Password Human beings : Short keys; possibly used to generate - - PowerPoint PPT Presentation

SLIDE 1

Password

Human beings:

– Short keys; possibly used to generate longer keys
– Dictionary attack: adversary tries more common keys (easy with a large set of users)
– Trojan horse
– Countermeasures: slow login, close after several unsuccessful attempts

Computers:

– Quality keys (long and not predictable)
– Hidden: not stored in the clear (encrypted, one-time password)

SLIDE 2

Password: problems

Eavesdropping: adversary is sniffing

  • password must not be sent in the clear
  • authentication should be different each time (to avoid replay attacks)

Store password securely:

  • Adversary can access database of passwords: encrypt passwords

SLIDE 3

Password: physical security - Unix

Idea: passwords are not stored; what is stored is data derived from the password. Let K be the key.

  • Unix: what is stored is a modified DES encoding of 00...0 using the password K as key

Problem: dictionary attack: users’ keys are predictable:

  • an attacker who reads the password database has a high probability of finding at least one user with a weak password
  • To increase security use salt: store the encoding of 0000.00<random number>; the random number depends on the user and can be stored in the clear (salt increases the work for the attacker but does not solve the problem of weak users’ keys)
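The effect of the salt, measured as a password audit over a small database (added example, not from the original slides). SHA-256 stands in for the modified DES encoding, and the users, salts and wordlist are constructed sample data.

```python
import hashlib

def encode(password: str, salt: bytes = b"") -> str:
    """Stand-in one-way encoding: SHA-256(salt || password).
    (Assumption: replaces the modified DES encoding named on the slide.)"""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def audit(db: dict, wordlist: list) -> tuple:
    """Check a password database against a wordlist.

    db maps user -> (salt, stored encoding). Returns (weak, work):
    weak maps each user with a dictionary password to that password,
    work counts how many encodings had to be computed.
    """
    tables, weak, work = {}, {}, 0
    for user, (salt, stored) in db.items():
        if salt not in tables:            # one table per distinct salt
            tables[salt] = {encode(w, salt): w for w in wordlist}
            work += len(wordlist)
        if stored in tables[salt]:
            weak[user] = tables[salt][stored]
    return weak, work

# Constructed sample data: three users, two of them with dictionary passwords.
# Salts are fixed here for reproducibility; a real system draws them at random.
WORDLIST = ["123456", "password", "qwerty", "letmein"]
PASSWORDS = {"ann": "password", "bob": "vK9#tq2!Lw", "eve": "123456"}
UNSALTED = {u: (b"", encode(p)) for u, p in PASSWORDS.items()}
SALTED = {u: (u.encode() + b"-salt", encode(p, u.encode() + b"-salt"))
          for u, p in PASSWORDS.items()}

if __name__ == "__main__":
    for name, db in (("unsalted", UNSALTED), ("salted", SALTED)):
        weak, work = audit(db, WORDLIST)
        print(f"{name}: {work} encodings computed, weak users: {sorted(weak)}")
```

Without salt one table of encodings covers every user; with per-user salts the work is multiplied by the number of users, yet the same weak passwords are still found.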

SLIDE 4

Strong Password Protocols

  • Obtaining the benefits of cryptographic authentication with the user being able to remember passwords only
  • in particular:

– no security information is kept at the user’s machine (the machine is trusted but not configured)
– someone impersonating either party will not be able to obtain information for off-line password guessing (online password guessing is not preventable)

SLIDE 5

Lamport’s Hash

  • Bob stores <username, n, h^n(password)>; n is a relatively large number, like 1000
  • Alice’s workstation sends h^(n-1)(password)
  • if successful, n is decremented, h^(n-1) replaces h^n in Bob’s database

Message flow (figure; labels in the figure: “trusted”, “not trusted”):

Alice -> Alice’s terminal: Alice, password
Alice’s terminal -> Bob: Alice
Bob -> Alice’s terminal: n
Alice’s terminal -> Bob: h^(n-1)(password)

  • why is the sequence of hash transmissions reversed? (if you increment instead of decrementing it does NOT work)
  • safe against eavesdropping, database reading
  • no authentication of Bob
SLIDE 6

Salting Lamport’s Hash

  • h^(n-1)(pwd|salt) is used for authentication
  • salt is stored at Bob’s at setup time; Bob sends the salt each time along with n
  • advantages:

– Alice can use the same password with multiple servers, why?

  • If servers use different salts, hashes are different
  • Problem: if two servers pick the same salt?

– to ensure that the salt is different, the server’s name is also hashed in
– easy password reset (when n reaches 1) – just change the salt
– defense against dictionary attacks

  • dictionary attack without the salt: compile hashes of all the words in the dictionary starting from 1000

SLIDE 7

Lamport’s Hash: Other Properties

  • small n attack

– when Alice tries to log in, Trudy impersonates Bob and sends n’ < n and Bob’s salt; when Trudy gets the reply she can impersonate Alice after n is decremented to n’
– defense: Alice’s workstation presents the submitted n to Alice to verify the “approximate” range (Alice has to remember it)

  • “human and paper” environment

– in case Alice’s workstation is not trusted or too “dumb” to do hashing
– Alice is given a list of all hashes starting from 1000; she uses each hash exactly once

  • automatically prevents small n attack
  • string size – 64 bits (~10 characters) is secure enough
  • implemented as S/Key and standardized as one-time password system

SLIDE 8

Authentication EKE: Encrypted Key Exchange

Problem: dictionary attack if weak keys (i.e. easily guessable) are chosen

EKE:

  • Strong with respect to dictionary attack
  • Mutual authentication
  • Defines a session key

Scenario:

  • User and server share a secret key (password)
  • User and server use the password to authenticate and define a session key (Diffie-Hellman)

SLIDE 9

Authentication EKE

1. let w = Hash(password)
2. let p be a prime and g a generator of Z_p
3. A to server: A, E_w(g^a mod p)
4. Server to A: E_k(nonce-1), E_w(g^b mod p)
5. A to server: A, E_k(nonce-1, nonce-2)
6. Server to A: E_k(nonce-2)

  • Session key k = g^(ab) mod p
SLIDE 10

Authentication EKE

EKE is strong against:

  • replay attacks (a is changed every time)
  • step 1: strong with respect to dictionary attack (even if the chosen password is weak, the choice of a random a does not allow the attacker to compute g^a)
  • steps 3 and 4: authentication uses the fact that the session key k is known

Note: if the attacker knows the password then clearly the attacker can act in place of A

SLIDE 11

Encryption-with-Password Protocols

problems:

  • dictionary attack: adversary uses C and W{C}
  • server database disclosure

Message flow (Alice and Bob share weak secret W = f(pwd)):

Alice -> Bob: “Alice”
Bob -> Alice: challenge C
Alice -> Bob: W{C}

SLIDE 12

Encrypted Key Exchange (EKE)

  • key establishment as well as authentication

– E_A & D_A: per-session public/private key pair
– K_AB – symmetric session key

  • one of the W{.} may possibly be removed.
  • In that case, the non-encrypting side should not issue the first challenge, why?

Message flow:

Alice -> Bob: “Alice”, W{E_A}
Bob -> Alice: W{E_A{K_AB}}
Alice -> Bob: K_AB{C_A}
Bob -> Alice: K_AB{C_A, C_B}
Alice -> Bob: K_AB{C_B}

SLIDE 13

Encrypted Key Exchange (EKE)

  • what’s encrypted by the weak key is g^a, g^b (which looks like a random number)

– straightforward dictionary attack is impossible

Message flow (both sides can compute K_AB = g^(ab) mod p):

Alice -> Bob: “Alice”, W{g^a mod p}
Bob -> Alice: W{g^b mod p, C_A}
Alice -> Bob: K_AB{C_A, C_B}
Bob -> Alice: K_AB{C_A}
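Slide 11's exchange next to the W{g^a}, W{g^b} messages of slide 13, to show what a passive observer can and cannot confirm offline (added example, not from the original slides). The modulus 2^31 - 1 with base 7, the additive toy cipher standing in for W{.}, SHA-256 for f, and the wordlist are assumptions; the challenges C_A, C_B are omitted.

```python
import hashlib
import secrets

# Assumed toy parameters: 7 is a primitive root of the prime 2**31 - 1.
# Far too small for real use; chosen so the example runs instantly.
P, G = 2**31 - 1, 7
WORDLIST = ["123456", "letmein", "hunter2", "qwerty"]   # constructed sample

def weak_secret(password: str) -> int:
    """W = f(pwd), as an integer mod P."""
    return int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % P

def enc(w: int, x: int) -> int:
    """Toy stand-in for W{x}: add W in Z_P, so any key decrypts to a valid element."""
    return (x + w) % P

def dec(w: int, c: int) -> int:
    return (c - w) % P

def eke_run(alice_pwd: str, bob_pwd: str):
    """One exchange; returns (Alice's K, Bob's K, messages seen on the wire)."""
    a = secrets.randbelow(P - 2) + 1                     # fresh a every run
    b = secrets.randbelow(P - 2) + 1
    msg1 = enc(weak_secret(alice_pwd), pow(G, a, P))     # Alice -> Bob: W{g^a mod p}
    g_a = dec(weak_secret(bob_pwd), msg1)
    msg2 = enc(weak_secret(bob_pwd), pow(G, b, P))       # Bob -> Alice: W{g^b mod p}
    g_b = dec(weak_secret(alice_pwd), msg2)
    return pow(g_b, a, P), pow(g_a, b, P), (msg1, msg2)

def challenge_response(password: str):
    """Slide 11 exchange: C in the clear, then W{C}."""
    c = secrets.randbelow(P)
    return c, enc(weak_secret(password), c)

def guesses_confirmed_offline(wordlist, known_plain, ciphertext):
    """Guesses an observer can confirm from a known (plaintext, ciphertext) pair."""
    return [g for g in wordlist if dec(weak_secret(g), ciphertext) == known_plain]

def guesses_not_excluded(wordlist, ciphertext):
    """EKE: the plaintext g^a is unknown, so the only test is 'is it in 1..P-1'."""
    return [g for g in wordlist if 1 <= dec(weak_secret(g), ciphertext) < P]
```

The challenge-response transcript singles out the password, while the EKE message leaves every guess standing, because each candidate W decrypts it to a plausible group element. A wrong password still fails the protocol: the two sides derive different K_AB.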

SLIDE 14

Augmented EKE

  • EKE vulnerable to database disclosure since Bob stores W in clear

– If Trudy gets Alice’s password then she can impersonate Alice

  • defense: Augmented EKE – Alice knows the password, Bob knows a one-way hash of it

– Bob stores: g^W mod p

Message flow:

Alice -> Bob: “Alice”, g^a mod p
Bob -> Alice: g^b mod p, H(g^(ab) mod p, g^(bW) mod p)
Alice -> Bob: H’(g^(ab) mod p, g^(bW) mod p)