Password-based
Authentication
SBSeg 2007 Keynote
Michel Abdalla
Researcher
École normale supérieure & CNRS
Diffie-Hellman protocol
Let G be a group in which the DDH problem is hard and let g be a generator for G
Alice
Bob
skA  {0,…,|G|-1}
pkA  gskA
pkA
skB  {0,…,|G|-1}
pkB  gskB
pkB
pkBsk A = gskAsk B = pkAsk B
Protocol does NOT provide authentication
Authenticated Key Exchange
(AKE)


Allow two parties to establish a common
secret in an authenticated way
Intuitive goal: implicit authentication


The session key should only be known to the
parties involved in the protocol
Formally: semantic security
 the session key should be indistinguishable from a
random string
Authentication techniques

Asymmetric techniques



Symmetric techniques



Assume the existence of a public-key infrastructure
Each party holds a pair of secret and public keys
Users share a random secret key
2-party or 3-party settings
Password-based techniques


Consider the case of weak secrets (e.g., a 4-digit PIN)
Protocols are always subject to online guessing attacks
Password-based AKE (PAKE)

Realistic


Convenient to use


Real-life applications usually rely on weak
passwords
Users do not need to store the secret
Comes at a cost

Protocols are always subject to online guessing
attacks
Online dictionary attacks

Let D represent the set of possible passwords (i.e., dictionary)


Online dictionary attack




Choose a password from D
Interact with authentication server using the guessed password
Each online attempt can succeed with probability 1/|D|
Counter measures against online attacks


As passwords need be memorized by humans, |D| is usually small
Limit the number of unsuccessful attempts
Goal of password-based authentication

Restrict the adversary to online dictionary attacks only
Group Password-based
AKE (GPAKE)

Scenario





Similar to the 2-party case, except that …
Number of protocol participants is variable
Password is shared among all participants
Session key is shared among all participants
Security goals

Similar to the 2-party case: Allow a pool of
users to established a common session key with
only the help of passwords
Security model

Users can have many protocol instances running
concurrently

Communication may be controlled by the adversary




Adversary can create, modify, or forward messages
The transmission of messages is done via specific oracle
queries
Adversary is given oracle access to all user instances
and can corrupt some of them
Protocol is considered secure if the session key held
by a honest user cannot be distinguished from a
random key
Outline

Review of PAKE schemes

History of GPAKE scheme

A Simple GPAKE protocol

A generic GPAKE protocol

Concluding remarks
Background: Ideal models

Random oracle model [BellareRogaway93]



Random permutation model


Similar to the random-oracle model, but with a permutation
instead of a function
Ideal cipher model



Perhaps the most used ideal model in cryptography
The hash function is modeled as a perfectly random function
An extension of the random-permutation model
A block cipher is seen as a family of truly random and
independent permutations (for each key)
Standard model

None of the above
Brief history of PAKE schemes

[BelMer92]: Encrypted Key Exchange (EKE)


[BelPoiRog00,BoyMacPat00]



Seminal work, no proofs
Formal security models
Protocols in the ideal-cipher and random-oracle models
[GolLin01]

Non-concurrent protocol in the standard model

[KatOstYun01,GenLin03,CHKLM05]

Efficient protocols in the CRS model
[BR00,BCP03/04,CatPoiPor04,MacKenzie02,AbPo05]
 Efficient EKE and OKE protocols in the RO model

Encrypted Key Exchange
[Bellovin & Merritt, 1992]

Flows are encrypted with the password
Alice
x  Zp
X  gx
 = pwAlice,Bob
Alice, X=Enc(X)
Bob
y  Zp
Y  gy
Bob, Y=Enc(Y)
Y  Dec(Y)
K  Yx
X  Dec(X)
K  Xy
SK  H(Alice,Bob,,X,Y,K)
EKE instantiations

[BPR00,BCP03]



[MacKenzie02,BCP04]



Enc = Ideal cipher
H = Random oracle
Enc = Random oracle
H = Random oracle
[AbPo05]


Encpw(X) = X  hpw
H = Random oracle
Simple PAKE [AbPo05]
Alice
x  Zp
X  gx
 = pwAlice,Bob
Alice, X= X  A
Bob
y  Zp
Y  gy
Bob, Y= Y  B
Y  Y / B
K  Yx
X  X / A
K  Xy
SK  H(Alice,Bob,,X,Y,K)
Security of simple PAKE


