1

Lecture 11: Strong Passwords

• problem statement• Lamport’s hash• encrypted key exchange (EKE)• secure credentials download

2

Strong Password Protocols

• Obtaining the benefits of cryptographic authentication with the user being able to remember passwords only

• in particular:– no security information is kept at the user’s machine (the machine

is trusted but not configured)– someone impersonating either party will not be able to obtain

information for off-line password guessing (online password guessing is not preventable)

3

Lamport’s Hash• Bob stores <username, n, hn(password)>, n is a relatively large

number, like 1000• Alice’s workstation sends hn-1(password)• if successful, n is decremented, hn-1 replaces hn in Bob’s database

Alic

eB

ob

Alice, password

n

hn-1(password)A

lice’

s

term

inal

Alice

trusted not trusted

• why is sequence of hash transmissions reverse?properties:• safe against eavesdropping, database reading• no authentication of Bob

4

Salting Lamport’s Hash• hn-1(pwd|salt) is used for authentication• salt is stored at Bob’s at setup time, Bob sends salt each time along

with n• advantages:

– Alice can use the same password with multiple servers, why?• what may happen if two servers pick the same salt?

– to ensure that the salt is different, servers name is also hashed in

– easy password reset (when reaches 1) – just change the salt– defense dictionary attacks

• how would Trudy mount a dictionary attack without the salt?

5

Lamport’s Hash: Other Properties• small n attack

– when Alice tries to login Trudy impersonates Bob and sends n’ < n and Bob’s salt, when Trudy gets the reply she can impersonate Alice after n is decremented to n’

– defense: Alice’s workstation presents submitted n to Alice to verify the “approximate” range (Alice has to remember it)

• “human and paper” environment– in case Alice workstation is not trusted or too “dumb” to do

hashing– Alice is given a list of all hashes starting from 1000, she uses

each hash exactly once• automatically prevents small n attack• string size – 64 bits (~10 characters) is secure enough

• implemented as S/Key and standardized as one-time password system

6

Encryption-with-Password Protocols

problems:• dictionary attack, how?• server database disclosure

Alic

eB

ob

“Alice”

challenge C

W{C}

share weak secret W = f(pwd)

9

Encrypted Key Exchange (EKE)• what’s encrypted by weak key is ga, gb (which looks like a

random number) – straightforward dictionary attack is impossible

Alic

eB

ob

“Alice”, W{ga mod p}

can compute KAB = gab mod p

KAB{CA, CB}

KAB{CA}

W{gb mod p, CA}

10

Augmented EKE• EKE vulnerable to database disclosure since Bob stores W in clear

– what’s the possible attack?• defense: Augmented EKE – Alice knows the password, Bob knows a one-way hash

of it– Bob stores: gW mod p

Alic

eB

ob

“Alice”, ga mod p

gb mod p, H(gab mod p, gbW mod p)

H’(gab mod p, gbW mod p)

11

Secure Credentials Download

• credential: Y – quantity used for authorization (to prove one’s identity) – something like a private key

• problem: download Alice’s credential to Alice’s workstation when Alice only knows her password

Alic

e

Bo

b

“Alice”, W{ga mod p}

gb mod p, (gab mod p){Y}stores “Alice”, W, Y