outline password based authenticated key exchange
play

Outline Password-based Authenticated Key Exchange Password-based - PowerPoint PPT Presentation

May 20, 2023 •805 likes •927 views

PAKE Game-based Security Universal Composability LAKE Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1 David Pointcheval Ecole Normale Sup erieure Game-based Security 2 Universal

  1. PAKE Game-based Security Universal Composability LAKE Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1 David Pointcheval Ecole Normale Sup´ erieure Game-based Security 2 Universal Composability 3 Language-based Authenticated Key Exchange 4 PKC 2012 Darmstadt, Germany May 22nd, 2012 ´ Ecole Normale Sup´ erieure David Pointcheval 2/40 PAKE Game-based Security Universal Composability LAKE PAKE Game-based Security Universal Composability LAKE Introduction Introduction Key Exchange Protocols Diffie-Hellman Key Exchange A fundamental problem in cryptography: The classical Diffie-Hellman protocol allows such a key exchange: Enable secure communication over insecure channels in a finite cyclic group G , of prime order p , with a generator g A common scenario: X $ $ ← Z p , X ← g x ← Z p , Y ← g y Users encrypt and authenticate their messages x − − − − − − − − − − − − − → y using a shared secret key Y K ← Y x = g xy K ← X y = g xy ← − − − − − − − − − − − − − m A m A No authentication provided − − − − − − → − − − − − − → Authenticated Key Exchange m B m B Semantic security / Implicit Authentication: ← − − − − − − ← − − − − − − the session key should be indistinguishable from a random string Alice Bob to all except the expected players How to obtain such a shared secret key? − → Key exchange protocols ´ ´ Ecole Normale Sup´ erieure David Pointcheval 3/40 Ecole Normale Sup´ erieure David Pointcheval 4/40

  2. PAKE Game-based Security Universal Composability LAKE PAKE Game-based Security Universal Composability LAKE Introduction A Case Study Authentication Techniques Electronic Passport Since 1998, some passports contain digital information on a chip. Asymmetric technique Standards are specified by ICAO Assume the existence of a public-key infrastructure (International Civil Aviation Organization) Each party holds a pair of secret and public keys In 2004, security introduced: 2-party and group settings encrypted communication between the chip and the reader access control: BAC (Basic Access Control) Symmetric technique The shared secret is on the MRZ Users share a random secret key (Machine Readable Zone) 2-party or server-based settings It has low entropy: at most 72 bits, Password-based technique but actually approx. 40 Users share a random low-entropy secret: password = ⇒ low-entropy shared secret: 2-party and group settings a password pw ´ ´ Ecole Normale Sup´ erieure David Pointcheval 5/40 Ecole Normale Sup´ erieure David Pointcheval 6/40 PAKE Game-based Security Universal Composability LAKE PAKE Game-based Security Universal Composability LAKE A Case Study Attacks BAC: Basic Access Control Off-line Dictionary Attacks The symmetric encryption and MAC keys are derived from pw As in the previous scenario, after having Passport Reader eavesdropped some (possibly many) transcripts r P $ $ ← { 0 , 1 } 64 ← { 0 , 1 } 64 − − − − − − − − − − − − − → r R , k R interacted (quite a few times) with players r P , k P C R ← Enc pw ( r R , r P , k R ) the adversary accumulates enough information C R , M R C P ← Enc pw ( r P , r R , k P ) ← − − − − − − − − − − − − − M R ← Mac pw ( C R ) to take the real password apart from the dictionary C P , M P efficient password-recovery after off-line exhaustive search M P ← Mac pw ( C P ) − − − − − − − − − − − − − → K ← k P ⊕ k R For the BAC: quite a few passive eavesdroppings are enough From a pair ( C R , M R ) , one can make an exhaustive search to recover the password! on the password pw to check the validity of the Mac M R How many active interactions could one enforce? After a few eavesdroppings only : password recovery What can we expect from a low-entropy secret? ´ ´ Ecole Normale Sup´ erieure David Pointcheval 7/40 Ecole Normale Sup´ erieure David Pointcheval 8/40

