Improved Server Authentication
Presented by Dmitri EpshteinSupervised by Prof. Hugo Krawczyk
January 2002
January 2002 Improved Server Authentication 2
Outline
Why public key verification ?
Human friendly public key verification
Authentication through image
SSH integration and demo
January 2002 Improved Server Authentication 3
Client-Server security
Server: Kprv / Kpub,Random: y
Client: psswd, KpubRandom: x
g^y | signKprv(g^y,g^x) | Kpub
g^x
Encrypted channel (K)
K=(g^x)^y K=(g^y)^x
VerifyKpub(signKprv(g^y,g^x))
Verify psswd
login+psswd
Confirm Server Kpub
January 2002 Improved Server Authentication 4
Man in the middle attack
Server: Kprv / KpubRandom: x
Client: psswdRandom: y
Man in middle: K'prv/K'pubRandom: y', x'
Encrypted channel
(K`)
Encrypted channel(K)
K’= (g^y)^x’=(g^x’)^yK= (g^y’)^x=(g^x)^y’
January 2002 Improved Server Authentication 5
Public Key Verification
Local (stored in client machine) Not applicable everywhere (e.g. Internet-
Cafe)CA - Certification Authority
CA root key should be known It is not widely available on the Internet yet
User verifies hashed version of public key “public password” as described in [HK99]
January 2002 Improved Server Authentication 6
Outline
Why public key verification ?
Human friendly public key verification
Authentication through image
SSH integration and demo
January 2002 Improved Server Authentication 7
Public Passwords
Not necessary to know all 1024 bits to verify the key
About 64 bits (2^64 different values) is secure for most applications
Use hash function MD5/SHA1(Public Key) to reduce key size It is infeasible to find a different public key that
corresponds to the same “public password”Public key is not secret information
January 2002 Improved Server Authentication 8
SSH public password
SSH requires user to verify 128 bits - hash value of server public key.Public Key (1024 bits) Fingerprint (128 bits)
Example: DSA key fingerprint is: d7:7d:cf:16:07:3b:5e:17:dc:b7:52:f1:eb:49:37:b1
Too difficult to recognize or retype=> Blind Acceptance
MD5
January 2002 Improved Server Authentication 9
Improved solution
Use more user friendly format for public key verification (with the same security)
Public key(1024) Hashed Public Key(64) String of English words:
“SCAN TOTE NOON DIE MAID COP” String Alpha-Numeric words:
“4786 8fsh hprb ” Picture
January 2002 Improved Server Authentication 10
English Words format
RFC1760 (The S/KEY One-Time Password System) defines Table of 2048 English words 2-4 letters each one.
Public key(1024) Hashed Public Key(66) Each 11 bits represent one word from the table 6 words (66 bits) are secure enough 6 English Words are easy to recognizee.g. SCAN TOTE NOON DIE MAID COP
January 2002 Improved Server Authentication 11
Verification interface
It is important that a user really checks for the validity of displayed value
The purpose of attacker is to find an alternative public key with similar “public password”
Our interface is designed to avoid tendency of users to answer every question by simply hitting Enter-key
January 2002 Improved Server Authentication 12
Interface to user
4 different (but similar) options are displayed
User should choose the appropriate one.
(1) SCAN NOON DIE MAID TOTE COP(2) SCAN TOTE NOON DIE MAID COP(3) COP TOTE DIE SCAN MAID NOON(4) TOTE DIE SCAN COP MAID NOON
What is the appropriate phrase ?
January 2002 Improved Server Authentication 13
Too mush diversity
(1) TUM TANK TIP CUBE LID HELM(2) SCAN TOTE NOON DIE MAID COP !(3) BANK HANS BIN GOAT JET BEAM(4) HIGH TUNE REID BARB BONY RAIN
User will remember only first word “SCAN” Attacker can find the other key that converted to the string started with “SCAN” e.g. “SCAN GOAT DIE JET TANK COP”
Security decreased from 2^66 to 2^11
January 2002 Improved Server Authentication 14
Too much similarity
(1) SCAN BEAM NOON DIE MAID COP(2) SCAN TOTE NOON DIE MAID COP !(3) BANK TOTE NOON DIE MAID COP(4) SCAN TOTE NOON JET MAID COP
One-word distance from right string. In place of checking the correct answer user may derive the “right” option from the proposed list
January 2002 Improved Server Authentication 15
Our suggestion
(1) SCAN NOON DIE MAID TOTE COP(2) SCAN TOTE NOON DIE MAID COP !(3) COP TOTE DIE SCAN MAID NOON(4) TOTE DIE SCAN COP MAID NOON
Each alternative created from previous one by permutation of two randomly chosen words.
Strings are randomly placed from 1 to 4.
January 2002 Improved Server Authentication 16
Alpha-Numeric format
Based on 26 letters and 10 digits. Letters ‘l’ and ‘o’ excluded. Digits ‘1’ and ‘0’ excluded.Total 32 symbols are used.
Public key(1024) Hashed Public Key(60) Each 5 bits represent one Alpha-Numeric symbol 12 symbols (60 bits) are secure enough 12 symbols - 3 words are easy to recognize
e.g. “qu24 ih2q sswb”
January 2002 Improved Server Authentication 17
Outline
Why public key verification ?
Human friendly public key verification
Authentication through image
SSH integration and demo
January 2002 Improved Server Authentication 18
Visual format
Maybe the most user friendly option.Huge number of different pictures.Easy to remember and recognize.
January 2002 Improved Server Authentication 20
Image properties
The images should meet the following requirements [PS99]:
Regularity Easy to recognize
Minimal complexity Avoid too simplified images
Collision resistance Hard to find two different keys represented by
the same or very similar image.
