hash proof systems and password protocols
play

Hash Proof Systems and Password Protocols II Password-Authenticated - PDF document

Feb 19, 2024 •164 likes •319 views

Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David Pointcheval CNRS, Ecole normale sup erieure/PSL & INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA David

  1. Hash Proof Systems and Password Protocols II – Password-Authenticated Key Exchange David Pointcheval CNRS, Ecole normale sup´ erieure/PSL & INRIA 8th BIU Winter School – Key Exchange February 2018 CNRS/ENS/PSL/INRIA David Pointcheval 1/41 Diffie-Hellman Key Exchange Diffie-Hellman protocol: allows two parties to agree on a common session key: In a finite cyclic group G , of prime order p , with a generator g X $ $ ← Z p , X ← g x ← Z p , Y ← g y x − − − − − − − − − − − − − → y Y K ← Y x = g xy K ← X y = g xy ← − − − − − − − − − − − − − No authentication provided Authenticated Key Exchange Semantic security / Implicit Authentication: the session key should be indistinguishable from a random string to all except the expected players CNRS/ENS/PSL/INRIA David Pointcheval 2/41 Authentication Techniques Asymmetric technique Assume the existence of a public-key infrastructure Each party holds a pair of secret and public keys Symmetric technique Users share a random secret key Password-based technique Users share a random low-entropy secret: password CNRS/ENS/PSL/INRIA David Pointcheval 3/41

  2. Electronic Passport Since 1998, some passports contain digital information on a chip Standards specified by ICAO (International Civil Aviation Organization) In 2004, security introduced: encrypted communication between the chip and the reader access control: BAC (Basic Access Control) The shared secret is on the MRZ (Machine Readable Zone) It has low entropy: at most 72 bits, but actually approx. 40 = ⇒ low-entropy shared secret: a password pw CNRS/ENS/PSL/INRIA David Pointcheval 4/41 BAC: Basic Access Control The symmetric encryption and MAC keys are deterministically derived from pw Passport Reader r P $ $ ← { 0 , 1 } 64 ← { 0 , 1 } 64 r P , k P r R , k R C R ← Enc pw ( r R , r P , k R ) C R , M R C P ← Enc pw ( r P , r R , k P ) M R ← Mac pw ( C R ) C P , M P M P ← Mac pw ( C P ) K ← k P ⊕ k R K ← k P ⊕ k R From a pair ( C R , M R ) , one can make an exhaustive search on the password pw to check the validity of the Mac M R After a few eavesdroppings only : password recovery What can we expect from a low-entropy secret? CNRS/ENS/PSL/INRIA David Pointcheval 5/41 Off-line Dictionary Attacks As in the previous scenario, after having eavesdropped some (possibly many) transcripts interacted (quite a few times) with players the adversary accumulates enough information to take the real password apart from the dictionary = ⇒ Efficient password-recovery after off-line exhaustive search For the BAC: quite a few passive eavesdroppings are enough to recover the password! How many active interactions could one enforce? CNRS/ENS/PSL/INRIA David Pointcheval 6/41

  3. On-line Dictionary Attacks On-line Dictionary Attacks The adversary interacts with a player, trying a password In case of success: it has guessed the password In case of failure: it tries again with another password In Practice This attack is unavoidable If the failures for a target user can be detected the impact can be limited by various techniques If the failures cannot be detected (anonymity, no check, . . . ) the impact can be dramatic CNRS/ENS/PSL/INRIA David Pointcheval 7/41 Outline Introduction Security Notions 1 Intuition Find-then-Guess Security Examples Real-or-Random Security Universal Composability 2 Definition Password-based Authenticated Key Exchange Advanced Security Notions Examples Conclusion CNRS/ENS/PSL/INRIA David Pointcheval 8/41 Outline Introduction Security Notions 1 Intuition Find-then-Guess Security Examples Real-or-Random Security Universal Composability 2 Definition Password-based Authenticated Key Exchange Advanced Security Notions Examples Conclusion CNRS/ENS/PSL/INRIA David Pointcheval 9/41

