(Re)Introducing Strong Password Protocols
Radia Perlman


1 (Re)Introducing Strong Password Protocols
Radia Perlman
Radia.Perlman@sun.com

2 What’s a strong password protocol?
Alice and Bob share a weak secret (W)…a password
In a strong password protocol, someone impersonating Alice or Bob, or eavesdropping, cannot capture a quantity with which to do a dictionary attack

3 Example non-strong password protocol
Alice knows W; Bob knows (“Alice”, W)
Alice -> Bob: I’m Alice
Bob -> Alice: Challenge=R
Alice -> Bob: H(W,R)

4 Example non-strong password protocol
Alice knows W; Bob knows (“Alice”, W)
Alice -> Bob: I’m Alice
Bob -> Alice: Challenge=R
Alice -> Bob: h(W,R)
Note: someone impersonating Bob, or eavesdropping, can test passwords to see if response h(W,R) matches R

5 First strong password protocol: EKE
Bellovin-Merritt
Encrypt Diffie-Hellman exchange with W

6 EKE
Alice knows W; Bob knows (“Alice”, W)
Alice -> Bob: I’m Alice, {g^A mod p}W
Bob -> Alice: {g^B mod p}W
Both: Mutual exchange based on g^AB

7 EKE
Alice knows W; Bob knows (“Alice”, W)
Alice -> Bob: I’m Alice, {g^A mod p}W
Bob -> Alice: {g^B mod p}W
Both: Mutual exchange based on g^AB
Note: someone impersonating Bob, or eavesdropping, cannot do a dictionary attack. Would have to break Diffie-Hellman

8 EKE
Alice knows W; Bob knows (“Alice”, W)
Alice -> Bob: I’m Alice, {g^A mod p}W
Bob -> Alice: {g^B mod p}W
Both: Mutual exchange based on g^AB
Note: someone impersonating Bob, or eavesdropping, cannot do a dictionary attack. Would have to break Diffie-Hellman
Note: Alice or Bob could do one on-line password guess, and verify if they are right

9 Variants of EKE
SPEKE: (Jablon) replace “g” in Diffie-Hellman with W
Alice knows W; Bob knows (“Alice”, W)
Alice -> Bob: I’m Alice, W^A mod p
Bob -> Alice: W^B mod p
Both: Mutual exchange based on W^AB
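
The SPEKE flow on slide 9, run end to end with both parties, as an added example that is not from the slides: the password-to-W mapping (SHA-256 then squaring), the RFC 2409 Oakley Group 1 prime, the HMAC confirmation tags and all names are assumptions chosen for illustration. A mismatched password only makes confirmation fail, which is the single on-line guess per run noted on slide 8.

```python
import hashlib
import hmac
import secrets

# Assumption: 768-bit safe prime of Oakley Group 1 (RFC 2409); demo size only.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)


def password_to_base(pwd: str) -> int:
    """Assumed mapping from password to W: hash, then square mod p so W
    falls in the large prime-order subgroup of the safe-prime group."""
    h = int.from_bytes(hashlib.sha256(pwd.encode()).digest(), "big")
    return pow(h, 2, P)


class Party:
    def __init__(self, pwd: str):
        self.w = password_to_base(pwd)
        self.x = secrets.randbelow(P - 3) + 2      # private exponent A or B
        self.public = pow(self.w, self.x, P)       # W^A mod p or W^B mod p

    def session_key(self, peer_public: int) -> bytes:
        # Refuse 0, 1 and p-1: they would force a predictable shared value.
        if not 1 < peer_public < P - 1:
            raise ValueError("degenerate public value")
        shared = pow(peer_public, self.x, P)       # W^AB mod p
        return hashlib.sha256(shared.to_bytes(96, "big")).digest()


def proof(key: bytes, role: bytes) -> bytes:
    """Key-confirmation tag standing in for the 'mutual exchange'."""
    return hmac.new(key, role, hashlib.sha256).digest()


def run_exchange(alice_pwd: str, bob_pwd: str) -> bool:
    alice, bob = Party(alice_pwd), Party(bob_pwd)
    k_alice = alice.session_key(bob.public)        # Alice received W^B mod p
    k_bob = bob.session_key(alice.public)          # Bob received W^A mod p
    # Each side sends a tag under its own key; the peer recomputes and compares.
    bob_accepts = hmac.compare_digest(proof(k_alice, b"alice"), proof(k_bob, b"alice"))
    alice_accepts = hmac.compare_digest(proof(k_bob, b"bob"), proof(k_alice, b"bob"))
    return bob_accepts and alice_accepts


if __name__ == "__main__":
    print(run_exchange("correct horse", "correct horse"))  # matching passwords
    print(run_exchange("wrong guess", "correct horse"))    # one failed on-line guess
```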

10 Variants of EKE
PDM: (Kaufman, Perlman) derive p deterministically from W
Alice knows pwd, derives p; Bob knows (“Alice”, p)
Alice -> Bob: I’m Alice, 2^A mod p
Bob -> Alice: 2^B mod p
Both: Mutual exchange based on 2^AB

11 “Augmented” feature
In EKE, SPEKE, and PDM, server knows W
If someone stole the server database, they would be able to directly impersonate the user (without a dictionary attack)
“Augmented” feature: server database doesn’t completely divulge W (but allows a dictionary attack)
Many ways to do this

12 Example: augmented PDM
Alice knows pwd, derives p; Bob knows for Alice: p, {Alice’s priv}pwd, Alice’s public key
Alice -> Bob: I’m Alice, 2^A mod p
Bob -> Alice: 2^B mod p, challenge=R, { {Alice’s priv}pwd }2^AB mod p
Alice -> Bob: Sign R with private key, Mutual exchange based on 2^AB
Bob: Verifies Alice’s sig

13 Augmented protocols
All of EKE, SPEKE, PDM can be made augmented
SRP only has an augmented form
There are other variants of strong password protocols

14 What would one do with a strong password protocol?
One could directly authenticate with it
One could do credential download
–Use it to download Alice’s private key, and then everything else follows once she knows her private key
–Everything else she needs can be stored encrypted and/or signed
–Authentication would be done with traditional public key

15 Credential download (based on EKE)
Alice knows pwd, derives W; Bob knows for Alice: W, CRED={Alice’s priv}pwd
Alice -> Bob: I’m Alice, {g^A mod p}W
Bob -> Alice: g^B mod p, { CRED }g^AB mod p
Note: only need 2 msgs

16 Other things
Alice can customize her password for each site (use W_servername = h(pwd, “servername”)) at site “servername”
But if you just use strong password protocols to obtain Alice’s private key, she can authenticate to all other sites using public key

17 Why don’t we use strong password protocols?
Possible IPR
TLS with non-strong password protocol “good enough in practice”

