Presentation is loading. Please wait.

Presentation is loading. Please wait.

Password Mistyping in Two-Factor Authenticated Key Exchange Vladimir KolesnikovCharles Rackoff Bell LabsU. Toronto ICALP 2008.

Published byHillary Montgomery Modified over 9 years ago

Similar presentations

Presentation on theme: "Password Mistyping in Two-Factor Authenticated Key Exchange Vladimir KolesnikovCharles Rackoff Bell LabsU. Toronto ICALP 2008."— Presentation transcript:

1 Password Mistyping in Two-Factor Authenticated Key Exchange Vladimir KolesnikovCharles Rackoff Bell LabsU. Toronto ICALP 2008

2 All Rights Reserved © Alcatel-Lucent 2007,2008 2 | Mistyping in KE | July 2008 Program Key Exchange Intro Base Framework of [KR06] Our definitions “Proof” of goodness of definitions Protocol

3 All Rights Reserved © Alcatel-Lucent 2007,2008 3 | Mistyping in KE | July 2008 Communication Setting Insecure network … Full Control

4 All Rights Reserved © Alcatel-Lucent 2007,2008 4 | Mistyping in KE | July 2008 Secure Communication from Shared Random Key Trusted Party k 2 R D K k 2 2 R D K Trusted Party Simple Very efficient

5 All Rights Reserved © Alcatel-Lucent 2007,2008 5 | Mistyping in KE | July 2008 Key Exchange (KE) A protocol between two parties  Both output (the same) randomly chosen k 2 D K Security Adv does not know anything about k even if it sees all other exchanged keys Adv cannot mismatch players  If Alice instance ``thinks’’ she exchanged a key with Bob, then at most one instance of “Bob talking to Alice” may have the same key  Players must have secret credentials

6 All Rights Reserved © Alcatel-Lucent 2007,2008 6 | Mistyping in KE | July 2008 Defining KE Large amount of prior work An intuitive notion, but hard to define We want our definition to:  Be intuitive and easy to use  Reject “bad” protocols (allow powerful adversaries)  Accept “good” protocols (avoid unnecessary restrictions) Our adversary is the protocol designer He creates bad protocols which pass our criteria

7 All Rights Reserved © Alcatel-Lucent 2007,2008 7 | Mistyping in KE | July 2008 Related work UC-composable PAKE (Canetti Halevi Katz Lindell MacKenzie 05)  Consider pure password setting  Mistyping is handled by letting the environment type the password

8 All Rights Reserved © Alcatel-Lucent 2007,2008 8 | Mistyping in KE | July 2008 The combined keys setting Asymmetric – Server (e.g. Bank) and Clients Large secure storage of credentials Key on storage card can be lost or stolen Memorized password low entropy guessing attack possible Password can be mistyped

9 All Rights Reserved © Alcatel-Lucent 2007,2008 9 | Mistyping in KE | July 2008 Defining KE with mistyping Base on our previous game-based definition [KR06] Consider several natural extensions (don’t work) Modifications that work “Proof of security” of the definition

10 All Rights Reserved © Alcatel-Lucent 2007,2008 10 | Mistyping in KE | July 2008 KE Definition Plays the game: challenge a completed honest player Challenge: Present either a key or a random string Adversary guesses which Should not do too well Definition is mainly about precise description of Adv’s powers in the game (creation of players, instances, opening them, etc.)

11 All Rights Reserved © Alcatel-Lucent 2007,2008 11 | Mistyping in KE | July 2008 Defining KE with mistyping In [KR06], define several games which model parts of the setting (e.g. card compromised or not). When card is not compromised, not too hard to handle mistyping. Adv can be very powerful – the protocols still withstand because of strong keys. E.g. Adv can even know pwd. Interesting part is when card is compromised. This is approx. the HK setting:  C has public key of S and a shared password.