  4. Outline Introduction Security Notions 1 Intuition Find-then-Guess Security Examples Real-or-Random Security Universal Composability 2 Definition Password-based Authenticated Key Exchange Advanced Security Notions Examples Conclusion CNRS/ENS/PSL/INRIA David Pointcheval 10/41 First Attempt Alice Bob x ← { 0 , 1 } 64 $ x y ← { 0 , 1 } 64 $ y K ← H ( pw , x , y ) K ← H ( pw , x , y ) Seems better than BAC: no information leaks about K , so no leakage about pw either! But K will be later used: c = E K ( m ) any information about m leaks about K , and leaks on pw . . . = ⇒ The security model has to deal with information leakage about K CNRS/ENS/PSL/INRIA David Pointcheval 11/41 Second Attempt Alice Bob X ← Z p ; X ← g x $ x Y ← Z p ; Y ← g y $ y Z ← Y x ; K ← H ( pw , X , Y , Z ) Z ← X y ; K ← H ( pw , X , Y , Z ) Passive eavesdropping, even with leakage of K : secure under CDH ! But the adversary can try to impersonate Bob, and know Z . . . = ⇒ The security model has to deal with active attacks CNRS/ENS/PSL/INRIA David Pointcheval 12/41

  5. Security Models Game-based Security [Bellare-P .-Rogaway – Eurocrypt ’00] Find-then-Guess Real-or-Random [Abdalla-Fouque-P . – PKC ’05] Simulation-based Security [Boyko-MacKenzie-Patel – Eurocrypt ’00] Universal Composability [Canetti-Halevi-Katz-Lindell-MacKenzie – Eurocrypt ’05] Where The adversary controls the network: it can create, alter, delete, duplicate messages Users can participate in concurrent executions of the protocol On-line dictionary attack should be the best attack = ⇒ No adversary should win with probability greater than q S / N where q S = # Active Sessions and N = # Dictionary CNRS/ENS/PSL/INRIA David Pointcheval 13/41 Outline Introduction Security Notions 1 Intuition Find-then-Guess Security Examples Real-or-Random Security Universal Composability 2 Definition Password-based Authenticated Key Exchange Advanced Security Notions Examples Conclusion CNRS/ENS/PSL/INRIA David Pointcheval 14/41 Game-based Security [Bellare-P.-Rogaway – Eurocrypt ’00] The adversary A interacts with oracles: Execute ( A i , B j ) A gets the transcript of an execution between A and B = ⇒ Passive attacks (eavesdropping) Send ( U i , m ) A sends the message m to the instance U i ⇒ Active attacks against U i (active sessions) = Reveal ( U i ) A gets the session key established by U i and its partner = ⇒ Leakage of the session key, due to a misuse Test ( U i ) a random bit b is chosen If b = 0, A gets the session key ( i.e. , Reveal ( U i ) ) If b = 1, A gets a random key CNRS/ENS/PSL/INRIA David Pointcheval 15/41

  6. Security Game: Find-then-Guess Secrecy of the key: output b ′ , the guess of the bit b involved in the Test-query Is the obtained key real or random? Constraint: no Test -query on a trivially known key i.e. , key already revealed through the instance or its partner Execute A 1 A 2 Send b ′ Reveal Test ( b ) Adv FtG ( A ) = 2 × Pr[ b ′ = b ] − 1 ≤ q S N + negl () CNRS/ENS/PSL/INRIA David Pointcheval 16/41 Freshness and Partnering Partners Two players are partners if they share the same Session ID Where SID should model ideal executions: two players with same SID’s and same pw ’s conclude with the same session key two players with different SID’s or different pw ’s conclude with independent keys Freshness A key or a player is fresh if none of the key/player or the partner’s key/player has been revealed/tested Only fresh keys/players can be revealed/tested CNRS/ENS/PSL/INRIA David Pointcheval 17/41 Security Notions: Forward Secrecy Semantic Security The Find-then-Guess game models the secrecy of the key = ⇒ the session key is unknown to the other players What about this secrecy after the corruption of a player? What about the knowledge of the two players? Forward Secrecy An additional oracle: Corrupt ( U ) provides the password pw of the player U to the adversary A new constraint: For any Test ( U i ) , player U was not corrupted when U i was involved in its session CNRS/ENS/PSL/INRIA David Pointcheval 18/41

