Lecture 11: Strong Passwords
- problem statement
- Lamport's hash
- encrypted key exchange (EKE)
- secure credentials download
Strong Password Protocols
- goal: obtain the benefits of cryptographic authentication while the user only has to remember a password
- in particular:
  - no security information is kept at the user's machine (the machine is trusted but not configured)
  - someone impersonating either party must not be able to obtain information for off-line password guessing (on-line password guessing is not preventable)
Lamport's Hash
- Bob stores <username, n, h^n(password)>; n is a relatively large number, like 1000
- Alice's workstation sends h^(n-1)(password); if successful, n is decremented and h^(n-1) replaces h^n in Bob's database
- exchange (Alice's terminal is trusted, the other side of the link is not):
  Alice -> Alice's terminal: "Alice", password
  Alice's terminal -> Bob: "Alice"
  Bob -> Alice's terminal: n
  Alice's terminal -> Bob: h^(n-1)(password)
- why is the sequence of hash transmissions reversed? because the hash is one-way: if Trudy sees h^(n-1)(password), she will not be able to find h^(n-2)(password)
- properties: safe against eavesdropping and against reading Bob's database; no authentication of Bob
Salting Lamport's Hash
- h^(n-1)(pwd|salt) is used for authentication
- the salt is chosen and stored at Bob's at setup time; Bob sends the salt each time along with n
- advantages:
  - Alice can use the same password with multiple servers. Why? If the servers use different salts, the hashes look different.
  - What may happen if two servers pick the same salt? Trudy can remember the hash sent to the first server and, when she predicts that the second server asks for the same n, supply that hash. To ensure that the salts differ, the server's name is also hashed in.
  - easy password reset (when n reaches 1): just change the salt
  - defense against dictionary attacks. How would Trudy mount a dictionary attack without the salt? She compiles the hashes of all the words in the dictionary, starting from n = 1000.
Lamport's Hash: Other Properties
- small n attack: when Alice tries to log in, Trudy impersonates Bob and sends n' < n together with Bob's salt; once Trudy has the reply, she can impersonate Alice after n has been decremented to n'
  - defense: Alice's workstation presents the submitted n to Alice so she can verify the "approximate" range (Alice has to remember it)
- "human and paper" environment: in case Alice's workstation is not trusted, or is too "dumb" to do hashing, Alice is given a list of all the hashes starting from 1000 and uses each hash exactly once; this automatically prevents the small n attack
- string size: 64 bits (~10 characters) is secure enough
- implemented as S/Key and standardized as a one-time password system
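The salted Lamport scheme from the three slides above as an added Python example (not code from the lecture): Bob keeps <username, n, h^n(pwd|salt)> and decrements n on each success, the salt has the server's name hashed in, and Alice's workstation refuses an n far below the one she remembers (the small-n defense). SHA-256 as h, the tolerance of 5 and the class names are my assumptions.

```python
import hashlib
import secrets

def h(x: bytes) -> bytes:
    """One-way hash; SHA-256 is assumed here, the lecture leaves h unspecified."""
    return hashlib.sha256(x).digest()

def h_n(password: str, salt: bytes, n: int) -> bytes:
    """h^n(pwd|salt): hash password||salt n times."""
    x = password.encode() + salt
    for _ in range(n):
        x = h(x)
    return x

class Server:
    """Bob: keeps <username, n, h^n(pwd|salt)> plus the per-user salt."""
    def __init__(self, name: str):
        self.name, self.db = name, {}
    def register(self, user: str, password: str, n: int = 1000) -> None:
        # the server's name is hashed in via the salt, so two servers that
        # pick the same random part still yield different hash chains
        salt = self.name.encode() + b"|" + secrets.token_bytes(8)
        self.db[user] = {"n": n, "salt": salt, "hash": h_n(password, salt, n)}
    def challenge(self, user: str):
        """Bob sends n and the salt with every login attempt."""
        return self.db[user]["n"], self.db[user]["salt"]
    def verify(self, user: str, response: bytes) -> bool:
        rec = self.db[user]
        if h(response) != rec["hash"]:   # response must be h^(n-1)(pwd|salt)
            return False
        rec["n"] -= 1                    # h^(n-1) replaces h^n in the database
        rec["hash"] = response           # an eavesdropped reply is now useless
        return True

class Client:
    """Alice's workstation: stores nothing; gets the password typed in and the
    approximate n Alice remembers (the defence against the small-n attack)."""
    def __init__(self, password: str, approx_n: int, tolerance: int = 5):
        self.password, self.low = password, approx_n - tolerance
    def respond(self, n: int, salt: bytes) -> bytes:
        if n < self.low:                 # n' far below what Alice expects
            raise ValueError(f"suspicious n={n}: possible small-n attack")
        self.low -= 1                    # n drops by one per successful login
        return h_n(self.password, salt, n - 1)

def login(server: Server, user: str, client: Client) -> bool:
    n, salt = server.challenge(user)
    return server.verify(user, client.respond(n, salt))
```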
Encryption-with-Password Protocols
- share a weak secret W = f(pwd)
- exchange:
  Alice -> Bob: "Alice"
  Bob -> Alice: challenge C
  Alice -> Bob: W{C}
- problems:
  - dictionary attack. How? from C and W{C}
  - server database disclosure
Enhanced with PKC
- share a weak secret W = f(pwd)
- EA & DA: per-session public/private key pair
- exchange:
  Alice -> Bob: "Alice", W{EA}
  Bob -> Alice: EA{C}
  Alice -> Bob: W{C}
- Why is this not possible with secret key encryption?
- What is the weakness in this protocol?
Encrypted Key Exchange (EKE)
- key establishment as well as authentication
- EA & DA: per-session public/private key pair; KAB: symmetric session key
- exchange:
  Alice -> Bob: "Alice", W{EA}
  Bob -> Alice: W{EA{KAB}}
  Alice -> Bob: KAB{CA}
  Bob -> Alice: KAB{CA, CB}
  Alice -> Bob: KAB{CB}
- one of the W{.} may possibly be removed; in that case the non-encrypting side should not issue the first challenge. Why? reflection attack
Encrypted Key Exchange (EKE)
- what is encrypted by the weak key is g^a, g^b (which look like random numbers), so a straightforward dictionary attack is impossible
- exchange:
  Alice -> Bob: "Alice", W{g^a mod p}
  Bob -> Alice: W{g^b mod p, CA}
  both can now compute KAB = g^ab mod p
  Alice -> Bob: KAB{CA, CB}
  Bob -> Alice: KAB{CA}
Augmented EKE
- EKE is vulnerable to database disclosure since Bob stores W in the clear. What is the possible attack? If Trudy steals Alice's password from Bob, Trudy can impersonate Alice.
- defense: Augmented EKE. Alice knows the password; Bob knows only a one-way hash of it
- Bob stores: g^W mod p
- exchange:
  Alice -> Bob: "Alice", g^a mod p
  Bob -> Alice: g^b mod p, H(g^ab mod p, g^bW mod p)
  Alice -> Bob: H'(g^ab mod p, g^bW mod p)
Secure Credentials Download
- credential Y: a quantity used for authorization (to prove one's identity), something like a private key
- problem: download Alice's credential to Alice's workstation when Alice only knows her password
- Bob stores: "Alice", W, Y
- exchange:
  Alice -> Bob: "Alice", W{g^a mod p}
  Bob -> Alice: g^b mod p, (g^ab mod p){Y}