National Tsing Hua University, Department of Computer Science, Information Security Laboratory. Dr. Hung-Min Sun (孫宏民). Phone: 03-5742968. Authenticated Key Exchange Protocols.


1 Authenticated Key Exchange Protocols. Dr. Hung-Min Sun (孫宏民), Information Security Laboratory, Department of Computer Science, National Tsing Hua University. hmsun@cs.nthu.edu.tw, Phone: 03-5742968

2 Cryptographic System

3 Symmetric Cryptosystem
- Stream Cipher
- DES (1977)
- IDEA (1992)
- RC5 (1994)
- Skipjack (1993)
- AES (2001)

4 Symmetric Cryptosystem
Security services: confidentiality, authentication, integrity.
Advantage: high speed.
Disadvantages: the two parties need some way to obtain a common secret key; the number of secret keys grows quickly (one per pair of users, n(n-1)/2 keys for n users); it cannot provide nonrepudiation, because both parties hold the same key.

5 Asymmetric Cryptosystem
- RSA (1978)
- ElGamal (1984)
- McEliece (1978)
- Knapsack (1978)
- Elliptic Curve

6 Asymmetric Cryptosystem
Security services: confidentiality, integrity, authentication (by signature), nonrepudiation (by signature).
Advantage: one key pair per user.
Disadvantages: slow; the public key needs to be authenticated by a CA.

7 One-way hash function
Input: X (unlimited length). Output: Y = H(X) (fixed length, e.g., 160 bits).
- Given X, it is easy to compute Y.
- Given Y and H(), it is computationally infeasible to find an X with H(X) = Y (preimage resistance).
- Given X and Y, it is computationally infeasible to find X' != X such that H(X') = Y (second-preimage resistance).

8 Digital Signature
Signer A: Signature Generation with the private key on message M, producing signature S. Verifier B: Signature Verification with the public key on (M, S), giving True or False.

9 Digital Signature
Hash functions: SHA, MD5, FFT-Hash, Snefru, N-Hash. Signature functions: RSA, DSA, ElGamal, Elliptic Curve, LUC.
Flow: M -> h(M) -> S (the signature is computed over the hash); the signer sends (M, S) and the verifier recomputes h(M) and checks S against it.

10 Digital Envelope (1): the message M is encrypted under a fresh symmetric key, and that symmetric key is encrypted under the recipient's public key.

11 Digital Envelope (2)

12 Secure Communication between Client and Server
Using a symmetric cryptosystem: each client and the server share a common secret key K.
Client -> Server: ID, E_K(M)
Server -> Client: E_K(M')
Disadvantages: 1. the secret key must be strong; 2. if the secret key is revealed, all past messages are revealed as well (no forward secrecy).

13 Secure Communication between Client and Server
Using an asymmetric cryptosystem: use Digital Envelope (2) to send a session key.
Disadvantages: 1. public keys need to be authenticated by a CA; 2. the private key must be strong; 3. if the server's private key is revealed, all past messages (whose session keys were enveloped under it) are revealed as well.

14 Authentication in general
Based on one or more of: something a user has (smart card / token card); something a user is (fingerprint / voiceprint / retinal scan); something a user knows (password / short secret).
What is a popular user authentication system based on three of these?

15 Secure Password Authentication
Remote user access. Goal: secure without requiring the user to carry or remember anything except a password.
Remote client -> firewall-protected domain: VPN traffic (authenticated using the password).

16 Dictionary Attacks (Password Guessing Attacks)
- An off-line, brute-force guessing attack: the attacker records protocol messages from the network and then tests password guesses against them without any further interaction with the server.
- The attacker usually has a "dictionary" of commonly used passwords to try.
- People pick easily remembered passwords, and "easy to remember" is also "easy to guess".

17 Passwords in the Real World
Entropy is less than most people think.
- Dictionary words, e.g. "pudding", "plan9": entropy 20 bits or less.
- Word pairs or phrases, e.g. "hate2die": represents average password quality; entropy around 30 bits.
- Random printable text, e.g. "nDz2\u>O": entropy slightly over 50 bits.

18 Password-based protocols
Telnet and FTP are insecure: Client -> Server: ID, Password (sent in the clear).
Sending a hash instead, Client -> Server: ID, h(Password), does not help: the hash is a fixed value that an eavesdropper can replay, and it can be tested against a dictionary off-line.

19 Password-based Protocol with Challenge
Client -> Server: ID
Server -> Client: Cha
Client -> Server: h(Cha, Password)
Insecure against dictionary attacks: an eavesdropper who records Cha and h(Cha, Password) can test every guess off-line by recomputing the hash, and no guess ever has to touch the server.
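The off-line attack on slides 18 and 19, as an added example that is not part of the original slides: one honest run of the challenge-response protocol produces the transcript (Cha, h(Cha, Password)), and the attacker then tests a constructed wordlist against it locally. SHA-256 stands in for the unspecified h(), and the wordlist is made up for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed attacker wordlist (the "dictionary" of slide 16), not real data.
WORDLIST = ["123456", "password", "pudding", "plan9", "hate2die", "letmein"]


def hashed_password(password: str) -> bytes:
    """Slide 18 variant: the client sends h(Password) instead of the password."""
    return hashlib.sha256(password.encode()).digest()


def response(challenge: bytes, password: str) -> bytes:
    """Client's reply in the slide-19 protocol: h(Cha, Password)."""
    return hashlib.sha256(challenge + b"|" + password.encode()).digest()


def server_check(challenge: bytes, reply: bytes, stored_password: str) -> bool:
    """Server recomputes h(Cha, Password) from the password it stores."""
    return hmac.compare_digest(reply, response(challenge, stored_password))


def run_protocol(password: str):
    """One honest run. Returns exactly what an eavesdropper records:
    the challenge Cha and the response h(Cha, Password)."""
    cha = secrets.token_bytes(16)
    reply = response(cha, password)
    assert server_check(cha, reply, password)
    return cha, reply


def offline_dictionary_attack(transcript, wordlist):
    """Test every guess against the recorded transcript. No further contact
    with the server is needed, so nothing is logged, throttled or locked out."""
    cha, reply = transcript
    for guess in wordlist:
        if response(cha, guess) == reply:
            return guess
    return None


def offline_attack_on_hashed_password(hashed: bytes, wordlist):
    """Slide 18: h(Password) is no better than the password itself; besides
    being replayable as-is, it can be tested off-line the same way."""
    for guess in wordlist:
        if hashed_password(guess) == hashed:
            return guess
    return None
```

A password that is not in the wordlist survives this particular attacker, but only because of its entropy (slide 17), not because of anything the protocol does; the protocol hands the attacker a free oracle for every guess.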

20 We need a password-based authentication protocol which is secure against dictionary attacks.

21 Secure Communication between Client and Server
What to do after authentication? We need a common session key to protect our communication. Diffie-Hellman key agreement lets two parties share a common session key.

22 Diffie-Hellman Key Agreement
Goal: let two parties share a common session key. p: large prime, g: generator.
Client -> Server: g^Ra mod p
Server -> Client: g^Rb mod p
Client: K = (g^Rb)^Ra mod p. Server: K = (g^Ra)^Rb mod p.

23 Man-in-the-middle attack

24 Diffie-Hellman Key Agreement
Diffie-Hellman key agreement is vulnerable to the man-in-the-middle attack; it does not provide authentication.
How about Diffie-Hellman key agreement using long-term public keys? Problems: (1) it does not provide forward secrecy, (2) a public key is hard to remember (it is not a password).
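The exchange of slide 22 and the man-in-the-middle attack of slides 23 and 24, as an added example that is not part of the original slides. The group is a toy assumption for the demo (p = 2^127 - 1, which is prime, with g = 3); a real deployment uses a standardized group of 2048 bits or more. The point of mitm_exchange is that nothing in the exchange ties g^Ra to the client or g^Rb to the server, so Mallory can substitute both values and end up holding one key with each side.

```python
import hashlib
import secrets

# Toy group, assumed for the demo: 2**127 - 1 is prime (M127), g = 3.
# Real deployments use a standardized group of 2048 bits or more.
P = 2**127 - 1
G = 3


def keypair():
    """Ephemeral private exponent R and the public value g^R mod p."""
    r = secrets.randbelow(P - 2) + 1
    return r, pow(G, r, P)


def shared_key(my_private: int, their_public: int) -> bytes:
    """K = (g^R_other)^R_mine mod p, hashed down to a session key."""
    if not 1 < their_public < P - 1:      # reject 0, 1 and p-1 (trivial subgroups)
        raise ValueError("bad public value")
    k = pow(their_public, my_private, P)
    return hashlib.sha256(k.to_bytes(16, "big")).digest()


def honest_exchange():
    """Slide 22: both sides derive the same key."""
    ra, A = keypair()          # client sends A = g^Ra
    rb, B = keypair()          # server sends B = g^Rb
    return shared_key(ra, B), shared_key(rb, A)


def mitm_exchange():
    """Slide 23: Mallory replaces both public values in transit. Returns
    (client_key, server_key, mallory_key_with_client, mallory_key_with_server).
    Client and server each share a key with Mallory rather than with each other,
    so Mallory can decrypt, read and re-encrypt everything between them."""
    ra, A = keypair()          # client's real g^Ra
    rb, B = keypair()          # server's real g^Rb
    m1, M1 = keypair()         # what Mallory forwards to the server instead of A
    m2, M2 = keypair()         # what Mallory forwards to the client instead of B
    client_key = shared_key(ra, M2)     # client believes M2 came from the server
    server_key = shared_key(rb, M1)     # server believes M1 came from the client
    return client_key, server_key, shared_key(m2, A), shared_key(m1, B)
```

Neither side can detect the substitution from the exchange alone: the values they receive are valid group elements, and the key each derives is "correct" for the peer it is actually talking to. That is exactly the authentication gap the password-based protocols in the following slides are meant to close.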

25 Forward Secrecy
Prevents one compromise from causing further damage.
Compromising X should not compromise Y:
- current password -> future passwords
- old password -> current password
- current password -> current or past session keys
- current session key -> current password

26 Research Goal
To design a user authentication and key agreement protocol via password. The protocol must satisfy the following requirements: 1. based on the password only; 2. the password may be weak; 3. secure against the dictionary attack; 4. provides perfect forward secrecy.

27 Encrypted Key Exchange (EKE) [Bellovin and Merritt, 1992]
Two parties share a common password P. EKE can withstand dictionary attacks.
Client: generates an ephemeral encrypt/decrypt key pair and sends the public key encrypted under P. Server: generates a session key R and returns it encrypted under that ephemeral public key and P. Key confirmation under R:
Client -> Server: R(Cha)
Server -> Client: R(Cha || Chb)
Client -> Server: R(Chb)

28 DHEKE [Bellovin and Merritt, 1992]: the Diffie-Hellman variant of EKE. The values g^Ra mod p and g^Rb mod p are exchanged encrypted under the password, so the session key K = g^(Ra Rb) mod p has forward secrecy, and an eavesdropper has nothing to test a password guess against.
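A DH-EKE run with key confirmation, as an added example that is not part of the original slides. Two simplifications are assumptions of this demo and not the cited paper's construction: the group is the toy prime p = 2^127 - 1 with g = 3, and "encryption under the password" is an additive mask over Z_p derived from the password with SHA-256 (Bellovin and Merritt use a block cipher keyed by the password). The property that matters survives the simplification: offline_candidates shows that decrypting a recorded ciphertext under every guess yields one plausible group element per guess, so the eavesdropper cannot rule any of them out, while run_dheke with mismatched passwords shows that an on-line guess costs a full detectable protocol run.

```python
import hashlib
import hmac
import secrets

# Toy group, assumed for the demo (2**127 - 1 is prime); use >= 2048-bit groups in practice.
P = 2**127 - 1
G = 3
# Constructed attacker wordlist, not real data.
WORDLIST = ["123456", "password", "pudding", "plan9", "hate2die", "letmein"]


def mask(password: str, direction: bytes) -> int:
    """Password-derived mask in Z_p (demo simplification of the password-keyed
    cipher in the EKE paper). 'direction' separates the two messages."""
    d = hashlib.sha256(direction + b"|" + password.encode()).digest()
    return int.from_bytes(d, "big") % P


def encrypt(value: int, password: str, direction: bytes) -> int:
    """E_P(value): every password maps the ciphertext back to *some* element of Z_p."""
    return (value + mask(password, direction)) % P


def decrypt(ct: int, password: str, direction: bytes) -> int:
    return (ct - mask(password, direction)) % P


def session_key(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def run_dheke(client_pw: str, server_pw: str):
    """One DH-EKE run. Returns (confirmation_ok, transcript); the transcript is
    what an eavesdropper records."""
    ra = secrets.randbelow(P - 2) + 1
    rb = secrets.randbelow(P - 2) + 1
    ct_a = encrypt(pow(G, ra, P), client_pw, b"client")     # Client -> Server: E_P(g^Ra)
    ct_b = encrypt(pow(G, rb, P), server_pw, b"server")     # Server -> Client: E_P(g^Rb)
    k_server = session_key(pow(decrypt(ct_a, server_pw, b"client"), rb, P))
    k_client = session_key(pow(decrypt(ct_b, client_pw, b"server"), ra, P))
    # Key confirmation (stands in for the R(Cha)/R(Chb) challenges of slide 27):
    # a wrong password on either side yields different keys and a failed tag.
    tag = hmac.new(k_server, b"server-confirm", hashlib.sha256).digest()
    expected = hmac.new(k_client, b"server-confirm", hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected), (ct_a, ct_b)


def offline_candidates(ct: int, direction: bytes, wordlist):
    """What the eavesdropper gets from one recorded ciphertext: one group element
    per guess, all equally plausible, so no guess can be eliminated off-line.
    (The residual leak is the 1/p chance that a wrong guess decrypts to 0 or
    another non-element, which is why the EKE paper chooses the group with care.)"""
    return [decrypt(ct, guess, direction) for guess in wordlist]
```

Contrast this with the slide-19 transcript: there the attacker held h(Cha, Password) and could check each guess against it; here each guess produces a candidate g^Ra that is indistinguishable from any other random element, and the only way to test it is to complete a run with the live server, which the server can count and throttle.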

29 Three-Party Key Exchange Protocol
Each client shares an easy-to-remember password with the server. The protocol establishes secure communication between two clients with the help of the server. Applications: e.g., ICQ, or mobile users.

30 STW-3PEKE [Steiner, Tsudik, and Waidner, 1995] (message flow between A, S and B)

31 Undetectable On-line guessing attack (I) [Ding and Horster, 1995] (message flow between A, S and B; attacker steps: record, guess, get)

32 Undetectable On-line guessing attack (II) [Ding and Horster, 1995] (message flow between S and B; attacker steps: guess, compute)

33 Off-line Guessing Attack on STW-3PEKE [Lin, Sun, and Hwang, 2000] (message flow between A, S and B)

34 LSH-3PEKE (with server's public key) [Lin, Sun, and Hwang, 2000] (message flow between A, S and B)

35 LSSH-3PEKE (without server's public key) [Lin, Sun, Steiner, and Hwang, 2001] (message flow between A, S and B)

36 Performance Comparison

37 Conclusions
Password authentication and key agreement protocols are widely used, e.g. electronic commerce, electronic stock trading. Two-party protocols suit the client/server environment, e.g. Telnet, FTP. Three-party protocols suit the single-server, multiple-client environment: any two clients can authenticate each other and establish secure communication.

38 MQV (key agreement between A and B)

39 Plaintext-Equivalent Protocols
- EKE, Bellovin & Merritt, 1992
- "Secret public-key", Gong, Lomas, Needham, Saltzer, 1993
- SPEKE, Jablon, 1996
- OKE, Lucks, 1997

40 Verifier-based Protocols
- A-EKE, Bellovin & Merritt, 1994
- B-SPEKE, Jablon, 1997
- SRP, Wu, 1997
- GXY, SNAPI-X, AuthA, and PAK-X

41 Verifier-based Protocol
- The server does not store the plain password (or any password-equivalent value) directly.
- Instead, the server stores a verifier derived from the password through a one-way computation.
- This gives a higher security level: even an attacker who compromises the server still has to run a dictionary attack against each verifier to recover a password.
- Furthermore, a verifier-based protocol withstands the stolen-verifier attack: possession of the verifier alone does not let the attacker impersonate the client.
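A verifier-based login, as an added example that is not part of the original slides, using the SRP-6a message flow (SRP is listed on slide 40). The group is a toy assumption for the demo (N = 2^127 - 1, g = 3; real deployments use the RFC 5054 groups), and the hash is SHA-256. The server stores only (salt, v = g^x mod N); run_srp shows that the client side of the computation needs x, and therefore the password, while the server side needs only v, and dictionary_attack_on_verifier shows what an attacker holding a stolen verifier is reduced to: one salted exponentiation per guess, per user.

```python
import hashlib
import secrets

# Toy parameters, assumed for the demo: N = 2**127 - 1 is prime, g = 3.
# Real SRP deployments use the RFC 5054 groups (2048 bits and up).
N = 2**127 - 1
G = 3
NBYTES = (N.bit_length() + 7) // 8
# Constructed attacker wordlist, not real data.
WORDLIST = ["123456", "password", "pudding", "plan9", "hate2die", "letmein"]


def hb(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def hi(*ints: int) -> int:
    """Hash of integers, each left-padded to the size of N, as SRP-6a specifies."""
    return int.from_bytes(hb(*(i.to_bytes(NBYTES, "big") for i in ints)), "big")


K_MULT = hi(N, G) % N          # k = H(N, g)


def private_x(identity: str, password: str, salt: bytes) -> int:
    """x = H(salt, H(I ":" P)); only the client can compute this."""
    return int.from_bytes(hb(salt, hb(f"{identity}:{password}".encode())), "big")


def register(identity: str, password: str):
    """Enrolment. The server stores (identity, salt, v) and never sees the password."""
    salt = secrets.token_bytes(16)
    v = pow(G, private_x(identity, password, salt), N)
    return salt, v


def run_srp(identity: str, client_password: str, salt: bytes, v: int):
    """One SRP-6a login. Returns (client_key, server_key); they agree only when
    the client's password matches the verifier the server stored."""
    a = secrets.randbelow(N - 2) + 2
    A = pow(G, a, N)                                   # Client -> Server: I, A
    b = secrets.randbelow(N - 2) + 2
    B = (K_MULT * v + pow(G, b, N)) % N                # Server -> Client: salt, B
    if A % N == 0 or B % N == 0:                       # mandatory degenerate-value checks
        raise ValueError("degenerate public value")
    u = hi(A, B)
    if u == 0:
        raise ValueError("u must be non-zero")
    # Client: S = (B - k g^x)^(a + u x) mod N, which requires x, i.e. the password.
    x = private_x(identity, client_password, salt)
    s_client = pow((B - K_MULT * pow(G, x, N)) % N, a + u * x, N)
    # Server: S = (A v^u)^b mod N, which requires only the stored verifier.
    s_server = pow((A * pow(v, u, N)) % N, b, N)
    return hb(s_client.to_bytes(NBYTES, "big")), hb(s_server.to_bytes(NBYTES, "big"))


def dictionary_attack_on_verifier(identity: str, salt: bytes, v: int, wordlist):
    """Slide 41: a stolen (salt, v) does not let the attacker log in, since the
    client computation needs x. All that remains is a per-user dictionary attack,
    one exponentiation per guess, which the salt prevents from being precomputed."""
    for guess in wordlist:
        if pow(G, private_x(identity, guess, salt), N) == v:
            return guess
    return None
```

The algebra behind the shared secret: B - k g^x = g^b, so the client computes (g^b)^(a + ux) = g^(ab) g^(bux), and the server computes (g^a g^(xu))^b, the same value. Compare this with the plaintext-equivalent protocols of slide 39, where whatever the server stores is enough to impersonate the client outright.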

42 References
1. S. Bellovin and M. Merritt, 1992, "Encrypted Key Exchange: Password-based Protocols Secure against Dictionary Attacks," Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland.
2. M. Steiner, G. Tsudik, and M. Waidner, 1995, "Refinement and Extension of Encrypted Key Exchange," ACM Operating Systems Review, Vol. 29, Issue 3, pp. 22-30.
3. Y. Ding and P. Horster, 1995, "Undetectable On-line Password Guessing Attacks," Technical Report TR-95-13-F, July.
4. C. L. Lin, H. M. Sun, and T. Hwang, 2001, "Efficient and Practical DHEKE Protocols," ACM Operating Systems Review, Vol. 35, No. 1, pp. 41-47.
5. C. L. Lin, H. M. Sun, M. Steiner, and T. Hwang, 2001, "Three-party Encrypted Key Exchange Without Server Public-Keys," IEEE Communications Letters, Vol. 5, No. 12, pp. 497-499.

