BR Crypto’93:


Slide 1: Password-based authenticated key exchange
Ravi Sandhu
Slide 2: Variations
- Public-key cryptography must be used
- Two variations:
  - No public-key certificates (no PKI)
  - Use public-key certificates (requires PKI)
- Reference: Shai Halevi and Hugo Krawczyk, "Public-key cryptography and password protocols", ACM Transactions on Information and System Security (TISSEC), Volume 2, Issue 3 (August 1999), pages 230-268
© Ravi Sandhu, 2002
Slide 3: References
- http://www.integritysciences.com/links.html: comprehensive and long list of references
- S. M. Bellovin and M. Merritt, "Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks," Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, May 1992. Principal reference for this lecture.
- "This is not your grandmother's network login" [Jab96]
Slide 4: Broken approaches: use password directly (authentication only)
- Original Telnet: vulnerable to eavesdropping
  Client -> Server: pwd
- Challenge-Response
  Server -> Client: challenge
  Client -> Server: h(challenge, pwd)
  An eavesdropper who records challenge and h(challenge, pwd) can test password guesses offline (dictionary attack), since each guess is verifiable against the response.
Slide 5: Broken approaches: use hashed password (authentication only)
- Challenge-Response
  Server -> Client: challenge
  Client -> Server: h(challenge, f(pwd))
- Don't need to store cleartext password on the server
- Dictionary attack on f(pwd) stored at server remains a vulnerability
- The eavesdropper's dictionary attack on the transcript also remains: each guess is simply pushed through f before hashing it with the challenge
Slide 6: Kerberos is vulnerable
Parties: Client, Authentication Server, Ticket Granting Server (holds k_TGS), Server (holds k_S)
- Client -> Authentication Server: request T_{C,TGS}
- Authentication Server -> Client: T_{C,TGS}, ENC_{k_C}(TGS, k_{C,TGS}, ...)
- Client -> Ticket Granting Server: T_{C,TGS}, ENC_{k_{C,TGS}}(authenticator)
- Ticket Granting Server -> Client: ENC_{k_{C,TGS}}(k_{C,S}, ...)
- Client <-> Server: communication under k_{C,S}
The trouble: k_C is defined to be some one-way function of the password! The reply ENC_{k_C}(TGS, k_{C,TGS}, ...) has recognizable contents, and the Authentication Server hands it to whoever asks for T_{C,TGS}, so candidate passwords can be tested against it offline without eavesdropping on anyone.
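The offline dictionary attacks behind slides 4, 5 and 6, worked through as an added example (not code from the slides). It builds each transcript the way the honest parties would and then attacks it with a candidate list. Everything here is this example's own assumption: SHA-256 stands in for h and f, a SHA-256 keystream XOR stands in for ENC_k, and the dictionary, challenge, TGS name and session key are constructed sample data.

```python
"""Offline dictionary attacks on the broken approaches of slides 4 to 6.
Toy primitives: SHA-256 for h and f, a SHA-256 keystream XOR standing in
for ENC_k.  The dictionary, challenge and Kerberos names are constructed
sample data for this example, not real protocol values."""
import hashlib


def h(*parts: bytes) -> bytes:
    """h(challenge, pwd) style hash; '|' keeps the fields apart."""
    return hashlib.sha256(b"|".join(parts)).digest()


def f(pwd: bytes) -> bytes:
    """One-way function of the password: what the server stores on slide 5,
    and k_C on slide 6."""
    return hashlib.sha256(b"f:" + pwd).digest()


def enc(key: bytes, data: bytes) -> bytes:
    """Toy ENC_key: XOR with a SHA-256 keystream.  enc is its own inverse."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed dictionary; the genuine password is somewhere inside it.
DICTIONARY = [b"letmein", b"hunter2", b"Tr0ub4dor&3", b"password1", b"qwerty"]
CHALLENGE = bytes.fromhex("0123456789abcdef")  # constructed server nonce


def attack_challenge_response(challenge, response, dictionary):
    """Slide 4: the eavesdropper holds challenge and h(challenge, pwd)."""
    return [p for p in dictionary if h(challenge, p) == response]


def attack_hashed_response(challenge, response, dictionary):
    """Slide 5: the eavesdropper holds challenge and h(challenge, f(pwd));
    hashing first changes nothing, each guess is just pushed through f too."""
    return [p for p in dictionary if h(challenge, f(p)) == response]


def attack_stolen_verifier(verifier, dictionary):
    """Slide 5: f(pwd) copied from the server is itself a dictionary target."""
    return [p for p in dictionary if f(p) == verifier]


def attack_as_reply(as_reply, tgs_name, dictionary):
    """Slide 6: k_C = f(pwd), and ENC_{k_C}(TGS, k_{C,TGS}, ...) starts with a
    known field, so a querying attacker requests C's ticket and tries keys
    offline until the TGS name appears in the decryption."""
    return [p for p in dictionary if enc(f(p), as_reply).startswith(tgs_name)]


def demo(real=b"hunter2"):
    """Build each transcript as the legitimate parties would, then attack it.
    Returns the survivors of each attack; each list should be just [real]."""
    # Slide 4 transcript
    resp_plain = h(CHALLENGE, real)
    # Slide 5 transcript and the verifier stored at the server
    verifier = f(real)
    resp_hashed = h(CHALLENGE, verifier)
    # Slide 6: what the AS returns to anyone who asks for T_{C,TGS} of this client
    tgs = b"krbtgt/EXAMPLE.ORG"                    # constructed TGS name
    session_key = bytes.fromhex("feedfacecafebeef")  # constructed k_{C,TGS}
    as_reply = enc(f(real), tgs + b"|" + session_key)
    return (
        attack_challenge_response(CHALLENGE, resp_plain, DICTIONARY),
        attack_hashed_response(CHALLENGE, resp_hashed, DICTIONARY),
        attack_stolen_verifier(verifier, DICTIONARY),
        attack_as_reply(as_reply, tgs, DICTIONARY),
    )


if __name__ == "__main__":
    names = ("challenge-response", "hashed response", "stolen verifier", "AS reply")
    for name, hits in zip(names, demo()):
        print(f"{name}: {hits}")
```

The point the four functions make together is that none of these designs gives the attacker anything to do online: one recorded exchange (or, for Kerberos, one unauthenticated request) yields a test that accepts exactly the right password, and the rest is local computation bounded only by the dictionary size.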
Slide 7: Patel's classification [Pat97]
- Querying attacker: can initiate sessions with the server while pretending to be a legitimate client
- Eavesdropping attacker: can eavesdrop on legitimate runs of the protocol
- Active attacker: can intercept, drop, insert packets
Slide 8: SSL (and SSH) solution (need PKI)
- Client <-> Server: server-side SSL (only the server is authenticated, by its certificate)
- Client -> Server: pwd, sent inside the SSL channel
- Needs PKI
- Has its pitfalls: the password is only as safe as the client's check of the server's certificate; accept the wrong one and the password goes to the impostor
Slide 9: Pre-EKE: use password directly (authentication and key exchange)
User (pwd), Server (pwd)
- U -> S: U, ENC_pwd(random)
- U -> S: ENC_random(challengeU)
- S -> U: ENC_random(challengeU, challengeS)
- U -> S: ENC_random(challengeS)
(the freshly chosen random value doubles as the session key)
Slide 10: EKE: DH version [BM92]
User (pwd), Server (pwd)
- U -> S: U, ENC_pwd(g^x)
- S: K = f(g^xy)
- S -> U: ENC_pwd(g^y), ENC_K(challengeS)
- U: K = f(g^xy)
- U -> S: ENC_K(challengeU, challengeS)
- S -> U: ENC_K(challengeU)
Slide 11: EKE: DH version [BM92]
Potential problems [Patel, S&P97]:
- Suppose an active attacker, instead of sending g and p in the clear, sends g^d and p, where d is a small prime with d | (p-1). Then (g^{dy})^{(p-1)/d} = 1 mod p. When the attacker receives the password-encrypted ENC_pwd((g^d)^y), he decrypts it under different candidate passwords and raises each result to the power (p-1)/d. If the result is not 1, that password is rejected. Since (p-1)/d of the p-1 numbers are d-th power residues, on average 1/d of the wrong candidates will be congruent to 1 when raised to (p-1)/d. Each session therefore shrinks the possible password space to 1/d of its size, and the space of valid passwords narrows to 1 at a logarithmic rate (typically, log p).
- Avoidance: the attack succeeds because g^d is not a generator. To verify that g is a generator it is necessary and sufficient to check that g^{(p-1)/m} ≠ 1 mod p for every prime factor m of p-1.
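Slides 10 and 11 worked through as an added example (this is not code from the slides or from [BM92]): an honest EKE run in which the transcript tells an eavesdropper nothing, then Patel's small-subgroup attack, then the generator check that makes the server refuse it. The parameters are this example's assumptions: a 31-bit prime P, a multiplicative mask mod P standing in for ENC_pwd, a constructed 61-word candidate list, and the function names below.

```python
"""Toy EKE (DH version, slide 10) and Patel's small-subgroup attack on it
(slide 11), with the generator check that blocks the attack.  Added example:
a 31-bit prime, a multiplicative-mask 'cipher' for ENC_pwd and a constructed
candidate dictionary.  All names are this example's own."""
import hashlib
import random

P = 2**31 - 1   # Mersenne prime; P - 1 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331


def prime_factors(n):
    """Distinct prime factors of n by trial division (n is only ~2^31 here)."""
    out, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            out.add(d)
            n //= d
        d += 1
    if n > 1:
        out.add(n)
    return out


def is_generator(g, p, factors):
    """Slide 11's avoidance check: g generates Z_p^* iff g^((p-1)/m) != 1
    for every prime m dividing p-1."""
    return 1 < g < p and all(pow(g, (p - 1) // m, p) != 1 for m in factors)


def find_generator(p, factors):
    return next(g for g in range(2, p) if is_generator(g, p, factors))


def mask(pwd, p):
    """Password-derived element of Z_p^* (toy stand-in for a keyed cipher)."""
    digest = int.from_bytes(hashlib.sha256(pwd.encode()).digest(), "big")
    return digest % (p - 1) + 1


def enc(pwd, m, p):
    """ENC_pwd(m) = m * mask(pwd) mod p: a permutation of Z_p^*, so decrypting
    under a wrong password still yields a perfectly plausible group element."""
    return m * mask(pwd, p) % p


def dec(pwd, c, p):
    return c * pow(mask(pwd, p), -1, p) % p


def eke(pwd, g, p, rng):
    """Honest run of slide 10 up to key derivation.  Returns
    (K_user, K_server, ENC_pwd(g^y)); the last is what an eavesdropper sees."""
    x = rng.randrange(1, p - 1)
    c_user = enc(pwd, pow(g, x, p), p)          # U -> S: U, ENC_pwd(g^x)
    y = rng.randrange(1, p - 1)
    gx = dec(pwd, c_user, p)
    c_server = enc(pwd, pow(g, y, p), p)        # S -> U: ENC_pwd(g^y), ...
    k_server = hashlib.sha256(str(pow(gx, y, p)).encode()).hexdigest()
    gy = dec(pwd, c_server, p)
    k_user = hashlib.sha256(str(pow(gy, x, p)).encode()).hexdigest()
    return k_user, k_server, c_server


def patel_session(candidates, real_pwd, g, p, d, rng, server_checks_generator):
    """One session of Patel's attack.  The attacker, posing as the user, sends
    h = g^d (not a generator) instead of g.  The server's h^y is a d-th power
    residue, so (h^y)^((p-1)/d) == 1; a wrong password decrypts ENC_pwd(h^y)
    to an unrelated element, which passes that test with probability ~1/d.
    Returns the surviving candidates, or None if the server refused the base."""
    h = pow(g, d, p)
    if server_checks_generator and not is_generator(h, p, prime_factors(p - 1)):
        return None
    y = rng.randrange(1, p - 1)
    c = enc(real_pwd, pow(h, y, p), p)           # the server's ENC_pwd(h^y)
    return {pw for pw in candidates if pow(dec(pw, c, p), (p - 1) // d, p) == 1}


def demo(seed=7):
    rng = random.Random(seed)
    factors = prime_factors(P - 1)
    g = find_generator(P, factors)
    real = "correct horse"
    dictionary = {real} | {f"password{i}" for i in range(60)}   # constructed
    # 1. Honest EKE: keys agree, and every candidate decrypts the transcript to
    #    a valid group element, so the eavesdropper can rule none of them out.
    k_user, k_server, c_server = eke(real, g, P, rng)
    plausible = {pw for pw in dictionary if 1 <= dec(pw, c_server, P) < P}
    # 2. Patel's attack on a server that skips the generator check.  With this
    #    mask cipher the ratio mask(real)/mask(guess) is fixed, so repeating one
    #    d learns nothing new; the attacker walks through the prime factors of
    #    P-1 instead (a real block cipher would let it reuse one d per session).
    alive = set(dictionary)
    for d in sorted(factors):
        alive &= patel_session(alive, real, g, P, d, rng, False)
    # 3. The same opening session against a server that runs is_generator.
    refused = patel_session(dictionary, real, g, P, 7, rng, True)
    return k_user == k_server, len(plausible) == len(dictionary), alive, refused


if __name__ == "__main__":
    print(demo())
```

The check in is_generator is cheap (one modular exponentiation per prime factor of p-1), but it presupposes that the server knows the factorization of p-1; a server that accepts arbitrary p from the peer cannot run it, which is one more reason to fix the group in advance rather than negotiate it.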
Slide 12: [BPR Eurocrypt2000]
User (pwd), Server (pwd)
- U -> S: U, ENC_pwd(g^x)
- S: k' = f(u, s, g^x, g^y, g^xy)
- S -> U: ENC_pwd(g^y), H(k', 1)
- U: k' = f(u, s, g^x, g^y, g^xy)
- U -> S: H(k', 2)
- both sides: session key k = H(k', 0)
- both sides: sid = A, ENC_pwd(g^x), B, ENC_pwd(g^y)
- pid = B at A (the user side); pid = A at B (the server side)
Slide 13: [BPR Eurocrypt2000]
[BM92] proved secure (in the random oracle model and the ideal cipher model)
Theorem. Let $q_{se}, q_{re}, q_{co}, q_{ex}, q_{or}$ be integers and let $q = q_{se} + q_{re} + q_{co} + q_{ex} + q_{or}$. Let Password be a finite set of size $N$ and assume $|G|^{1/2}/q \ge N \ge 1$. Let PW be the associated LL-key generator as discussed above, and SK the associated session key space. Assume the weak corruption model. Then
$$\mathrm{Adv}^{\mathrm{fs}}_{P,PW,SK}(t, q_{se}, q_{re}, q_{co}, q_{ex}, q_{or}) \le \frac{q_{se}}{N} + q_{se}\, q_{or}\, \mathrm{Adv}^{\mathrm{dh}}_{G,g}(t', q_{or}) + \frac{O(q^2)}{|G|} + \frac{O(1)}{|G|^{1/2}},$$
where $t' = t + O(q_{se} + q_{or})$.
Slide 14: SPEKE [Jablon, CCR96]
User (pwd), Server (pwd)
- U -> S: U, f(pwd)^x
- S -> U: f(pwd)^y
- both sides: k = h(f(pwd)^xy)
- U -> S: ENC_k(challengeU)
- S -> U: ENC_k(challengeU, challengeS)
- U -> S: ENC_k(challengeS)
Slide 15: [MacK01b]
"In this paper we prove (in the random oracle model) that a certain instantiation of the SPEKE protocol that uses hashed passwords instead of non-hashed passwords is a secure password-authenticated key exchange protocol (using our relaxed definition) based on a new assumption, the Decision Inverted-Additive Diffie-Hellman assumption. Since this is a new security assumption, we investigate its security and relation to other assumptions; specifically we prove a lower bound for breaking this new assumption in the generic model, and we show that the computational version of this new assumption is equivalent to the Computational Diffie-Hellman assumption."