Password Mistyping in Two-Factor Authenticated Key Exchange. Vladimir Kolesnikov (Bell Labs), Charles Rackoff (U. Toronto). ICALP 2008.


All Rights Reserved © Alcatel-Lucent 2007, | Mistyping in KE | July 2008

Program
- Key Exchange Intro
- Base Framework of [KR06]
- Our definitions
- “Proof” of goodness of definitions
- Protocol

Communication Setting
[Figure: Insecure network … Full Control]

Secure Communication from Shared Random Key
[Figure: Trusted Party, k ∈_R D_K]
- Simple
- Very efficient

Key Exchange (KE)
A protocol between two parties
  - Both output (the same) randomly chosen k ∈ D_K
Security
- Adv does not know anything about k even if it sees all other exchanged keys
- Adv cannot mismatch players
  - If Alice instance “thinks” she exchanged a key with Bob, then at most one instance of “Bob talking to Alice” may have the same key
  - Players must have secret credentials

Defining KE
- Large amount of prior work
- An intuitive notion, but hard to define
- We want our definition to:
  - Be intuitive and easy to use
  - Reject “bad” protocols (allow powerful adversaries)
  - Accept “good” protocols (avoid unnecessary restrictions)
- Our adversary is the protocol designer
- He creates bad protocols which pass our criteria

Related work
- UC-composable PAKE (Canetti Halevi Katz Lindell MacKenzie 05)
  - Consider pure password setting
  - Mistyping is handled by letting the environment type the password

The combined keys setting
- Asymmetric – Server (e.g. Bank) and Clients
- Large secure storage of credentials
- Key on storage card: can be lost or stolen
- Memorized password: low entropy, guessing attack possible
- Password can be mistyped

Defining KE with mistyping
- Base on our previous game-based definition [KR06]
- Consider several natural extensions (don’t work)
- Modifications that work
- “Proof of security” of the definition

KE Definition
- Plays the game: challenge a completed honest player
- Challenge: Present either a key or a random string
- Adversary guesses which
- Should not do too well
- Definition is mainly about precise description of Adv’s powers in the game (creation of players, instances, opening them, etc.)

Defining KE with mistyping
- In [KR06], define several games which model parts of the setting (e.g. card compromised or not).
- When card is not compromised, not too hard to handle mistyping. Adv can be very powerful – the protocols still withstand because of strong keys. E.g. Adv can even know pwd.
- Interesting part is when card is compromised. This is approx. the HK setting:
  - C has public key of S and a shared password.

Defining KE with mistyping
- In [KR06], definition mimics the real world.
- C and S instantiated with proper credentials
  - Adv learns of each P⊥ output by S.
  - This is essentially a password try, so Adv is charged for each P⊥.
  - Adv is allowed q P⊥’s. He cannot win more often than
- Does not handle mistyping:
  - can leak long key if P⊥ occurred. (C never mistypes. To cause P⊥, Adv needs long key, so OK to leak it)

Mimicking mistyping in the games
Idea
Ok, allow to mistype:
- Allow Adv to specify pwd inputs to the C instances in the game
- Allow Adv to specify a mistyping function

Mimicking mistyping in the games
- More interestingly: But what if “repeated password attempts” by game Adv?
- He is being stupid -- these are wasted attempts. He “gets behind in the game”.
- So protocol can “do something funny” on repeated attempts, to allow game Adv to catch up, and still be secure.
- E.g. leak if pwd =
- This protocol is clearly insecure.

Player’s knowledge of global state
- Definition simplification: Instances don’t have “side channels” among themselves. They don’t “know”, e.g. how many password failures previously occurred.
- Due to pk_S, instances of S can have private communication with each other via Adv:
  - S_1 encrypts and signs the message
  - Adv delivers the message to S_2
  - m_1 = “I’ve seen a password failure P⊥”
  - m_2 = “There have been at least 2 P⊥”
  - m_3 = “The sequence of events e_1, …, e_n has occurred”
  - Bad Π can exhibit badness only if a global sequence of events occurred.
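The channel this slide describes, as an added example that is not taken from the slides or the paper: instances of S keep no shared memory, yet learn a lower bound on earlier password failures from authenticated notes that Adv carries between them. Assumptions: HMAC under S's long-term key stands in for "encrypts and signs" (the note is authenticated but not hidden), and `ServerInstance`, `run` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import json


class ServerInstance:
    """One instance of S. It keeps no state between sessions; all
    instances hold only S's long-term key (constructed for this example)."""

    def __init__(self, long_term_key: bytes):
        self._key = long_term_key

    def _tag(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def _failures_in(self, note) -> int:
        """Failure count carried by a note; 0 if the note is absent or forged."""
        try:
            if not hmac.compare_digest(self._tag(note["body"]), note["tag"]):
                return 0
            return int(json.loads(note["body"])["failures"])
        except (KeyError, TypeError, ValueError, AttributeError):
            return 0

    def run(self, password_ok: bool, note=None):
        """Run one session; return (failures known to this instance, new note).
        The note is handed to Adv, who may deliver, drop or replay it, so the
        count is only a lower bound ("at least 2" in m_2)."""
        failures = self._failures_in(note) + (0 if password_ok else 1)
        body = json.dumps({"failures": failures})
        return failures, {"body": body, "tag": self._tag(body)}


def demo():
    key = b"constructed long-term key of S"
    s1, s2, s3, s4 = (ServerInstance(key) for _ in range(4))
    _, m1 = s1.run(password_ok=False)                 # m_1: one failure seen
    known2, m2 = s2.run(password_ok=False, note=m1)   # m_2: at least 2 failures
    known3, _ = s3.run(password_ok=True, note=m2)     # learns 2 without failing
    forged = {"body": json.dumps({"failures": 9}), "tag": "00" * 32}
    known4, _ = s4.run(password_ok=True, note=forged)  # forged note is ignored
    return known2, known3, known4
```
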

Mimicking mistyping in the games
Mimicking does not seem to work!

Do not mimic mistyping directly
- Idea: allow Adv to run free mistyped executions.
- Don’t need to substitute input in honest instances.
- Only amendment: In case of P⊥:
  - Do not notify Adv
  - Do not charge Adv
  - Allow Adv to check for P⊥, but risk the charge, as before
- This is a good definition

How to “prove” this definition
- First definition in the setting – cannot show equivalence
- Could give a definition in the simulation or UC model and then show relationship (future work)
- Instead, reduce to definition of [KR06]:
- We prove: if Π is secure, KE Adv cannot distinguish between two executions:
  1. Adv mistypes C’s inputs adaptively at will
  2. C’s are instantiated with their passwords
- I.e. what is leaked due to mistyping is also leaked without mistyping.
- If [KR06] is good, then our def. is also good:
  - Suppose Π is “bad”, and leaks smth. due to mistyping. Then same is leaked without mistyping. Then Π is bad by [KR06]. Then Π is bad by our def.

How to “prove” this definition (cont.)
- Prove Adv cannot distinguish between two executions:
  1. Adv mistypes C’s inputs at will
  2. C’s are instantiated with their passwords
- Proof idea: if Adv could distinguish executions where pwd and pwd’ are used, then pwd ≠ pwd’. Adv uses this to win KE game.
- A distinguishing mistyping sequence is handled by a hybrid argument.

Our Protocol

Application to biometrics
- Key on storage card can be lost or stolen
- P = Gen(), P R

On confirmation flow S → C
- Our definition does not allow for this flow in Π (o.w. Adv always wins)
- This flow is useful for exact P⊥ accounting on the client side. (O.w. attacks related to convincing C that he mistyped give free password tries)
- We also give an alternative definition that allows this flow and argue its security.