I'm working on implementing a cryptographic system and I'm trying to understan
Question
I'm working on implementing a cryptographic system and I'm trying to understand the Zero Knowledge Password Proof concept. So here's some background:
To generate a secret key I am:
+ Doing an ECDH key exchange and generating 2 secret keys. One key is to encrypt messages and the other key is to HMAC sign the data. To derive the secret keys I am sending the username from the client along with the public keys and using the password on the client and server to derive the encryption keys by running the ECDH keys through a KDF function so that if the keys were retrieved the passwords could not be known.
+ Once I have these secret keys I want to use them to encrypt a message that does not include the password to send over to the server to authenticate that the client does indeed have the correct password.
I want to make sure that I implement this properly and I know that if I encrypt something that is preknown to the server that could be insecure because of some attacks that involve knowing the plaintext as well as the cipher. Do I need to just create a random string to encrypt? Any thoughts? Thanks!
Explanation / Answer
I don't believe your protocol meets the standard definition of Zero Knowledge Proof, as a cheating verifier can learn more information about the secret than allowed. In particular, suppose we have a cheating verifier (server) that has a list of one million potential passwords. Then, he can run your protocol with a client that knows the password, run the KDF with all one million passwords, and see which one allows him to decrypt the message. This allows the cheating verifier to check his entire dictionary of passwords at once.
If you are looking for a password verification protocol that avoids such weaknesses, I suggest you look at either the SRP protocol or the EKE protocol; both were designed specifically to avoid such weaknesses.
Now, as for your question about encrypting known plaintext, well, that's not actually a concern. Strong encryption methods (say, AES with a good mode) are designed to be strong against known (or even chosen) plaintexts. Now, in your case, since you're just verifying knowledge of the shared key, you don't even need to encrypt anything; generating an HMAC of some standard data would be sufficient (or, at least, it would be if your protocol didn't have the above problem).
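The two points of the answer, shown together in a small Python simulation (added here as an illustration; this is not code from the question or the answer). The ECDH step is replaced by a constructed 32-byte shared secret, since the only property that matters for the argument is that the server holds that secret too. The KDF, the `client-proof` label, the challenge bytes, and the candidate password list are all assumptions made for the demo. `client_proof` / `server_verify` implement the answer's suggestion of proving key knowledge with an HMAC over standard data instead of encrypting anything; `candidates_consistent_with_transcript` shows what a verifier that already holds the ECDH secret and the transcript learns: it can re-run the KDF per candidate password and see which one reproduces the proof, which is exactly the offline dictionary weakness the answer describes.

```python
import hashlib
import hmac

# Constructed stand-in for the ECDH shared secret. In the questioner's protocol
# both client and server compute this value, so the verifier always has it.
SHARED_SECRET = bytes(range(32))
USERNAME = "alice"
REAL_PASSWORD = "correct horse"          # constructed sample password
CHALLENGE = b"constructed-server-nonce-0001"  # "standard data" the HMAC covers
# Constructed dictionary: the answer's "one million" shrunk to three entries.
CANDIDATES = ["123456", "correct horse", "hunter2"]


def derive_keys(ecdh_secret: bytes, username: str, password: str):
    """Assumed KDF matching the question's description: the ECDH secret and the
    password are mixed, then two keys are expanded (one for encryption, one for
    HMAC). HKDF-style extract/expand over HMAC-SHA256, salted with the username."""
    prk = hmac.new(username.encode(), ecdh_secret + password.encode(), hashlib.sha256).digest()
    enc_key = hmac.new(prk, b"enc\x01", hashlib.sha256).digest()
    mac_key = hmac.new(prk, b"mac\x01", hashlib.sha256).digest()
    return enc_key, mac_key


def client_proof(mac_key: bytes, challenge: bytes) -> bytes:
    """The answer's suggestion: no encryption needed, an HMAC over agreed data
    is enough to demonstrate knowledge of the shared key."""
    return hmac.new(mac_key, b"client-proof" + challenge, hashlib.sha256).digest()


def server_verify(mac_key: bytes, challenge: bytes, proof: bytes) -> bool:
    """Honest verifier: recompute the HMAC and compare in constant time."""
    return hmac.compare_digest(client_proof(mac_key, challenge), proof)


def candidates_consistent_with_transcript(ecdh_secret, username, challenge, proof, candidates):
    """What a cheating verifier learns from one run: because it holds the ECDH
    secret and sees (challenge, proof), it can check every candidate password
    offline. Returns the candidates that reproduce the observed proof."""
    matches = []
    for candidate in candidates:
        _, mac_key = derive_keys(ecdh_secret, username, candidate)
        if server_verify(mac_key, challenge, proof):
            matches.append(candidate)
    return matches


def run_protocol():
    """One honest run: client derives keys from the real password and sends
    its proof; returns the proof and whether an honest server accepts it."""
    _, client_mac_key = derive_keys(SHARED_SECRET, USERNAME, REAL_PASSWORD)
    proof = client_proof(client_mac_key, CHALLENGE)
    # The server derives the same keys because it also knows the password.
    _, server_mac_key = derive_keys(SHARED_SECRET, USERNAME, REAL_PASSWORD)
    return proof, server_verify(server_mac_key, CHALLENGE, proof)


if __name__ == "__main__":
    proof, accepted = run_protocol()
    print("honest server accepts proof:", accepted)
    leaked = candidates_consistent_with_transcript(SHARED_SECRET, USERNAME, CHALLENGE, proof, CANDIDATES)
    print("candidates consistent with the transcript:", leaked)
```

The HMAC check on its own is fine as key confirmation; the leak comes from the key derivation, where everything except the password is already in the verifier's hands, so each transcript doubles as an offline test oracle. A PAKE such as SRP or EKE is built precisely so that a transcript does not give either side that oracle.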