12 All Rights Reserved © Alcatel-Lucent 2007,2008 12 | Mistyping in KE | July 2008 Defining KE with mistyping In [KR06], definition mimics the real world. C and S instantiated with proper credentials  Adv learns of each P ? output by S.  This is essentially a password try, so Adv is charged for each P ?.  Adv is allowed q P ? ’s. He cannot win more often than Does not handle mistyping:  can leak long key if P ? occurred. (C never mistypes. To cause P ?, Adv needs long key, so OK to leak it)

13 All Rights Reserved © Alcatel-Lucent 2007,2008 13 | Mistyping in KE | July 2008 Mimicking mistyping in the games Idea Ok, allow to mistype: -Allow Adv to specify pwd inputs to the C instances in the game -Allow Adv to specify a mistyping function

14 All Rights Reserved © Alcatel-Lucent 2007,2008 14 | Mistyping in KE | July 2008 Mimicking mistyping in the games More interestingly: But what if “repeated password attempts” by game Adv? He is being stupid -- these are wasted attempts. He “gets behind in the game”. So protocol can “do something funny” on repeated attempts, to allow game Adv to catch up, and still be secure. E.g. leak if pwd = 000..0. This protocol is clearly insecure.

15 All Rights Reserved © Alcatel-Lucent 2007,2008 15 | Mistyping in KE | July 2008 Player’s knowledge of global state Definition simplification: Instances don’t have “side channels” among themselves. They don’t “know”, e.g. how many password failures previously occurred. Due to pk S, instances of S can have private communication with each other via Adv:  S 1 encrypts and signs the message  Adv delivers the message to S 2  m 1 = “I’ve seen a password failure P ? ”  m 2 = “There have been at least 2 P ? ” m 3 = “The sequence of events e 1,… e n has occurred”  Bad  can exhibit badness only if a global sequence of events occurred.

16 All Rights Reserved © Alcatel-Lucent 2007,2008 16 | Mistyping in KE | July 2008 Mimicking mistyping in the games Mimicking does not seem to work!

17 All Rights Reserved © Alcatel-Lucent 2007,2008 17 | Mistyping in KE | July 2008 Do not mimic mistyping directly Idea: allow Adv to run free mistyped executions. Don’t need to substitute input in honest instances.  Only amendment: In case of P ? :  Do not notify Adv  Do not charge Adv  Allow Adv to check for P ?, but risk the charge, as before This is a good definition

18 All Rights Reserved © Alcatel-Lucent 2007,2008 18 | Mistyping in KE | July 2008 How to “prove” this definition First definition in the setting – cannot show equivalence Could give a definition in the simulation or UC model and then show relationship (future work) Instead, reduce to definition of [KR06]: We prove: if  is secure, KE Adv cannot distinguish between two executions: 1. Adv mistypes C’s inputs adaptively at will 2. C’s are instantiated with their passwords I.e. what is leaked due to mistyping is also leaked without mistyping. If [KR06] is good, then our def. is also good: Suppose  is “bad”, and leaks smth. due to mistyping. Then same is leaked without mistyping. Then  is bad by [KR06]. Then  is bad by our def.

19 All Rights Reserved © Alcatel-Lucent 2007,2008 19 | Mistyping in KE | July 2008 How to “prove” this definition (cont.) Prove Adv cannot distinguish between two executions: 1. Adv mistypes C’s inputs at will 2. C’s are instantiated with their passwords Proof idea: if Adv could distinguish executions where pwd and pwd’ are used, then pwd  pwd’. Adv uses this to win KE game. A distinguishing mistyping sequence is handled by a hybrid argument.

20 All Rights Reserved © Alcatel-Lucent 2007,2008 20 | Mistyping in KE | July 2008 Our Protocol

21 All Rights Reserved © Alcatel-Lucent 2007,2008 21 | Mistyping in KE | July 2008 Application to biometrics Key on storage card can be lost or stolen P = Gen(), P R

22 All Rights Reserved © Alcatel-Lucent 2007,2008 22 | Mistyping in KE | July 2008 On confirmation flow S ! C  Our definition does not allow for this flow in  (o.w. Adv always wins)  This flow is useful for exact P ? accounting on the client side. (O.w. attacks related to convincing C that he mistyped give free password tries) We also give an alternative definition that allows this flow and argue its security.

Download ppt "Password Mistyping in Two-Factor Authenticated Key Exchange Vladimir KolesnikovCharles Rackoff Bell LabsU. Toronto ICALP 2008."

Similar presentations

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 22 Fall 2002.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.

Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.
Key Exchange Using Passwords and Long Keys Vladimir Kolesnikov Charles Rackoff Comp. Sci. University of Toronto.

Key Exchange Using Passwords and Long Keys Vladimir Kolesnikov Charles Rackoff Comp. Sci. University of Toronto.
Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.

Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Copyright Justin Klein Keane InfoSec Training Encryption.

Copyright Justin Klein Keane InfoSec Training Encryption.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.

Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.

Similar presentations

Ads by Google