. 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose.
1 Chapter 10: Key Management in Public key cryptosystems Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Modified by Prof. M. Singhal,
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Authentication Protocols (I): Secure Handshake.
COEN 351 E-Commerce Security
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
King Mongkut’s University of Technology Network Security 8. Password Authentication Methods Prof. Reuven Aviv, Jan Password Authentication1.
Key Management Network Systems Security Mort Anvari.
1 (Re)Introducing Strong Password Protocols Radia Perlman
Identify Friend or Foe (IFF) Chapter 9 Simple Authentication protocols Namibia Angola 1. N 2. E(N,K) SAAF Impala Russian MIG 1 Military needs many specialized.
1 Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang 9 February 2007.
Cryptography and Network Security Chapter 10 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Diffie-Hellman Key Exchange first public-key type scheme proposed by Diffie & Hellman in 1976 along with the exposition of public key concepts – note:
1 Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang 9 February 2007.
Chapter eight: Authentication Protocols 2013 Term 2.
Handshake Protocols COEN 150.
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
Strong Password Protocols
Strong Password Protocols
Strong Password Protocols
刘振 上海交通大学 计算机科学与工程系 电信群楼3-509
AIT 682: Network and Systems Security
Presentation transcript:

Strong Password Protocols COEN 350 Strong Password Protocols

Strong Password Protocols Password authentication over a network Transmit password in the clear. Open to password sniffing. Open to impersonation of server. Do Diffie-Hellman exchange to establish a secure key and an encrypted tunnel. Establish a SSL connection. Use trust anchors for mutual authentication of machines. Security depends on the security of the trust anchors.

Strong Password Protocols Password authentication over a network Compute a hash of the password. Use the hash as a secret key in a challenge response scheme. Scheme: Alice to Bob: Login request Bob to Alice: Here is challenge R. Alice to Bob: f (hash(password),R) Open to dictionary attack by eavesdropper or someone impersonating Bob.

Strong Password Protocols Password authentication over a network Use a one-time password Lamport Hash S/Key Use a strong password protocol Secure from dictionary attacks by impersonator or eavesdropper. Secure against impersonator on either side.

Lamport Hash Bob stores Password generation: Username Alice int n hn(password), h – one way function Password generation: Alice chooses a password. Alice calculates hm(password) and sends it to Bob. Bob initializes the database entry.

Lamport Hash Protocol: Alice n hn-1(pwd) Bob Alice Bob checks: Alice’s Workstation Alice password Bob checks: Is h(Alice’s answer) = hn(password). If yes, authenticate. Then replace n with n-1 and store hn-1(password)

Lamport’s Hash with Salting To prevent password guessing, randomly generate a salt and store it at the server. Calculate hi(pwd,salt)

Lamport’s Hash Alice’s workstation needs to regenerate the scheme with a new password whenever n counts down to 1. There is no mutual authentication. Vulnerable to the “small n” attack.

Lamport’s Hash Mallory impersonates Bob. Alice tries to log on to Bob, but talks to Mallory. Mallory sends a small n = n0. Mallory calculates hn(pwd), nn0. Mallory can now login.

S/Key Deployed version of Lamport hash. RFC 1938

Encrypted key exchange Alice has a “weak” password pswd. Bob stores a hash W = h(pswd) of the password. Alice’s workstation knows how to calculate W on the fly, once Alice types in her password. Use W in a way that does not give any hints on W.

Encrypted key exchange Alice Bob Alice and Bob share a weak secret W = h(password) Alice chooses a random number a. Bob chooses a random b and a challenge C1. He sends W {gb, C1} She sends: Alice, W{ga} Bob encrypts this message and finds that Alice has solved his challenge C 1. Finally, Bob authenticates himself to Alice. He proves his knowledge of W by his knowledge of K, which he proves by being able to correctly encrypt Alice’s challenge C2. He sends K {C2 } to Alice. Both Bob and Alice use their knowledge of W to encrypt their mutual messages. They both calculate K = gab. Alice then proves her knowledge of W by her ability to calculate K. She also picks a challenge C2 and sends K { C1, C2 } to Bob.