  7. Outline Introduction Security Notions 1 Intuition Find-then-Guess Security Examples Real-or-Random Security Universal Composability 2 Definition Password-based Authenticated Key Exchange Advanced Security Notions Examples Conclusion CNRS/ENS/PSL/INRIA David Pointcheval 19/41 Encrypted Key Exchange [Bellovin-Merritt – S&P ’92] Alice Bob ← Z p ; X ← g x $ ← Z p ; Y ← g y $ x y X ∗ X ∗ ← E pw ( X ) X ← D pw ( X ∗ ) Y ∗ Y ∗ ← E pw ( Y ) Z ← Y x Y ← D pw ( Y ∗ ) Z ← X y K ← H ( A , B , X ∗ , Y ∗ , Z ) K ← H ( A , B , X ∗ , Y ∗ , Z ) Semantically Secure with Forward Secrecy if CDH assumption holds ( E , D ) is an Ideal Cipher onto G = � g � H is a Random Oracle [Bellare-P .-Rogaway – Eurocrypt ’00] CNRS/ENS/PSL/INRIA David Pointcheval 20/41 Simple PAKE [Abdalla-P. – CT-RSA ’05] Alice Bob ← Z p ; X ← g x $ ← Z p ; Y ← g y $ x y X ∗ X ∗ ← X · M pw X ← X ∗ / M pw Y ∗ Y ∗ ← Y · N pw Y ← Y ∗ / N pw Z ← Y x Z ← X y K ← H ( A , B , pw , X ∗ , Y ∗ , Z ) K ← H ( A , B , pw , X ∗ , Y ∗ , Z ) Semantically Secure if CDH ( M , N ) hard to break H is a Random Oracle CNRS/ENS/PSL/INRIA David Pointcheval 21/41

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hash Proof Systems and Password Protocols I Hash Proof Systems David Pointcheval CNRS, Ecole

Hash Proof Systems and Password Protocols I Hash Proof Systems David Pointcheval CNRS, Ecole

Hash Proof Systems and Password Protocols I Hash Proof Systems David Pointcheval CNRS, Ecole normale sup erieure/PSL & INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA David Pointcheval 1/51 Hard

300 views • 17 slides
Hash Proof Systems and Password Protocols III SPHF-based PAKE David Pointcheval CNRS, Ecole

Hash Proof Systems and Password Protocols III SPHF-based PAKE David Pointcheval CNRS, Ecole

Hash Proof Systems and Password Protocols III SPHF-based PAKE David Pointcheval CNRS, Ecole normale sup erieure/PSL & INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA David Pointcheval 1/53 Intuition

475 views • 18 slides
(username, password) ? x ? ? ? ? but (username,hash(password))

(username, password) ? x ? ? ? ? but (username,hash(password))

Hash Functions - Bart Preneel June 2016 Hash functions X.509 Annex D RIPEMD-160 SHA-3 MDC-2 SHA-256 MD2, MD4, MD5 Introduction to the SHA-512 SHA-1 Design and Cryptanalysis of Cryptographic Hash Functions This is an input to a crypto-

