on the provable security of the dragonfly protocol
play

On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 - PowerPoint PPT Presentation

Mar 04, 2024 •257 likes •915 views

PAKEs Dragonfly Results Conclusion On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1 Interdisciplinary Centre for Security, Reliability and Trust University of Luxembourg ISC 2015 1 / 18 PAKEs

  1. PAKEs Dragonfly Results Conclusion On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan Škrobot 1 1 Interdisciplinary Centre for Security, Reliability and Trust University of Luxembourg ISC 2015 1 / 18

  2. PAKEs Dragonfly Results Conclusion Outline 1. PAKEs 2. Dragonfly 3. Results 4. Conclusion 2 / 18

  3. PAKEs Dragonfly Results Conclusion Intro Password Authenticated Key Exchange PAKE Problem: 3 / 18

  4. PAKEs Dragonfly Results Conclusion Intro Password Authenticated Key Exchange PAKE Problem: ◮ Setup: Shared low-entropy secret (password) 3 / 18

  5. PAKEs Dragonfly Results Conclusion Intro Password Authenticated Key Exchange PAKE Problem: ◮ Setup: Shared low-entropy secret (password) ◮ Goal: High-entropy session key 3 / 18

  6. PAKEs Dragonfly Results Conclusion Intro Password Authenticated Key Exchange PAKE Problem: ◮ Setup: Shared low-entropy secret (password) ◮ Goal: High-entropy session key ◮ Without PKI 3 / 18

  7. PAKEs Dragonfly Results Conclusion Intro Password Authenticated Key Exchange PAKE Problem: ◮ Setup: Shared low-entropy secret (password) ◮ Goal: High-entropy session key ◮ Without PKI ◮ Only password for authentication 3 / 18

  8. PAKEs Dragonfly Results Conclusion Intro Password Authenticated Key Exchange PAKE Problem: ◮ Setup: Shared low-entropy secret (password) ◮ Goal: High-entropy session key ◮ Without PKI ◮ Only password for authentication ◮ Prevent offline-dictionary attacks 3 / 18

  9. PAKEs Dragonfly Results Conclusion Intro Password Authenticated Key Exchange PAKE Problem: ◮ Setup: Shared low-entropy secret (password) ◮ Goal: High-entropy session key ◮ Without PKI ◮ Only password for authentication ◮ Prevent offline-dictionary attacks ◮ Limit online-guessing attacks 3 / 18

  10. PAKEs Dragonfly Results Conclusion Intro Design Techniques Typical approaches for designing efficient PAKEs in (ROM): 4 / 18

  11. PAKEs Dragonfly Results Conclusion Intro Design Techniques Typical approaches for designing efficient PAKEs in (ROM): 1. "EKE-style" E pw ( g x ) − − − − − − − − − − → E pw ( g y ) ← − − − − − − − − − − 4 / 18

  12. PAKEs Dragonfly Results Conclusion Intro Design Techniques Typical approaches for designing efficient PAKEs in (ROM): 1. "EKE-style" E pw ( g x ) − − − − − − − − − − → E pw ( g y ) ← − − − − − − − − − − 2. "SPEKE-style" ( H ( pw )) x − − − − − − − − − − → ( H ( pw )) y ← − − − − − − − − − − 4 / 18

  13. PAKEs Dragonfly Results Conclusion Intro Design Techniques Typical approaches for designing efficient PAKEs in (ROM): 1. "EKE-style" E pw ( g x ) − − − − − − − − − − → E pw ( g y ) ← − − − − − − − − − − 2. "SPEKE-style" ( H ( pw )) x − − − − − − − − − − → ( H ( pw )) y ← − − − − − − − − − − 3. "J-PAKE-style" ( D 1 ) xpw , π 1 − − − − − − − − − − → ( D 2 ) ypw , π 2 ← − − − − − − − − − − 4 / 18

  14. PAKEs Dragonfly Results Conclusion Security Models Security Models for PAKE PAKE Security Models: 5 / 18

  15. PAKEs Dragonfly Results Conclusion Security Models Security Models for PAKE PAKE Security Models: 1. Indistinguishability-Based Model [BR93,95] ◮ Find-then-Guess [BPR00] ◮ Real-or-Random [AFP05] 5 / 18

  16. PAKEs Dragonfly Results Conclusion Security Models Security Models for PAKE PAKE Security Models: 1. Indistinguishability-Based Model [BR93,95] ◮ Find-then-Guess [BPR00] ◮ Real-or-Random [AFP05] 2. Simulation-Based Model [S99] ◮ Modified Shoup’s model [BMP00] ◮ Plain model PAKEs [GL01] 5 / 18

