1 / 39

Improved Server Authentication

Improved Server Authentication. Presented by Dmitri Epshtein Supervised by Prof. Hugo Krawczyk January 2002. Outline. Why public key verification ? Human friendly public key verification Authentication through image SSH integration and demo. g^x. g^y | sign Kprv ( g^y,g^x ) | K pub.

ella-carpenter
Télécharger la présentation

Improved Server Authentication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Improved Server Authentication Presented by Dmitri Epshtein Supervised by Prof. Hugo Krawczyk January 2002

  2. Outline • Why public key verification ? • Human friendly public key verification • Authentication through image • SSH integration and demo Improved Server Authentication

  3. g^x g^y | signKprv(g^y,g^x) | Kpub login+psswd Encrypted channel (K) K=(g^x)^y K=(g^y)^x Client-Server security Confirm Server Kpub VerifyKpub(signKprv(g^y,g^x)) Verify psswd Improved Server Authentication

  4. Man in the middle attack K= (g^y’)^x=(g^x)^y’ K’= (g^y)^x’=(g^x’)^y Improved Server Authentication

  5. Public Key Verification • Local (stored in client machine) • Not applicable everywhere (e.g. Internet-Cafe) • CA - Certification Authority • CA root key should be known • It is not widely available on the Internet yet • User verifies hashed version of public key “public password” as described in [HK99] Improved Server Authentication

  6. Outline • Why public key verification ? • Human friendly public key verification • Authentication through image • SSH integration and demo Improved Server Authentication

  7. Public Passwords • Not necessary to know all 1024 bits to verify the key • About 64 bits (2^64 different values) is secure for most applications • Use hash function MD5/SHA1(Public Key) to reduce key size • It is infeasible to find a different public key that corresponds to the same “public password” • Public key is not secret information Improved Server Authentication

  8. SSH public password SSH requires user to verify 128 bits - hash value of server public key. Public Key (1024 bits) Fingerprint (128 bits) Example: DSA key fingerprint is: d7:7d:cf:16:07:3b:5e:17:dc:b7:52:f1:eb:49:37:b1 Too difficult to recognize or retype => Blind Acceptance Improved Server Authentication

  9. Improved solution • Use more user friendly format for public key verification (with the same security) • Public key(1024) Hashed Public Key(64) • String of English words: • “SCAN TOTE NOON DIE MAID COP” • String Alpha-Numeric words: • “4786 8fsh hprb” • Picture Improved Server Authentication

  10. English Words format RFC1760 (The S/KEY One-Time Password System) defines Table of 2048 English words 2-4 letters each one. • Public key(1024) Hashed Public Key(66) • Each 11 bits represent one word from the table • 6 words (66 bits) are secure enough • 6 English Words are easy to recognize e.g. SCAN TOTE NOON DIE MAID COP Improved Server Authentication

  11. Verification interface • It is important that a user really checks for the validity of displayed value • The purpose of attacker is to find an alternative public key with similar “public password” • Our interface is designed to avoid tendency of users to answer every question by simply hitting Enter-key Improved Server Authentication

  12. Interface to user • 4 different (but similar) options are displayed • User should choose the appropriate one. (1) SCAN NOON DIE MAID TOTE COP (2) SCAN TOTE NOON DIE MAID COP (3) COP TOTE DIE SCAN MAID NOON (4) TOTE DIE SCAN COP MAID NOON What is the appropriate phrase ? Improved Server Authentication

  13. Too mush diversity (1) TUM TANK TIP CUBE LID HELM (2) SCAN TOTE NOON DIE MAID COP! (3) BANK HANS BIN GOAT JET BEAM (4) HIGH TUNE REID BARB BONY RAIN • User will remember only first word “SCAN” • Attacker can find the other key that converted to the string started with “SCAN” e.g. “SCAN GOAT DIE JET TANK COP” • Security decreased from 2^66 to 2^11 Improved Server Authentication

  14. Too much similarity (1) SCAN BEAM NOON DIE MAID COP (2) SCAN TOTE NOON DIE MAID COP ! (3) BANK TOTE NOON DIE MAID COP (4) SCAN TOTE NOON JET MAID COP • One-word distance from right string. • In place of checking the correct answer user may derive the “right” option from the proposed list Improved Server Authentication

  15. Our suggestion (1) SCAN NOON DIE MAID TOTE COP (2) SCAN TOTE NOON DIE MAID COP ! (3) COP TOTE DIE SCAN MAID NOON (4) TOTE DIE SCAN COP MAID NOON • Each alternative created from previous one by permutation of two randomly chosen words. • Strings are randomly placed from 1 to 4. Improved Server Authentication

  16. Alpha-Numeric format Based on 26 letters and 10 digits. Letters ‘l’ and ‘o’ excluded. Digits ‘1’ and ‘0’ excluded. Total 32 symbols are used. • Public key(1024) Hashed Public Key(60) • Each 5 bits represent one Alpha-Numeric symbol • 12 symbols (60 bits) are secure enough • 12 symbols - 3 words are easy to recognize e.g. “qu24 ih2q sswb” Improved Server Authentication

  17. Outline • Why public key verification ? • Human friendly public key verification • Authentication through image • SSH integration and demo Improved Server Authentication