517 views • 10 slides
return password return hash( password ) return hash( password, salt )

return password return hash( password ) return hash( password, salt )

return password return hash( password ) return hash( password, salt ) return hash( password, salt, cost ) b83546b4 V[i] = H( V[i-1] ), i=0..N-1 b83546b4 b2e2a2f5 V[i] = H( V[i-1] ),

503 views • 47 slides
Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo

Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo

Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo Krawczyk (IBM Research) Works with Stanislaw Jarecki, Jiayu Xu (UC Irvine) Aggelos Kiayas (U Edinburgh) Nitesh Saxena, Maliheh Shirvanian (UA Birmingham)

750 views • 32 slides
1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

Authentication Protocols Guevara Noubir College of Computer and Information Science Northeastern University noubir@ccs.neu.edu Outline Overview of Authentication Systems [Chapter 9] Authentication of People [Chapter 10]

396 views • 17 slides
A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of

A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of

A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of statements. 2. Based on axioms. 3. Each statement is derived via the derivation rules. Zero Knowledge Protocols 4. The proof is fixed, i.e, in any time,

642 views • 14 slides
Authentication Dr. Steven Bitner Hashing Hashing is ONE WAY encryption You cannot

Authentication Dr. Steven Bitner Hashing Hashing is ONE WAY encryption You cannot

Authentication Dr. Steven Bitner Hashing Hashing is ONE WAY encryption You cannot retrieve the plain text Common hashes: md5 sha1 sha256 $password = hash (md5,$password); Better (though less common hash) Bcrypt

355 views • 18 slides
Interactive proof and zero knowledge protocols Zero-knowledge: definition Probabilistic

Interactive proof and zero knowledge protocols Zero-knowledge: definition Probabilistic

Interactive proof and zero knowledge protocols Zero-knowledge: definition Probabilistic complexity classes and Interactive proofs Graph isomorphism and PCP Some zero knowledge protocols: Feige-Fiat-Shamir authentication protocol

170 views • 16 slides
PROTOCOLS ETI 2506 Telecommunication Systems Monday, 7 November 2016 TELECOMMUNICATION

PROTOCOLS ETI 2506 Telecommunication Systems Monday, 7 November 2016 TELECOMMUNICATION

POINT TO POINT DATALINK PROTOCOLS ETI 2506 Telecommunication Systems Monday, 7 November 2016 TELECOMMUNICATION SYLLABUS Principles of Telecom (IP Telephony and IP TV) - Key Issues to remember PPP Frame and Phases Password Authentication

825 views • 15 slides
A Sybil-Proof Distributed Hash Table Chris Lesniewski-Laas M. Frans Kaashoek MIT 28 April 2010

A Sybil-Proof Distributed Hash Table Chris Lesniewski-Laas M. Frans Kaashoek MIT 28 April 2010

A Sybil-Proof Distributed Hash Table Chris Lesniewski-Laas M. Frans Kaashoek MIT 28 April 2010 NSDI http://pdos.csail.mit.edu/whanau/slides.pptx Distributed Hash Table Interface: PUT( key , value ), GET( key ) value Route to peer

424 views • 30 slides
How to (not) Share a Password: Privacy preserving protocols for finding heavy vy hit itters

How to (not) Share a Password: Privacy preserving protocols for finding heavy vy hit itters

How to (not) Share a Password: Privacy preserving protocols for finding heavy vy hit itters with adversarial behavior Moni Naor Benny Pinkas Eyal Ronen Passwords First modern use in MIT's CTSS (1961) Passwords First

747 views • 60 slides
Proof of work, Hash chaining CS 161: Computer Security Prof. David Wagner April 13, 2016 A

Proof of work, Hash chaining CS 161: Computer Security Prof. David Wagner April 13, 2016 A

Crypto tricks: Proof of work, Hash chaining CS 161: Computer Security Prof. David Wagner April 13, 2016 A Tangent: How Can I Prove I Am Rich? Math Puzzle Proof of Work Problem. To prove to Bob Im not a spammer, Bob wants me to do 10

