Presentation is loading. Please wait.

Presentation is loading. Please wait.

Strong Password Protocols

Published byHarry Terry Modified over 9 years ago

Similar presentations

Presentation on theme: "Strong Password Protocols"— Presentation transcript:

1 Strong Password Protocols
COEN 350 Strong Password Protocols

2 Strong Password Protocols
Password authentication over a network Transmit password in the clear. Open to password sniffing. Open to impersonation of server. Do Diffie-Hellman exchange to establish a secure key and an encrypted tunnel. Establish a SSL connection. Use trust anchors for mutual authentication of machines. Security depends on the security of the trust anchors.

3 Strong Password Protocols
Password authentication over a network Compute a hash of the password. Use the hash as a secret key in a challenge response scheme. Scheme: Alice to Bob: Login request Bob to Alice: Here is challenge R. Alice to Bob: f (hash(password),R) Open to dictionary attack by eavesdropper or someone impersonating Bob.

4 Strong Password Protocols
Password authentication over a network Use a one-time password Lamport Hash S/Key Use a strong password protocol Secure from dictionary attacks by impersonator or eavesdropper. Secure against impersonator on either side.

5 Lamport Hash Bob stores Password generation: Username Alice int n
hn(password), h – one way function Password generation: Alice chooses a password. Alice calculates hm(password) and sends it to Bob. Bob initializes the database entry.

6 Lamport Hash Protocol: Alice n hn-1(pwd) Bob Alice Bob checks:
Alice’s Workstation Alice password Bob checks: Is h(Alice’s answer) = hn(password). If yes, authenticate. Then replace n with n-1 and store hn-1(password)

7 Lamport’s Hash with Salting
To prevent password guessing, randomly generate a salt and store it at the server. Calculate hi(pwd,salt)

8 Lamport’s Hash Alice’s workstation needs to regenerate the scheme with a new password whenever n counts down to 1. There is no mutual authentication. Vulnerable to the “small n” attack.

9 Lamport’s Hash Mallory impersonates Bob.
Alice tries to log on to Bob, but talks to Mallory. Mallory sends a small n = n0. Mallory calculates hn(pwd), nn0. Mallory can now login.

10 S/Key Deployed version of Lamport hash. RFC 1938

11 Encrypted key exchange
Alice has a “weak” password pswd. Bob stores a hash W = h(pswd) of the password. Alice’s workstation knows how to calculate W on the fly, once Alice types in her password. Use W in a way that does not give any hints on W.

12 Encrypted key exchange
Alice Bob Alice and Bob share a weak secret W = h(password) Alice chooses a random number a. Bob chooses a random b and a challenge C1. He sends W {gb, C1} She sends: Alice, W{ga} Bob encrypts this message and finds that Alice has solved his challenge C 1. Finally, Bob authenticates himself to Alice. He proves his knowledge of W by his knowledge of K, which he proves by being able to correctly encrypt Alice’s challenge C2. He sends K {C2 } to Alice. Both Bob and Alice use their knowledge of W to encrypt their mutual messages. They both calculate K = gab. Alice then proves her knowledge of W by her ability to calculate K. She also picks a challenge C2 and sends K { C1, C2 } to Bob.

13 Encrypted key exchange
EKE: Diffie-Hellman exchange with encryption. W hash of password. (Bob stores it, Alice can recalculate it). p Modulus. All calculation are based on it. Alice: "Alice", EW(ga) Bob: EW(gb), Challenge CBob At this point, both Alice and Bob calculate K = gab EK(CAlice, CBob) EK(CAlice)

14 EKE: Encrypted Key Exchange
Secure against eavesdropper because all data are undistinguishable from random numbers. Eavesdropper cannot decide whether the ga, gb are the correct decryption. Secure against impersonation: If treacherous Trudy impersonates Bob, she guesses a single value W in the first exchange. See the definition again.