  3. PAKE Game-based Security Universal Composability LAKE PAKE Game-based Security Universal Composability LAKE Attacks Examples On-line Dictionary Attacks The Most Famous Examples On-line Dictionary Attacks In a finite group G , of prime order p , with key derivation function K The adversary interacts with a player, trying a password EKE: Encrypted Key Exchange [Bellovin–Merritt, 1992] In case of success: it has guessed the password $ $ ← Z p , X ← g x ← Z p , Y ← g y x y DH Key Exchange In case of failure: it tries again with another password X X ′ X ′ ← E pw ( X ) X ← D pw ( X ′ ) − − − − − − − − − − − − → with flows Y Y ′ If the dictionary has a size N , the adversary wins after N / 2 attempts Y ′ ← E pw ( Y ) Y ← D pw ( Y ′ ) ← − − − − − − − − − − − − encrypted under pw k ← Y x = g xy k ← X y = g xy K ← K ( A , B , X , Y , k ) K ← K ( A , B , X ′ , Y ′ , k ) In Practice This attack is unavoidable SPEKE: Simple Password Exponential Key Exchange [Jablon, 1996] If the failures for a target user can be detected: the impact can be limited by various techniques g ← G ( A , B , pw ) DH Key Exchange X $ $ ← Z p , X ← g x ← Z p , Y ← g y (limited number of failures, delays between attempts, . . . ) x − − − − − − − − − − − − → y with a basis Y k ← Y x = g xy k ← X y = g xy derived from pw ← − − − − − − − − − − − − If the failures cannot be detected (anonymity, no check, . . . ) the impact can be dramatic K ← K ( A , B , X , Y , k ) K ← K ( A , B , g , X , Y , k ) ´ ´ Ecole Normale Sup´ erieure David Pointcheval 9/40 Ecole Normale Sup´ erieure David Pointcheval 10/40 PAKE Game-based Security Universal Composability LAKE PAKE Game-based Security Universal Composability LAKE Examples Examples PACE: Password Authenticated Security Models Connection Establishment Game-based Security [Bellare–P.–Rogaway, 2000] Find-then-Guess The recent alternative to BAC is PACE: Real-or-Random [Abdalla–Fouque–P., 2005] Password Authenticated Connection Establishment Simulation-based Security [Boyko–MacKenzie–Patel, 2000] In the spirit of SPEKE: a generator derived from the password Universal Composability [Canetti–Halevi–Katz–Lindell–MacKenzie, 2005] With security analyses: Where PACE v1 [Bender–Fischlin–Kuegler, 2009] The adversary controls all the communications: PACE v2 It can create, modify, transfer, alter, delete messages [Coron–Gouget–Icart–Paillier, 2011] Users can participate in concurrent executions of the protocol Instances of the players are denoted A i and B j What does security really mean? On-line dictionary attack should be the best attack = ⇒ No adversary should win with probability greater than q S / N where q S = # Active Sessions and N = # Dictionary ´ ´ Ecole Normale Sup´ erieure David Pointcheval 11/40 Ecole Normale Sup´ erieure David Pointcheval 12/40

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IPAKE IPAKE Summary Summary Isomorphisms for Password-based Isomorphisms for Password-based

IPAKE IPAKE Summary Summary Isomorphisms for Password-based Isomorphisms for Password-based

IPAKE IPAKE Summary Summary Isomorphisms for Password-based Isomorphisms for Password-based Authenticated Key Exchange Authenticated Key Exchange Dario Catalano David Pointcheval Password-based CNRS-ENS France Authenticated Key

291 views • 5 slides
Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David

Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David

Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David Pointcheval CNRS, Ecole normale sup erieure/PSL & INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA David

319 views • 14 slides
A Scalable Password-based Group Key Exchange Protocol in the Standard Model David Pointcheval

A Scalable Password-based Group Key Exchange Protocol in the Standard Model David Pointcheval

A Scalable Password-based Group Key Exchange Protocol in the Standard Model David Pointcheval cole normale suprieure & CNRS Joint work with: Michel Abdalla Authenticated Key Exchange (AKE) Goal: Secure channel Allows two parties

283 views • 12 slides
Password Authenticated Key Agreement for Contactless Smart Cards Dennis Kgler 1 , Heike Neumann

Password Authenticated Key Agreement for Contactless Smart Cards Dennis Kgler 1 , Heike Neumann

