Password-based Authentication SBSeg 2007 Keynote Michel Abdalla Researcher École normale supérieure & CNRS.

1 Password-based Authentication (title slide)
- SBSeg 2007 Keynote
- Michel Abdalla, Researcher, École normale supérieure & CNRS

2 Diffie-Hellman protocol
- Let G be a group in which the DDH problem is hard and let g be a generator for G
- Alice: sk_A ← {0,…,|G|-1}, pk_A ← g^{sk_A}; sends pk_A to Bob
- Bob: sk_B ← {0,…,|G|-1}, pk_B ← g^{sk_B}; sends pk_B to Alice
- Shared key: sk = pk_B^{sk_A} = g^{sk_A·sk_B} = pk_A^{sk_B}
- Protocol does NOT provide authentication

3 Authenticated Key Exchange (AKE)
- Allow two parties to establish a common secret in an authenticated way
- Intuitive goal: implicit authentication
  - The session key should only be known to the parties involved in the protocol
- Formally: semantic security
  - The session key should be indistinguishable from a random string

4 Authentication techniques
- Asymmetric techniques
  - Assume the existence of a public-key infrastructure
  - Each party holds a pair of secret and public keys
- Symmetric techniques
  - Users share a random secret key
  - 2-party or 3-party settings
- Password-based techniques
  - Consider the case of weak secrets (e.g., a 4-digit PIN)
  - Protocols are always subject to online guessing attacks

5 Password-based AKE (PAKE)
- Realistic
  - Real-life applications usually rely on weak passwords
- Convenient to use
  - Users do not need to store the secret
- Comes at a cost
  - Protocols are always subject to online guessing attacks

6 Online dictionary attacks
- Let D represent the set of possible passwords (i.e., the dictionary)
- As passwords need to be memorized by humans, |D| is usually small
- Online dictionary attack
  - Choose a password from D
  - Interact with the authentication server using the guessed password
  - Each online attempt can succeed with probability 1/|D|
- Countermeasures against online attacks
  - Limit the number of unsuccessful attempts
- Goal of password-based authentication
  - Restrict the adversary to online dictionary attacks only
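The countermeasure named on this slide, a cap on unsuccessful attempts, together with the bound it gives an online guesser, as an added example that is not part of the talk. The verifier class, the policy value MAX_FAILED, the PBKDF2 parameters and the 4-digit PIN dictionary are all constructed for the demo.

```python
import hashlib
import hmac
import os

# Added example, not from the slides: a password verifier that implements the
# counter-measure of slide 6 (a cap on unsuccessful attempts) and the bound
# this gives an online guesser. Names and parameters are constructed.

class PasswordVerifier:
    """Keeps a salted PBKDF2 hash of the password and locks after MAX_FAILED misses."""

    MAX_FAILED = 3  # constructed policy value

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.digest = self._hash(password, self.salt)
        self.failed = 0
        self.locked = False

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def try_login(self, guess: str) -> bool:
        """One online attempt. A locked account rejects everything, even the right password."""
        if self.locked:
            return False
        ok = hmac.compare_digest(self._hash(guess, self.salt), self.digest)
        if ok:
            self.failed = 0
        else:
            self.failed += 1
            if self.failed >= self.MAX_FAILED:
                self.locked = True
        return ok


def online_guess_bound(dictionary_size: int, attempts: int) -> float:
    """Each attempt succeeds with probability 1/|D|; with at most `attempts` tries
    the adversary wins with probability at most attempts/|D|."""
    return min(1.0, attempts / dictionary_size)


def simulate_online_attack(dictionary, secret: str):
    """Try dictionary entries in order against a fresh verifier.
    Returns (success, attempts_used); the lockout stops the search."""
    verifier = PasswordVerifier(secret)
    for n, guess in enumerate(dictionary, start=1):
        if verifier.try_login(guess):
            return True, n
        if verifier.locked:
            return False, n
    return False, len(dictionary)


if __name__ == "__main__":
    pins = ["%04d" % i for i in range(10_000)]  # constructed dictionary D of 4-digit PINs
    print(simulate_online_attack(pins, "0002"))   # the PIN is reached before the lockout
    print(simulate_online_attack(pins, "7351"))   # locked out after MAX_FAILED attempts
    print(online_guess_bound(len(pins), PasswordVerifier.MAX_FAILED))
```

The point of the simulation is the second line of the usage: whatever the order in which the guesser walks D, the lockout bounds its success by MAX_FAILED/|D| per account, which is exactly the "online attacks only" guarantee a PAKE protocol is designed to preserve.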

7 Group Password-based AKE (GPAKE)
- Scenario: similar to the 2-party case, except that …
  - The number of protocol participants is variable
  - The password is shared among all participants
  - The session key is shared among all participants
- Security goals: similar to the 2-party case
  - Allow a pool of users to establish a common session key with only the help of passwords

8 Security model
- Users can have many protocol instances running concurrently
- Communication may be controlled by the adversary
  - The adversary can create, modify, or forward messages
  - The transmission of messages is done via specific oracle queries
- The adversary is given oracle access to all user instances and can corrupt some of them
- The protocol is considered secure if the session key held by an honest user cannot be distinguished from a random key

9 Outline
- Review of PAKE schemes
- History of GPAKE schemes
- A simple GPAKE protocol
- A generic GPAKE protocol
- Concluding remarks

10 Background: Ideal models
- Random oracle model [BellareRogaway93]
  - Perhaps the most used ideal model in cryptography
  - The hash function is modeled as a perfectly random function
- Random permutation model
  - Similar to the random-oracle model, but with a permutation instead of a function
- Ideal cipher model
  - An extension of the random-permutation model
  - A block cipher is seen as a family of truly random and independent permutations (one for each key)
- Standard model
  - None of the above

11 Brief history of PAKE schemes
- [BelMer92]: Encrypted Key Exchange (EKE)
  - Seminal work, no proofs
- [BelPoiRog00, BoyMacPat00]
  - Formal security models
  - Protocols in the ideal-cipher and random-oracle models
- [GolLin01]
  - Non-concurrent protocol in the standard model
- [KatOstYun01, GenLin03, CHKLM05]
  - Efficient protocols in the CRS model
- [BR00, BCP03/04, CatPoiPor04, MacKenzie02, AbPo05]
  - Efficient EKE and OKE protocols in the RO model

12 Encrypted Key Exchange [Bellovin & Merritt, 1992]
- Flows are encrypted with the password π = pw, shared by Alice and Bob
- Alice: x ← Z_p, X ← g^x; sends (Alice, X* = Enc_π(X)) to Bob
- Bob: y ← Z_p, Y ← g^y; sends (Bob, Y* = Enc_π(Y)) to Alice
- Alice: Y ← Dec_π(Y*), K ← Y^x
- Bob: X ← Dec_π(X*), K ← X^y
- SK ← H(Alice, Bob, π, X*, Y*, K)

13 EKE instantiations
- [BPR00, BCP03]: Enc = ideal cipher, H = random oracle
- [MacKenzie02, BCP04]: Enc = random oracle, H = random oracle
- [AbPo05]: Enc_pw(X) = X · h^pw, H = random oracle

14 Simple PAKE [AbPo05]
- π = pw, shared by Alice and Bob
- Alice: x ← Z_p, X ← g^x; sends (Alice, X* = X · A^π) to Bob
- Bob: y ← Z_p, Y ← g^y; sends (Bob, Y* = Y · B^π) to Alice
- Alice: Y ← Y* / B^π, K ← Y^x
- Bob: X ← X* / A^π, K ← X^y
- SK ← H(Alice, Bob, π, X*, Y*, K)

15 Security of simple PAKE
- Theorem: If the DDH problem is hard, then the protocol described in the previous slide is a secure PAKE protocol in the random-oracle model.
- Proof: see [AbPo05]
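The simple PAKE of slide 14 run end to end, as an added example that is not the paper's code. Its assumptions are constructed for the demo: the group is Z_P^* for the Mersenne prime P = 2^127 - 1 with generator 7 (a toy choice, not a DDH-hard prime-order group), A and B are public elements derived from fixed labels, π is a hash of the password reduced modulo P - 1, and H is SHA-256 over length-prefixed fields in the slide's order.

```python
import hashlib
import secrets

# Added example, not the slides' own code: a toy run of the simple PAKE of slide 14,
#   X* = X * A^pi,  Y* = Y * B^pi,  SK = H(Alice, Bob, pi, X*, Y*, K).
# Constructed assumptions: the group is Z_P^* for the Mersenne prime P = 2^127 - 1
# with generator G = 7 (a toy choice, not a DDH-hard prime-order group), A and B
# are public elements derived from fixed labels, and pi is a hash of the password
# reduced modulo the exponent range.
P = (1 << 127) - 1
G = 7


def hash_to_group(label: bytes) -> int:
    """Derive a public group element in [1, P-1] from a label (stand-in for A and B)."""
    return int.from_bytes(hashlib.sha256(label).digest(), "big") % (P - 1) + 1


A = hash_to_group(b"simple-PAKE-A")
B = hash_to_group(b"simple-PAKE-B")


def password_exponent(pw: str) -> int:
    """pi: the password mapped to an exponent in Z_{P-1}."""
    return int.from_bytes(hashlib.sha256(pw.encode()).digest(), "big") % (P - 1)


def derive_key(alice: str, bob: str, pi: int, x_star: int, y_star: int, k: int) -> bytes:
    """SK = H(Alice, Bob, pi, X*, Y*, K) with length-prefixed fields."""
    fields = [alice.encode(), bob.encode()] + [v.to_bytes(16, "big") for v in (pi, x_star, y_star, k)]
    return hashlib.sha256(b"".join(len(f).to_bytes(2, "big") + f for f in fields)).digest()


def unmask(masked: int, base: int, pi: int) -> int:
    """Remove the password mask: masked / base^pi."""
    return masked * pow(pow(base, pi, P), -1, P) % P


def run_simple_pake(pw_alice: str, pw_bob: str, alice: str = "Alice", bob: str = "Bob"):
    """One session in which Alice holds pw_alice and Bob holds pw_bob.
    Returns (SK_alice, SK_bob); they agree exactly when the passwords do."""
    pi_a, pi_b = password_exponent(pw_alice), password_exponent(pw_bob)
    # Alice: x <- Z_{P-1}, X <- g^x, X* <- X * A^pi
    x = secrets.randbelow(P - 2) + 1
    x_star = pow(G, x, P) * pow(A, pi_a, P) % P
    # Bob: y <- Z_{P-1}, Y <- g^y, Y* <- Y * B^pi
    y = secrets.randbelow(P - 2) + 1
    y_star = pow(G, y, P) * pow(B, pi_b, P) % P
    # Alice: Y <- Y* / B^pi, K <- Y^x ;  Bob: X <- X* / A^pi, K <- X^y
    k_alice = pow(unmask(y_star, B, pi_a), x, P)
    k_bob = pow(unmask(x_star, A, pi_b), y, P)
    return (derive_key(alice, bob, pi_a, x_star, y_star, k_alice),
            derive_key(alice, bob, pi_b, x_star, y_star, k_bob))


if __name__ == "__main__":
    sk_a, sk_b = run_simple_pake("correct horse", "correct horse")
    print("same password, keys agree:", sk_a == sk_b)
    sk_a, sk_b = run_simple_pake("correct horse", "battery staple")
    print("different passwords, keys agree:", sk_a == sk_b)
```

Note what an eavesdropper holding (X*, Y*) can do offline: unmasking under any candidate π yields a perfectly valid group element, so nothing in the transcript distinguishes the right guess from a wrong one; a guess can only be tested by running a session, which is the "online attacks only" property the theorem formalizes.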

16 PAKE in the standard model: the Gennaro-Lindell construction
- Design is not as simple as EKE
- Requires several different tools
  - One-time signatures
  - Non-malleable encryption schemes
  - Smooth projective hash functions

17 Smooth projective hash functions [GL03 variant]: algorithms
- Hash key generation: hk = HK(pk), where pk is the public encryption key and hk the hashing key
- Projected key generation: hp = α(hk, c), where hk is the hashing key and hp the projected key
- Hashing algorithm: H(hk, m, c) ∈ G, where m is the message, c the ciphertext and hk the hashing key
- Projected hashing algorithm: h = h(hp, m, c; r), where hp is the projected key and r the randomness used to generate c

18 Smooth projective hash functions [GL03 variant]: security properties
- Correctness: if c = E(pk, m; r), then (m, c, hp) uniquely determines H(hk, m, c)
  - When c = E(m; r), H(hk, m, c) can be computed efficiently given r: h(hp, m, c; r) = H(hk, m, c)
- Smoothness: if c is not an encryption of m, then (m, c, hp) gives no information (statistically) on H(hk, m, c)
- Pseudo-randomness: when c = E(m; r) and hp = α(hk, c), then H(hk, m, c) is pseudo-random given only (m, c, hp)

19 The Gennaro-Lindell construction
- Alice: (sk_R, vk_R) ← Sig-KG; c_R ← E_pk(pw || vk_R; r_R); sends (Alice, vk_R, c_R) to Bob
- Bob: (sk_L, vk_L) ← Sig-KG; hk_L ← hashKey; hp_L ← α(hk_L, c_R, vk_R); c_L ← E_pk(pw || vk_L; r_L); sends (Bob, hp_L, vk_L, c_L) to Alice
- Alice: hk_R ← hashKey; hp_R ← α(hk_R, c_L, vk_L); σ_R ← Sign(sk_R, Transcript); K_L ← H_{hk_R}(pw, vk_L, c_L); K_R ← h_{hp_L}(pw, c_R, vk_R; r_R); sends (hp_R, σ_R) to Bob
- Bob: K_R ← H_{hk_L}(pw, vk_R, c_R); K_L ← h_{hp_R}(pw, c_L, vk_L; r_L); σ_L ← Sign(sk_L, Transcript); sends σ_L to Alice
- SK ← K_L ∘ K_R

20 Outline
- Review of PAKE schemes
- History of GPAKE schemes
- A simple GPAKE protocol
- A generic GPAKE protocol
- Concluding remarks

21 Brief history of GAKE schemes
- [BurDes94, BurDes05]: constant-round group Diffie-Hellman key exchange
  - Passive attacks, security based on CDH
- [KatzYung03]
  - Proof of security for the BD protocol based on DDH
  - Generic compiler from GKE to GAKE using signatures
- [KimLeeLee04]
  - A variant of the BD protocol using random oracles and XOR operations
- [Joux00]
  - A one-round protocol for tripartite Diffie-Hellman
- [LiPieprzyk99, BreCat04]
  - Conference key agreement from secret sharing
- [BoydNieto03, JeongKatzLee04, …]
  - Round-optimal contributory key agreement

22 The Burmester-Desmedt group key exchange [BD94]
- Participants P_1, …, P_N are arranged in a ring (indices taken modulo N)
- Flow 1: each P_i picks x_i ← Z_p, computes X_i ← g^{x_i} and broadcasts X_i
- Flow 2: each P_i computes K_i ← X_{i+1}^{x_i} and K_{i-1} ← X_{i-1}^{x_i}, then Z_i ← K_i / K_{i-1}, and broadcasts Z_i
  - P_1: K_1 ← X_2^{x_1}, K_N ← X_N^{x_1}, Z_1 ← K_1 / K_N
  - P_N: K_N ← X_1^{x_N}, K_{N-1} ← X_{N-1}^{x_N}, Z_N ← K_N / K_{N-1}
- SK ← K_1 ∘ K_2 ∘ … ∘ K_N

23 The Kim-Lee-Lee group key exchange [KLL04]
- Flow 1: each P_i picks s_i ← $ and x_i ← Z_p, computes X_i ← g^{x_i} and broadcasts X_i
- Flow 2: each P_i computes K_i ← H(X_{i+1}^{x_i}) and K_{i-1} ← H(X_{i-1}^{x_i}), Z_i ← K_i ⊕ K_{i-1}, T_i ← s_i, and broadcasts Z_i || T_i
  - P_1: K_1 ← H(X_2^{x_1}), K_N ← H(X_N^{x_1}), Z_1 ← K_1 ⊕ K_N, T_1 ← s_1
  - P_N: K_N ← H(X_1^{x_N}), K_{N-1} ← H(X_{N-1}^{x_N}), Z_N ← K_N ⊕ K_{N-1}, T_N ← K_N ⊕ s_N
- SK ← H_2(s_1 ⊕ s_2 ⊕ … ⊕ s_N)

24 A generic version of the Burmester-Desmedt protocol
- Each pair of neighbours (P_{i-1}, P_i) runs a key exchange KE to obtain K_{i-1}; likewise (P_i, P_{i+1}) obtain K_i
- P_i computes Z_i ← K_i / K_{i-1} and broadcasts it (P_{i-1}: Z_{i-1} ← K_{i-1} / K_{i-2}; P_{i+1}: Z_{i+1} ← K_{i+1} / K_i)
- SK ← K_1 ∘ K_2 ∘ … ∘ K_N

25 A generic version of the Kim-Lee-Lee protocol
- Each pair of neighbours (P_{i-1}, P_i) runs a key exchange KE to obtain K_{i-1}; likewise (P_i, P_{i+1}) obtain K_i
- Each P_i picks s_i ← $, computes Z_i ← K_i ⊕ K_{i-1} and T_i ← s_i, and broadcasts Z_i || T_i (P_{i-1}: Z_{i-1} ← K_{i-1} ⊕ K_{i-2}, T_{i-1} ← s_{i-1}; P_{i+1}: Z_{i+1} ← K_{i+1} ⊕ K_i, T_{i+1} ← s_{i+1})
- P_N: Z_N ← K_N ⊕ K_{N-1}, T_N ← K_N ⊕ s_N; broadcasts Z_N || T_N
- SK ← H_2(s_1 ⊕ s_2 ⊕ … ⊕ s_N)

26 Previous work on GPAKE
- [BreChePoi02, BreChePoi05]: group Diffie-Hellman password-based key exchange
  - Linear number of rounds
- [LeeHwangLee04]
  - Based on the Kim-Lee-Lee GAKE protocol
  - Proven secure in the random-oracle model
  - Broken in [ABCP06]
- [DuttaBarua06]
  - Based on the Kim-Lee-Lee GAKE protocol
  - Proven secure in the random-oracle and ideal-cipher models
  - Broken in [ABCP06]
- [ABCP06], [TangChoo06]
  - Based on the Burmester-Desmedt protocol
  - Proven secure in the ideal-cipher and random-oracle models

27 More recent work on GPAKE
- [KwonJeongLee06]
  - Simplification of the [ABCP06] protocol
  - Proven secure in the "standard model"
  - Apparently insecure (work in progress)
- [AbdallaPointcheval06]
  - Based on the Gennaro-Lindell PAKE protocol
  - Proven secure in the standard model
- [BohliGonzalezSteinwandt06]
  - Proven secure in the standard model
  - Similar to [AbdallaPointcheval06], but more efficient
- [ABGS07]
  - Generic compiler from 2-party to group
  - Proven secure in the standard model

28 Outline
- Review of PAKE schemes
- History of GPAKE schemes
- A simple GPAKE protocol
- A generic GPAKE protocol
- Concluding remarks

29 Adding password authentication to the BD protocol
- EKE approach: encrypt all flows using the password pw
  - X_i* = E_pw(X_i), Z_i* = E_pw(Z_i)
- Problem: in the BD protocol, Z_1 ∘ Z_2 ∘ … ∘ Z_N = 1
- Dictionary attack
  - Guess a password pw
  - Compute Z_i = D_pw(Z_i*) for i = 1, …, N
  - Check whether Z_1 ∘ Z_2 ∘ … ∘ Z_N = 1

30 The Dutta-Barua GPAKE protocol [DB06]
- Flow 1: each P_i picks s_i ← $ and x_i ← Z_p, computes X_i ← g^{x_i} and broadcasts E_pw(X_i)
- Flow 2: each P_i computes K_i ← H(X_{i+1}^{x_i}) and K_{i-1} ← H(X_{i-1}^{x_i}), Z_i ← K_i ⊕ K_{i-1}, T_i ← s_i, and broadcasts E'_pw(Z_i || T_i)
  - P_1: K_1 ← H(X_2^{x_1}), K_N ← H(X_N^{x_1}), Z_1 ← K_1 ⊕ K_N, T_1 ← s_1
  - P_N: K_N ← H(X_1^{x_N}), K_{N-1} ← H(X_{N-1}^{x_N}), Z_N ← K_N ⊕ K_{N-1}, T_N ← K_N ⊕ s_N; broadcasts E''_pw(T_N)
- SK ← H_2(s_1 ⊕ s_2 ⊕ … ⊕ s_N)

31 An attack against the Dutta-Barua GPAKE protocol
- Problem: all flows are encrypted under the same key
- Attack
  - Let P_1 and P_2 be honest users; the attacker plays the role of P_3
  - The attacker waits for P_1 and P_2 to broadcast X_1* = E_pw(X_1) and X_2* = E_pw(X_2)
  - The attacker sets X_3* = X_1* (this implicitly sets x_3 = x_1) and broadcasts it
  - This causes K_1 = K_2 at P_2, hence Z_2 = 0
  - Hence T_2* = E_pw(0 || s_2): dictionary attack!

32 An attack against the Dutta-Barua GPAKE protocol (figure)
- P_1: s_1 ← $, x_1 ← Z_p, X_1 ← g^{x_1}; broadcasts E_pw(X_1)
- P_2: s_2 ← $, x_2 ← Z_p, X_2 ← g^{x_2}; broadcasts E_pw(X_2)
- P_3 (the attacker): re-broadcasts E_pw(X_1), which implicitly sets x_3 = x_1
- P_1: K_1 ← H(X_2^{x_1}), K_3 ← H(X_1^{x_1}), Z_1 ← K_1 ⊕ K_3, T_1 ← s_1; broadcasts E'_pw(Z_1 || T_1)
- P_2: K_2 ← H(X_1^{x_2}), K_1 ← H(X_1^{x_2}), Z_2 ← K_2 ⊕ K_1 = 0, T_2 ← s_2; broadcasts E'_pw(0 || T_2)
- Dictionary attack!!!

33 The Lee-Hwang-Lee GPAKE protocol [LHL04]
- Flow 1: each P_i picks x_i ← Z_p, computes X_i ← g^{x_i} and broadcasts E_pw(X_i)
- Flow 2: each P_i computes K_i ← H(X_{i+1}^{x_i}) and K_{i-1} ← H(X_{i-1}^{x_i}), Z_i ← K_i ⊕ K_{i-1}, and broadcasts Z_i
  - P_1: K_1 ← H(X_2^{x_1}), K_N ← H(X_N^{x_1}), Z_1 ← K_1 ⊕ K_N
  - P_N: K_N ← H(X_1^{x_N}), K_{N-1} ← H(X_{N-1}^{x_N}), Z_N ← K_N ⊕ K_{N-1}
- SK ← H(K_1 ⊕ K_2 ⊕ … ⊕ K_N)

34 An attack against the Lee-Hwang-Lee GPAKE protocol (figure)
- Two sessions run concurrently: P_1, P_2, P_3, P_4 and P'_1, P'_2, P'_3, P'_4
- P_1 computes X_1 ← g^{x_1} and broadcasts E_pw(X_1); P'_1 computes X'_1 ← g^{x'_1} and broadcasts E_pw(X'_1)
- The adversary interleaves these two flows across the parties of both sessions: the first session sees E_pw(X_1), E_pw(X'_1), E_pw(X_1), E_pw(X'_1) and the second session sees E_pw(X'_1), E_pw(X_1), E_pw(X'_1), E_pw(X_1)
- First session: K_1 = K_2 = K_3 = K_4 = H(X'_1^{x_1}), so Z_1 = Z_2 = Z_3 = Z_4 = 0 and SK ← H(K_1 ⊕ K_2 ⊕ K_3 ⊕ K_4)
- Second session: K'_1 = K'_2 = K'_3 = K'_4 = H(X_1^{x'_1}), so Z'_1 = Z'_2 = Z'_3 = Z'_4 = 0 and SK' ← H(K'_1 ⊕ K'_2 ⊕ K'_3 ⊕ K'_4)
- Since the four K values of each session are equal, their XOR is 0, so neither session key depends on the secret exponents

35 Outline
- Review of PAKE schemes
- History of GPAKE schemes
- A simple GPAKE protocol
- A generic GPAKE protocol
- Concluding remarks

36 A simple GPAKE protocol: intuition
- Add an extra flow of random nonces r_i at the beginning of each session: S = P_1 || r_1 || … || P_N || r_N
- Use a different encryption key for each user and session to avoid replaying of messages: pw_i = H(pw || S || i)
- Only encrypt the flow containing the values X_i, to avoid dictionary attacks
- Add an authentication flow to avoid malleability attacks: Auth_i = H'(S || X_1* || Z_1 || … || X_N* || Z_N || SK || i)

37 A simple GPAKE protocol: construction [ABCP06]
- Flow 1: each P_i picks r_i ← $ and broadcasts (P_i, r_i)
- Flow 2: each P_i picks x_i ← Z_p, computes X_i ← g^{x_i} and broadcasts E_{pw_i}(X_i)
- Flow 3: each P_i computes K_i ← X_{i+1}^{x_i} and K_{i-1} ← X_{i-1}^{x_i}, Z_i ← K_i / K_{i-1}, and broadcasts Z_i
  - P_1: K_1 ← X_2^{x_1}, K_N ← X_N^{x_1}, Z_1 ← K_1 / K_N
  - P_N: K_N ← X_1^{x_N}, K_{N-1} ← X_{N-1}^{x_N}, Z_N ← K_N / K_{N-1}
- SK ← K_1 ∘ K_2 ∘ … ∘ K_N
- Flow 4: each P_i broadcasts Auth_i
- Session Key ← H''(Transcript || SK)

38 A simple GPAKE protocol: security
- Theorem: If the DDH problem is hard, then the protocol described in the previous slide is a secure GPAKE protocol in the random-oracle and ideal-cipher models.
- Proof: see [ABCP06]
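The [ABCP06] construction of slides 36 and 37, built on the Burmester-Desmedt core of slide 22, run end to end as an added example that is not the paper's code. Its assumptions are constructed for the demo: the group is Z_P^* for the Mersenne prime P = 2^127 - 1 with generator 7 (a toy choice, not a DDH-hard prime-order group), the ideal cipher E_pw is replaced by XOR with a pad derived from pw_i, SHA-256 with domain labels stands in for H, H' and H'', and the party identifiers and passwords are made up. The function also returns the public Z_i so that the identity Z_1 ∘ … ∘ Z_N = 1 of slide 29 can be checked; here it is harmless because the Z_i are sent in the clear rather than under the password.

```python
import hashlib
import secrets

# Added example, not the slides' own code: a toy simulation of the simple GPAKE of
# slides 36-37 ([ABCP06]) on top of the Burmester-Desmedt exchange of slide 22.
# Constructed assumptions: the group is Z_P^* for the Mersenne prime P = 2^127 - 1
# with generator G = 7 (a toy choice, not a DDH-hard prime-order group), and the
# ideal cipher E_pw of the paper is replaced by XOR with a SHA-256-derived pad.
P = (1 << 127) - 1
G = 7


def H(*parts: bytes, label: bytes) -> bytes:
    """Domain-separated hash standing in for H, H' and H'' of the slides."""
    data = label + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hashlib.sha256(data).digest()


def enc(key: bytes, x: int) -> int:
    """Stand-in for E_key on 127-bit elements: XOR with a pad derived from the key.
    With a wrong key the result is still a 127-bit value, so (as with an ideal
    cipher over the group) decrypting alone reveals nothing about the key."""
    return x ^ (int.from_bytes(H(key, label=b"pad")[:16], "big") & P)


dec = enc  # XOR with the same pad undoes it


def run_gpake(passwords):
    """One session among N = len(passwords) parties; party i holds passwords[i].
    Returns (session_keys, auth_ok, Z): per-party session keys, whether every
    Auth_j tag verified at party i, and the public Z_i values."""
    n = len(passwords)
    ids = [f"P{i + 1}".encode() for i in range(n)]
    # Flow 1: nonces r_i, S = P_1 || r_1 || ... || P_N || r_N
    nonces = [secrets.token_bytes(16) for _ in range(n)]
    S = b"".join(ids[i] + nonces[i] for i in range(n))

    def pw_key(pw: str, i: int) -> bytes:  # pw_i = H(pw || S || i)
        return H(pw.encode(), S, ids[i], label=b"pw")

    # Flow 2: X_i = g^{x_i}, broadcast X_i* = E_{pw_i}(X_i)
    x = [secrets.randbelow(P - 2) + 1 for _ in range(n)]
    X_star = [enc(pw_key(passwords[i], i), pow(G, x[i], P)) for i in range(n)]
    # Flow 3: decrypt the neighbours' values, K_i = X_{i+1}^{x_i}, K_{i-1} = X_{i-1}^{x_i},
    # broadcast Z_i = K_i / K_{i-1} in the clear
    K_right, K_left, Z = [], [], []
    for i in range(n):
        nxt, prv = (i + 1) % n, (i - 1) % n
        K_right.append(pow(dec(pw_key(passwords[i], nxt), X_star[nxt]), x[i], P))
        K_left.append(pow(dec(pw_key(passwords[i], prv), X_star[prv]), x[i], P))
        Z.append(K_right[i] * pow(K_left[i], -1, P) % P)
    # Every party recovers K_1..K_N from its own K_i and the public Z_j (K_j = K_{j-1} * Z_j),
    # forms SK = K_1 * ... * K_N and computes Auth_j = H'(S || X_1* || Z_1 || ... || SK || j)
    flows = [v.to_bytes(16, "big") for pair in zip(X_star, Z) for v in pair]
    session_keys, auths = [], []
    for i in range(n):
        K = [None] * n
        K[i] = K_right[i]
        for step in range(1, n):
            j = (i + step) % n
            K[j] = K[(j - 1) % n] * Z[j] % P
        SK = 1
        for kj in K:
            SK = SK * kj % P
        sk_bytes = SK.to_bytes(16, "big")
        auths.append([H(S, *flows, sk_bytes, ids[j], label=b"auth") for j in range(n)])
        session_keys.append(H(S, *flows, sk_bytes, label=b"session"))  # H''(Transcript || SK)
    # Flow 4: party j broadcasts its own Auth_j; party i accepts if all tags match its view
    auth_ok = [all(auths[j][j] == auths[i][j] for j in range(n)) for i in range(n)]
    return session_keys, auth_ok, Z


def z_product(Z) -> int:
    """Z_1 * ... * Z_N, which is 1 in an honest BD run (the observation of slide 29)."""
    out = 1
    for z in Z:
        out = out * z % P
    return out


if __name__ == "__main__":
    keys, ok, Z = run_gpake(["hunter2"] * 4)          # constructed passwords
    print("honest run: all accept", all(ok), "one key", len(set(keys)) == 1, "prod Z == 1", z_product(Z) == 1)
    keys, ok, Z = run_gpake(["hunter2", "hunter2", "wr0ng", "hunter2"])
    print("one wrong password: all accept", all(ok))
```

Two things to take from the run: because each X_i is encrypted under a key bound to the session nonces and the user index, a flow captured in one session decrypts to nothing useful in another, which is the replay point of slide 36; and because the Z_i are public, the relation Z_1 ∘ … ∘ Z_N = 1 is visible to everyone but tests no password, unlike the all-flows-encrypted variant of slide 29.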

39 Outline
- Review of PAKE schemes
- History of GPAKE schemes
- A simple GPAKE protocol
- A generic GPAKE protocol
- Concluding remarks

40 A generic GPAKE protocol [ABGS07]: intuition
- Generate K_i using a (2-party) PAKE
  - Each user authenticates its neighbors
- Commit to Z_i before making it public
  - The commitment should be non-malleable
- Use the fact that Z_1 ∘ … ∘ Z_N = 1 for verification

41 A generic GPAKE protocol
- Each pair of neighbours (P_{i-1}, P_i) runs an AKE to obtain K_{i-1}; likewise (P_i, P_{i+1}) obtain K_i
- Each P_i computes Z_i ← K_i ⊕ K_{i-1} and broadcasts the commitment Com(Z_i || i; r_i) (P_{i-1}: Z_{i-1} ← K_{i-1} ⊕ K_{i-2}, Com(Z_{i-1} || i-1; r_{i-1}); P_{i+1}: Z_{i+1} ← K_{i+1} ⊕ K_i, Com(Z_{i+1} || i+1; r_{i+1}))
- Each P_i then opens its commitment by broadcasting (Z_i, r_i)
- SK ← UH(K_1, …, K_N, Transcript)
- Session Key ← F_SK(0)

42 Advantages of the generic construction
- Allows a modular design approach
- Transformation is reasonably efficient
- No ideal assumptions
  - Non-interactive non-malleable commitments
  - Family of collision-resistant pseudorandom functions [Katz-Shin 05]
  - Family of universal hash functions
- Simpler proof of security

43 Outline
- Review of PAKE schemes
- History of GPAKE schemes
- A simple GPAKE protocol
- A generic GPAKE protocol
- Concluding remarks

44 Recap
- Attacks against previous constructions [ABCP06]
- A simple construction in the IC and RO models [ABCP06]
- A generic GPAKE construction [ABGS07]
- The design of password-based protocols can be tricky
  - Small modifications to a protocol can make it insecure
  - The only way to be sure is to provide a security proof
- Password-based authenticated key exchange remains a very active area

45 Future directions
- More efficient constructions in the standard model
- Stronger security guarantees
  - Universal composability
  - Stronger corruption models
