Password-based Credentials Download Protocols Radia Perlman


1 Password-based Credentials Download Protocols
Radia Perlman
radia.perlman@sun.com

2 Goal
To download private key, encrypted with the user’s password. The user’s “credential”
WS has some minimal amount of (trusted) software installed, but no user-specific info
User Alice’s private key and other info stored in central place “Bob” (e.g., the directory)
“Log into the network” means get Alice’s private key and everything else needed

3 Getting private key
It would be nice if we all carried smart cards
But do we need a backup if user loses it, or forgets it, or it is broken?
But also, we don’t seem to have smart cards

4 Download protocol
So, it might be nice to only need a password, and have a protocol that downloads the private key
Immune to dictionary attacks
–By eavesdropper (passive attacker)
–By Alice-impersonator
–By Bob-impersonator

5 Building Blocks
Diffie-Hellman
EKE (Bellovin-Merritt)
–Encrypt Diffie-Hellman exchange with W (W=password, the weak secret)
SPEKE (Jablon)
–Replace base in Diffie-Hellman with W
PDM (Kaufman-Perlman)
–Replace modulus in Diffie-Hellman with f(W)

6 EKE (designed for mutual authentication)
Alice and Bob share W=h(pwd), g, p
Alice: pick A
Alice → Bob: “Alice”, {g^A mod p}W
Bob: pick B, decrypt {g^A mod p}W
Calculate K = g^(AB) mod p
Bob: choose challenge C1
Bob → Alice: {g^B mod p}W, {C1}K
Alice: choose challenge C2
Alice → Bob: {C1,C2}K
Bob → Alice: {C2}K

7 SPEKE
Alice and Bob share W, p
Alice: pick A
Alice → Bob: “Alice”, W^A mod p
Bob: pick B
Calculate K = W^(AB) mod p
Bob: choose challenge C1
Bob → Alice: W^B mod p, {C1}K
Alice: choose challenge C2
Alice → Bob: {C1,C2}K
Bob → Alice: {C2}K

8 PDM (Password Derived Moduli)
Alice and Bob share p
Alice: pick A
Alice → Bob: “Alice”, 2^A mod p
Bob: pick B
Calculate K = 2^(AB) mod p
Bob: choose challenge C1
Bob → Alice: 2^B mod p, {C1}K
Alice: choose challenge C2
Alice → Bob: {C1,C2}K
Bob → Alice: {C2}K

9 But we don’t need mutual authentication, just credentials download
Which we can do in two messages

10 2-msg EKE-based
Alice and Bob share g, p, W
Alice: pick A
Alice → Bob: “Alice”, {g^A mod p}W
Calculate K = g^(AB) mod p
Bob → Alice: g^B mod p, {Y}K

11 2-msg SPEKE-based
Alice and Bob share W, p
Alice: pick A
Alice → Bob: “Alice”, W^A mod p
Calculate K = W^(AB) mod p
Bob → Alice: W^B mod p, {Y}K
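The two-message SPEKE-based download from slide 11, with both sides' messages, as an added example that is not part of the original presentation. Assumptions not on the slides: all function names, W derived as h(pwd)^2 mod p, the RFC 2409 Oakley Group 1 prime as p, a SHAKE-256 keystream with an HMAC tag standing in for {Y}K, and a constructed sample Y.

```python
import hashlib, hmac, secrets

# 768-bit safe prime (RFC 2409 Oakley Group 1); demo-sized, not a recommendation.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
SAMPLE_Y = b"constructed stand-in for Alice's encrypted private key"

def derive_w(pwd):
    # Assumption (not on the slide): W = h(pwd)^2 mod p, a prime-order subgroup element.
    h = int.from_bytes(hashlib.sha512(pwd.encode()).digest(), "big")
    return pow(h, 2, P)

def check_public(x):
    # Refuse 0, 1, p-1 and out-of-range values, which would force a guessable K.
    if not 1 < x < P - 1:
        raise ValueError("degenerate Diffie-Hellman value")
    return x

def _keys(shared):
    k = hashlib.sha256(shared.to_bytes(96, "big")).digest()
    return hashlib.sha256(k + b"enc").digest(), hashlib.sha256(k + b"mac").digest()

def seal(shared, y):
    # {Y}K: SHAKE-256 keystream plus HMAC tag, a stdlib stand-in for an AEAD.
    enc, mac = _keys(shared)
    ct = bytes(a ^ b for a, b in zip(y, hashlib.shake_256(enc).digest(len(y))))
    return ct + hmac.new(mac, ct, hashlib.sha256).digest()

def unseal(shared, blob):
    enc, mac = _keys(shared)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, ct, hashlib.sha256).digest()):
        return None  # wrong K, i.e. wrong password or tampered reply
    return bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(enc).digest(len(ct))))

def alice_msg1(pwd):
    a = secrets.randbelow(P - 3) + 2
    return a, pow(derive_w(pwd), a, P)        # message 1: "Alice", W^A mod p

def bob_msg2(w, y, wa):
    b = secrets.randbelow(P - 3) + 2
    k = pow(check_public(wa), b, P)           # K = W^(AB) mod p
    return pow(w, b, P), seal(k, y)           # message 2: W^B mod p, {Y}K

def download(typed_pwd, bob_w, y):
    a, wa = alice_msg1(typed_pwd)
    wb, blob = bob_msg2(bob_w, y, wa)
    return unseal(pow(check_public(wb), a, P), blob)   # Alice recovers Y or None
```

A wrong password makes Alice derive a different K, so the reply fails its tag check and testing another guess takes a fresh exchange with Bob.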

12 2-msg PDM-based
Alice and Bob share p
Alice: pick A
Alice → Bob: “Alice”, 2^A mod p
Calculate K = 2^(AB) mod p
Bob → Alice: 2^B mod p, {Y}K

13 If we want to avoid strong password schemes
Just let Y be world-readable
–Anyone can request it and do dictionary attack
–An eavesdropper can do a dictionary attack
Could do CHAP-like thing to authenticate
–Eavesdropper could do dictionary attack
Could enhance that with anonymous Diffie-Hellman initial exchange
–Active attacker could be man-in-the-middle, or impersonate whichever side authenticates last, to gain dictionary attack

14 To avoid strong pwd schemes
Could do TLS, then CHAP-like thing
–Requires good trust anchors at client, and certificate for server
–No dictionary attack possible for eavesdropper or Alice-impersonator
–Can’t have Bob-impersonator (since TLS would foil that)

15 Variants in Pre-shared Key TLS
PSK only
–Eavesdropper and server get dictionary attack
DH-PSK
–Bob-impersonator gets dictionary attack
RSA-PSK
–Can’t impersonate Bob if Alice checks his cert