Password Authenticated Key Agreement for Contactless Smart Cards Dennis Kgler 1 , Heike Neumann 2 , Sebastian Stappert 2 , Markus Ullmann 1 , Matthias Vgeler 2 1 Bundesamt fr Sicherheit in der Informationstechnik 2 NXP Semiconductors Outline

174 views • 16 slides
Authenticated Key Exchange from Ring Learning with Errors Jiang Zhang Zhenfeng Zhang Jintai

Authenticated Key Exchange from Ring Learning with Errors Jiang Zhang Zhenfeng Zhang Jintai

Learning with Errors Classic Key Exchange Lattice-based Key Exchange Authenticated Key Exchange from Ring Learning with Errors Jiang Zhang Zhenfeng Zhang Jintai Ding Michael Snook zgr Dagdelen DIMACS Workshop on the Mathematics of

339 views • 33 slides
Real-World Authenticated Key Exchange Tibor Jager Paderborn University Summer School on

Real-World Authenticated Key Exchange Tibor Jager Paderborn University Summer School on

Real-World Authenticated Key Exchange Tibor Jager Paderborn University Summer School on Real-World Crypto and Privacy ibenik, Croatia June 17 th , 2019 Outline Security of the Diffie-Hellman Key Exchange Man-in-the-Middle attacks

1.09k views • 85 slides
AKE via 2-key KEM Haiyang Xue, Xianhui Lu, Bao Li, Bei Liang Jingnan He Outline Authenticated

AKE via 2-key KEM Haiyang Xue, Xianhui Lu, Bao Li, Bei Liang Jingnan He Outline Authenticated

Understanding and Constructing AKE via 2-key KEM Haiyang Xue, Xianhui Lu, Bao Li, Bei Liang Jingnan He Outline Authenticated key exchange Motivations & our contributions AKE 2-key KEM AKE in a post quantum world

821 views • 36 slides
ALIKE: Authenticated Lightweight Key Exchange Sandrine Agagliate, GEMALTO Security Labs Outline:

ALIKE: Authenticated Lightweight Key Exchange Sandrine Agagliate, GEMALTO Security Labs Outline:

ALIKE: Authenticated Lightweight Key Exchange Sandrine Agagliate, GEMALTO Security Labs Outline: Context Description of ALIKE Generic description Full specification Security properties Chip Unforgeability and Channel Secrecy Underlying

400 views • 21 slides
Cryptanalysis of RLWE-Based One-Pass Authenticated Key Exchange Boru Gong, Yunlei Zhao Fudan

Cryptanalysis of RLWE-Based One-Pass Authenticated Key Exchange Boru Gong, Yunlei Zhao Fudan

Cryptanalysis of RLWE-Based One-Pass Authenticated Key Exchange Boru Gong, Yunlei Zhao Fudan University, China June 28, 2017 Boru Gong, Yunlei Zhao (Fudan) Cryptanalysis of RLWE-Based One-Pass AKE June 28, 2017 1 / 39 Outline 1 Introduction

601 views • 39 slides
CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva Authenticated key exchange 1

CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva Authenticated key exchange 1

Diffie-Hellman key exchange Secure against passive eavesdropping but insecure against a man-in-the-middle attack CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva Authenticated key exchange 1 2 Adding key

492 views • 5 slides
Privacy-Preserving Authenticated Key Exchange and the Case of IKEv2 Sven Schge, Jrg Schwenk,

Privacy-Preserving Authenticated Key Exchange and the Case of IKEv2 Sven Schge, Jrg Schwenk,

Privacy-Preserving Authenticated Key Exchange and the Case of IKEv2 Sven Schge, Jrg Schwenk, Sebastian Lauer Ruhr-University Bochum Classical Key Exchange Setting m1 Bob Alice m2 skA skB pkB pkA mq-1 mq derive K derive K 2

185 views • 18 slides
Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben

Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben

Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben Hamouda Olivier Blazy Cline Chevalier David Pointcheval Damien Vergnaud Horst Grtz Institute for IT Security / Ruhr-University Bochum ENS /

914 views • 45 slides
Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

ELmD Authenticated Encryption Scheme EME based Authenticated Encryption Schemes Comparative Study of ELmD with other EME based AEs Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul Nandi Indian

364 views • 20 slides
Is it too late for PAKE? John Engler (UC Berkeley) Chris Karlof Elaine Shi Dawn Song (Usable

