
Question

Choose one cryptographic password-based authentication protocol that you normally use.

- What is the detailed protocol specification for your chosen authentication protocol?

- Is this protocol secure against off-line dictionary attacks? If yes, provide a heuristic security proof. If not, how would someone mount an off-line dictionary attack?

- Can you revise or redesign the protocol so that it is secure against off-line dictionary attacks? Please describe your detailed protocol design and provide a heuristic security proof.

If possible, please include your sources.

Explanation / Answer

Ans:

"Encrypted Key Exchange" Work:

Encrypted key exchange is a protocol, or set of rules, that allows two parties sharing a common password to communicate over an insecure network without exposing that password. The protocol was originally developed by Steven Bellovin and Michael Merritt of AT&T Bell Laboratories, who produced a seminal work on the subject.

Asymmetric & Symmetric Encryption

Encrypted key exchange involves a combination of asymmetric, or public key, encryption and symmetric, or secret key, encryption. Public key encryption uses a pair of related keys -- values which must be fed into a mathematical formula, or algorithm, to decode an encrypted message -- one of which is known by all parties and one of which is kept private, or secret. Secret key encryption, on the other hand, uses a single secret key to encrypt and decrypt messages.

Key Derivation

In encrypted key exchange, a secret key, or password, is derived from one party’s public key and another party’s private key. The shared secret key is then used to encrypt subsequent communications between the parties, who may have no prior knowledge of each other, using a symmetric key cipher. The public and private key pairs can be generated again and again, each time the protocol is run, to maintain security.

Effectiveness

Unlike classical cryptographic protocols, encrypted key exchange provides protection against active attacks, in which an attacker attempts to guess the password, and more sophisticated types of online attacks, known as dictionary attacks. In a dictionary attack, an attacker tries all possible combinations of secret keys in a small set of values, known as the dictionary, to try to break the security of an encryption scheme by brute force.

PREVENTING OFFLINE DICTIONARY ATTACKS:

Seeking convenience, people tend to choose weak passwords from a small sample space, which an adversary can easily enumerate. Thus, systems need something stronger than simple challenge-response protocols that can use these cryptographically weak passwords to securely authenticate entities. Such an authentication protocol would be deemed secure if, whenever an entity accepts an authentication session with another entity, it should have indeed participated in the authentication session [2]. Guarantees of mutual authentication are essential for remote users trying to access servers over insecure networks like the Internet. The goal of a password-based authentication protocol aimed at preventing offline dictionary attacks is to produce a cryptographically strong shared secret key, called the session key, after a successful run of the protocol. Both entities can use this session key to safely encrypt subsequent messages.

Encrypted key exchange:

1. A: $(E_A, D_A)$.

2. A → B: $A, K_{pwd}(E_A)$.

3. B: Compute $E_A = K_{pwd}^{-1}(K_{pwd}(E_A))$. Generate random secret key $K_{AB}$.

4. B → A: $K_{pwd}(E_A(K_{AB}))$.

5. A: $K_{AB} = D_A(K_{pwd}^{-1}(K_{pwd}(E_A(K_{AB}))))$. Generate unique challenge $C_A$.

6. A → B: $K_{AB}(C_A)$.

7. B: Compute $C_A = K_{AB}^{-1}(K_{AB}(C_A))$ and generate unique challenge $C_B$.

8. B → A: $K_{AB}(C_A, C_B)$.

9. A: Decrypt message sent by B to obtain $C_A$ and $C_B$. Compare the former with his own challenge. If they match, go to next step, else abort.

10. A → B: $K_{AB}(C_B)$.

11. B: Decrypt message A sends and compare with challenge $C_B$. If they match, B knows that A has the ability to encrypt subsequent messages using key $K_{AB}$.

Encrypted key exchange:

Steven Bellovin and Michael Merritt [3] made the first attempt to protect a password protocol against offline dictionary attacks. They developed a password-based encrypted key exchange (EKE) protocol using a combination of symmetric and asymmetric cryptography. Algorithm 1 in Figure 1 describes the EKE protocol, in which users A and B serve as the participating entities in a particular run of the protocol, resulting in a session key (stronger than the shared password) the users can later apply to encrypt sensitive data. In Step 1, user A generates a public/private key pair $(E_A, D_A)$ and also derives a secret key $K_{pwd}$ from his password pwd. In Step 2, A encrypts his public key $E_A$ with $K_{pwd}$ and sends it to B. In Steps 3 and 4, B decrypts the message using the stored password of A, and uses $E_A$ together with $K_{pwd}$ to encrypt a session key $K_{AB}$ and sends it to A. In Steps 5 and 6, A uses this session key to encrypt a unique challenge $C_A$ and sends the encrypted challenge to B. In Step 7, B decrypts the message to obtain the challenge and generates a unique challenge $C_B$.

In Step 8, B then encrypts both $C_A$ and $C_B$ with the session key $K_{AB}$ and sends it to A. In Step 9, A decrypts this message to obtain $C_A$ and $C_B$ and compares the former with his own challenge. A match verifies the correctness of B’s response. In Step 10, A encrypts B’s challenge $C_B$ with the session key $K_{AB}$ and sends it to B. In Step 11, B decrypts this message and compares it with his own challenge $C_B$. If they match, B knows that A can use $K_{AB}$ to encrypt subsequent messages.

Bellovin and Merritt also developed augmented EKE (A-EKE) [4], which stores passwords under a one-way function. The objective is to prevent an adversary who obtains the one-way encrypted password file from mimicking the user to the host. They implemented A-EKE using digital signatures and a family of commutative one-way functions. Researchers subsequently developed a gamut of protocols that provide stronger security guarantees than EKE and have additional desirable properties.

The EKE protocol and its variants (except A-EKE) suffer from plaintext equivalence, which means the user and the host have access to the same secret password or hash of the password. Intuitively, there are disadvantages to plaintext equivalence. Imagine a simple case in which entity A (the user) enters his password in the client software, which uses a one-way function to hash the password and sends the hashed password over the network to entity B (the server). An adversary can eavesdrop on the channel to obtain entity A’s hashed password and can impersonate entity A by resending the hashed password later. To understand the problem of plaintext equivalence, we can extend the simple case to more complex challenge-response protocols, like EKE. This vulnerability will arise whenever two entities share a secret and perform symmetric operations, however complex, based on the shared secret and exchanged messages.
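
The eleven-step exchange listed in this answer, simulated end to end as an added example that is not part of the original answer. The helper names (`kdf`, `sym`, `eke_run`), the fixed-prime RSA key and the SHA-256 keystream cipher are assumptions chosen so the run is self-contained; they show the message flow and the two acceptance checks, not secure primitives.

```python
import hashlib, hmac, secrets

# Toy primitives (assumptions for this demo, NOT secure): fixed-prime RSA and a
# SHA-256 keystream cipher. They illustrate the message flow only.
P, Q, E = 2**61 - 1, 2**31 - 1, 65537          # constructed toy key material
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))    # E_A = (N, E), D_A = D

def kdf(pwd: str) -> bytes:
    """Derive K_pwd from the password (hypothetical helper)."""
    return hashlib.sha256(b"eke-demo" + pwd.encode()).digest()

def sym(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 keystream; the same call encrypts and decrypts."""
    ks = b"".join(hashlib.sha256(key + bytes([i])).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def eke_run(pwd_a: str, pwd_b: str) -> bool:
    """Run steps 1-11; True only if A accepts (step 9) and B accepts (step 11).
    The step number is appended to each key so no keystream is reused."""
    ka, kb = kdf(pwd_a), kdf(pwd_b)
    # Steps 1-2. A -> B: K_pwd(E_A)
    m2 = sym(ka + b"2", N.to_bytes(12, "big") + E.to_bytes(4, "big"))
    # Step 3. B recovers E_A with its stored password, picks random K_AB
    ea = sym(kb + b"2", m2)
    n_b, e_b = int.from_bytes(ea[:12], "big"), int.from_bytes(ea[12:], "big")
    k_ab_b = secrets.token_bytes(8)
    # Step 4. B -> A: K_pwd(E_A(K_AB))
    inner = pow(int.from_bytes(k_ab_b, "big"), e_b, n_b or 1)
    m4 = sym(kb + b"4", inner.to_bytes(12, "big"))
    # Step 5. A strips K_pwd, applies D_A to recover K_AB, picks challenge C_A
    k_ab_a = pow(int.from_bytes(sym(ka + b"4", m4), "big"), D, N)
    k_ab_a = k_ab_a.to_bytes(12, "big")[-8:]
    c_a = secrets.token_bytes(16)
    m6 = sym(k_ab_a + b"6", c_a)                  # Step 6. A -> B: K_AB(C_A)
    c_a_seen = sym(k_ab_b + b"6", m6)             # Step 7. B decrypts, picks C_B
    c_b = secrets.token_bytes(16)
    m8 = sym(k_ab_b + b"8", c_a_seen + c_b)       # Step 8. B -> A: K_AB(C_A, C_B)
    p8 = sym(k_ab_a + b"8", m8)                   # Step 9. A checks its own C_A
    if not hmac.compare_digest(p8[:16], c_a):
        return False                              # A aborts
    m10 = sym(k_ab_a + b"10", p8[16:])            # Step 10. A -> B: K_AB(C_B)
    return hmac.compare_digest(sym(k_ab_b + b"10", m10), c_b)   # Step 11

if __name__ == "__main__":
    print("same password:", eke_run("tr0ub4dor", "tr0ub4dor"))
    print("mismatched password:", eke_run("tr0ub4dor", "hunter2"))
```

When the two sides hold different passwords, B recovers a different $E_A$, A recovers a different $K_{AB}$, and the challenge comparison in Step 9 fails, so the run ends without either side accepting.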