Transcript Authentication System

Authentication System
Introduction
• Authentication is the process of reliably
verifying the identity of someone (or
something).
“I am Alice”
in a network,
Bob can not “see”
Alice, so Trudy simply
declares
herself to be Alice
Kinds of Authentication
• Password-Based Authentication
• Symmetric key Based Authentication
• Public-Key Based Authentication
Password-Based Authentication
• Attaining the benefits of cryptographic
authentication with the user being able to
remember passwords only
• Problems of password protocols:
– Eavesdropping
– Password guessing attack
• On-line password guessing
• Off-line password guessing
Encrypted Key Exchange (EKE)
Key establishment as well as authentication
“Alice”, W{EA}
KAB{CA}
Bob
Alice
W{EA{KAB}}
KAB{CA, CB}
KAB{CB}
• One of the W{.} may possibly be removed.
• In that case, the non-encrypting side should not issue the first
challenge. (Why not?)
EKE with Diffie-Hellman
“Alice”, W{ga mod p}
(KAB = gab mod p)
KAB{CA, CB}
KAB{CA}
• Why are ga, gb encrypted?
(authentication)
Bob
Alice
W{gb mod p}, CB
Augmented EKE
• EKE vulnerable to database disclosure
(since server has to store W)
• Augmented EKE: defense against this
threat
• Client has to know the password. Server
stores a one-way derivation of it.
Augmented EKE with DiffieHellman
Server stores gW mod p
gb mod p, H(gab mod p, gbW mod p)
Bob
Alice
“ Alice”, ga mod p
H’(gab mod p, gbW mod p)
• How does this protocol protect against database
disclosure?
• Why is this protocol not secure?
Secure Remote Password (SRP)
• Secure Remote Password Protocol
• Thomas Wu
• Notation
n : A large primenumber.All comput ations are performedmodulo n.
g : primitiveroot modulo n (oftencalled a generator).
s : A randomstringused as theuser's salt.
P : T heuser's password.
x : A privatekey derivedfrom thepassword and salt.
v : T hehost's password verifier.
u : Random scramblingparameter,publicly revealed.
a, b : Ephermeralprivatekeys,generatedrandomlyand not publicly revealed.
A, B : Corresponding public keys.
H () : One - way hash funct ion.
K : Session key.
• Protocol
– To establish a password P with Steve, Carol
picks a random salt s, and computes
Steve
. Carol
C (user name)
x  H ( s, P )
A  ga
s
A
B, u
S  ( B  g x ) a ux
K  H (S )
M1  H ( A, B, K )
(verifyM 2 )
(lookup s, v)
B  v  gb
S  ( Avu ) b
K  H (S )
M1
M2
(verifyM1 )
M 2  H ( A, M1 , K )
Off- vs. On-Line Password
Guessing
• On-line password guessing attack:
– Type passwords at the system that is going to
verify the password.
– The system can make it impossible to guess
too many passwords in this manner. Ex: ATM.
– The system can be designed to be slow, so as
not to allow very many guesses per unit time.
• Off-line password guessing attack:
– Dictionary attack
– An attacker guesses a password and verifies
his guess off-line.
– If his guess fails the attacker tries again with
another password, until he finds the proper
one.
Symmetric key based
Authentication
• Both Entity using a secret key k, |k|>64
• Not need CA.
• Compare with PASSWORD BASE
–
–
–
–
user need not to input password
More faster
Must store KEY
More security in theory
• In 1994, Bellare, Rogaway present Entity Authencation
and Key Distribution
– The MAP1, and AKEP1 are more important.
– MAP1 has Matural Authentcation
– AKEP1 add the part of Key Exchange
MAP1
Suppose the entities Alice and Bob share a
secret key .
[B, A, RA, RB]
[A, RB] 
Bob
Alice
RA
AKEP1
we assume t heent it iesA and B share secret keys and 
def
We define{ }  (r , f ' (r )   )
f ' is a pseudo - randomfamily
f ' : {0,1}k  {0,1} p (k )
p(k)is a polynomialand r is randomlysampled.
• we assume the entities A and B share
secret keys  and .
[B, A, RA, RB, {} ]
Bob
Alice
RA
[A, RB] 
•  is the session agreed after the protocol.