CIST/ETRI/ISIT/KDDI/Kyusyu Univ./NICT Joint Research Workshop on Ubiquitous Network Security 2005
Verifier-Based Password-Authenticated Key Exchange
Jeong Ok Kwon
December 17th, 2005
Motivation
• A fundamental problem in cryptography is how to communicate securely over an insecure channel.
(Figure: two parties holding a shared session key sk use it for data privacy/integrity.)
• How can we obtain a secret session key?
• Public-key encryption or signatures: the cost (certified keys, heavier computation) is too high for certain applications.
• Password-Authenticated Key Exchange (PAKE): share a secret session key between the specified parties using just a human-memorable password.
  – convenience, mobility, and lower hardware requirements
  – no security infrastructure (e.g. no PKI, no pre-distributed high-entropy keys)
Motivation: Intrinsic Problem
• Passwords have low entropy, i.e., 4 or 8 characters such as a natural-language phrase chosen so that it is easy to memorize.
• So they are susceptible to dictionary attacks:
  – on-line dictionary attacks (each guess costs the adversary a protocol run with a legitimate party, so these can be detected and limited)
  – off-line dictionary attacks (guesses are tested against recorded protocol flows, with no further interaction)
Even tiny amounts of redundancy in the flows of the protocol could be used by the adversary to mount off-line dictionary attacks.
-> A PAKE protocol must be immune to off-line attacks.
Classification for PAKE
• According to the number of parties sharing a session key
  – Two-party
  – Multi-party (group)
• According to the sameness of the pre-shared passwords
  – Parties with the same password
  – Parties with different passwords
• According to the need for a server
  – Model requiring the help of a server
  – Model not requiring the help of a server
• According to the password form stored by the server
  – Symmetric model
  – Asymmetric model (verifier-based model)
Our work is about
• In the client/server model
  – Verifier-based PAKE
    • for two-party with the same password
    • for two-party with different passwords
    • for multi-party with different passwords
(Figure: two-party with the same password. U1, holding pw1, and the server, which stores information for pw1, end up sharing sk.)
(Figure: two-party with different passwords. U1, holding pw1, and U2, holding pw2, end up sharing sk with the help of the server, which stores information for pw1 and pw2.)
(Figure: group with sk. U1, U2, U3 and U4, holding pw1, pw2, pw3 and pw4 respectively, end up sharing one group key sk.)
Symmetric model vs. Verifier-based model
• Symmetric model – the server stores a plaintext form of the password.
  (Figure: U1 holds pw1 and U2 holds pw2; the server's password file holds pw1 and pw2 themselves.)
• Asymmetric model (or verifier-based) – the server stores a verifier for the password.
  (Figure: U1 holds pw1 and U2 holds pw2; the server's password file holds f(pw1) and f(pw2).)
  – A verifier is information computed from a password. It is computable from the password, whereas recovering the password from the verifier is infeasible in polynomial time (other than by testing candidate passwords one by one).
  – It is designed to protect against server compromise, so that an attacker who is able to steal the password file from the server cannot later masquerade as a legitimate user without performing a dictionary attack.
  – Even if the password file is compromised, the attacker has to perform an additional off-line dictionary attack to find out the clients' passwords.
  • This gives the server's administrator time to react and to inform the clients, which reduces the damage of the compromise.
Comparison with the related verifier-based protocol

                          2-party, same pw        2-party, diff. pw   multi-party, diff. pw
Scheme / Parameter        EPA         Ours        Ours                Ours
Rounds                    3           2           3                   3
Communication, U_i        |p|+|l|     |p|+|l|     |p|+|l|             2|p|+|l|
Communication, S          |p|+|l|     2|p|+|l|    4|p|                3n|p|
Exponentiations, U_i      1           2           3                   3
Exponentiations, S        2           1           4                   2n
Security                  forward     forward     forward             forward
                          secrecy     secrecy     secrecy             secrecy
Assumption                DDH, R.O.   DDH, std.   DDH, std.           DDH, std.

|p|: length of the prime p of Z_p^*; |l|: length of a hash/MAC output; n: number of members in the group; R.O.: random-oracle model; std.: standard model. EPA is [EPA] in the reference list below.
Comparison with the related verifier-based protocols (PAKE for 2-party with the same password)

Scheme / Parameter     B-SPEKE    SRP        AMP        PAK-Z      EPA        VB-EKE     Our protocol
Rounds                 4          4          4          3          3          3          2
Communication, U_i     2|p|+|l|   |p|+|l|    |p|+|l|    |p|+|l|    |p|+|l|    3|p|+|l|   |p|+|l|
Communication, S       3|p|+2|l|  2|p|+2|l|  2|p|+|l|   2|p|+|l|   |p|+|l|    |p|+|l|    2|p|+|l|
Exponentiations, U_i   2          2          2          3          1          1          2
Exponentiations, S     2          3          3          3          2          4          1
Security               forward secrecy for all seven schemes
Assumption             DDH, R.O.  DDH, R.O.  CDH, R.O.  DDH, R.O.  DDH, R.O.  CDH, R.O.  DDH, std.

References
[B-SPEKE] D. Jablon, "Extended password key exchange protocols immune to dictionary attack," WETICE'97 Workshop on Enterprise Security, 1997.
[SRP] T. Wu, "Secure remote password protocol," Proceedings of the ISOC NDSS Symposium, pp. 99–111, 1998.
[AMP] T. Kwon, "Authentication and key agreement via memorable password," Proceedings of the ISOC NDSS Symposium, 2001.
[PAK-Z] P. MacKenzie, "The PAK suite: Protocols for password-authenticated key exchange," http://grouper.ieee.org/groups/1363/passwdPK/contributions.html#Mac02, April 2002.
[EPA] Y. H. Hwang, D. H. Yum, and P. J. Lee, "EPA: An efficient password-based protocol for authenticated key exchange," ACISP 2003.
[VB-EKE] M. Abdalla, O. Chevassut, and D. Pointcheval, "One-time verifier-based encrypted key exchange," PKC 2005.
Password-based protocols submitted to IEEE P1363.2 (Password-based Techniques): http://grouper.ieee.org/groups/1363/passwdPK/purpose.html
The focus of this work is to construct secure and round-efficient verifier-based PAKE protocols for the two-party and multi-party settings with different passwords.
Preliminary for our protocols
• Public information
  – $G$: a finite cyclic group of prime order $q$ (the order-$q$ subgroup of $\mathbb{Z}_p^*$)
  – $p$: a safe prime such that $p = 2q + 1$
  – $g_1, g_2$: generators of $G$
  – $H$: a collision-resistant one-way hash function
  – $\mathsf{Mac} = (\mathsf{Key.gen}, \mathsf{Mac.gen}, \mathsf{Mac.ver})$: a secure message authentication code
• Initialization step
  – $U_i$ selects a password $pw_i$.
  – $U_i$ registers the verifiers of the password, $v_{i,1} = g_1^{H(U_i \| S \| pw_i)} \bmod p$ and $v_{i,2} = g_2^{H(U_i \| S \| pw_i)} \bmod p$, with the server $S$ over a secure channel.
  – $S$ stores them in a password file with an entry for each user $U_i$.
Verifier-based PAKE for 2-party with same passwords
(Protocol figure between $U_1$, holding $pw_1$, and the server $S$, holding $(v_{1,1}, v_{1,2}) = (g_1^{H(U_1 \| S \| pw_1)}, g_2^{H(U_1 \| S \| pw_1)})$. Only the following is legible in the transcript.)
– Round 1 ($U_1 \to S$): $U_1$ picks $x \in_R \mathbb{Z}_q^*$ and sends $X = g_1^{x} \cdot v_{1,2}$.
– Round 2 ($S \to U_1$): $S$ picks $y, z \in_R \mathbb{Z}_q^*$, computes $k_S = (X / v_{1,2})^{y} = g_1^{xy}$, and sends $Y$ and $Z$ (formed from $g_1^{y}$, $g_1^{z}$ and the verifiers) together with a MAC, $\mathsf{Mac.gen}_{k}(U_1 \| S \| X \| \cdots)$, over the identities and the exchanged values.
– $U_1$ removes the blinding from the server's values with its password hash, computing $(\,\cdot\, / \,\cdot\,^{H(U_1 \| S \| pw_1)})^{x}$, and so also obtains $g_1^{xy}$. The session key is $sk = H(U_1 \| S \| g_1^{xy})$.
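The following Python example is added here and is not code from the slides or their author. It implements the initialization step of the "Preliminary" slide (the verifiers $v_{i,1}$, $v_{i,2}$), a verifier-blinded exchange built from the legible parts of the two-party slide ($X = g_1^x v_{1,2}$, the server's $(X / v_{1,2})^y$, the client's unblinding with $H(U \| S \| pw)$), and the server-compromise point of the symmetric-vs-verifier comparison: a stolen verifier file costs the thief one exponentiation pair per password guess, where a plaintext file would cost nothing. The safe-prime search, the 63-bit group size, the exact form of the server's reply $(Y, Z)$, the key-derivation string and the omission of the MAC confirmation are all assumptions made for this example, and the parameters are far too small for real use.

```python
"""Verifier-based PAKE mechanics: registration, a verifier-blinded key exchange and
the cost of a stolen password file.  Added illustration, not the paper's code.  The
group and the verifiers follow the "Preliminary" slide; the exchange follows the
legible fragments of the two-party slide (X = g1^x * v_{1,2}, server key
(X / v_{1,2})^y, client unblinding with H(U||S||pw)).  The reply (Y, Z), the key
derivation string and the omitted MAC confirmation are assumptions."""
from __future__ import annotations
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n: int) -> bool:
    """Miller-Rabin with the first 12 prime bases: deterministic for n < 3.1e23."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_above(start: int) -> tuple[int, int]:
    """Smallest safe prime p = 2q + 1 with prime q >= start (deterministic search)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

# Structurally correct but toy-sized parameters (assumption: 63-bit p; real use needs
# 2048+ bits).  Squares lie in the order-q subgroup, so 2^2 and 3^2 generate it; in
# practice g2 is derived so that log_{g1}(g2) is unknown to everyone.
P, Q = safe_prime_above(1 << 62)
G1, G2 = pow(2, 2, P), pow(3, 2, P)

def H(*parts: str) -> int:
    """H(a||b||...) reduced into Z_q, the exponent used in the verifiers."""
    return int.from_bytes(hashlib.sha256("||".join(parts).encode()).digest(), "big") % Q

def rand_exp() -> int:
    """Uniform element of Z_q^* = {1, ..., q-1}."""
    return secrets.randbelow(Q - 1) + 1

def register(user: str, server: str, pw: str) -> tuple[int, int]:
    """Initialization: (v_{i,1}, v_{i,2}) = (g1^H(U||S||pw), g2^H(U||S||pw)), given to S securely."""
    h = H(user, server, pw)
    return pow(G1, h, P), pow(G2, h, P)

def client_round1(h: int) -> tuple[int, int]:
    """U_i -> S: X = g1^x * v_{i,2}; the client rebuilds v_{i,2} from its password hash h."""
    x = rand_exp()
    return x, pow(G1, x, P) * pow(G2, h, P) % P

def server_round2(X: int, v1: int, v2: int) -> tuple[int, int, int]:
    """S -> U_i: strip v_{i,2} from X, derive g1^{xy}, reply with (Y, Z) that only a
    holder of h can unblind (assumed form of the slide's Y, Z)."""
    y, z = rand_exp(), rand_exp()
    k_server = pow(X * pow(v2, -1, P) % P, y, P)   # (X / v_{i,2})^y = g1^{xy}
    Y = pow(G1, y, P) * pow(v1, z, P) % P           # g1^y * g1^{h z}
    Z = pow(G1, z, P)                               # g1^z, so Z^h == v_{i,1}^z
    return Y, Z, k_server

def client_finish(x: int, h: int, Y: int, Z: int) -> int:
    """U_i: (Y / Z^h)^x = g1^{xy}.  A thief holding only v_{i,1} faces CDH on (v_{i,1}, Z)."""
    return pow(Y * pow(pow(Z, h, P), -1, P) % P, x, P)

def session_key(user: str, server: str, k: int) -> bytes:
    """sk = H(U || S || g1^{xy}), the key derivation legible on the slide."""
    return hashlib.sha256(f"{user}||{server}||{k}".encode()).digest()

def run_exchange(user: str, server: str, registered_pw: str, typed_pw: str) -> bool:
    """Register with registered_pw, run one exchange typing typed_pw; True iff the keys agree."""
    v1, v2 = register(user, server, registered_pw)      # the server's password-file entry
    h = H(user, server, typed_pw)                       # all the client knows
    x, X = client_round1(h)
    Y, Z, k_server = server_round2(X, v1, v2)
    return session_key(user, server, client_finish(x, h, Y, Z)) == session_key(user, server, k_server)

def offline_dictionary_attack(user: str, server: str, stolen: tuple[int, int],
                              wordlist: list[str]) -> str | None:
    """Cost of a stolen verifier file: one pair of exponentiations per guess.  A
    symmetric-model file (plaintext passwords) needs no work at all, the slide's point."""
    for guess in wordlist:
        if register(user, server, guess) == stolen:
            return guess
    return None

if __name__ == "__main__":
    print(run_exchange("U1", "S", "correct horse", "correct horse"),   # True: keys agree
          run_exchange("U1", "S", "correct horse", "correct h0rse"))   # False: wrong password
```

Two things worth noticing when running it: the client never sends anything computable from the verifier alone (an attacker with the stolen file can play the server, but to play the client it would have to compute $Z^{h}$ from $v_{i,1} = g_1^{h}$ and $Z = g_1^{z}$, a CDH instance), and the dictionary attack function is exactly the work the slides say a file thief is forced into, which is why the password hash should in practice be slow and salted with the identities, as $H(U_i \| S \| pw_i)$ already is.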
Verifier-based PAKE for 2-party with different passwords
• Motivation
  – PAKE for 2-party with the same password: if a user wants to communicate securely with many users, the number of passwords the user needs to memorize may grow linearly with the number of possible partners.
    (Figure: every pair of users has to share its own pw.)
  – PAKE for 2-party with different passwords: each user shares a password only with a trusted server, and the trusted server helps users holding different passwords to agree on a common session key.
    (Figure: U1 holds pw1 and U2 holds pw2; the server stores f(pw1) and f(pw2).)
(Protocol figure between $U_1$, holding $pw_1$, the server $S$, and $U_2$, holding $pw_2$. Only the following is legible in the transcript.)
– Setup: $S$ holds $(v_{i,1}, v_{i,2}) = (g_1^{H(U_i \| S \| pw_i)}, g_2^{H(U_i \| S \| pw_i)})$ for $i = 1, 2$.
– Round 1 ($U_i \to S$): $U_i$ picks $x_i \in_R \mathbb{Z}_q^*$ and sends $X_{i,S} = g_1^{x_i} \cdot v_{i,2}$.
– Round 2 ($S \to U_i$): $S$ picks $y_i \in_R \mathbb{Z}_q^*$ and replies with $X_{S,i}$ (built from $g_1^{y_i}$ and $U_i$'s verifiers) so that both sides obtain $k_{i,S} = g_1^{x_i y_i}$, confirmed by $\mathsf{Mac.gen}_{k_{i,S}}(U_i \| S \| X_{i,S} \| X_{S,i})$.
– Round 3 ($S \to U_i$): $S$ picks $s \in_R \mathbb{Z}_q^*$ and sends $Y_{S,i}$, which conveys the other party's contribution $g_1^{x_j s}$ ($j \ne i$) to $U_i$ under $k_{i,S}$ (the exact blinding is not recoverable from the transcript).
– Session key: $sk = g_1^{x_1 x_2 s} \bmod p$, computed by $U_1$ and $U_2$; $S$, which knows only $g_1^{x_1}$, $g_1^{x_2}$ and $s$, does not learn it (key secrecy against the server).
Verifier-based PAKE for multi-party with different passwords
• Motivation
  – PAKE for multi-party with the same password: if a user wants to communicate securely with many groups, the number of passwords the user needs to memorize may grow linearly with the number of possible groups, and the members have to share a new password whenever one of them wants to communicate securely with a new group.
    (Figure: a group sharing sk in which every member holds the same pw.)
  – PAKE for multi-party with different passwords: each user shares a password only with a trusted server, and the trusted server helps users holding different passwords to agree on a group key.
    (Figure: U1, U2, U3 and U4 hold pw1, pw2, pw3 and pw4 and end up with one group key sk.)
(Protocol figure for four members $U_1, \dots, U_4$ and the server $S$, spread over several animation slides. Only the following is legible in the transcript.)
– Setup: $S$ holds $(v_{i,1}, v_{i,2}) = (g_1^{H(U_i \| S \| pw_i)}, g_2^{H(U_i \| S \| pw_i)})$ for $i = 1, \dots, 4$.
– Round 1 ($U_i \to S$): $U_i$ picks $x_i \in_R \mathbb{Z}_q^*$ and sends $X_i = g_1^{x_i} \cdot v_{i,2}$.
– Round 2 ($S \to U_i$): $S$ picks $y_i, z_i \in_R \mathbb{Z}_q^*$ and sends $Y_i \| Z_i$, built from $g_1^{y_i}$, $g_2^{z_i}$ and the verifiers $v_{i,1}, v_{i,2}$, so that $U_i$ (using $H(U_i \| S \| pw_i)$) and $S$ (using $X_i / v_{i,2}$) both obtain $k_{i,S} = g_1^{x_i y_i}$.
– Round 3 ($S \to U_i$): $S$ picks $s \in_R \mathbb{Z}_q^*$ and a MAC key $k_{mac} \leftarrow \mathsf{Key.gen}$, and sends each $U_i$ the values $g_1^{x_{i-1} s}$ and $g_1^{x_{i+1} s}$ (indices mod 4; e.g. $U_2$ receives $g_1^{x_3 s}$ and $g_1^{x_1 s}$, $U_3$ receives $g_1^{x_2 s}$ and $g_1^{x_4 s}$) together with a MAC. $U_i$ raises them to $x_i$ and obtains $g_1^{x_{i-1} x_i s}$ and $g_1^{x_i x_{i+1} s}$.
– Key computation: the members combine these values (the transcript shows the exponents 4, 3, 2 and 1 in the per-member computations $sk_{U_1}, \dots, sk_{U_4}$, i.e. a Burmester-Desmedt-style combination; the exact broadcast values are not recoverable), and every member ends with the same group key
$$sk = g_1^{x_1 x_2 s + x_2 x_3 s + x_3 x_4 s + x_4 x_1 s} \bmod p.$$
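The following Python example is added here and is not code from the slides or their author. It works the group-key computation of the multi-party protocol through for $n$ members: the server supplies each $U_i$ with $g_1^{x_{i-1} s}$ and $g_1^{x_{i+1} s}$ as on the round-3 slide, $U_i$ turns them into its two edge keys $g_1^{x_{i-1} x_i s}$ and $g_1^{x_i x_{i+1} s}$, and the members combine them with the exponent pattern $n, n-1, \dots, 1$ legible on the slide, which is the Burmester-Desmedt combination, so that everyone obtains $sk = g_1^{s \sum_i x_i x_{i+1}} \bmod p$. The broadcast ratio $T_i$, the toy 10-bit group, the 0-based member numbering and the omission of the verifier blinding and MACs of rounds 1 to 3 are assumptions made for the example.

```python
"""Group key of the multi-party slide, sk = g1^{x1x2s + x2x3s + x3x4s + x4x1s} mod p.
Added illustration, not the paper's code.  It builds the ring of edge keys
g1^{x_{i-1} x_i s} from the values the transcript shows the server sending to U_i
(g1^{x_{i-1} s}, g1^{x_{i+1} s}) and combines them with the exponent pattern
n, n-1, ..., 1 legible on the slide (a Burmester-Desmedt combination).  The
broadcast ratio T_i, the toy group and the dropped MACs are assumptions."""
from __future__ import annotations
import secrets

P, Q = 1019, 509          # toy safe prime p = 2q + 1 (assumption; far too small for real use)
G1 = pow(2, 2, P)         # a square, hence a generator of the order-q subgroup

def rand_exp() -> int:
    """Uniform element of Z_q^* = {1, ..., q-1}."""
    return secrets.randbelow(Q - 1) + 1

def server_round3(gx: list[int], s: int) -> list[tuple[int, int]]:
    """Round 3 of the slide: U_i receives (g1^{x_{i-1} s}, g1^{x_{i+1} s}), indices mod n
    and 0-based here.  gx[i] = g1^{x_i} is what S holds after stripping v_{i,2} from X_i;
    the MAC that authenticates the pair is omitted."""
    n = len(gx)
    blinded = [pow(v, s, P) for v in gx]
    return [(blinded[(i - 1) % n], blinded[(i + 1) % n]) for i in range(n)]

def member_edges(x_i: int, pair: tuple[int, int]) -> tuple[int, int]:
    """U_i raises both values to x_i: left = g1^{x_{i-1} x_i s}, right = g1^{x_i x_{i+1} s}."""
    return pow(pair[0], x_i, P), pow(pair[1], x_i, P)

def member_key(i: int, left: int, ratios: list[int]) -> int:
    """left^n * T_i^{n-1} * T_{i+1}^{n-2} * ... * T_{i+n-2}^1 with T_j = right_j / left_j.
    The product telescopes to the product of all n edge keys, the same for every member."""
    n = len(ratios)
    k = pow(left, n, P)
    for j in range(1, n):
        k = k * pow(ratios[(i + j - 1) % n], n - j, P) % P
    return k

def group_key_exchange(n: int) -> tuple[list[int], int, list[int]]:
    """Run the ring for n members.  Returns every member's key, the slide's closed form
    g1^{s * sum_i x_i x_{i+1}} for comparison, and the public ratios T_i."""
    xs = [rand_exp() for _ in range(n)]                  # U_i's secret x_i
    gx = [pow(G1, x, P) for x in xs]                     # g1^{x_i}, known to S after round 1
    s = rand_exp()                                       # the server's blinding exponent
    edges = [member_edges(xs[i], pair) for i, pair in enumerate(server_round3(gx, s))]
    ratios = [right * pow(left, -1, P) % P for left, right in edges]   # T_i, broadcast by U_i
    keys = [member_key(i, edges[i][0], ratios) for i in range(n)]
    closed = pow(G1, s * sum(xs[i] * xs[(i + 1) % n] for i in range(n)), P)
    return keys, closed, ratios

def eavesdropper_product(ratios: list[int]) -> int:
    """The broadcast ratios multiply to 1: without an edge key of its own, an outsider
    seeing only the broadcasts gets nothing towards the product of edge keys."""
    out = 1
    for t in ratios:
        out = out * t % P
    return out

if __name__ == "__main__":
    keys, closed, ratios = group_key_exchange(4)
    print(keys, closed, eavesdropper_product(ratios))   # four equal keys, same value, 1
```

The telescoping is what makes the server's blinding exponent $s$ harmless to the members and useful against outsiders: $s$ appears in every edge key, so the closed form carries a single factor $s$, yet nobody but the server ever sees $s$ itself, and the server, lacking any $x_i$, holds no edge key.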
Security Goal: Verifier-based PAKE
• Security against dictionary attacks
  – Passive eavesdropping does not help the adversary compute any information about the password.
  – Only interactions with protocol instances (on-line guesses) help the adversary compute information about the password.
• Key secrecy – no computationally bounded adversary (including the server) should learn anything about the session keys shared between honest parties.
• Server-compromise attack – even if an adversary steals the password file from the server, the adversary still cannot impersonate a user without performing a dictionary attack on the password file.
• Forward secrecy – the exposure of a password does not compromise previous session keys.
• Denning-Sacco attack
  1. Even with the session key of an eavesdropped session, an adversary cannot gain the ability to impersonate the user directly.
  2. An outside attacker cannot gain the ability to perform off-line dictionary attacks against users' passwords from compromised session keys that were successfully established between honest entities.
  3. An inside attacker who knows one user's password does not learn any information about other users' passwords from a session key successfully established with one of them.