1 (Re)Introducing Strong Password Protocols Radia Perlman

2 What’s a strong password protocol? Alice and Bob share a weak secret (W)…a password In a strong password protocol, someone impersonating Alice or Bob, or eavesdropping, cannot capture a quantity with which to do a dictionary attack

3 Example non-strong password protocol Alice Bob I’m Alice Challenge=R H(W,R)‏ Knows WKnows (“Alice”, W)‏

4 Example non-strong password protocol Alice Bob I’m Alice Challenge=R h(W,R)‏ Knows WKnows (“Alice”, W)‏ Note: someone impersonating Bob, or eavesdropping, can test passwords to see if response h(W,R) matches R

5 First strong password protocol: EKE Bellovin-Merritt Encrypt Diffie-Hellman exchange with W

6 EKE Alice Bob I’m Alice, {g A mod p}W {g B mod p}W Mutual exchange based on g AB Knows WKnows (“Alice”, W)‏

7 EKE Alice Bob I’m Alice, {g A mod p}W {g B mod p}W Mutual exchange based on g AB Knows WKnows (“Alice”, W)‏ Note: someone impersonating Bob, or eavesdropping, cannot do a dictionary attack. Would have to break Diffie-Hellman

8 EKE Alice Bob I’m Alice, {g A mod p}W {g B mod p}W Mutual exchange based on g AB Knows WKnows (“Alice”, W)‏ Note: someone impersonating Bob, or eavesdropping, cannot do a dictionary attack. Would have to break Diffie-Hellman Note: Alice or Bob could do one on-line password guess, and verify if they are right

9 Variants of EKE SPEKE: (Jablon) replace “g” in Diffie- Hellman with W Alice Bob I’m Alice, W A mod p W B mod p Mutual exchange based on W AB Knows WKnows (“Alice”, W)‏

10 Variants of EKE PDM: (Kaufman, Perlman) derive p deterministically from W Alice Bob I’m Alice, 2 A mod p 2 B mod p Mutual exchange based on 2 AB Knows pwd, derives pKnows (“Alice”, p)‏

11 “Augmented” feature In EKE, SPEKE, and PDM, server knows W If someone stole the server database, they would be able to directly impersonate the user (without a dictionary attack)‏ “Augmented” feature: server database doesn’t completely divulge W (but allows a dictionary attack)‏ Many ways to do this

12 Example: augmented PDM AliceBob I’m Alice, 2 A mod p 2 B mod p, challenge=R, { {Alice’s priv}pwd} 2 AB mod p Sign R with private key, Mutual exchange based on 2 AB Knows pwd, derives pKnows for Alice: p, {Alice’s priv}pwd, Alice’s public key Verifies Alice’s sig

13 Augmented protocols All of EKE, SPEKE, PDM can be made augmented SRP only has an augmented form There are other variants of strong password protocols

14 What would one do with a strong password protocol? One could directly authenticate with it One could do credential download –Use it to download Alice’s private key, and then everything else follows once she knows her private key –Everything else she needs can be stored encrypted and/or signed –Authentication would be done with traditional public key

15 Credential download (based on EKE)‏ Alice Bob g B mod p, { CRED } g AB mod p Knows pwd, derives W Knows for Alice: W, CRED={Alice’s priv}pwd, Note: only need 2 msgs I’m Alice, {g A mod p}W

16 Other things Alice can customize her password for each site (use W servername = h(pwd, “servername”)) at site “servername” But if you just use strong password protocols to obtain Alice’s private key, she can authenticate to all other sites using public key

17 Why don’t we use strong password protocols? Possible IPR TLS with non-strong password protocol “good enough in practice”