Saturday, October 28, 2006

Public-Key Cryptography and Password Protocols

Halevi, S., & Krawczyk, H. (1999). Public-Key Cryptography and Password Protocols.
ACM Transactions on Information and System Security, 2, 230-268. Retrieved on September 13, 2006, from the ACM Digital Library database.

In this article, Halevi and Krawczyk studied the combined use of weak (password) and strong (private key for public-key encryption) authentication and key exchange in the asymmetric scenario, where only the server holds a key pair and the user holds nothing but a password.

The most basic password use is sending the password from the user to the server in the clear; the server keeps a file containing either the plain password or a one-way image of it and validates the submitted password against that file. In remote authentication, a password sent in the clear can easily be read by an eavesdropper. One of the most basic attacks is password guessing, in which an attacker uses a small dictionary of common passwords. In an off-line attack, the attacker records protocol runs and then searches the dictionary for passwords consistent with what he recorded, while in an on-line attack he keeps trying passwords from the dictionary against the server until he finds the correct one. The authors define security for a password-based one-way authentication protocol by describing an attacker who can watch runs of the protocol between the user and the server, prompt new authentication sessions in which he sees all messages exchanged between the two, intercept messages and change or drop them, and observe whether or not the server accepts the authentication.

Several protocols for the asymmetric scenario were then presented, where the authentication server has a pair of private and public keys and the client uses a password. The first protocol, part of a broader group of protocols called “encrypted challenge-response mechanisms,” was a simple one in which the password was encrypted under the server’s public key and sent to the server for verification. The authors’ findings showed that additional properties of the encryption scheme were needed to maintain the security of the protocol. Next, the authors used the challenge-response approach, encrypting the user’s response under the server’s public key to fend off password guessing. They determined that while encrypting the response would appear to be an effective way of preventing password guessing, on its own it was not. Because they aimed for a level of security higher than semantic security, they chose OAEP, a simple encoding of data for use with RSA encryption, to provide protection against strong attacks.

The authors then extended their authentication protocols to also authenticate the server to the user and to exchange an authenticated secret session key, which they indicated is needed in many security applications. The protocol does not give perfect forward secrecy, because exposure of the server’s private key reveals the session key, but the authors stated that perfect forward secrecy could be achieved by combining the protocol with a Diffie-Hellman exchange and mutual authentication. The authors next suggested giving the user a hashed version of the server’s public key, a so-called “public password,” for settings where clients cannot otherwise verify the authenticity of the server’s public key; it extends the human-memorizable password and serves as a “hand-held certificate” for the public key.
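As an added illustration (not code from the paper or from this post), the following Python models the encrypted challenge-response exchange and the “public password” check described in the two preceding paragraphs. The toy RSA key built from two small Mersenne primes, the 5-byte pad, the 6-byte hash-based response, and the stored password `hunter2` are all constructed assumptions that keep the example self-contained; they are not the paper’s parameters.

```python
import hashlib
import secrets

# Toy RSA server key from two known Mersenne primes (constructed for
# illustration only; a real deployment uses >=2048-bit keys with RSA-OAEP).
P, Q, E = (1 << 61) - 1, (1 << 31) - 1, 65537
N = P * Q                                  # ~92 bits: plaintexts fit in 11 bytes
D = pow(E, -1, (P - 1) * (Q - 1))
SERVER_PASSWORD = "hunter2"                # constructed stored password

def public_password(n: int, e: int) -> str:
    """Short hash of the server's public key: the 'hand-held certificate'."""
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:12]

CARD = public_password(N, E)               # value the user carries on paper

def response_for(challenge: bytes, password: str) -> bytes:
    """User's 6-byte response tag binding the password to this challenge."""
    return hashlib.sha256(challenge + password.encode()).digest()[:6]

def encrypt(pub, pad: bytes, response: bytes) -> int:
    """Encrypt pad||response under the server's public key. A fresh random pad
    randomizes the ciphertext (the role OAEP plays in the paper); an all-zero
    pad models plain textbook RSA, which is deterministic."""
    n, e = pub
    return pow(int.from_bytes(pad + response, "big"), e, n)

def decrypt(priv, ct: int) -> bytes:
    n, d = priv
    return pow(ct, d, n).to_bytes(11, "big")[5:]   # drop the 5-byte pad

def run_protocol(password: str, randomized: bool = True, received_pub=(N, E)):
    """One encrypted challenge-response run; returns (accepted, transcript)."""
    if public_password(*received_pub) != CARD:      # client checks the card first
        raise ValueError("server key does not match the public password")
    challenge = secrets.token_bytes(8)               # server -> user
    pad = secrets.token_bytes(5) if randomized else bytes(5)
    ct = encrypt(received_pub, pad, response_for(challenge, password))  # user -> server
    accepted = decrypt((N, D), ct) == response_for(challenge, SERVER_PASSWORD)
    return accepted, (challenge, ct)

def offline_guess(transcript, dictionary):
    """The paper's off-line test applied to a recorded run: re-encrypt each
    dictionary word and compare with the recorded ciphertext. It only works
    when the user's encryption was deterministic, which is why the paper
    requires more than plain public-key encryption of the response."""
    challenge, ct = transcript
    for guess in dictionary:
        if encrypt((N, E), bytes(5), response_for(challenge, guess)) == ct:
            return guess
    return None
```

With the random pad, `offline_guess` returns `None` even though the transcript carries the encrypted response; with the zero pad it recovers the password, which is exactly the weakness the OAEP requirement rules out.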

The authors next stated their definition of password-protocol security and established the security of their encrypted challenge-response protocol. To do so, they built a model in which their security requirements can be expressed and checked: a “probabilistic game” played by a user, a server, and an intruder who has great but limited power. Each game has security parameters controlling the strength of the cryptographic keys and functions, and a dictionary of passwords. Using this game, the authors defined a secure one-way password authentication protocol by first stating that a protocol is syntactically correct when it authenticates the user whenever all messages are delivered unchanged, and then by defining successful impersonation and authentication. Within this definition, the intruder’s strategy is to keep trying passwords until he succeeds.

Finally, the authors explained their public-key encryption method, which resists ciphertext-verification attacks and consists of a key-generation algorithm, a probabilistic encryption algorithm, and a decryption algorithm. The authors noted that users and servers in a password setting do have a shared secret, and that all the strong password mechanisms they and others propose use public-key techniques.