  17. PAKEs Dragonfly Results Conclusion Security Models Security Models for PAKE PAKE Security Models: 1. Indistinguishability-Based Model [BR93,95] ◮ Find-then-Guess [BPR00] ◮ Real-or-Random [AFP05] 2. Simulation-Based Model [S99] ◮ Modified Shoup’s model [BMP00] ◮ Plain model PAKEs [GL01] 3. Universal Composability Model [CK02] ◮ UC for PAKE [CHKLM05] 5 / 18

  18. PAKEs Dragonfly Results Conclusion Security Models Security Models for PAKE PAKE Security Models: 1. Indistinguishability-Based Model [BR93,95] ◮ Find-then-Guess [BPR00] ◮ Real-or-Random [AFP05] 2. Simulation-Based Model [S99] ◮ Modified Shoup’s model [BMP00] ◮ Plain model PAKEs [GL01] 3. Universal Composability Model [CK02] ◮ UC for PAKE [CHKLM05] 5 / 18

  19. PAKEs Dragonfly Results Conclusion Indistinguishability-Based Model for PAKEs Find-then-Guess BPR Model Queries available to PPT adversary A : Send( U i , M ) - message exchange ◮ Send ◮ Execute Execute( C i , S j ) - eavesdropping ◮ Reveal Reveal( U i ) - leakage of the session key ◮ Corrupt Corrupt( U ) - leakage of the long term secret* Test( U i ) - semantic security of the session key ◮ Test 6 / 18

  20. PAKEs Dragonfly Results Conclusion Indistinguishability-Based Model for PAKEs Find-then-Guess BPR Model Queries available to PPT adversary A : Send( U i , M ) - message exchange ◮ Send ◮ Execute Execute( C i , S j ) - eavesdropping ◮ Reveal Reveal( U i ) - leakage of the session key ◮ Corrupt Corrupt( U ) - leakage of the long term secret* Test( U i ) - semantic security of the session key ◮ Test What security means in BPR model? 6 / 18

  21. PAKEs Dragonfly Results Conclusion Indistinguishability-Based Model for PAKEs Find-then-Guess BPR Model Queries available to PPT adversary A : Send( U i , M ) - message exchange ◮ Send ◮ Execute Execute( C i , S j ) - eavesdropping ◮ Reveal Reveal( U i ) - leakage of the session key ◮ Corrupt Corrupt( U ) - leakage of the long term secret* Test( U i ) - semantic security of the session key ◮ Test What security means in BPR model? Definition Protocol P is forward secure PAKE if for all PPT adversaries A making at most n se online attempts, where N is the size of the dictionary and C is a constant ( A ) ≤ C · n se Adv ake Adv + ε . (1) P N 6 / 18

  22. PAKEs Dragonfly Results Conclusion The Dragonfly Protocol Motivation Why Dragonfly? 7 / 18

  23. PAKEs Dragonfly Results Conclusion The Dragonfly Protocol Motivation Why Dragonfly? ◮ Submitted for standard in IETF (patent free) ◮ Dragonfly PAKE ◮ PSK (PWD) for IKE - RFC 6617 (Experimental), 2012 ◮ EAP-PWD - RFC 5931 (Informational), 2010 ◮ TLS-PWD 7 / 18

  24. PAKEs Dragonfly Results Conclusion The Dragonfly Protocol Motivation Why Dragonfly? ◮ Submitted for standard in IETF (patent free) ◮ Dragonfly PAKE ◮ PSK (PWD) for IKE - RFC 6617 (Experimental), 2012 ◮ EAP-PWD - RFC 5931 (Informational), 2010 ◮ TLS-PWD ◮ Fully symmetric (no strict roles) 7 / 18

  25. PAKEs Dragonfly Results Conclusion The Dragonfly Protocol Motivation Why Dragonfly? ◮ Submitted for standard in IETF (patent free) ◮ Dragonfly PAKE ◮ PSK (PWD) for IKE - RFC 6617 (Experimental), 2012 ◮ EAP-PWD - RFC 5931 (Informational), 2010 ◮ TLS-PWD ◮ Fully symmetric (no strict roles) ◮ Follows SPEKE design approach 7 / 18

  26. PAKEs Dragonfly Results Conclusion The Dragonfly Protocol Motivation Why Dragonfly? ◮ Submitted for standard in IETF (patent free) ◮ Dragonfly PAKE ◮ PSK (PWD) for IKE - RFC 6617 (Experimental), 2012 ◮ EAP-PWD - RFC 5931 (Informational), 2010 ◮ TLS-PWD ◮ Fully symmetric (no strict roles) ◮ Follows SPEKE design approach ◮ Without security proof 7 / 18

