Password-based authenticated key exchange


1 Password-based authenticated key exchange
Ravi Sandhu

2 Variations
Public-key cryptography must be used
  "Public-key cryptography and password protocols", Shai Halevi and Hugo Krawczyk, ACM Transactions on Information and System Security (TISSEC), Volume 2, Issue 3 (August 1999), Pages:
Two variations
  No public-key certificates (no PKI)
  Use public-key certificates (requires PKI)

3 References
http://www.integritysciences.com/links.html
  Comprehensive and long list of references
Principal reference for this lecture:
  S. M. Bellovin and M. Merritt, "Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks," Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, May 1992.
"This is not your grandmother's network login" [Jab96]

4 Broken approaches: use password directly (authentication only)
Original Telnet: the password itself crosses the network
  Client -> Server: pwd                      (vulnerable to eavesdropping)
Challenge-Response
  Server -> Client: challenge
  Client -> Server: h(challenge, pwd)

5 Broken approaches: use hashed password (authentication only)
Challenge-Response with a hashed password
  Server -> Client: challenge
  Client -> Server: h(challenge, f(pwd))
Don't need to store the cleartext password on the server; it stores f(pwd) and recomputes h(challenge, f(pwd))
Dictionary attack on f(pwd) stored at the server remains a vulnerability, and f(pwd) is itself password-equivalent: whoever reads it can answer any challenge. An eavesdropper who captures one (challenge, response) pair can also test candidate passwords offline, since h and f are public.
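The two weaknesses on this slide, as an added example that is not code from the lecture: it assumes f(pwd) = SHA-256(pwd) and h(challenge, v) = SHA-256(challenge || v), and the challenge, password and dictionary are constructed. It shows an eavesdropper testing guesses offline against a single captured exchange, and a thief of the server's f(pwd) table answering a fresh challenge without ever learning the password.

```python
"""Added example (not from the slides): challenge-response over a hashed
password, h(challenge, f(pwd)), against an eavesdropper and a stolen table.

Assumptions: f(pwd) = SHA-256(pwd), h(c, v) = SHA-256(c || v); the
challenge, password and dictionary below are constructed sample data."""
import hashlib
import hmac


def f(pwd: str) -> bytes:
    """Password hash stored at the server instead of the cleartext password."""
    return hashlib.sha256(pwd.encode()).digest()


def h(challenge: bytes, verifier: bytes) -> bytes:
    """Response function: proves knowledge of f(pwd) for this challenge."""
    return hashlib.sha256(challenge + verifier).digest()


def client_response(challenge: bytes, pwd: str) -> bytes:
    return h(challenge, f(pwd))


def server_verify(challenge: bytes, response: bytes, stored: bytes) -> bool:
    """Server side: recompute from the stored f(pwd) and compare."""
    return hmac.compare_digest(response, h(challenge, stored))


def offline_dictionary_attack(challenge: bytes, response: bytes, candidates):
    """Eavesdropping attacker: one captured (challenge, response) pair lets
    every guess be tested locally, with no further interaction."""
    for cand in candidates:
        if h(challenge, f(cand)) == response:
            return cand
    return None


def impersonate_with_stolen_verifier(challenge: bytes, stored: bytes) -> bytes:
    """Stored f(pwd) is password-equivalent: a copy of the server's table
    answers any challenge although the password is never recovered."""
    return h(challenge, stored)


# Constructed sample data for a stand-alone run.
PASSWORD = "sunshine1"
CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
DICTIONARY = ["123456", "password", "qwerty", "letmein", "sunshine1", "dragon"]


def demo():
    """Returns (password recovered by the eavesdropper, forged login accepted?)."""
    captured = client_response(CHALLENGE, PASSWORD)          # seen on the wire
    recovered = offline_dictionary_attack(CHALLENGE, captured, DICTIONARY)
    stolen = f(PASSWORD)                                     # read from server table
    forged = impersonate_with_stolen_verifier(CHALLENGE, stolen)
    return recovered, server_verify(CHALLENGE, forged, stolen)


if __name__ == "__main__":
    print(demo())
```

Note that neither attack needs a session with the server: the eavesdropper works entirely from a recording, and the table thief only needs f(pwd), which is why the later slides insist on protocols whose transcripts leak nothing usable for an offline guess.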

6 Kerberos is vulnerable
Client -> Authentication Server:             request T_{C,TGS}
Authentication Server -> Client:             T_{C,TGS} (sealed under k_TGS), ENC_{k_C}(TGS, k_{C,TGS}, ...)
Client -> Ticket Granting Server (k_TGS):    T_{C,TGS}, ENC_{k_{C,TGS}}(authenticator)
Ticket Granting Server -> Client:            ENC_{k_{C,TGS}}(k_{C,S}, ...), with the accompanying service ticket sealed under k_S
Client <-> Server (k_S):                     communication under k_{C,S}
The trouble: k_C is defined to be some one-way function of the password! An eavesdropper who records the Authentication Server's reply ENC_{k_C}(TGS, k_{C,TGS}, ...) can try candidate passwords offline until the decryption has the expected structure: a dictionary attack that never has to talk to the server.

7 Patel’s classification (Pat97)
Querying attacker
  Can initiate sessions with the server while pretending to be a legitimate client
Eavesdropping attacker
  Can eavesdrop on legitimate runs of the protocol
Active attacker
  Can intercept, drop, insert packets

8 SSL (and SSH) solution (need PKI)
Server-side SSL
  Client <-> Server: server-authenticated SSL channel (server certificate)
  Client -> Server: pwd, sent inside the channel
Needs PKI
Has its pitfalls

9 Pre-EKE: use password directly (authentication and key exchange)
User (pwd)                                      Server (pwd)
  U, ENC_pwd(random)                     ->
                                         <-     ENC_random(challengeU)
  ENC_random(challengeU, challengeS)     ->
                                         <-     ENC_random(challengeS)

10 EKE: DH version [BM92]
User (pwd)                                      Server (pwd)
  U, ENC_pwd(g^x)                        ->
  K = f(g^xy)                            <-     ENC_pwd(g^y), ENC_K(challengeS)          K = f(g^xy)
  ENC_K(challengeU, challengeS)          ->
                                         <-     ENC_K(challengeU)

11 EKE: DH version [BM92]
Potential problems [Patel, S&P97]:
In this version the client chooses g and p and sends them in the clear. An active attacker, instead of sending g and p, sends g^d and p, where d is a small prime with d | (p-1). Every value the server derives from this base is then a d-th power residue: (g^{dy})^{(p-1)/d} = g^{(p-1)y} = 1 mod p. When the attacker receives the password-encrypted ENC_pwd(g^{dy}), he decrypts it under each candidate password and raises the result to the power (p-1)/d. If the result is not 1, that password is rejected. Since only (p-1)/d of the p-1 nonzero residues are d-th power residues, a wrong password's decryption survives the test with probability about 1/d. Each session therefore shrinks the candidate password space by a factor of d, and a dictionary of N passwords is narrowed to the single valid password after a logarithmic number of sessions (about log_d N).
Avoidance: The attack succeeds because g^d is not a generator of Z_p^*. To confirm that g is a generator it is necessary and sufficient to check that g^{(p-1)/m} ≠ 1 mod p for every prime factor m of p-1. The server must apply this check to any base it receives from the client (or the parameters must be fixed in advance rather than negotiated).
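Patel's partition attack and the generator check, as an added example that is not code from the lecture or from [BM92]. It assumes p = 2^31 - 1 (a prime, with p-1 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331), an attacker who picks d = 11, and a toy ENC_pwd modelled as additive blinding in Z_p (ENC_pwd(m) = m + SHA-256(pwd) mod p) in place of the symmetric cipher of [BM92]; the dictionary and password are constructed. The attacker opens sessions as the client with base g^d, filters the dictionary after each server reply, and the same base is then shown to fail the g^{(p-1)/m} ≠ 1 check.

```python
"""Added example (not from the slides): Patel's partition attack on DH-EKE
with a client-chosen base, and the generator check that defeats it.

Assumptions: p = 2^31 - 1 (prime; p-1 = 2*3^2*7*11*31*151*331), the
attacker uses d = 11, and ENC_pwd is modelled as additive blinding in Z_p,
ENC_pwd(m) = m + SHA-256(pwd) mod p, standing in for the symmetric cipher of
[BM92]. Passwords and the dictionary are constructed sample data."""
import hashlib
import random

P = 2**31 - 1


def prime_factors(n: int) -> list:
    """Distinct prime factors by trial division (adequate for this small n)."""
    out, q = [], 2
    while q * q <= n:
        if n % q == 0:
            out.append(q)
            while n % q == 0:
                n //= q
        q += 1
    if n > 1:
        out.append(n)
    return out


def is_generator(g: int, p: int, factors: list) -> bool:
    """The slide's avoidance check: g generates Z_p^* iff
    g^((p-1)/m) != 1 mod p for every prime factor m of p-1."""
    return 1 < g < p and all(pow(g, (p - 1) // m, p) != 1 for m in factors)


def find_generator(p: int, factors: list) -> int:
    return next(g for g in range(2, p) if is_generator(g, p, factors))


def pw_key(pwd: str, p: int) -> int:
    return int.from_bytes(hashlib.sha256(pwd.encode()).digest(), "big") % p


def enc(pwd: str, m: int, p: int) -> int:
    return (m + pw_key(pwd, p)) % p


def dec(pwd: str, c: int, p: int) -> int:
    return (c - pw_key(pwd, p)) % p


def server_second_message(pwd, base, p, rng, factors=None):
    """Honest server: picks y and replies ENC_pwd(base^y). When factors is
    given it first applies the generator check and refuses a bad base."""
    if factors is not None and not is_generator(base, p, factors):
        raise ValueError("base is not a generator of Z_p^*")
    y = rng.randrange(1, p - 1)
    return enc(pwd, pow(base, y, p), p)


def partition_attack(pwd, p, d, candidates, sessions, rng):
    """Querying attacker. Each session it acts as the client and sends the
    base g^d (its own first ciphertext is arbitrary; the reply does not
    depend on it). Under the true password the reply decrypts to (g^d)^y,
    a d-th power residue, so x^((p-1)/d) == 1; under a wrong password the
    decryption is effectively random and passes with probability 1/d.
    Returns (surviving candidates, survivor count after each session)."""
    factors = prime_factors(p - 1)
    assert d in factors, "attack needs a small prime d dividing p-1"
    fake_base = pow(find_generator(p, factors), d, p)
    survivors, history = list(candidates), []
    for _ in range(sessions):
        ct = server_second_message(pwd, fake_base, p, rng)   # unchecked base
        survivors = [c for c in survivors
                     if pow(dec(c, ct, p), (p - 1) // d, p) == 1]
        history.append(len(survivors))
    return survivors, history


DICTIONARY = ["123456", "password", "qwerty", "letmein", "sunshine1", "dragon",
              "monkey", "football", "iloveyou", "admin", "welcome", "abc123",
              "trustno1", "master", "hello", "freedom", "whatever", "shadow",
              "superman", "batman", "starwars", "passw0rd", "ninja", "secret"]
TRUE_PASSWORD = "trustno1"


def run_demo(seed=7, sessions=10):
    """Ten attacker sessions against a server that trusts the client's base."""
    return partition_attack(TRUE_PASSWORD, P, 11, DICTIONARY, sessions,
                            random.Random(seed))


def hardened_server_rejects(seed=7) -> bool:
    """Same attacker base, but the server now runs the generator check."""
    factors = prime_factors(P - 1)
    fake_base = pow(find_generator(P, factors), 11, P)
    try:
        server_second_message(TRUE_PASSWORD, fake_base, P,
                              random.Random(seed), factors)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    survivors, history = run_demo()
    print("candidates left after each session:", history)
    print("survivors:", survivors)
    print("hardened server rejects g^d:", hardened_server_rejects())
```

Each session keeps roughly one eleventh of the wrong candidates, so the 24-word dictionary collapses to the real password within a handful of runs, matching the log_d N rate on the slide; the toy additive cipher is only a stand-in, but the attack applies to any ENC_pwd whose wrong-key decryptions are spread over Z_p.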

12 [BPR Eurocrypt2000]
User (pwd)                                           Server (pwd)
  U, ENC_pwd(g^x)                              ->
  k' = f(u, s, g^x, g^y, g^xy)                 <-    ENC_pwd(g^y), H(k', 1)       k' = f(u, s, g^x, g^y, g^xy)
  H(k', 2)                                     ->
  k = H(k', 0)                                       k = H(k', 0)
  sid = A, ENC_pwd(g^x), B, ENC_pwd(g^y)             sid = A, ENC_pwd(g^x), B, ENC_pwd(g^y)
  pid = B                                            pid = A

13 [BPR Eurocrypt2000]
[BM92] proved secure (in ROM and ICM)
Theorem. Let q_se, q_re, q_co, q_ex, q_or be integers and let q = q_se + q_re + q_co + q_ex + q_or. Let Password be a finite set of size N and assume $|G|^{1/2}/q \ge N \ge 1$. Let PW be the associated LL-key generator as discussed above, SK be the associated session key space. Assume the weak corruption model. Then

$$\mathrm{Adv}^{\mathrm{fs}}_{P,PW,SK}(t, q_{se}, q_{re}, q_{co}, q_{ex}, q_{or}) \le \frac{q_{se}}{N} + q_{se}\, q_{or}\, \mathrm{Adv}^{\mathrm{dh}}_{G,g}(t', q_{or}) + \frac{O(q^2)}{|G|} + \frac{O(1)}{|G|^{1/2}}$$

where t' = t + O(q_se + q_or).

14 SPEKE: [Jablon, CCR96]
User (pwd)                                      Server (pwd)
  U, f(pwd)^x                            ->
  k = h(f(pwd)^xy)                       <-     f(pwd)^y                                k = h(f(pwd)^xy)
  ENC_k(challengeU)                      ->
                                         <-     ENC_k(challengeU, challengeS)
  ENC_k(challengeS)                      ->

15 [MacK01b] In this paper we prove (in the random oracle model) that a certain instantiation of the SPEKE protocol that uses hashed passwords instead of non-hashed passwords is a secure password-authenticated key exchange protocol (using our relaxed definition) based on a new assumption, the Decision Inverted-Additive Diffie-Hellman assumption. Since this is a new security assumption, we investigate its security and relation to other assumptions; specifically we prove a lower bound for breaking this new assumption in the generic model, and we show that the computational version of this new assumption is equivalent to the Computational Diffie-Hellman assumption.