488 views • 29 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and

Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and

Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and Interactions September 20, 2016 1/47 Introduction to SAT and QBF Proof Checking Clausal Proof Systems for SAT and QBF Abstract Proof System for SAT

924 views • 67 slides
Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password Validate password strength Store salted hash of the password Authentication User sends username/password Retrieve the stored salted

359 views • 20 slides
Investigating the Distribution of Password Choices David Malone and Kevin Maher, Hamilton

Investigating the Distribution of Password Choices David Malone and Kevin Maher, Hamilton

Investigating the Distribution of Password Choices David Malone and Kevin Maher, Hamilton Institute, NUI Maynooth. 19 April 2012 How to Guess a Password? Passwords are everywhere. If you dont know the password, can you guess it? 1. Make a

420 views • 18 slides
BITCRACKER Elena Agostini, Massimo Bernaschi 2 BITCRACKER: BITLOCKER MEETS GPUS BITLOCKER

BITCRACKER Elena Agostini, Massimo Bernaschi 2 BITCRACKER: BITLOCKER MEETS GPUS BITLOCKER

BITLOCKER MEETS GPUS BITCRACKER Elena Agostini, Massimo Bernaschi 2 BITCRACKER: BITLOCKER MEETS GPUS BITLOCKER Windows Vista, 7, 8.1 and 10 encryption feature (Ultimate, Pro, Enterprise, etc..) It encrypts several types of memory units

904 views • 30 slides
User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and

User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and

CSS322 Passwords Authentication Passwords Entropy User Authentication and Passwords Storing Passwords Selecting Passwords CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by

670 views • 28 slides
Cryptographic Key Infrastructure Goal: bind identity to key Classical: not possible as

Cryptographic Key Infrastructure Goal: bind identity to key Classical: not possible as

Cryptographic Key Infrastructure Goal: bind identity to key Classical: not possible as all keys are shared Use protocols to agree on a shared key (see earlier) Public key: bind identity to public key Crucial as people will

690 views • 41 slides
Peer-to-Peer Networks 14 Security Christian Schindelhauer Technical Faculty Computer-Networks

Peer-to-Peer Networks 14 Security Christian Schindelhauer Technical Faculty Computer-Networks

Peer-to-Peer Networks 14 Security Christian Schindelhauer Technical Faculty Computer-Networks and Telematics University of Freiburg Free-Net Ian Clarke, Oskar Sandberg, Brandon Wiley, Theodore Hong, 2000 Goal - peer-to-peer network -

746 views • 36 slides
S ecurit e des protocoles cryptographiques : aspects logiques et calculatoires Mathieu

S ecurit e des protocoles cryptographiques : aspects logiques et calculatoires Mathieu

Introduction Symbolic analysis Constraint solving Computational justification Conclusion S ecurit e des protocoles cryptographiques : aspects logiques et calculatoires Mathieu Baudet Laboratoire Sp ecification et V erification

963 views • 58 slides
machine learning JOE GARDINER (@THECYBERJOE) Who am I? Final year PhD student at Lancaster

machine learning JOE GARDINER (@THECYBERJOE) Who am I? Final year PhD student at Lancaster

Tricking binary trees: The (in)security of machine learning JOE GARDINER (@THECYBERJOE) Who am I? Final year PhD student at Lancaster University President Lancaster University Ethical Hacking Group (LUHack) Joining University of

1.41k views • 65 slides
Strong Cryptography from Weak Secrets Building Efficient PKE and IBE from Distributed Passwords

Strong Cryptography from Weak Secrets Building Efficient PKE and IBE from Distributed Passwords

Distributed Cryptography Distributed Password Public-Key Cryptography The Decision-Linear Case Strong Cryptography from Weak Secrets Building Efficient PKE and IBE from Distributed Passwords Xavier Boyen 1 Cline Chevalier 2 Georg Fuchsbauer 3

680 views • 36 slides

More recommend