  27. PAKEs Dragonfly Results Conclusion The Dragonfly Protocol Motivation Why Dragonfly? ◮ Submitted for standard in IETF (patent free) ◮ Dragonfly PAKE ◮ PSK (PWD) for IKE - RFC 6617 (Experimental), 2012 ◮ EAP-PWD - RFC 5931 (Informational), 2010 ◮ TLS-PWD ◮ Fully symmetric (no strict roles) ◮ Follows SPEKE design approach ◮ Without security proof ◮ Stirred some controversy 7 / 18

  28. PAKEs Dragonfly Results Conclusion The Dragonfly Protocol Dragonfly draft specifications Client Server Initialization Public: G , p , q ; H 0 , H 2 : { 0 , 1 } ∗ → { 0 , 1 } k ; H 1 : { 0 , 1 } ∗ → { 0 , 1 } 2 k ; π ∈ Passwords ; seed := H 0 ( C, S, π, c ) max,min ; PW := H & P ( seed, l 1 ). m 1 , r 1 ← Z q m 2 , r 2 ← Z q s 1 := r 1 + m 1 s 2 := r 2 + m 2 E 1 := PW − m 1 E 2 := PW − m 2 C, E 1 , s 1 S, E 2 , s 2 abort if ¬ Good( E 2 , s 2 ) abort if ¬ Good( E 1 , s 1 ) σ := ( PW s 2 × E 2 ) r 1 σ := ( PW s 1 × E 1 ) r 2 kck | sk C := H 1 ( σ, l 2 ) kck | sk S := H 1 ( σ, l 2 ) κ := H 2 ( kck, C, s 1 , s 2 , E 1 , E 2 ) τ := H 2 ( kck, S, s 2 , s 1 , E 2 , E 1 ) ˆ τ := H 2 ( kck, S, s 2 , s 1 , E 2 , E 1 ) ˆ κ := H 2 ( kck, C, s 1 , s 2 , E 1 , E 2 ) κ τ abort if τ � = ˆ τ abort if κ � = ˆ κ 8 / 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal Koblitz, Palash Sarkar) EUROCRYPT 2012 1 Provable security Goal: To prove that a protocol P is secure with respect to a computational problem or

1.32k views • 91 slides
Goals Understand use of Dragonfly from game Dragonfly programmers perspective Mostly,

Goals Understand use of Dragonfly from game Dragonfly programmers perspective Mostly,

2/7/2012 Goals Understand use of Dragonfly from game Dragonfly programmers perspective Mostly, Project 1 Provide overview of Dragonfly architecture Class diagrams Discuss details needed to fully implement Dragonfly classes

900 views • 42 slides
The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Lets focus on what provable security is trying to do. Lets not get distracted by current

623 views • 9 slides
Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Bart Preneel September 2007 Cryptographic Algorithm Engineering and Provable Security Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher Basic concepts Foundations of Security Analysis and

958 views • 31 slides
Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de Chile Advanced Crypto School, Florian opolis October 17, 2013 1/77 Introduction to Cryptography Part I

1.15k views • 99 slides
Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David Pointcheval Ecole normale suprieure France Summary Summary The Methodology of Provable Security Complexity Assumptions

351 views • 24 slides
Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2

Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2

Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2 Yassine Lakhnech 3 Santiago Zanella Beguelin 1 1 IMDEA Software, Madrid, Spain 2 INRIA Sophia Antipolis - Mditerrane, France 2 VERIMAG, CNRS

675 views • 14 slides
Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada CANS 2013 Nov 20, 2013 1 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM Galois/Counter Mode (GCM)

957 views • 56 slides
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

1.62k views • 92 slides
Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security

Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security

Dragonblood : Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen Background: Wi-Fi Security 1999: Wired Equivalent Privacy (WEP) RC4 with 40 (!) or 104 bits key Broken in 2001 [FMS01] Deprecated 2004 2

1.58k views • 105 slides
Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David

Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David

Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David Pointcheval Dpartement dInformatique ENS - CNRS David.Pointcheval@ens.fr http://www.di.ens.fr/~pointche Overview Overview Provable

365 views • 21 slides
Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Summary Summary Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security Asymmetric Encryption Rennes January 2004 New Schemes Joint work with Duong Hieu Phan David Pointcheval David Pointcheval

638 views • 8 slides
AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated

AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated

1. Why we created AEZ AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated Encryption 5. Components FF0 and EME4 by Enciphering 6. AEZ Extensions Viet Tung Hoang Ted Krovetz

721 views • 31 slides
Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Outline Introduction Preliminaries Impossible differential Conclusion Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation Linear Cryptanalysis Jian Guo Nanyang Technological University, Singapore

796 views • 51 slides
Transport Layer Security The TLS Protocol Transport Layer Security (TLS) Security goals:

