Secure password-based cipher suite for TLS: The importance of end-to-end security Marie L.S. Dumont CS 265.


1 Secure password-based cipher suite for TLS: The importance of end-to-end security Marie L.S. Dumont CS 265

2 Why integration of DH-EKE in TLS?
- Case Study: Web Banking
  - Authentication, Confidentiality and Integrity
- Sending passwords on one-way authenticated SSL Channels
  - Heavy burden on the user
- SSL with Client Certification
  - Requires proper protection of client’s keys
- SSL Channels with DH-EKE passwords
  - Resistant to (offline) dictionary attack
  - Eliminates the requirement of a PKI

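3 Diffie-Hellman Encrypted Key Exchange (DH-EKE)
Client, Server (password pwd)
- Client: $x \in_R Z_{p-1}$
- Client → Server: $\hat{E}_{pwd}(h^x)$
- Server: $y \in_R Z_{p-1}$, $K_{mstr} \leftarrow (h^x)^y$, $C_1 \in_R \mathrm{domain}(E)$
- Server → Client: $\hat{E}_{pwd}(h^y)$, $E_{K_{mstr}}(C_1)$
- Client: $K_{mstr} \leftarrow (h^y)^x$, $C_2 \in_R \mathrm{domain}(E)$
- Client → Server: $E_{K_{mstr}}(C_1, C_2)$
- Server: verify response
- Server → Client: $E_{K_{mstr}}(C_2)$
- Client: verify response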

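4 Refined DH-EKE
Client (password pwd), Server (password pwd)
- Client: $x \in_R Z_{p-1}$, $K_{auth} = H_1(pwd, ID_C, ID_S)$
- Client → Server: $\hat{E}_{K_{auth}}(h^x)$
- Server: $y \in_R Z_q$, $K_{auth} = H_1(pwd, ID_C, ID_S)$
- Server: $K_{mstr} \leftarrow (h^x)^{y((p-1)/q)}$
- Server: $K_{conf} \leftarrow G_1(K_{mstr})$, $K_{sess} \leftarrow G_2(K_{mstr})$
- Server → Client: $g^y$, $MAC_{K_{conf}}(\text{“1”}, \hat{E}_{K_{auth}}(h^x), g^y)$
- Client: $K_{mstr} \leftarrow (g^y)^{x \pmod q}$
- Client: $K_{conf} \leftarrow G_1(K_{mstr})$, $K_{sess} \leftarrow G_2(K_{mstr})$
- Client: abort if MAC not OK
- Client → Server: $MAC_{K_{conf}}(\text{“2”}, \hat{E}_{K_{auth}}(h^x), g^y)$
- Server: abort if MAC not OK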
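Added example, not from the slides: the refined DH-EKE flow of slide 4 run end to end in Python, showing that matching passwords give both sides the same session key and a mismatch makes the key confirmation fail. The toy group (p = 2039, q = 1019, h = 7 generating all of Z_p^*, g = h^((p-1)/q)), the SHA-256 stand-ins for H_1, G_1, G_2 and the multiplicative-mask Ê are assumptions made for illustration, not secure parameters.

```python
import hashlib, hmac, secrets

# Constructed toy group (far too small for real use): p = 2q + 1.
P, Q = 2039, 1019
COF = (P - 1) // Q                 # cofactor (p-1)/q
H_GEN = 7                          # assumed: h generates all of Z_p^*
G_GEN = pow(H_GEN, COF, P)         # assumed: g = h^((p-1)/q), of order q

def prf(label, *parts):
    """Stand-in for the slides' H_i and G_i: SHA-256 over label and inputs."""
    data = "|".join([label, *map(str, parts)]).encode()
    return hashlib.sha256(data).digest()

def mask(k_auth):
    """Map K_auth to an element of Z_p^* (modulo bias ignored in this toy)."""
    return int.from_bytes(k_auth, "big") % (P - 1) + 1

def e_hat(k_auth, m):
    """Hypothetical E-hat: multiply by the mask, a permutation of Z_p^*."""
    return m * mask(k_auth) % P

def e_hat_inv(k_auth, c):
    return c * pow(mask(k_auth), -1, P) % P

def mac(k_mstr, tag, c, gy):
    k_conf = prf("G1", k_mstr)     # K_conf = G_1(K_mstr)
    return hmac.new(k_conf, f"{tag}|{c}|{gy}".encode(), hashlib.sha256).digest()

def run(client_pwd, server_pwd, id_c="client", id_s="server"):
    """One refined DH-EKE run; returns (client K_sess, server K_sess) or None."""
    # Client: x in Z_{p-1}, sends E-hat_Kauth(h^x).
    x = secrets.randbelow(P - 1)
    c = e_hat(prf("H1", client_pwd, id_c, id_s), pow(H_GEN, x, P))
    # Server: y in Z_q (nonzero here so the toy never gets g^y = 1).
    y = 1 + secrets.randbelow(Q - 1)
    hx = e_hat_inv(prf("H1", server_pwd, id_c, id_s), c)
    km_s = pow(hx, y * COF, P)     # K_mstr = (h^x)^(y((p-1)/q))
    gy = pow(G_GEN, y, P)
    mac1 = mac(km_s, "1", c, gy)
    # Client: K_mstr = (g^y)^(x mod q); abort if MAC "1" is wrong.
    km_c = pow(gy, x % Q, P)
    if not hmac.compare_digest(mac1, mac(km_c, "1", c, gy)):
        return None
    # Server: abort if MAC "2" is wrong.
    if not hmac.compare_digest(mac(km_c, "2", c, gy), mac(km_s, "2", c, gy)):
        return None
    return prf("G2", km_c), prf("G2", km_s)   # K_sess = G_2(K_mstr)
```

Because Ê here is a permutation of Z_p^* and h^x ranges over the whole group, decrypting the first message under any password guess yields a valid group element, so the ciphertext alone offers no offline check of a guess.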

5 Overview of TLS
- Client → Server: ClientHello
- Server → Client: ServerHello, Certificate*, ServerKeyExchange*, CertificateRequest*, ServerHelloDone
- Client → Server: Certificate*, ClientKeyExchange, CertificateVerify*, [ChangeCipherSpec], Finished
- Server → Client: [ChangeCipherSpec], Finished
- Client ↔ Server: Application Data

6 Integration of DH-EKE in TLS
Client (password pwd), Server ($v = (g^{*})^{K_{vrfy}}$, $K_{auth}$)
- Client → Server: ClientHello
- Server: choose $y, y' \in_R Z_q$
- Server → Client: ServerHello, ServerKeyExchange($g^y$, $(g^{*})^{y'}$), ServerHelloDone
- Client: derive $K_{auth}$ and $K_{vrfy}$ from pwd and choose $x \in_R Z_{p-1}$
- Client → Server: ClientKeyExchange($\hat{E}_{K_{auth}}(h^x)$)
- Server: calculate premaster secret $pms = H_3((h^x)^{y((p-1)/q)}, v^{y'})$
- Client: calculate premaster secret $pms = H_3((g^y)^{x \pmod q}, ((g^{*})^{y'})^{K_{vrfy}})$
- Client → Server: [ChangeCipherSpec], Finished($MAC_{G_3(pms)}(\hat{E}_{K_{auth}}(h^x), g^y, \ldots)$)
- Server: accept if Finished OK
- Server → Client: [ChangeCipherSpec], Finished($MAC_{G_4(pms)}(\hat{E}_{K_{auth}}(h^x), g^y, \ldots)$)
- Client: accept if Finished OK
- Client ↔ Server: Application Data

7 Notations
- $p, q$: Primes
- $g$: Generator in $Z_p$
- $h$: Generator in subgroup G of $Z_p$ with order q
- $x, y$: Secret exponent $\in_R Z_q$
- pwd: Password / weak secret
- $K_{auth}$: Key derived from password ($= H_1(pwd, ID_C, ID_S)$)
- $v$: Verifier derived from password via one-way function
- $E_{pwd}$: Symmetric encryption with password as shared key
- $MAC_k(\ldots)$: Message Authentication Code on … with key k
- $H_i$: Pseudo-random functions
- $G_i$: Key derivation functions
- $K_{mstr}$: Master key for a session
- $K_{conf}$: Handshake confirmation key
- $K_{sess}$: Session key

8 Conclusion
- Password-based protocols can be made secure
  - no (trusted) storage
  - minimal in infrastructure requirements
- Integration of DH-EKE in TLS
  - is as non-intrusive as possible
  - requires minimal number of flows
  - has competitive performance