Encrypted key exchange EKE: Diffie-Hellman exchange with encryption. W hash of password. (Bob stores it, Alice can recalculate it). p Modulus. All calculation are based on it. Alice: "Alice", EW(ga) Bob: EW(gb), Challenge CBob At this point, both Alice and Bob calculate K = gab EK(CAlice, CBob) EK(CAlice)

EKE: Encrypted Key Exchange Secure against eavesdropper because all data are undistinguishable from random numbers. Eavesdropper cannot decide whether the ga, gb are the correct decryption. Secure against impersonation: If treacherous Trudy impersonates Bob, she guesses a single value W in the first exchange. See the definition again.

Encrypted key exchange EKE: Diffie-Hellman exchange with encryption. W hash of password. (Bob stores it, Alice can recalculate it). Alice: "Alice", EW(ga) Bob: EW(gb), Challenge CBob At this point, both Alice and Bob calculate K = gab EK(CAlice, CBob) EK(CAlice)

SPEKE: Simple Password Exponential Key Exchange Use W in place of g in the Diffie Hellman exchange. Alice: "Alice", Wa Bob: Wb, Challenge CBob At this point, both Alice and Bob calculate K = Wab EK(CAlice, CBob) EK(CAlice)

PDM: Password Derived Moduli PDM uses modulus p that is a function of the password and uses 2 for g in Diffie Hellman. Alice: "Alice", EW(2a mod p) Bob: EW(2b mod p), Challenge CBob At this point, both Alice and Bob calculate K = 2ab EK(CAlice, CBob) EK(CAlice)

Strong Passwords: EKE A bad implementation of EKE allows an eavesdropper to exclude passwords. Assume that we calculate in the field of number modulo p, p a prime. Then ga and gb are both m bit numbers smaller than p. Attacker maintains a dictionary of possible passwords and observes many authentication rounds. If W is in the dictionary, he encrypts Alice’s round 1 message M. If W -1{M } > p, then attacker excludes W. Chance of excluding a false password W is 2m – p / p. If this chance is about 80%, then 50 rounds determine the password out of a normal dictionary. Nr of Exchanges Chance of false password surviving 1 80% 2 64% 5 33% 10 10% 20 1.2% 50 0.0014%

Augmented Strong Password Protocols If someone knows W in EKE, they can impersonate Alice. Augmented Protocols Trudy can steal Bob’s database Trudy can do a dictionary attack. If the dictionary attack is unsuccessful, then she cannot impersonate Alice. Knowledge of W is not enough.

Augmented EKE Bob stores “Alice, p, gW mod p” Alice: "Alice", ga mod p Bob: gb + gW mod p, u, Challenge CBob At this point, both Alice and Bob calculate K = gb(a+uW) mod p Alice: EK(CBob), CAlice Bob: EK(CAlice)

Strong Passwords Augmented PDM Server Information Creation Bob stores: Alice has password pssw Alice sends to Bob p = f (pssw) [this is a prime] W = hash (pssw) [one-way hash] Bob stores: Alice, p, W,

Strong Passwords: Augmented PDM Bob chooses a random number b. Bob calculates 2b mod p. Bob sends 2b, hash1 (2ab mod p , 2bW mod p) to Alice Alice creates random number a. She recomputes W and p from her password. Alice 2a mod p Bob Alice knows that Bob is Bob because Bob proves that he knows 2bW. Alice now sends hash2 (2ab mod p , 2bW mod p) Bob knows that Alice is Alice because she proves to him that she knows W. If Alice had just broken into the server, she would have to calculate 2bW from 2W mod p.

Augmented PDM Bob stores Alice, p, 2w mod p and picks b Alice computes p and W=hash(passwd) from the password and picks a. Alice: "Alice", (2a mod p) Bob: (2b), Hash1(2ab mod p, 2bW mod p) Alice: Hash2(2ab mod p, 2bW mod p)

Strong Passwords Secure Remote Password RFC 2945 Bob stores {Alice, gW mod p}, where W = f (passwd).

Strong Passwords SRP Alice creates random a and sends ga to Bob. Bob creates random b, challenge CBOB and 32b number u. Bob sends gb + gW mod p, u, CBOB to Alice. Both calculate K = g b(a+uW) mod p. Alice sends K {CBob}, CAlice to Bob. Bob sends K {CAlice} to Bob.