  18. Visual format • Maybe the most user friendly option. • Huge number of different pictures. • Easy to remember and recognize. Improved Server Authentication

  19. Image verification What is the appropriate Image ? Improved Server Authentication

  20. Image properties The images should meet the following requirements [PS99]: • Regularity • Easy to recognize • Minimal complexity • Avoid too simplified images • Collision resistance • Hard to find two different keys represented by the same or very similar image. Improved Server Authentication

  21. Compression (zlib) used to check regularity and minimal complexity of the image. Minimal complexity Too high compression ratio == Very simplified image == Easy to falsify e.g. Compression ratio 6% Improved Server Authentication

  22. Regularity Too low compression ratio == Not regular image == Difficult to recognize e.g. Compression ratio 82% Compression ratio thresholds that guarantees Regularity and Minimal Complexity of the image 35 - 70 % Improved Server Authentication

  23. Collision Resistance Very small probability to find two different keys represented by the same (or very similar) image. To calculate differences between two pictures “normal corelation” formula used: w – width of picture in pixels, h – height of picture in pixels ri, gi, bi – red, green and blue components of the colour for pixel “i”in the picture. Improved Server Authentication

  24. Image creation method • Based on idea of “randomArt ” [Bau98]. • N*M image created from the 64 bits key. • Picture format is array of long words (32 bits) of size of “width*height” (N*M) • Each long word represents an RGB colour of a pixel in the picture (0x00bbggrr). • 0x000000FF – red, 0x00FF0000 – blue, 0x0000FF00 – green Improved Server Authentication

  25. Image creation method (1) Improved Server Authentication

  26. Image creation method (1) • The algorithm based on set of 16 mathematical functions that convert input colour {r, g, b} to output colour {r’, g’, b’}. • Each 4 bits of the key define one of the functions from the set. • The initial value of the colour for each pixel depends on coordinates {x, y} of the pixel • S(1) .. S(16) - shifts color accordingly with function location. Improved Server Authentication

  27. Image creation method (3) • Each one of the 16 functions: • Continuous, r  [-1; 1], r’  [-1; 1], r’=log10(4.1 + 4*r) r’=sin(5*r); r’=0.8*atan(-3*r) Improved Server Authentication

  28. Statistical results Quality of image (Regularity and Minimal Complexity) 1000 randomly chosen keys About 700 from 1000 images are Good images. Compression rate in range 35-70 % Improved Server Authentication

  29. Statistical results (1) • Collision resistance of the image • One “good” reference image is chosen • 1000 other “good” images compared with the reference image accordingly to the formula above. • Results: • Most of images have ~25-40% difference from the reference image. • No image has difference less than 15% from the reference image. Improved Server Authentication

  30. Outline • Why public key verification ? • Human friendly public key verification • Authentication through image • SSH integration and demo Improved Server Authentication

  31. SSH Overview • SSH is a protocol for secure network services (telnet, rlogin) over insecure network. • It consists of three major components: • Transport layer protocol provides Server Authentication, Confidentiality and Integrity. • User authentication protocol authenticates the Client side to the Server. • Connection protocol multiplexes encrypted tunnels into several logical channels. Improved Server Authentication

  32. SSH integration • No changes in SSH server (sshd) • Key Generator (ssh-keygen) is changed • SSH Client (ssh) is changed • Full Backward compatibility Improved Server Authentication

  33. SSH Framework • Key Generation • Generate and display all possible formats • Only key that can be converted in “good” image will be accepted • Diffie-Hellman Key Exchange and Server Authentication • Server has Kprv/Kpub - private/public keys pair • Client creates e=(g^x mod p) and sends to Server • Server creates f=(g^y mod p) Improved Server Authentication

  34. SSH Framework (1) • Server receives “e” from Client • Server computes K=(e^y mod p) • Server computes H=hash( Kpub | e | f | K ) • Server computes s = sign(H) with Kprv • Server sends ( Kpub | f | s ) to Client • Client verifies Kpub received from Server !!! • Client computes K=(f^x mod p) • Client computes H=hash( Kpub | e | f | K ) • Client verifies the signature “s” on H Improved Server Authentication

  35. Supported formats • Client choose key representation format: • (1) Fingerprint • (2) EnglishWords • (3) AlphaNumeric • (4) Visual Improved Server Authentication

  36. Verification actions • Client choose key verification action: • (1) Confirm • (2) Retype • (3) Abort Start Updated SSH demonstration !!! Improved Server Authentication

  37. Summary • “Public passwords” are more user friendly method for Server authentication • New method for key visualization and authentication • Integrate all above into SSH and improve the its overall security Improved Server Authentication

  38. Future work • Other user friendly string formats • Other mechanism to create alternative strings • Improve picture quality (Regularity) • Improve picture compare algorithm and analyze collision resistance • Grayscale images Improved Server Authentication

  39. References [SH99] Shai Halevi, Hugo Krawczyk. Public cryptography and password protocols. 1999 [PS99] Adrian Perrig, Dawn Song. Hash Visualization: a New Technique to improve Real-World Security. 1999 [DP00] Rachna Dhamija, Adrian Perrig. Using Images for Authentication. 2000 [Bau98] Andrej Bauer. Gallery of random art. 1998 Improved Server Authentication

More Related