1 / 16

Strong Password Protocols

Strong Password Protocols. CS 519 Cryptography and Network Security Instructor: Ali Aydin Selcuk. Password Protocols. Humans are incapable of remembering strong, random cryptographic keys; hence weak secrets (passwords/PINs) Risks of password protocols: Eavesdropping (*)

keala
Télécharger la présentation

Strong Password Protocols

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Strong Password Protocols CS 519 Cryptography and Network Security Instructor: Ali Aydin Selcuk Strong Password Protocols

  2. Password Protocols • Humans are incapable of remembering strong, random cryptographic keys; hence weak secrets (passwords/PINs) • Risks of password protocols: • Eavesdropping (*) • Online password guessing: easy to defend • Offline password guessing (dict.attack): possibly with active impersonation • Server database disclosure (+ dict.attack) Strong Password Protocols

  3. Password Protocols • Send pwd, compare against h(pwd) • Send h(pwd), compare against h(pwd) • Send h(pwd), compare against h(h(pwd)) • Use h(pwd) as the key in a C-R protocol; server stores h(pwd). (why not h(h(pwd))?) (What are the limitations of each?) • Lamport’s hash (S/KEY) • Strong password protocols Strong Password Protocols

  4. Lamport’s Hash • Server stores <username, n, Hn(password)> • Workstation sends Hn-1(password) • If successful, n is decremented Alice Alice, pwd Alice’s terminal n Alice Bob Hn-1(password) Strong Password Protocols

  5. Lamport’s Hash Salting: • Hn-1(pwd|salt) is used for authentication • Salt is installed with the server at setup time.Sent by the server along with n. • Advantages: • Easy password reset • Using same password over different servers • Slows down dictionary attacks Strong Password Protocols

  6. Lamport’s Hash Properties: • Safe against eavesdropping, database reading • No mutual authentication (login only) • Small n attack: Intruder sends n’ < n Defense: Alice verifies displayed n value • Can be used from dumb terminals as well (human-paper setting) Strong Password Protocols

  7. Strong Password Protocols • Achieving benefits of cryptographic authentication while users remember only weak secrets (passwords). • Problems of password protocols: • Eavesdropping • Offline password guessing (dictionary attacks) • Server database disclosure Strong Password Protocols

  8. Encryption-with-Password Protocols A basic protocol: Problems: • Dictionary attack (from R & W{R}) • Server database disclosure share weak secret W = f(pwd) “Alice” Alice Bob challenge R W{R} Strong Password Protocols

  9. share weak secret W = f(pwd) Enhanced with PKC: E & D: public/private key pair generated per-session (by the terminal) • Why not possible with secret key encryption? • What is the weakness in this protocol? (Passive attack? Active attack?) “Alice”, E Alice Bob E{R} W{R} Strong Password Protocols

  10. share weak secret W = f(pwd) How about this one? • Is an active attack still possible? (What if encryption E{.} is deterministic or randomized?) • One of the W{.} encryptions can be removed. “Alice”, W{E} Alice Bob W{E{R}} R Strong Password Protocols

  11. Encrypted Key Exchange (EKE) • Key establishment as well as authentication: “Alice”, W{E} W{E{KAB}} RA Alice Bob KAB{RA}, RB KAB{RB} Strong Password Protocols

  12. EKE Why per session E/D ? • Dictionary attack if E is known. • Replay attack possible from server side. Why encrypt a “public” key (i.e. W{E}) ? • Authentication • In fact, one of W{.} can be removed. (Then the non-encrypting side should not issue the first challenge.) Risk of W{E}: Public keys can easily be distinguished from random string; enabling a dictionary attack. Risk of W{E{KAB}}: E-residue attack. Strong Password Protocols

  13. EKE with Diffie-Hellman “Alice”, W{ga mod p} • Why are “public” ga, gb encrypted? W{gb mod p}, RB (KAB = gab mod p) Alice Bob RA, KAB{RB} KAB{RA} Strong Password Protocols

  14. Augmented EKE • EKE vulnerable to database disclosure(since server has to store W) • Augmented EKE: defense against this threat • Client has to know the password. Server stores a one-way derivation of it. Strong Password Protocols

  15. “Alice”, ga mod p gb mod p, H(gab mod p, gbW mod p) Alice Bob H’(gab mod p, gbW mod p) Augmented D-H EKE Server stores gW mod p • How does this protocol protect against database disclosure? • Why is this protocol not secure? Strong Password Protocols

  16. Alternative Approaches Things become easy if server has a long-term public key, securely distributed. Password exchange or C-R can take place over a secured channel. • Gong, Lomas, Needham, Saltzer(’93): server’s public key is installed at terminals in advance. • SSL: server’s PK is distributed by certificates. • SSH: weak authentication (by “leap of faith”) Strong Password Protocols

More Related