Password
Human beings:
– short keys, possibly used to generate longer keys
– dictionary attack: the adversary tries the most common keys first (cheap and rewarding against a large set of users, since one weak user is enough)
– Trojan horse: a program that captures the password as it is typed
– countermeasures: slow login, lock the account after several unsuccessful attempts
Computers:
– quality keys (long and not predictable)
– hidden: not stored in the clear (encrypted, or one-time passwords)
Password: problems
Eavesdropping: the adversary sniffs the line
• the password must not be sent in the clear
• the authentication exchange should be different each time (to avoid replay attacks)
Store passwords securely:
• the adversary may gain access to the database of passwords: never store passwords in the clear, store only an encrypted or one-way transformed form
Password: physical security - Unix
Idea: passwords are not stored; what is stored is data derived from the password. Let K be the key.
• Unix: store a modified DES encryption of the all-zero block 00...0 under the password K (crypt(3) iterates the cipher 25 times)
Problem: dictionary attack, since users' keys are predictable:
• an attacker who reads the password database has a high probability of finding at least one user with a weak password
• to increase security use a salt: store the encoding of 0000...0 computed with <random number>; the random number depends on the user and can be stored in the clear
• the salt increases the work for the attacker (one precomputed table no longer serves every user and every system) but does not solve the problem of weak user keys
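To make the salt argument concrete, the following added example (not from the original slides) simulates a stolen password file and an offline dictionary attack against it, with and without per-user salts. The users, passwords and dictionary are constructed for the demo, and iterated SHA-256 stands in for the DES-based crypt(3) so that the example runs with the standard library only. The work counter shows what the salt buys: the attacker must recompute the dictionary per distinct salt instead of once, while the same weak users fall either way.

```python
import hashlib
import os

ITERATIONS = 2000  # assumption: any slow one-way function will do for the demo


def crypt_like(password: str, salt: bytes) -> bytes:
    """Stand-in for Unix crypt(3): a one-way function of (password, salt).
    crypt(3) encrypted an all-zero block 25 times with DES keyed by the password,
    the 12-bit salt perturbing the cipher; iterated SHA-256 is used here instead."""
    x = salt + password.encode()
    for _ in range(ITERATIONS):
        x = hashlib.sha256(x).digest()
    return x


def build_password_file(users: dict, salted: bool) -> dict:
    """What the system stores per user: (salt, f(password, salt)). The salt is in the clear."""
    pwfile = {}
    for name, password in users.items():
        salt = os.urandom(4) if salted else b""
        pwfile[name] = (salt, crypt_like(password, salt))
    return pwfile


def dictionary_attack(pwfile: dict, dictionary: list):
    """Attacker who has read the password file. Returns (cracked users, hash computations).
    Without salt one table f(word) over the dictionary is compared against every user;
    with per-user salts the table has to be rebuilt for each distinct salt."""
    by_salt = {}
    for name, (salt, stored) in pwfile.items():
        by_salt.setdefault(salt, []).append((name, stored))
    cracked, work = {}, 0
    for salt, entries in by_salt.items():
        for word in dictionary:
            work += 1
            candidate = crypt_like(word, salt)
            for name, stored in entries:
                if candidate == stored:
                    cracked[name] = word
    return cracked, work


# Constructed sample data: two users with dictionary words, two with strong passwords.
USERS = {"root": "Tr0ub4dor&3xq!", "alice": "password", "bob": "letmein", "carol": "k9$Wq2#vLp8z"}
DICTIONARY = ["123456", "password", "qwerty", "letmein", "dragon"]

if __name__ == "__main__":
    for salted in (False, True):
        cracked, work = dictionary_attack(build_password_file(USERS, salted), DICTIONARY)
        print("salted=%s cracked=%s hash computations=%d" % (salted, sorted(cracked), work))
```

The unsalted run costs one hash per dictionary word for all four users; the salted run costs one per word per user, i.e. four times as much here and, for a real site, one full dictionary pass per account. Both runs recover exactly the two weak passwords, which is the slide's point: salt slows the attacker down but protects nobody who chose a dictionary word.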
Strong Password Protocols
• obtain the benefits of cryptographic authentication while the user only has to remember a password
• in particular:
– no security information is kept at the user's machine (the machine is trusted but not configured)
– someone impersonating either party must not be able to obtain information usable for off-line password guessing (on-line password guessing is not preventable, only rate-limited)
Lamport's Hash
• Bob stores <username, n, h^n(password)>; n is a relatively large number, like 1000
• Alice's workstation sends h^(n-1)(password)
• if successful, n is decremented and h^(n-1) replaces h^n in Bob's database
[figure: Alice types her password at her terminal (trusted); the terminal receives n from Bob and sends h^(n-1)(password) to Bob across the network (not trusted)]
• why are the hashes transmitted in reverse order? Because h is one-way: an eavesdropper who sees h^(n-1)(password) cannot compute the next value Bob will ask for, h^(n-2)(password). If n were incremented instead, anyone who saw h^n could compute h^(n+1) and log in next time, so incrementing does NOT work.
• safe against eavesdropping and against reading Bob's database (h^n gives nothing about h^(n-1))
• no authentication of Bob
Salting Lamport's Hash
• h^(n-1)(pwd|salt) is used for authentication
• the salt is stored at Bob's at setup time; Bob sends the salt along with n each time
• advantages:
– Alice can use the same password with multiple servers. Why? If the servers use different salts, the hash chains are different.
  Problem: what if two servers pick the same salt? To ensure the chains differ anyway, the server's name is hashed in as well.
– easy password reset (when n reaches 1): just change the salt
– defence against dictionary attacks: without the salt an attacker could compute the chains h^1000(word), h^999(word), ... once for every word in the dictionary and compare them against any server's database; with the salt (and server name) the whole computation has to be repeated per user
Lamport's Hash: Other Properties
• small n attack
– when Alice tries to log in, Trudy impersonates Bob and sends n' < n together with Bob's salt; from Alice's reply h^(n'-1) Trudy can compute every later chain value and impersonate Alice at each login until Bob's n has been decremented to n'
– defence: Alice's workstation displays the submitted n so that Alice can verify it is in the "approximate" expected range (Alice has to remember it)
• "human and paper" environment
– in case Alice's workstation is not trusted, or too "dumb" to do hashing
– Alice is given a printed list of all the hashes starting from h^999 down, and uses each hash exactly once, in order
– this automatically prevents the small n attack: Alice only ever hands out the next value on the list, never one for an n' far below the current n
• string size: 64 bits (about 10 printable characters) is secure enough
• implemented as S/Key and standardized as the One-Time Password system (RFC 2289)
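The three Lamport slides above (the basic chain, salting with the server name, and the small n attack with its defence) are exercised end to end in this added example, which is not part of the original course material. SHA-256 is used for h, n starts at 1000, and the salt and server name are hashed into the chain seed as the slides suggest; the range check in Alice's workstation is the "approximate range" defence. The attack function plays Trudy: one forged challenge n' and then as many fraudulent logins as the captured value allows.

```python
import hashlib
import os


def h(x: bytes) -> bytes:
    """The one-way function of the chain (SHA-256 here; the slides use a generic h)."""
    return hashlib.sha256(x).digest()


def hash_chain(seed: bytes, n: int) -> bytes:
    """h^n(seed): apply h n times (h^0 is the seed itself)."""
    for _ in range(n):
        seed = h(seed)
    return seed


def chain_seed(password: str, salt: bytes, server_name: str) -> bytes:
    """pwd | salt | server name: the salt lets one password serve several servers,
    the server name keeps the chains apart even if two servers pick the same salt."""
    return password.encode() + b"|" + salt + b"|" + server_name.encode()


class LamportServer:
    """Bob: stores <username, n, h^n(seed)> and never sees the password after setup."""

    def __init__(self, name: str, username: str, password: str, n: int = 1000):
        self.name = name
        self.salt = os.urandom(8)  # stored in the clear, sent with every challenge
        self.db = {username: (n, hash_chain(chain_seed(password, self.salt, name), n))}

    def challenge(self, username: str):
        n, _ = self.db[username]
        return n, self.salt

    def verify(self, username: str, response: bytes) -> bool:
        n, stored = self.db[username]
        if n <= 1:
            return False  # chain exhausted: reset with a new salt
        if h(response) != stored:
            return False
        self.db[username] = (n - 1, response)  # h^(n-1) replaces h^n
        return True


def alice_response(password: str, n: int, salt: bytes, server_name: str, last_n=None) -> bytes:
    """Alice's workstation answers challenge n with h^(n-1). The optional last_n check is
    the slides' defence against the small n attack: refuse an n far below the expected one."""
    if n < 2:
        raise ValueError("chain exhausted: h^0 would be the password itself")
    if last_n is not None and not (last_n - 2 <= n <= last_n):
        raise ValueError("challenge n=%d is not near the expected n=%d" % (n, last_n))
    return hash_chain(chain_seed(password, salt, server_name), n - 1)


def login(server: LamportServer, username: str, password: str, last_n=None) -> bool:
    n, salt = server.challenge(username)
    return server.verify(username, alice_response(password, n, salt, server.name, last_n))


def small_n_attack(server, username, password, n_prime: int, alice_last_n=None) -> int:
    """Trudy impersonates Bob once, sending n' < n with Bob's real salt, and captures
    h^(n'-1). She cannot go backwards (h is one-way) but she can go forwards, so she
    answers every challenge n >= n' until Bob's counter drops below n'.
    Returns the number of fraudulent logins that succeed."""
    try:
        captured = alice_response(password, n_prime, server.salt, server.name, alice_last_n)
    except ValueError:
        return 0  # Alice's workstation rejected the suspicious n'
    wins = 0
    while True:
        n, _ = server.challenge(username)
        if n - 1 < n_prime - 1:
            break  # Bob now wants h^(n-1) with n-1 < n'-1: not derivable from the capture
        forged = hash_chain(captured, (n - 1) - (n_prime - 1))
        if not server.verify(username, forged):
            break
        wins += 1
    return wins


if __name__ == "__main__":
    srv = LamportServer("bob.example", "alice", "correct horse")
    print("legitimate login:", login(srv, "alice", "correct horse"), "n is now", srv.db["alice"][0])
    srv = LamportServer("bob.example", "alice", "correct horse")
    print("small n attack, n'=990, no check:", small_n_attack(srv, "alice", "correct horse", 990), "logins")
    srv = LamportServer("bob.example", "alice", "correct horse")
    print("small n attack, Alice expects ~1000:", small_n_attack(srv, "alice", "correct horse", 990, 1000), "logins")
```

With n' = 990 against a fresh server at n = 1000 the capture h^989 lets Trudy answer eleven consecutive challenges (n = 1000 down to 990); with the range check enabled the forged challenge is refused and she gets nothing. The paper-list variant of the slides gives the same protection for free, since Alice crosses values off strictly in order.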
Authentication EKE: Encrypted Key Exchange
Problem: dictionary attacks are possible if weak keys (i.e. easily guessable passwords) are chosen
EKE:
• strong with respect to dictionary attacks
• mutual authentication
• defines a session key
Scenario:
• user and server share a secret key (the password)
• user and server use the password to authenticate each other and to define a session key (Diffie-Hellman)
Authentication EKE
1. let w = Hash(password)
2. let p be a prime and g a generator of Z_p^*
3. A → server: A, E_w(g^a mod p)
4. server → A: E_k(nonce-1), E_w(g^b mod p)
5. A → server: A, E_k(nonce-1, nonce-2)
6. server → A: E_k(nonce-2)
• session key k = g^(ab) mod p
Authentication EKE
EKE is strong against:
• replay attacks (a fresh a is chosen every time)
• dictionary attacks on the first message (step 3): even if the chosen password is weak, the random a means the attacker cannot compute or recognise g^a mod p, so a guess for w cannot be checked against E_w(g^a mod p)
• the nonce exchange (steps 4 to 6): authentication rests on the fact that only the two legitimate parties know the session key k
Note: if the attacker knows the password then clearly the attacker can act in place of A
Encryption-with-Password Protocols
Alice and Bob share a weak secret W = f(pwd)
Alice → Bob: "Alice"
Bob → Alice: challenge C
Alice → Bob: W{C}
Problems:
• dictionary attack: the adversary sees both C and W{C}, so every password guess can be checked offline
• server database disclosure (Bob stores W)
Encrypted Key Exchange (EKE)
• key establishment as well as authentication
– E_A and D_A: per-session public/private key pair
– K_AB: symmetric session key
Alice → Bob: "Alice", W{E_A}
Bob → Alice: W{E_A{K_AB}}, K_AB{C_A}
Alice → Bob: K_AB{C_A, C_B}
Bob → Alice: K_AB{C_B}
• one of the two W{.} may possibly be removed
• in that case, the non-encrypting side should not issue the first challenge. Why?
Encrypted Key Exchange (EKE)
• what is encrypted under the weak key is g^a mod p and g^b mod p, which look like random numbers
– a straightforward dictionary attack is impossible: decrypting W{g^a mod p} under a guessed W yields a number that cannot be told apart from the right one (this needs an encoding of g^a mod p without redundancy to test against, e.g. p close to a power of two)
Alice → Bob: "Alice", W{g^a mod p}
Bob → Alice: W{g^b mod p}, K_AB{C_A}
both can now compute K_AB = g^(ab) mod p
Alice → Bob: K_AB{C_A, C_B}
Bob → Alice: K_AB{C_B}
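The contrast between the encryption-with-password protocol and EKE, described on the slides above, is shown here as an added example that is not part of the original course material. It puts both protocols side by side on the same toy building blocks: a password-derived key w = Hash(password), a redundancy-free XOR "encryption" built on an HMAC keystream (so that decryption under a wrong key yields random-looking bytes, which is exactly what EKE needs from W{.}), and a toy Diffie-Hellman group with p = 2^127 - 1 (an assumption for the demo; a real deployment uses a standard safe-prime group). The offline dictionary attack works against W{C} because C is known; against the EKE transcript there is no known plaintext to test a guess against.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

P = 2**127 - 1  # toy prime (assumption): every 127-bit value is a plausible element
G = 3           # toy base (assumption)
NBYTES = 16


def keystream(key: bytes, label: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; the label separates the messages so that the
    weak key is never applied to the same keystream twice."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def enc(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy E_key{data}: XOR with the keystream (decryption is the same call). It adds no
    redundancy, so a wrong key gives random bytes rather than an error."""
    return bytes(x ^ k for x, k in zip(data, keystream(key, label, len(data))))


def pw_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()  # w = Hash(password)


def session_key(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(NBYTES, "big")).digest()  # k derived from g^ab mod p


# --- encryption-with-password protocol: challenge C, response W{C} ---
def challenge_response(password: str):
    """Returns what an eavesdropper sees: (C, W{C})."""
    c = os.urandom(NBYTES)
    return c, enc(pw_key(password), b"cr", c)


def crack_challenge_response(c: bytes, response: bytes, dictionary) -> Optional[str]:
    """Offline dictionary attack: C is known, so each guess is verifiable."""
    for guess in dictionary:
        if enc(pw_key(guess), b"cr", c) == response:
            return guess
    return None


# --- EKE, Diffie-Hellman variant of the slides ---
def eke(alice_password: str, bob_password: str) -> Optional[bytes]:
    """Runs the four messages. Returns the session key if mutual authentication
    succeeds, None otherwise. bob_password is what Bob's database holds for Alice."""
    w_alice, w_bob = pw_key(alice_password), pw_key(bob_password)
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1

    # 1. Alice -> Bob: "Alice", W{g^a mod p}
    m1 = enc(w_alice, b"m1", pow(G, a, P).to_bytes(NBYTES, "big"))

    # 2. Bob -> Alice: W{g^b mod p}, K{C_A}
    ga = int.from_bytes(enc(w_bob, b"m1", m1), "big")
    k_bob = session_key(pow(ga, b, P))
    c_a = os.urandom(NBYTES)
    m2 = (enc(w_bob, b"m2", pow(G, b, P).to_bytes(NBYTES, "big")), enc(k_bob, b"m2c", c_a))

    # 3. Alice -> Bob: K{C_A, C_B}
    gb = int.from_bytes(enc(w_alice, b"m2", m2[0]), "big")
    k_alice = session_key(pow(gb, a, P))
    c_b = os.urandom(NBYTES)
    m3 = enc(k_alice, b"m3", enc(k_alice, b"m2c", m2[1]) + c_b)

    # 4. Bob checks C_A (authenticates Alice) and answers K{C_B}
    plain = enc(k_bob, b"m3", m3)
    if not hmac.compare_digest(plain[:NBYTES], c_a):
        return None
    m4 = enc(k_bob, b"m4", plain[NBYTES:])

    # Alice checks C_B (authenticates Bob)
    if not hmac.compare_digest(enc(k_alice, b"m4", m4), c_b):
        return None
    return k_alice


if __name__ == "__main__":
    c, r = challenge_response("tiger")
    print("challenge-response cracked:", crack_challenge_response(c, r, ["lion", "tiger", "bear"]))
    print("EKE, matching passwords:", eke("correct horse", "correct horse") is not None)
    print("EKE, Bob holds a different password:", eke("correct horse", "wrong guess") is not None)
```

A wrong password on either side makes the two parties decrypt different g^a or g^b values, so they derive different keys and the C_A check fails; the eavesdropper is in the same position, since every guess for w turns m1 into some 128-bit number and there is no second quantity to compare it with.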
Augmented EKE
• EKE is vulnerable to database disclosure, since Bob stores W in the clear
– if Trudy reads Bob's database she obtains W, which is all she needs to impersonate Alice
• defence: Augmented EKE
– Alice knows the password; Bob knows only a one-way function of it
– Bob stores g^W mod p
Alice → Bob: "Alice", g^a mod p
Bob → Alice: g^b mod p, H(g^(ab) mod p, g^(bW) mod p)
Alice → Bob: H'(g^(ab) mod p, g^(bW) mod p)
– Alice computes g^(bW) as (g^b)^W from the password; Bob computes it as (g^W)^b from the stored value, so Bob never needs W itself
– caveat: a stolen g^W mod p still allows an offline dictionary attack (compute g^(W') for each guessed password and compare); what the augmentation removes is immediate impersonation of Alice from the stolen database
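The three messages of Augmented EKE, and the claim that a stolen database no longer lets Trudy pose as Alice, are worked through in this added example (not part of the original slides). The hash H and H' of the slide are realised as SHA-256 with a direction tag, W is the password hash reduced to an exponent, and the group is the same toy p = 2^127 - 1, g = 3 as before (an assumption for the demo, not a recommended group). The last function plays Trudy with a copy of g^W mod p but no password: she can compute g^(ab) but not g^(bW), and her best available substitute, (g^W)^a, is a different value.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy prime (assumption)
G = 3           # toy base (assumption)
NBYTES = 16


def password_exponent(password: str) -> int:
    """W: a one-way image of the password, used as an exponent in Z_p^*."""
    return int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % (P - 1) or 1


def register(password: str) -> int:
    """What Bob stores for Alice: g^W mod p, never W."""
    return pow(G, password_exponent(password), P)


def proof(tag: bytes, gab: int, gbw: int) -> bytes:
    """H (tag b'bob') and H' (tag b'alice') of the slides, as one tagged hash."""
    return hashlib.sha256(tag + gab.to_bytes(NBYTES, "big") + gbw.to_bytes(NBYTES, "big")).digest()


def bob_respond(stored_gw: int, ga: int):
    """Message 2: g^b mod p, H(g^ab, g^bW). Bob computes g^bW as (g^W)^b."""
    b = secrets.randbelow(P - 2) + 1
    gab = pow(ga, b, P)
    gbw = pow(stored_gw, b, P)
    return pow(G, b, P), proof(b"bob", gab, gbw), (gab, gbw)


def alice_finish(password: str, a: int, gb: int, bob_proof: bytes):
    """Message 3: H'(g^ab, g^bW). Alice computes g^bW as (g^b)^W from her password."""
    gab = pow(gb, a, P)
    gbw = pow(gb, password_exponent(password), P)
    if not hmac.compare_digest(bob_proof, proof(b"bob", gab, gbw)):
        return None  # Bob did not prove knowledge of g^W: abort
    return proof(b"alice", gab, gbw)


def augmented_eke(password: str, stored_gw: int) -> bool:
    """Full run: Alice -> Bob: g^a; Bob -> Alice: g^b, H(...); Alice -> Bob: H'(...)."""
    a = secrets.randbelow(P - 2) + 1
    gb, bob_proof, bob_state = bob_respond(stored_gw, pow(G, a, P))
    alice_proof = alice_finish(password, a, gb, bob_proof)
    return alice_proof is not None and hmac.compare_digest(alice_proof, proof(b"alice", *bob_state))


def impersonate_with_stolen_database(stored_gw: int) -> bool:
    """Trudy knows g^W (database disclosure) but not the password. Playing Alice she
    gets g^ab, but g^bW = (g^b)^W needs W; (g^W)^a = g^aW is not the same value."""
    a = secrets.randbelow(P - 2) + 1
    gb, bob_proof, bob_state = bob_respond(stored_gw, pow(G, a, P))
    gab = pow(gb, a, P)
    guess_gbw = pow(stored_gw, a, P)
    return hmac.compare_digest(proof(b"alice", gab, guess_gbw), proof(b"alice", *bob_state))


if __name__ == "__main__":
    gw = register("correct horse")
    print("right password:", augmented_eke("correct horse", gw))
    print("wrong password:", augmented_eke("wrong", gw))
    print("Trudy with stolen g^W:", impersonate_with_stolen_database(gw))
```

Note what the stolen value does and does not give Trudy: she cannot finish the protocol as Alice, but she can run register() over a dictionary offline and compare against g^W, so the augmentation does not make a weak password safe against database disclosure, it only removes the instant impersonation that plain EKE allowed.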