Strong Password Protocols


1 Strong Password Protocols
CS 465 Strong Password Protocols
Last Updated: Oct 27, 2016

2 Motivation
- Users continue to use the familiar password login method
- Password is no longer sent in the clear
- Advanced approaches – the server doesn’t store the password or password equivalent data
- Eavesdroppers and impersonators obtain no information for an online attack

3 Lamport’s Hash

4 Lamport’s Hash
- Simple beginning: one time password scheme using iterated hashes see Trusted
- Bob knows <n, hash^n(password)>
- Compares hash(x) to hash^n(password); if equal, replaces <n, hash^n(password)> with <n-1, x>
Message flow:
Alice → Alice’s Workstation: Alice, pwd
Alice’s Workstation → Bob: Alice
Bob → Alice’s Workstation: n
Alice’s Workstation → Bob: x = hash^(n-1)(pwd)

5 Attack on Lamport’s Hash
- Small n attack
  - Active attacker intercepts the server’s reply message with n and changes it to a smaller value
  - Attacker can easily manipulate the response (repeatedly) to impersonate Alice
- Eavesdropper captures Alice’s hashed reply and conducts off-line attack
- Replay Alice’s response to other servers where Alice may use the same password
  - Thwart using salt at the server – server hashes pw || salt and sends n and the salt to Alice during login
  - Salt also permits automatic password refresh when n reaches 1
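
The salted Lamport scheme from slides 4 and 5, as an added Python sketch (not code from the presentation). SHA-256, the 16-byte salt, and the names `Server`, `workstation_reply` and `demo` are assumptions; the sample password is constructed.

```python
import hashlib
import hmac
import os


def iter_hash(data: bytes, rounds: int) -> bytes:
    """hash^rounds(data), using SHA-256 as the hash (an assumption)."""
    for _ in range(rounds):
        data = hashlib.sha256(data).digest()
    return data


class Server:
    """Bob: stores <n, hash^n(pw || salt)> and the salt, not the password."""

    def __init__(self, password: bytes, n: int):
        self.salt = os.urandom(16)  # different on every server
        self.n = n
        self.stored = iter_hash(password + self.salt, n)

    def challenge(self):
        """Values sent to Alice's workstation during login."""
        return self.n, self.salt

    def verify(self, x: bytes) -> bool:
        """Compare hash(x) to the stored value; if equal, store <n-1, x>."""
        if self.n <= 1:  # chain used up: password refresh with a new salt
            return False
        if not hmac.compare_digest(iter_hash(x, 1), self.stored):
            return False
        self.n, self.stored = self.n - 1, x
        return True


def workstation_reply(password: bytes, n: int, salt: bytes) -> bytes:
    """Alice's workstation: x = hash^(n-1)(pw || salt)."""
    return iter_hash(password + salt, n - 1)


def demo():
    pw = b"constructed-sample-password"
    bob, other = Server(pw, 1000), Server(pw, 1000)
    x = workstation_reply(pw, *bob.challenge())
    first = bob.verify(x)            # fresh reply: accepted
    replay_same = bob.verify(x)      # replay to Bob: stored value moved on
    replay_other = other.verify(x)   # replay to another server: other salt
    second = bob.verify(workstation_reply(pw, *bob.challenge()))
    return first, replay_same, replay_other, second, bob.n
```

The server refuses to go below n = 1 because the next reply would be hash^0(pw || salt), which is the salted password itself.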

6 Encrypted Key Exchange (EKE)

7 Encrypted Key Exchange (EKE)
- Both parties know W
- Can an off-line attack be done?
Messages between Alice and Bob, in order:
1. “Alice”, W{g^a mod p}
2. W{g^b mod p, C_A}
   (can compute K_AB = g^(ab) mod p)
3. K_AB{C_A, C_B}
4. K_AB{C_A}

8 Augmented EKE
- EKE vulnerable to database disclosure since Bob stores W in the clear
- Defense: Augmented EKE – Alice knows the password, Bob knows a one-way hash of it
- Bob stores: g^W mod p
Messages between Alice and Bob, in order:
1. “Alice”, g^a mod p
2. g^b mod p, H(g^(ab) mod p, g^(bW) mod p)
3. H’(g^(ab) mod p, g^(bW) mod p)
- what’s the possible attack? if Trudy steals Alice’s password from Bob, Trudy can impersonate Alice

9 Strong Remote Password (SRP)

10

11 SRP Setup
- Carol picks password P and salt s
- Carol computes the following:
- Steve stores v and s as Carol’s password verifier and salt
- See authentication steps on next slide

12

13 SRP Benefits
- An attacker with neither the user's password nor the host's password file cannot mount a dictionary attack on the password. Mutual authentication is achieved in this scenario.
- An attacker who captures the host's password file cannot directly compromise user-to-host authentication and gain access to the host without an expensive dictionary search.
- An attacker who compromises the host does not obtain the password from a legitimate authentication attempt.
- An attacker who captures the session key cannot use it to mount a dictionary attack on the password.
- An attacker who captures the user's password cannot use it to compromise the session keys of past sessions.

14 Summary
- Observe how DH idea has been extended to strong password protocols
- Patents have slowed the adoption of these ideas, but they are starting to expire. We may see a resurgence soon.
- SRP can run without an SSL connection.
- There is a proposed TLS-SRP extension to do an SRP mutual authentication handshake.
- Potential to deter phishing attacks.