15 Encrypted key exchange
EKE: Diffie-Hellman exchange with encryption. W hash of password. (Bob stores it, Alice can recalculate it). Alice: "Alice", EW(ga) Bob: EW(gb), Challenge CBob At this point, both Alice and Bob calculate K = gab EK(CAlice, CBob) EK(CAlice)

16 SPEKE: Simple Password Exponential Key Exchange
Use W in place of g in the Diffie Hellman exchange. Alice: "Alice", Wa Bob: Wb, Challenge CBob At this point, both Alice and Bob calculate K = Wab EK(CAlice, CBob) EK(CAlice)

17 PDM: Password Derived Moduli
PDM uses modulus p that is a function of the password and uses 2 for g in Diffie Hellman. Alice: "Alice", EW(2a mod p) Bob: EW(2b mod p), Challenge CBob At this point, both Alice and Bob calculate K = 2ab EK(CAlice, CBob) EK(CAlice)

18 Strong Passwords: EKE A bad implementation of EKE allows an eavesdropper to exclude passwords. Assume that we calculate in the field of number modulo p, p a prime. Then ga and gb are both m bit numbers smaller than p. Attacker maintains a dictionary of possible passwords and observes many authentication rounds. If W is in the dictionary, he encrypts Alice’s round 1 message M. If W -1{M } > p, then attacker excludes W. Chance of excluding a false password W is 2m – p / p. If this chance is about 80%, then 50 rounds determine the password out of a normal dictionary. Nr of Exchanges Chance of false password surviving % % % % % %

19 Augmented Strong Password Protocols
If someone knows W in EKE, they can impersonate Alice. Augmented Protocols Trudy can steal Bob’s database Trudy can do a dictionary attack. If the dictionary attack is unsuccessful, then she cannot impersonate Alice. Knowledge of W is not enough.

20 Augmented EKE Bob stores “Alice, p, gW mod p” Alice: "Alice", ga mod p
Bob: gb + gW mod p, u, Challenge CBob At this point, both Alice and Bob calculate K = gb(a+uW) mod p Alice: EK(CBob), CAlice Bob: EK(CAlice)

21 Strong Passwords Augmented PDM Server Information Creation Bob stores:
Alice has password pssw Alice sends to Bob p = f (pssw) [this is a prime] W = hash (pssw) [one-way hash] Bob stores: Alice, p, W,

22 Strong Passwords: Augmented PDM
Bob chooses a random number b. Bob calculates 2b mod p. Bob sends 2b, hash1 (2ab mod p , 2bW mod p) to Alice Alice creates random number a. She recomputes W and p from her password. Alice a mod p Bob Alice knows that Bob is Bob because Bob proves that he knows 2bW. Alice now sends hash2 (2ab mod p , 2bW mod p) Bob knows that Alice is Alice because she proves to him that she knows W. If Alice had just broken into the server, she would have to calculate 2bW from 2W mod p.

23 Augmented PDM Bob stores Alice, p, 2w mod p and picks b
Alice computes p and W=hash(passwd) from the password and picks a. Alice: "Alice", (2a mod p) Bob: (2b), Hash1(2ab mod p, 2bW mod p) Alice: Hash2(2ab mod p, 2bW mod p)

24 Strong Passwords Secure Remote Password RFC 2945
Bob stores {Alice, gW mod p}, where W = f (passwd).

25 Strong Passwords SRP Alice creates random a and sends ga to Bob.
Bob creates random b, challenge CBOB and 32b number u. Bob sends gb + gW mod p, u, CBOB to Alice. Both calculate K = g b(a+uW) mod p. Alice sends K {CBob}, CAlice to Bob. Bob sends K {CAlice} to Bob.

Download ppt "Strong Password Protocols"

Similar presentations

Diffie-Hellman Diffie-Hellman is a public key distribution scheme First public-key type scheme, proposed in 1976.

Diffie-Hellman Diffie-Hellman is a public key distribution scheme First public-key type scheme, proposed in 1976.
1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.

1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.
1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
COS 461 Fall 1997 Todays Lecture u intro to security in networking –confidentiality –integrity –authentication –authorization u orientation for assignment.

COS 461 Fall 1997 Todays Lecture u intro to security in networking –confidentiality –integrity –authentication –authorization u orientation for assignment.
CSC 474 Information Systems Security

CSC 474 Information Systems Security
Handshake Protocols COEN 350. Simple Protocol Alice: Hi, I am Alice. My password is “fiddlesticks”. Bob: Welcome, Alice.

Handshake Protocols COEN 350. Simple Protocol Alice: Hi, I am Alice. My password is “fiddlesticks”. Bob: Welcome, Alice.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
Password-based Credentials Download Protocols Radia Perlman

Password-based Credentials Download Protocols Radia Perlman
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.

 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Public Key Algorithms …….. RAIT M. Chatterjee.

Public Key Algorithms …….. RAIT M. Chatterjee.
Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Similar presentations

Ads by Google