Theorem: If the DDH problem is hard,
then the protocol described in the
previous slide is a secure PAKE protocol
in the random-oracle model.
Proof: see [AbPo05]
PAKE in the standard model:
The Gennaro-Lindell Construction

Design is not as simple as EKE

Requires several different tools

One-time signatures

Non-malleable encryption schemes

Smooth projective hash functions
Smooth projective hash functions
[GL03 variant]: Algorithms

Hash key generation: hk = HK(pk)


Projected key generation: hp = (hk, c)


hk – hashing key, hp – projected key
Hashing algorithm: H (hk, m, c)  G


pk – public encryption key, hk – hashing key
m – message, c – ciphertext, hk – hashing key
Projected hashing algorithm: h = h(hp, m, c; r)

hp – projected key, r – random used to generate c
Smooth projective hash functions
[GL03 variant]: Security properties

Correctness:


If c = E(pk,m;r), then (m,c,hp) uniquely determines H(hk,m,c)
When c = E(m;r), H(hk,m,c) can be computed efficiently given r
h(hp,m,c; r) = H(hk,m,c)

Smoothness:


If c is not an encryption of m,
then (m, c, hp) gives no information (statistically) on H(hk,m,c)
Pseudo-randomness:

When c=E(m;r) and hp=(hk,c),
then H(hk,m,c) is pseudo-random given only (m,c,hp)
The Gennaro-Lindell
Construction
Alice
skR, vkR  Sig-KG
cR  Epk(pw  vkR ; rR)
hkR  hashKey
hpR  (hkR, cL, vkL)
R  Sign(skR,Transcript)
Bob
Alice, vkR, cR
Bob, hpL, vkL, cL
skL, vkL  Sig-KG
hkL  hashKey
hpL  (hkL, cR, vkR)
cL  Epk(pw  vkL ; rL)
hpR, R
L
L  Sign(skL,Transcript)
KR  HhkL(pw, vkR, cR)
KL  hhpR(pw, cL, vkL; rL)
KL  HhkR(pw, vkL, cL)
KR  hhpL(pw, cR, vkR; rR)
SK  KL ◦ KR
Outline
 Review of PAKE schemes

History of GPAKE schemes

A Simple GPAKE protocol

A generic GPAKE protocol

Concluding remarks
Brief history of GAKE schemes

[BurDes94, BurDes05]:



[KatzYung03]



A One Round Protocol for Tripartite Diffie-Hellman
[LiPieprzyk99,BreCat04]
Conference key agreement from secret sharing
[BoydNieto03, JeongKatzLee04, …]

Round-Optimal contributory key agreement


A variant of the BD protocol using random oracles and XOR operations
[Joux00]


Proof of security for BD protocol based on DDH
Generic compiler from GKE to GAKE using signatures
[KimLeeLee04]


Constant-round group Diffie-Hellman key exchange
Passive attacks, security based on CDH
The Burmester-Desmedt
Group Key Exchange [BD94]
P1
x1  Zp
X1  gx1
X1
K1  X2x1
KN  XNx1
Z1  K1 / KN
Z1

Pi

PN
xi  Zp
Xi  gxi
xN  Zp
XN  gxN
Xi
XN
Ki  Xi+1xi
Ki-1  Xi-1xi
Zi  Ki / Ki-1
KN  X1xN
KN-1  XN-1xN
ZN  KN / KN-1
Zi
ZN
SK  K1 ◦ K2 ◦  ◦ KN
The Kim-Lee-Lee Group Key
Exchange [KLL04]
P1
s1  $
x1  Zp
X1  gx1
X1
K1  H(X2x1)
KN  H(XNx1)
Z1  K1  KN
T1  s1
Z1  T1

Pi

si  $
xi  Zp
Xi  gxi
Xi
PN
sN  $
xN  Zp
XN  gxN
XN
Ki  H(Xi+1xi)
Ki-1  H(Xi-1xi)
Zi  Ki  Ki-1
Ti  si
KN  H(X1xN)
KN-1  H(XN-1xN)
ZN  KN  KN-1
TN  KN  sN
Zi  Ti
ZN  TN
SK  H2(s1  s2    sN)
A generic version of the
Burmester-Desmedt protocol

Pi-1
Pi
Pi+1
KE
Ki-1
Zi-1  Ki-1 / Ki-2
Zi-1

KE
Ki
Ki-1
Zi  Ki / Ki-1
Zi
SK  K1 ◦ K2 ◦  ◦ KN
Ki
Zi+1  Ki+1 / Ki
Zi+1
A generic version of the
Kim-Lee-Lee protocol

