Lecture 11: Strong Passwords
• problem statement
• Lamport’s hash
• encrypted key exchange (EKE)
• secure credentials download

Strong Password Protocols
• Obtaining the benefits of cryptographic authentication with the user being able to remember passwords only
• in particular:
– no security information is kept at the user’s machine (the machine is trusted but not configured)
– someone impersonating either party will not be able to obtain information for off-line password guessing (online password guessing is not preventable)

Lamport’s Hash
• Bob stores <username, n, h^n(password)>, n is a relatively large number, like 1000
• Alice’s workstation sends h^{n-1}(password)
• if successful, n is decremented, h^{n-1} replaces h^n in Bob’s database
[Figure: message flow among Alice, Alice’s terminal and Bob, with regions labeled “trusted” and “not trusted”. Messages shown: “Alice, password”; “Alice”; n; h^{n-1}(password)]
• why is the sequence of hash transmissions reversed?
properties:
• safe against eavesdropping, database reading
• no authentication of Bob

Salting Lamport’s Hash
• h^{n-1}(pwd|salt) is used for authentication
• salt is stored at Bob’s at setup time, Bob sends salt each time along with n
• advantages:
– Alice can use the same password with multiple servers, why?
• what may happen if two servers pick the same salt?
– to ensure that the salt is different, the server’s name is also hashed in
– easy password reset (when n reaches 1) – just change the salt
– defense against dictionary attacks
• how would Trudy mount a dictionary attack without the salt?

Lamport’s Hash: Other Properties
• small n attack
– when Alice tries to log in, Trudy impersonates Bob and sends n’ < n and Bob’s salt; when Trudy gets the reply she can impersonate Alice after n is decremented to n’
– defense: Alice’s workstation presents submitted n to Alice to verify the “approximate” range (Alice has to remember it)
• “human and paper” environment
– in case Alice’s workstation is not trusted or too “dumb” to do hashing
– Alice is given a list of all hashes starting from 1000, she uses each hash exactly once
• automatically prevents small n attack
• string size – 64 bits (~10 characters) is secure enough
• implemented as S/Key and standardized as one-time password system
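
The salted Lamport scheme from the three slides above, as an added example that is not part of the lecture: Bob stores only <n, salt, h^n(pwd|salt|server)>, accepts h^{n-1}, and Alice's workstation applies the small n defense. SHA-256 as h, the "|" byte layout, and the names `Bob`, `workstation_reply`, `expected_n` and `slack` are assumptions made for the example.

```python
import hashlib
import hmac

def h_iter(data: bytes, n: int) -> bytes:
    """h^n(data), with SHA-256 standing in for h (assumption)."""
    for _ in range(n):
        data = hashlib.sha256(data).digest()
    return data

def seed(pwd: str, salt: bytes, server: str) -> bytes:
    # pwd | salt | server name; the "|" byte layout is an assumption
    return b"|".join([pwd.encode(), salt, server.encode()])

class Bob:
    """Server: keeps only <n, salt, h^n(pwd|salt|server)> per user."""
    def __init__(self, name: str):
        self.name, self.db = name, {}

    def enroll(self, user, pwd, salt, n=1000):
        self.db[user] = (n, salt, h_iter(seed(pwd, salt, self.name), n))

    def challenge(self, user):
        n, salt, _ = self.db[user]
        return n, salt

    def verify(self, user, reply: bytes) -> bool:
        n, salt, stored = self.db[user]
        # at n == 1 the reply would be the unhashed seed: force a reset instead
        if n <= 1 or not hmac.compare_digest(h_iter(reply, 1), stored):
            return False
        self.db[user] = (n - 1, salt, reply)  # h^{n-1} replaces h^n
        return True

def workstation_reply(pwd, server, n, salt, expected_n, slack=3):
    """Alice's side; refuses an n outside the range she expects."""
    if not expected_n - slack <= n <= expected_n:
        raise ValueError("n outside expected range (small n attack?)")
    return h_iter(seed(pwd, salt, server), n - 1)

if __name__ == "__main__":
    bob = Bob("bob.example")                       # constructed sample data
    bob.enroll("alice", "correct horse", b"salt-1")
    n, salt = bob.challenge("alice")
    r = workstation_reply("correct horse", bob.name, n, salt, expected_n=1000)
    print("login:", bob.verify("alice", r))        # accepted, n becomes 999
    print("replay:", bob.verify("alice", r))       # eavesdropped value rejected
```
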

Encryption-with-Password Protocols
problems:
• dictionary attack, how?
• server database disclosure
[Figure: message exchange between Alice and Bob, who share weak secret W = f(pwd). Messages shown: “Alice”; challenge C; W{C}]

Encrypted Key Exchange (EKE)
• what’s encrypted by the weak key is g^a, g^b (which look like random numbers) – a straightforward dictionary attack is impossible
[Figure: message exchange between Alice and Bob. Messages shown: “Alice”, W{g^a mod p}; W{g^b mod p, C_A}; K_AB{C_A, C_B}; K_AB{C_A}. Annotation: can compute K_AB = g^{ab} mod p]

Augmented EKE
• EKE vulnerable to database disclosure since Bob stores W in clear
– what’s the possible attack?
• defense: Augmented EKE
– Alice knows the password, Bob knows a one-way hash of it
– Bob stores: g^W mod p
[Figure: message exchange between Alice and Bob. Messages shown: “Alice”, g^a mod p; g^b mod p, H(g^{ab} mod p, g^{bW} mod p); H’(g^{ab} mod p, g^{bW} mod p)]

Secure Credentials Download
• credential: Y – quantity used for authorization (to prove one’s identity) – something like a private key
• problem: download Alice’s credential to Alice’s workstation when Alice only knows her password
[Figure: message exchange between Alice and Bob; Bob stores “Alice”, W, Y. Messages shown: “Alice”, W{g^a mod p}; g^b mod p, (g^{ab} mod p){Y}]