January 2002 Improved Server Authentication 21
Minimal complexity
Compression (zlib) used to check regularity and minimal complexity of the image.
Too high compression ratio == Very simplified image ==Easy to falsify
e.g. Compression ratio 6%
January 2002 Improved Server Authentication 22
Regularity
Too low compression ratio ==
Not regular image ==
Difficult to recognize
e.g. Compression ratio 82%
Compression ratio thresholds that guarantees Regularity and Minimal Complexity of the image
35 - 70 %
January 2002 Improved Server Authentication 23
Collision Resistance
h*w
1i
2i
2i
2i
h*w
1i
2i
2i
2i
h*w
1i
2ii
2ii
2ii
))b()g()r(())b()g()r((
))bb()gg()rr((*100[%]diff
Very small probability to find two different keys represented by the same (or very similar) image.
To calculate differences between two pictures “normal corelation” formula used:
w – width of picture in pixels, h – height of picture in pixelsri, gi, bi – red, green and blue components of the colour for
pixel “i” in the picture.
January 2002 Improved Server Authentication 24
Image creation method
Based on idea of “randomArt ” [Bau98].
N*M image created from the 64 bits key. Picture format is array of long words (32
bits) of size of “width*height” (N*M)Each long word represents an RGB colour
of a pixel in the picture (0x00bbggrr). 0x000000FF – red, 0x00FF0000 – blue, 0x0000FF00 – green
January 2002 Improved Server Authentication 25
Image creation method (1)
F1 F2 F16
64 bits Hashed key
.....
InputColor(r, g, b)
Output Color(r', g', b')
(x,y) ->(r, g, b)
Pixelcoordinates
(x, y)
S(1) S(2) S(16)
January 2002 Improved Server Authentication 26
Image creation method (1)
The algorithm based on set of 16 mathematical functions that convert input colour {r, g, b} to output colour {r’, g’, b’}.
Each 4 bits of the key define one of the functions from the set.
The initial value of the colour for each pixel depends on coordinates {x, y} of the pixel
S(1) .. S(16) - shifts color accordingly with function location.
January 2002 Improved Server Authentication 27
Image creation method (3)
Each one of the 16 functions: Continuous, r [-1; 1], r’ [-1; 1],
r’=log10(4.1 + 4*r) r’=sin(5*r); r’=0.8*atan(-3*r)
January 2002 Improved Server Authentication 28
Statistical results
Quality of image (Regularity and Minimal Complexity)
1000 randomly chosen keys
0 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90 95 1000
20
40
60
80
100
120
140
Num
ber
of Im
ages
Compression Rate [%]
About 700 from 1000 images are Good images. Compression rate in range 35-70 %
January 2002 Improved Server Authentication 29
Statistical results (1)
Collision resistance of the image One “good” reference image is chosen 1000 other “good” images compared with the
reference image accordingly to the formula above.
Results: Most of images have ~25-40% difference from
the reference image. No image has difference less than 15% from
the reference image.
January 2002 Improved Server Authentication 30
Outline
Why public key verification ?
Human friendly public key verification
Authentication through image
SSH integration and demo
January 2002 Improved Server Authentication 31
SSH Overview
SSH is a protocol for secure network services (telnet, rlogin) over insecure network.
It consists of three major components: Transport layer protocol provides Server
Authentication, Confidentiality and Integrity. User authentication protocol authenticates the
Client side to the Server. Connection protocol multiplexes encrypted
tunnels into several logical channels.
January 2002 Improved Server Authentication 32
SSH integration
No changes in SSH server (sshd)Key Generator (ssh-keygen) is
changedSSH Client (ssh) is changedFull Backward compatibility
January 2002 Improved Server Authentication 33
SSH Framework
Key Generation Generate and display all possible formats Only key that can be converted in “good” image
will be accepted
Diffie-Hellman Key Exchange and Server Authentication Server has Kprv/Kpub - private/public keys pair Client creates e=(g^x mod p) and sends to
Server Server creates f=(g^y mod p)
January 2002 Improved Server Authentication 34
SSH Framework (1)
Server receives “e” from Client Server computes K=(e^y mod p) Server computes H=hash( Kpub | e | f | K ) Server computes s = sign(H) with Kprv Server sends ( Kpub | f | s ) to Client Client verifies Kpub received from
Server !!! Client computes K=(f^x mod p) Client computes H=hash( Kpub | e | f | K ) Client verifies the signature “s” on H
January 2002 Improved Server Authentication 35
Supported formats
Client choose key representation format: (1) Fingerprint (2) EnglishWords (3) AlphaNumeric (4) Visual
January 2002 Improved Server Authentication 36
Verification actions
Client choose key verification action: (1) Confirm (2) Retype (3) Abort
Start Updated SSH demonstration !!!
January 2002 Improved Server Authentication 37
Summary
“Public passwords” are more user friendly method for Server authentication
New method for key visualization and authentication
Integrate all above into SSH and improve the its overall security
January 2002 Improved Server Authentication 38
Future work
Other user friendly string formatsOther mechanism to create
alternative stringsImprove picture quality (Regularity)Improve picture compare algorithm
and analyze collision resistanceGrayscale images
January 2002 Improved Server Authentication 39
References
[SH99] Shai Halevi, Hugo Krawczyk. Public cryptography and password protocols. 1999
[PS99] Adrian Perrig, Dawn Song. Hash Visualization: a New Technique to improve Real-World Security. 1999
[DP00] Rachna Dhamija, Adrian Perrig. Using Images for Authentication. 2000
[Bau98] Andrej Bauer. Gallery of random art. 1998
Top Related