Pi-1
Pi
Pi+1
si-1  $
si  $
si+1  $
KE
Ki-1
Zi-1  Ki-1  Ki-2
Ti-1  si-1
Zi-1  Ti-1

PN
sN  $
KE
Ki-1
Ki
Zi  Ki  Ki-1
Ti  si
Zi  Ti
Ki
Zi+1  Ki+1  Ki
Ti+1  si+1
Zi+1  Ti+1
SK  H2(s1  s2    sN)
ZN  KN  KN-1
TN  KN  sN
ZN  TN
Previous work on GPAKE

[BreChePoi02, BreChePoi05]:



[LeeHwangLee04]




Based on the Kim-Lee-Lee GAKE protocol
Proven secure in the random-oracle model
Broken in [ABCP06]
[DuttaBarua06]




Group Diffie-Hellman password-based key exchange
Linear number of rounds
Based on the Kim-Lee-Lee GAKE protocol
Proven secure in the random-oracle and ideal-cipher models
Broken in [ABCP06]
[ABCP06], [TangChoo06]


Based on the Burmester-Desmedt protocol
Proven secure in the ideal-cipher and random-oracle models
More recent work on GPAKE

[KwonJeongLee06]




[AbdallaPointcheval06]



Based on the Gennaro-Lindell PAKE protocol
Proven secure in the standard model
[BohliGonzalezSteinwandt06]



Simplification of [ABCP06] protocol
Proven secure in the “standard model”
Apparently insecure (work in progress)
Proven secure in the standard model
Similar to [AbdallaPointcheval06], but more efficient
[ABGS07]


Generic compiler from 2-party to group
Proven secure in the standard model
Outline
 Review of PAKE schemes

History of GPAKE schemes

A Simple GPAKE protocol

A generic GPAKE protocol

Concluding remarks
Adding password authentication
to the BD protocol

EKE approach



Encrypt all flows using the password pw
Xi= pw(Xi), Zi= pw(Zi)
Problem


In the BD protocol, Z1◦Z2 ◦  ◦ ZN = 1
Dictionary attack



Guess password pw
Compute Zi= Dpw(Zi) for i=1,,N
Check if Z1◦Z2 ◦  ◦ ZN = 1
The Dutta-Barua GPAKE
Protocol [DB06]
P1
s1  $
x1  Zp
X1  gx1
Epw(X1)
K1  H(X2x1)
KN  H(XNx1)
Z1  K1  KN
T1  s1
E’pw(Z1T1)

Pi

si  $
xi  Zp
Xi  gxi
Epw(Xi)
Ki  H(Xi+1xi)
Ki-1  H(Xi-1xi)
Zi  Ki  Ki-1
Ti  si
E’pw(ZiTi)
SK  H2(s1  s2    sN)
PN
sN  $
xN  Zp
XN  gxN
Epw(XN)
KN  H(X1xN)
KN-1  H(XN-1xN)
ZN  KN  KN-1
TN  KN  sN
E’’pw(TN)
An attack against the
Dutta-Barua GPAKE protocol

Problem


All flows are encrypted under the same key
Attack






Let P1 and P2 be honest users
Attacker will play the role of P3
Attacker waits for P1 and P2 to broadcast X1*=Epw(X1) and
X2*=Epw(X2)
Attacker sets X3*=X1* (This implicitly sets x1=x3) and
broadcasts it
This causes K1=K2 and Z2=0
Hence, T2*=Epw(0s2)  Dictionary attack!
An attack against the
Dutta-Barua GPAKE protocol
P1
s1  $
x1  Zp
X1  gx1
Epw(X1)
K1  H(X2x1)
K3  H(X1x1)
Z1  K1  K3
T1  s1
E’pw(Z1  T1)
P2
s2  $
x2  Zp
X2  gx2
P3
This implicitly sets x3=x1
Epw(X2)
Epw(X1)
K2  H(X1x2 )
K1  H(X1x2)
Z2  K2  K1 = 0
T2  s2
E’pw(0  T2)
Dictionary
Attack!!!
The Lee-Hwang-Lee GPAKE
protocol [LHL04]
P1
x1  Zp
X1  gx1
Epw(X1)
K1  H(X2x1)
KN  H(XNx1)
Z1  K1  KN
Z1