Is it too late for PAKE? John Engler (UC Berkeley) Chris Karlof Elaine Shi Dawn Song (Usable

Is it too late for PAKE? John Engler (UC Berkeley) Chris Karlof Elaine Shi Dawn Song (Usable Security (PARC) (UC Berkeley) Systems) What is PAKE? Password Authenticated Key Exchange 1 Enter Password 2 Crypto

206 views • 9 slides
Password-Based Cryptography: Strong Security from Weak Secrets Anja Lehmann IBM Research

Password-Based Cryptography: Strong Security from Weak Secrets Anja Lehmann IBM Research

Password-Based Cryptography: Strong Security from Weak Secrets Anja Lehmann IBM Research Zurich based on joint work with Jan Camenisch, Anna Lysyanskaya & Gregory Neven ROADMAP Password-Based Authentication How to make password

1.43k views • 43 slides
Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier

Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier

Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier Chevassut Lawrence Berkeley National Lab August 2003 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Key Agreement and

299 views • 19 slides
KCI-based MitM Attacks against TLS Prying Open Pandoras Box Clemens Hlauschek, Markus Gruber,

KCI-based MitM Attacks against TLS Prying Open Pandoras Box Clemens Hlauschek, Markus Gruber,

KCI-based MitM Attacks against TLS Prying Open Pandoras Box Clemens Hlauschek, Markus Gruber, Florian Fankhauser, Christian Schanes BS(l)idesVienna 0x7df whoami [ haku@bsidesbox ] % getent passwd whoami | awk F :

684 views • 33 slides
Diffie-Hellman Key Exchange Source: Wikipedia ElGamal Key Generator Generate primes p and

Diffie-Hellman Key Exchange Source: Wikipedia ElGamal Key Generator Generate primes p and

Diffie-Hellman Key Exchange Source: Wikipedia ElGamal Key Generator Generate primes p and q as well as an element g Z p that generates the subgroup G q . Choose a random x from { 0 , . . . , q 1 } . Compute h = g x .

754 views • 7 slides
Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018 Introduction y 2 = x 3 + ax + b en.wikipedia.org/wiki/Elliptic curve Elliptic Curve Addition P = ( x p .y p ), Q = ( x q , y q ), R = ( x r .y r ) =

187 views • 16 slides
Special Topics in Cryptography Mohammad Mahmoody Last time How to combine CPA security +

Special Topics in Cryptography Mohammad Mahmoody Last time How to combine CPA security +

Special Topics in Cryptography Mohammad Mahmoody Last time How to combine CPA security + MACS: Security against active attacks CCA secure private-key encryption Today Public-key encryption and key-agreement RSA (PKE) and

358 views • 14 slides
Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a

Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a

Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a number of perspectives Today: authenticating users, services Agreeing on Secret Keys Without Prior Arrangement Diffie-Hellman Key Exchange

1.07k views • 73 slides
Outline CPSC 418/MATH 318 Introduction to Cryptography More Number Theory 1 Primitive Roots

Outline CPSC 418/MATH 318 Introduction to Cryptography More Number Theory 1 Primitive Roots

Outline CPSC 418/MATH 318 Introduction to Cryptography More Number Theory 1 Primitive Roots (Recall) Number Theory, Security and Efficiency of Diffie-Hellman, Hash Eulers Function Functions Security of Diffie-Hellman 2 Discrete Log

671 views • 7 slides
MA111: Contemporary mathematics Entrance Slip (due 5 min past the hour): For each problem give the

MA111: Contemporary mathematics Entrance Slip (due 5 min past the hour): For each problem give the

MA111: Contemporary mathematics Entrance Slip (due 5 min past the hour): For each problem give the standard representation of the answer. Try not to use a calculator. 2 1 (mod 11) 2 2 = 2 2 (mod 11) 2 4 = (2 2) (2 2) (mod 11) 2 8 = (2

467 views • 7 slides
Applications Mark Zhandry Stanford University Diffie-Hellman Key Exchange Exchange keys over

Applications Mark Zhandry Stanford University Diffie-Hellman Key Exchange Exchange keys over

Multilinear Maps and Their Applications Mark Zhandry Stanford University Diffie-Hellman Key Exchange Exchange keys over a public channel: Public group , generator , order (Potential) Hard Problems in Groups Discrete Log (DL):

621 views • 60 slides

More recommend