A New Two-Server Approach A New Two-Server Approach for Authentication with Short for Authentication with Short

SecretsSecrets

John Brainard, Ari Juels,Burt KalJohn Brainard, Ari Juels,Burt Kaliski and Michael Szydlo RSA Labiski and Michael Szydlo RSA Lab

oratoriesoratories

To appear in USENIX Security 2003/4/9

OutlineOutline

IntroductionIntroduction Previous WorkPrevious Work New WorkNew Work

Passwords and PINsPasswords and PINs

Short secrets are convenience .Short secrets are convenience . The secrets stored in a central The secrets stored in a central

database.database.

ProblemProblem

How is it possible to provide secure How is it possible to provide secure services to users who can services to users who can authenticate using only short secrets authenticate using only short secrets or weak password?or weak password?

Smartcards , similar key-storageSmartcards , similar key-storage

Memorable PW – guessing attackMemorable PW – guessing attack

SPAKA protocolsSPAKA protocols

(Secure password authenticated key a(Secure password authenticated key agreement)greement)

EKE:Share a password, mutual ensure EKE:Share a password, mutual ensure to established a session key.to established a session key.

Attack to SPAKAAttack to SPAKA

Client SERVER

password

celartext

steal

Off-line dictionary attacks

Cleartext

LOOKALL ?

OutlineOutline

IntroductionIntroduction Previous WorkPrevious Work New WorkNew Work

Previous workPrevious work

A mechanism called A mechanism called password hardeningpassword hardening , by F , by Ford and Kaliski.ord and Kaliski.

Client

password

i i i…

Server secret

i i i…

Learn no information

Decrypt credentials

Authenticate

Others protocols…

OutlineOutline

IntroductionIntroduction Previous WorkPrevious Work New WorkNew Work

Now new workNow new work

Two-server solution .Two-server solution .

Server Red

SSL SSL

Server Blue

p

P’

P = P’ ??

Client

SSL

OutlineOutline

IntroductionIntroduction Previous WorkPrevious Work New WorkNew Work Equality-Testing ProtocolEquality-Testing Protocol

Equality-Testing ProtocolEquality-Testing Protocol

H is a large group(160-bit)H is a large group(160-bit)

and + be the group operatorand + be the group operator f is collision-free hash functionf is collision-free hash function *:{0,1}f H

Equality-Testing ProtocolEquality-Testing Protocol

Registration:Registration:

blue

red

P f P R

P R

UR H

Equality-Testing ProtocolEquality-Testing Protocol

Authentication:Authentication:

If P = P’

0

blue redQ Q

'

' '

'

'

( ( ) ( )) ( )

blue blue blue

red red red

Q P P

f P f P R R

Q P P

R R

G is large group (hard to discrete log)G is large group (hard to discrete log) g : generatorg : generator q : order in Zp (p=2q+1)q : order in Zp (p=2q+1) p (1024 bits)p (1024 bits) w: H -> Gw: H -> G

1

1

'1

{2,4,..., 1}R

e

e q

Y g

0

0

,

0

{2,4,..., 1}

( )R

blue U

e

e q

A w Q

Y Ag

0 ,Y U

1, redY H

1

1

'1

{2,4,..., 1}R

e

e q

Y g

1

,

'1 1

0

?

0 1

( )

( / )

{2,..., 2}

( || || || )

red U

ered

red

red red

B w Q

Y BY

Z Y B

Z p

H h Z Y Y U

0

1

?

( / )

{2,..., 2}

( || )

eblue

blue

blue blue red

Z Y A

Z p

H h Z H

0

0

,

0

{2,4,..., 1}

( )R

blue U

e

e q

A w Q

Y Ag

1, redY H

?0 1( || || || )red blueH h Z Y Y U ? ( || )blue red redH h Z H

blueH

1

,

'1 1

0

?

0 1

( )

( / )

{2,..., 2}

( || || || )

red U

ered

red

red red

B w Q

Y BY

Z Y B

Z p

H h Z Y Y U

0

1

?

( / )

{2,..., 2}

( || )

eblue

blue

blue blue red

Z Y A

Z p

H h Z H

Compare with SPAKACompare with SPAKA

Mutually authenticated channel Mutually authenticated channel betweenbetween

two servers.two servers. not derive a shared key.not derive a shared key. Client need perform no cryptographic Client need perform no cryptographic

computation, and operation in H. computation, and operation in H.

OutlineOutline

IntroductionIntroduction Previous WorkPrevious Work New WorkNew Work Equality-Testing ProtocolEquality-Testing Protocol Architectural MotivationArchitectural Motivation

Architectural MotivationArchitectural Motivation

Security in two servers.Security in two servers. * different OSs* different OSs * different organizations* different organizations (privacy outsourcing): (privacy outsourcing): service providerservice provider privacy providerprivacy provider

Architectural MotivationArchitectural Motivation

UniversalityUniversality Pseudonymity Pseudonymity Engineering simplicityEngineering simplicity System isolation System isolation Mitigation of denial-of-service attacksMitigation of denial-of-service attacks

OutlineOutline

IntroductionIntroduction Previous WorkPrevious Work New WorkNew Work Equality-Testing ProtocolEquality-Testing Protocol Architectural MotivationArchitectural Motivation Avoiding ProblemsAvoiding Problems

Avoiding ProblemsAvoiding Problems

False Pseudonym ProblemFalse Pseudonym Problem Replay Attacks ProblemReplay Attacks Problem