Pi

xi  Zp
Xi  gxi
xN  Zp
XN  gxN
Epw(Xi)
Epw(XN)
KN  H(X1xN)
KN-1  H(XN-1xN)
ZN  KN  KN-1
Ki  H(Xi+1xi)
Ki-1  H(Xi-1xi)
Zi  Ki  Ki-1
Zi
SK  H(K1  K2 
PN
ZN
  KN)
An attack against the
Lee-Hwang-Lee GPAKE protocol
P1
X1  gx1
Epw(X1)
P2
Epw(X’1)
P3
Epw(X1)
P4
Epw(X’1)
K1 = K2 = K3 = K4 = H(X’1x1)
0
0
0
0
SK  H(K1  K2  K3  K4)
X’1  gx1’
P’1
P’2
P’3
P’4
Epw(X’1)
Epw(X1)
Epw(X’1)
Epw(X1)
K’1 = K’2 = K’3 = K’4 = H(X1x1’)
0
0
0
SK’  H(K’1  K’2  K’3  K’4)
0
Outline
 Review
of PAKE schemes
 History
of GPAKE schemes

A Simple GPAKE protocol

A generic GPAKE protocol

Concluding remarks
A simple GPAKE protocol:
Intuition




Add an extra flow of random nonces ri at the
beginning of the each session
S = P1  r1    PN  rN
Use a different encryption key for each user and
session to avoid replaying of messages
pwi = H(pw  S  i)
Only encrypt the flow containing the values Xi to
avoid dictionary attacks
Add an authentication flow to avoid malleability
attacks
Authi = H’(S  X1*  Z1    XN*  ZN  SK  i)
A simple GPAKE protocol:
Construction [ABCP06]
P1


Pi
PN
r1  $
ri  $
rN  $
P 1 , r1
P i , ri
PN, rN
x1  Zp
X1  gx1
Epw1(X1)
K1  X2x1
KN  XNx1
Z1  K1 / KN
xi  Zp
Xi  gxi
Epwi(Xi)
Ki  Xi+1xi
Ki-1  Xi-1xi
Zi  Ki / Ki-1
xN  Zp
XN  gxN
EpwN(XN)
KN  X1xN
KN-1  XN-1xN
ZN  KN / KN-1
Z1
Zi
ZN
Auth1
Authi
AuthN
SK  K1 ◦ K2 ◦  ◦ KN
Session Key  H’’(Transcript  SK)
A simple GPAKE protocol:
Security


Theorem: If the DDH problem is hard,
then the protocol described in the
previous slide is a secure GPAKE
protocol in the random-oracle and idealcipher models
Proof: see [ABCP06]
Outline
 Review
of PAKE schemes
 History
of GPAKE schemes
A
Simple GPAKE protocol

A generic GPAKE protocol

Concluding remarks
A generic GPAKE protocol
[ABGS07]: Intuition

Generate Ki using a (2-party) PAKE


Commit to Zi before making it public


Each user authenticates its neighbors
Commitment should be non-malleable
Use the fact that Z1◦ … ◦ ZN = 1 for
verification
A generic GPAKE protocol
Pi-1
Ki-1
Pi
AKE
Ki-1
Pi+1
Ki
AKE
Ki
Zi-1  Ki-1  Ki-2
Zi  Ki  Ki-1
Zi+1  Ki+1  Ki
Com(Zi-1 i-1; ri-1)
Com(Zi I; ri)
Com(Zi+1i+1; ri+1)
Zi-1, ri-1
Zi, ri
Zi+1, ri+1
SK  UH(K1, ,KN,Transcript)
Session Key  FSK(0)
Advantages of generic
construction



Allows a modular design approach
Transformation is reasonably efficient
No ideal assumptions




Non-interactive non-malleable commitments
Family of collision-resistant pseudorandom
functions [Katz-Shin 05]
Family of universal hash functions
Simpler proof of security
Outline
 Review
of PAKE schemes
 History
of GPAKE schemes
A
Simple GPAKE protocol
A
generic GPAKE protocol

Concluding remarks
Concluding remarks

Recap




The design of password-based protocols can be tricky



Attacks against previous constructions [ABCP06]
A simple construction in the IC and RO models [ABCP06]
A generic GPAKE construction [ABGS07]
Small modifications to the protocol can make them insecure
The only way to be sure is to provide a security proof
Password-based authenticated key exchange remains
a very active area
Future directions


More efficient constructions in the
standard model
Stronger security guarantees


universal composability
Stronger corruption models