lecture 11: strong passwords
DESCRIPTION
Lecture 11: Strong Passwords. problem statement Lamport’s hash encrypted key exchange (EKE) secure credentials download. Strong Password Protocols. Obtaining the benefits of cryptographic authentication with the user being able to remember passwords only in particular: - PowerPoint PPT PresentationTRANSCRIPT
1
Lecture 11: Strong Passwords
• problem statement• Lamport’s hash• encrypted key exchange (EKE)• secure credentials download
2
Strong Password Protocols
• Obtaining the benefits of cryptographic authentication with the user being able to remember passwords only
• in particular:– no security information is kept at the user’s machine (the machine
is trusted but not configured)– someone impersonating either party will not be able to obtain
information for off-line password guessing (online password guessing is not preventable)
3
Lamport’s Hash• Bob stores <username, n, hn(password)>, n is a relatively large
number, like 1000• Alice’s workstation sends hn-1(password)• if successful, n is decremented, hn-1 replaces hn in Bob’s database
Alic
eB
ob
Alice, password
n
hn-1(password)A
lice’
s
term
inal
Alice
trusted not trusted
• why is sequence of hash transmissions reverse?properties:• safe against eavesdropping, database reading• no authentication of Bob
4
Salting Lamport’s Hash• hn-1(pwd|salt) is used for authentication• salt is stored at Bob’s at setup time, Bob sends salt each time along
with n• advantages:
– Alice can use the same password with multiple servers, why?• what may happen if two servers pick the same salt?
– to ensure that the salt is different, servers name is also hashed in
– easy password reset (when reaches 1) – just change the salt– defense dictionary attacks
• how would Trudy mount a dictionary attack without the salt?
5
Lamport’s Hash: Other Properties• small n attack
– when Alice tries to login Trudy impersonates Bob and sends n’ < n and Bob’s salt, when Trudy gets the reply she can impersonate Alice after n is decremented to n’
– defense: Alice’s workstation presents submitted n to Alice to verify the “approximate” range (Alice has to remember it)
• “human and paper” environment– in case Alice workstation is not trusted or too “dumb” to do
hashing– Alice is given a list of all hashes starting from 1000, she uses
each hash exactly once• automatically prevents small n attack• string size – 64 bits (~10 characters) is secure enough
• implemented as S/Key and standardized as one-time password system
6
Encryption-with-Password Protocols
problems:• dictionary attack, how?• server database disclosure
Alic
eB
ob
“Alice”
challenge C
W{C}
share weak secret W = f(pwd)
9
Encrypted Key Exchange (EKE)• what’s encrypted by weak key is ga, gb (which looks like a
random number) – straightforward dictionary attack is impossible
Alic
eB
ob
“Alice”, W{ga mod p}
can compute KAB = gab mod p
KAB{CA, CB}
KAB{CA}
W{gb mod p, CA}
10
Augmented EKE• EKE vulnerable to database disclosure since Bob stores W in clear
– what’s the possible attack?• defense: Augmented EKE – Alice knows the password, Bob knows a one-way hash
of it– Bob stores: gW mod p
Alic
eB
ob
“Alice”, ga mod p
gb mod p, H(gab mod p, gbW mod p)
H’(gab mod p, gbW mod p)
11
Secure Credentials Download
• credential: Y – quantity used for authorization (to prove one’s identity) – something like a private key
• problem: download Alice’s credential to Alice’s workstation when Alice only knows her password
Alic
e
Bo
b
“Alice”, W{ga mod p}
gb mod p, (gab mod p){Y}stores “Alice”, W, Y