Transport Layer Security The TLS Protocol Transport Layer Security (TLS) Security goals:

IN3210 Network Security Transport Layer Security The TLS Protocol Transport Layer Security (TLS) Security goals: Authentication Integrity Confidentiality Transparent security protocol between TCP and application

1k views • 66 slides
Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH

Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH

Provable Security Meets the Real World Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH Binary Packet Protocol IPsec MAC-then-Encrypt Lessons learned? 2 Outline RSA encryption in PKCS#1

948 views • 61 slides
CHILD INJURY SUMMIT II Mohan Rao Tuesday, May 13, 2014 Child Injury Summit II 13 May 2014

CHILD INJURY SUMMIT II Mohan Rao Tuesday, May 13, 2014 Child Injury Summit II 13 May 2014

Visible changes for a healthy future CHILD INJURY SUMMIT II Mohan Rao Tuesday, May 13, 2014 Child Injury Summit II 13 May 2014 Presentation outline Brief overview of 2007 - 2009 findings Scope for 2010 - 2012 dataset analysis

553 views • 29 slides
ASX ANNOUNCEMENT 28 November 2018 MANAGING DIRECTORS PRESENTATION ANNUAL GENERAL MEETING

ASX ANNOUNCEMENT 28 November 2018 MANAGING DIRECTORS PRESENTATION ANNUAL GENERAL MEETING

ASX ANNOUNCEMENT 28 November 2018 MANAGING DIRECTORS PRESENTATION ANNUAL GENERAL MEETING 2018 Please find attached Managing Director John Hoedemakers presentation to shareholders at todays Annual General Meeting. - END- Further

441 views • 16 slides
Me rg e r with Co mmunity Ba nk F e b rua ry 26, 2018 c b b a nk.c o m F o rwa rd L o o king

Me rg e r with Co mmunity Ba nk F e b rua ry 26, 2018 c b b a nk.c o m F o rwa rd L o o king

Me rg e r with Co mmunity Ba nk F e b rua ry 26, 2018 c b b a nk.c o m F o rwa rd L o o king Sta te me nts Certain matters set forth herein (including the exhibits hereto) constitute forward-looking statements within the meaning of the

732 views • 25 slides
Birds of Different Feathers Improving Work Relationships Personal Work Style Assessment Rank

Birds of Different Feathers Improving Work Relationships Personal Work Style Assessment Rank

Birds of Different Feathers Improving Work Relationships Personal Work Style Assessment Rank each Row with a 4-1 Name:______________ PERSONAL WORK STYLE ASSESSMENT 4 most like me 1. Rank each row using the scale at the right. 3 a lot

584 views • 21 slides
Introducing Stet the frog & Drago the dragonfly Drago did you know that Rotoruas

Introducing Stet the frog & Drago the dragonfly Drago did you know that Rotoruas

Introducing Stet the frog & Drago the dragonfly Drago did you know that Rotoruas Water Supply is from springs? Wow thats why its so clean! Then what happens after people use it? PUMP STATION & TREATMENT Well Drago.

364 views • 13 slides
MONITORING the ODONATA of CYPRUS Dr. David Sparrow Rosalyn Sparrow Quick facts on Odonates

MONITORING the ODONATA of CYPRUS Dr. David Sparrow Rosalyn Sparrow Quick facts on Odonates

MONITORING the ODONATA of CYPRUS Dr. David Sparrow Rosalyn Sparrow Quick facts on Odonates Odonata (Greek: toothed one): one of the oldest orders of flying insects Two suborders : Anisoptera (true dragonflies) &

682 views • 32 slides
PRESENTER OUTLINE Edward Schmalfeld II, P.E. PRESENTER OVERVIEW Owner of Dragonfly

PRESENTER OUTLINE Edward Schmalfeld II, P.E. PRESENTER OVERVIEW Owner of Dragonfly

11/18/2019 MISSISSIPPI SWANA DRONES & SOLID WASTE Presented By: Edward Schmalfeld, P.E. PRESENTER OUTLINE Edward Schmalfeld II, P.E. PRESENTER OVERVIEW Owner of Dragonfly AeroSolutions Headquartered in Jacksonville, Florida

287 views • 8 slides
Applying Robotic Satellite Servicing Technologies to On-Orbit Servicing, Assembly, and

Applying Robotic Satellite Servicing Technologies to On-Orbit Servicing, Assembly, and

Applying Robotic Satellite Servicing Technologies to On-Orbit Servicing, Assembly, and Manufacturing (OSAM) Robotic Assembly for In-Space Assembly Workshop ICRA 2019 May 23, 2018 National Space Strategy 2018 Priorities Transforming to

245 views • 11 slides

More recommend