Lecture 11: Strong Passwords
• problem statement
• Lamport’s hash
• encrypted key exchange (EKE)
• secure credentials download

Strong Password Protocols
• Obtaining the benefits of cryptographic authentication while the user only has to remember a password
• in particular:
  • no security information is kept at the user’s machine (the machine is trusted but not configured)
  • someone impersonating either party will not be able to obtain information for off-line password guessing (online password guessing is not preventable)

Lamport’s Hash
• Bob stores <username, n, h^n(password)>; n is a relatively large number, like 1000
• Alice’s workstation sends h^{n-1}(password)
• if successful, n is decremented and h^{n-1} replaces h^n in Bob’s database
[Figure: Alice gives “Alice, password” to Alice’s terminal; messages between the terminal and Bob, in order: “Alice”; n; h^{n-1}(password). Labels: trusted, not trusted]
• why is the sequence of hash transmissions reversed?
• properties:
  • safe against eavesdropping, database reading
  • no authentication of Bob

Salting Lamport’s Hash
• h^{n-1}(pwd|salt) is used for authentication
• the salt is stored at Bob’s at setup time; Bob sends the salt each time along with n
• advantages:
  • Alice can use the same password with multiple servers, why?
    • what may happen if two servers pick the same salt?
    • to ensure that the salt is different, the server’s name is also hashed in
  • easy password reset (when n reaches 1) – just change the salt
  • defense against dictionary attacks
    • how would Trudy mount a dictionary attack without the salt?

Lamport’s Hash: Other Properties
• small n attack
  • when Alice tries to log in, Trudy impersonates Bob and sends n’ < n and Bob’s salt; when Trudy gets the reply she can impersonate Alice after n is decremented to n’
  • defense: Alice’s workstation presents the submitted n to Alice to verify the “approximate” range (Alice has to remember it)
• “human and paper” environment
  • in case Alice’s workstation is not trusted or too “dumb” to do hashing
  • Alice is given a list of all hashes starting from 1000; she uses each hash exactly once
  • automatically prevents the small n attack
  • string size – 64 bits (~10 characters) is secure enough
• implemented as S/Key and standardized as a one-time password system

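Added example (not part of the original lecture): a sketch of the salted Lamport exchange from the three slides above, showing Bob's verify-and-replace step, why a replayed reply fails, and the workstation-side range check against the small n attack. SHA-256 as h, the "|" seed layout, and the names h_iter, make_seed, Bob, workstation_reply, expected_n and slack are assumptions made for illustration; expected_n stands in for the approximate n that Alice remembers.

```python
import hashlib
import hmac

def h_iter(seed: bytes, times: int) -> bytes:
    """Apply h (SHA-256 here, an assumption) `times` times to seed."""
    value = seed
    for _ in range(times):
        value = hashlib.sha256(value).digest()
    return value

def make_seed(password: str, salt: str, server_name: str) -> bytes:
    # pwd|salt with the server's name hashed in, as on the salting slide
    return f"{password}|{salt}|{server_name}".encode()

class Bob:
    """Server: stores <username, n, salt, h^n(pwd|salt|server name)>."""
    def __init__(self, server_name: str):
        self.server_name = server_name
        self.db = {}

    def enroll(self, user: str, password: str, salt: str, n: int = 1000):
        seed = make_seed(password, salt, self.server_name)
        self.db[user] = {"n": n, "salt": salt, "hash": h_iter(seed, n)}

    def challenge(self, user: str):
        rec = self.db[user]
        return rec["n"], rec["salt"]

    def verify(self, user: str, reply: bytes) -> bool:
        rec = self.db[user]
        # One more hash of h^{n-1} must equal the stored h^n.
        if not hmac.compare_digest(hashlib.sha256(reply).digest(), rec["hash"]):
            return False
        rec["n"] -= 1          # n is decremented
        rec["hash"] = reply    # h^{n-1} replaces h^n
        return True

def workstation_reply(password, server_name, n, salt, expected_n, slack=5):
    """Alice's workstation: return h^{n-1}, refusing an n below the range Alice expects."""
    # n < 2 would mean sending the unhashed seed; a much smaller n is the small n attack.
    if n < 2 or n < expected_n - slack:
        raise ValueError("n is outside the range Alice expects; not answering")
    return h_iter(make_seed(password, salt, server_name), n - 1)
```

A reply that Bob has already accepted is rejected the second time, because the stored value is now that reply and hashing it once more gives h^n again, not the stored h^{n-1}.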
Encryption-with-Password Protocols
[Figure: Alice and Bob share the weak secret W = f(pwd); messages between Alice and Bob, in order: “Alice”; challenge C; W{C}]
problems:
• dictionary attack, how?
• server database disclosure

Encrypted Key Exchange (EKE)
• what’s encrypted by the weak key is g^a, g^b (which look like random numbers) – a straightforward dictionary attack is impossible
[Figure: messages between Alice and Bob, in order: “Alice”, W{g^a mod p}; W{g^b mod p, C_A}; K_AB{C_A, C_B}; K_AB{C_A}. Annotation: can compute K_AB = g^{ab} mod p]

Augmented EKE
• EKE is vulnerable to database disclosure since Bob stores W in the clear
  • what’s the possible attack?
• defense: Augmented EKE – Alice knows the password, Bob knows a one-way hash of it
• Bob stores: g^W mod p
[Figure: messages between Alice and Bob, in order: “Alice”, g^a mod p; g^b mod p, H(g^{ab} mod p, g^{bW} mod p); H’(g^{ab} mod p, g^{bW} mod p)]

Secure Credentials Download
• credential: Y – quantity used for authorization (to prove one’s identity) – something like a private key
• problem: download Alice’s credential to Alice’s workstation when Alice only knows her password
[Figure: Bob stores “Alice”, W, Y; messages between Alice and Bob, in order: “Alice”, W{g^a mod p}; g^b mod p, (g^{ab} mod p){Y}]