Lecture 11: Strong Passwords

Download Lecture 11: Strong Passwords

Post on 08-Feb-2016

39 views

Category:

Documents

0 download

DESCRIPTION

Lecture 11: Strong Passwords. problem statement Lamports hash encrypted key exchange (EKE) secure credentials download. Strong Password Protocols. Obtaining the benefits of cryptographic authentication with the user being able to remember passwords only in particular: - PowerPoint PPT Presentation

TRANSCRIPT

  • Lecture 11: Strong Passwordsproblem statementLamports hashencrypted key exchange (EKE)secure credentials download

  • Strong Password ProtocolsObtaining the benefits of cryptographic authentication with the user being able to remember passwords onlyin particular:no security information is kept at the users machine (the machine is trusted but not configured)someone impersonating either party will not be able to obtain information for off-line password guessing (online password guessing is not preventable)

  • Lamports HashBob stores , n is a relatively large number, like 1000Alices workstation sends hn-1(password)if successful, n is decremented, hn-1 replaces hn in Bobs databaseAliceBobAlice, passwordnhn-1(password)Alices terminalAlicetrustednot trusted why is sequence of hash transmissions reverse?properties: safe against eavesdropping, database reading no authentication of Bob

  • Salting Lamports Hashhn-1(pwd|salt) is used for authenticationsalt is stored at Bobs at setup time, Bob sends salt each time along with nadvantages:Alice can use the same password with multiple servers, why?what may happen if two servers pick the same salt? to ensure that the salt is different, servers name is also hashed ineasy password reset (when reaches 1) just change the saltdefense dictionary attackshow would Trudy mount a dictionary attack without the salt?

  • Lamports Hash: Other Propertiessmall n attackwhen Alice tries to login Trudy impersonates Bob and sends n < n and Bobs salt, when Trudy gets the reply she can impersonate Alice after n is decremented to ndefense: Alices workstation presents submitted n to Alice to verify the approximate range (Alice has to remember it)human and paper environmentin case Alice workstation is not trusted or too dumb to do hashingAlice is given a list of all hashes starting from 1000, she uses each hash exactly onceautomatically prevents small n attackstring size 64 bits (~10 characters) is secure enough implemented as S/Key and standardized as one-time password system

  • Encryption-with-Password Protocolsproblems:dictionary attack, how?server database disclosureAliceBobAlicechallenge CW{C}share weak secret W = f(pwd)

  • Enhanced with PKC:(EA&DA: per-session public/private key pair)

    Why not possible with secret key encryption?What is the weakness in this protocol?AliceBobAlice, W{EA}EA{C}W{C}share weak secret W = f(pwd)

  • Encrypted Key Exchange (EKE)key establishment as well as authenticationEA&DA: per-session public/private key pairKAB symmetric session keyone of the W{.} may possibly be removed.In that case, the non-encrypting side should not issue the first challenge, why?AliceBobAlice, W{EA}W{EA{KAB}}KAB{CA}KAB{CA, CB}KAB{CB}

  • Encrypted Key Exchange (EKE)whats encrypted by weak key is ga, gb (which looks like a random number) straightforward dictionary attack is impossibleAliceBobAlice, W{ga mod p}can compute KAB = gab mod pKAB{CA, CB}KAB{CA}W{gb mod p, CA}

  • Augmented EKEEKE vulnerable to database disclosure since Bob stores W in clearwhats the possible attack?defense: Augmented EKE Alice knows the password, Bob knows a one-way hash of itBob stores: gW mod p

  • Secure Credentials Downloadcredential: Y quantity used for authorization (to prove ones identity) something like a private keyproblem: download Alices credential to Alices workstation when Alice only knows her passwordAliceBobAlice, W{ga mod p}gb mod p, (gab mod p){Y}stores Alice, W, Y

    why is sequence of hash transmissions reverse? because hash is one-way, if Trudy sees hn-1(password) she will not be able to find hn-2(password)Alice can use the same password with multiple servers, why? if servers use different salt the hashes look differentwhat may happen if two servers pick the same salt? Trudy can remember the hash, and when she predicts that the second server ask for the same Nshe supplies the hashhow would Trudy mount a dictionary attack without the salt? compiles hashes of all the words in the dictionary starting from 1000

    dictionary attack, how? from C & W{C}In that case, the non-encrypting side should not issue the first challenge, why? reflection attack

    whats the possible attack? if Trudy steals Alices password from Bob, Trudy can impersonate Alicewhats the possible attack? if Trudy steals Alices password from Bob, Trudy can impersonate Alice