Network Security --- User Authentication and Key Agreement Protocols
孫宏民 (Hung-Min Sun)
[email protected]
Phone: 03-5742968
Department of Computer Science, National Tsing Hua University
Information Security Laboratory
Outline
• Basic Cryptographic Concept
• Symmetric Encryption
• Asymmetric Encryption
• Digital Signature
• Encrypted Key Exchange (EKE)
• Conclusions
Cryptographic System
[Figure: Plaintext --(Encryption, Key)--> Ciphertext --(Decryption, Key)--> Plaintext]
Four Basic Services of Cryptography:
• 1. Confidentiality (Secrecy): The intruder cannot read the
encrypted message from the ciphertext.
• 2. Authentication: It should be possible for the receiver of a
message to ascertain its origin; an intruder should not be able to
masquerade as someone else.
• 3. Integrity: It should be possible for the receiver of a message to
verify that it has not been modified in transit; an intruder cannot
substitute a false message for a legitimate one.
• 4. Nonrepudiation: A sender should not be able to falsely deny
later that he sent a message.
Cryptographic System
[Figure: Plaintext (M) --(Encryption, key K1)--> Ciphertext (C) --(Decryption, key K2)--> M; a cryptanalyst observes C]
• Symmetric Cryptosystem: the encryption and decryption keys are the same (E_K(M) = C and D_K(C) = M).
• Asymmetric Cryptosystem: the encryption and decryption keys are different (E_K1(M) = C and D_K2(C) = M).
The encryption key is public, while the decryption key cannot be calculated from the public key.
Symmetric Cryptosystem
• DES (1977)
• IDEA (1992)
• RC5 (1994)
• AES (2001)
Symmetric Cryptosystem
Security Services:
• Confidentiality
• Authentication
• Integrity
Advantage: high speed
Disadvantages:
• how to obtain a common secret key between two parties,
• the number of secret keys is too big,
• cannot achieve nonrepudiation.
Asymmetric Cryptosystem
• RSA (1978)
• El-Gamal (1984)
• McEliece (1978)
• Knapsack (1978)
Asymmetric Cryptosystem
Security Services:
• Confidentiality
• Integrity
• Authentication (by signature)
• Nonrepudiation (by signature)
Advantage: a pair of keys for each user
Disadvantages:
• slow speed
• public keys need to be authenticated by a CA
RSA (Encryption & Decryption)
Public key: n = pq, where p and q are large primes (512 bits), and e with gcd(e, (p-1)(q-1)) = 1
Private key: d, where ed = 1 mod (p-1)(q-1)
Encryption: C = M^e mod n
Decryption: M = C^d mod n
Example: p = 47, q = 71 => n = 3337; e = 79 => d = 1019; M = 688
Encryption: C = M^e mod n = 688^79 mod 3337 = 1570
Decryption: M = C^d mod n = 1570^1019 mod 3337 = 688
One-way hash function
• Input: X (unlimited length); output: Y = H(X) (fixed length, e.g., 160 bits)
• Given X, it is easy to compute Y.
• Given Y and H( ), it is computationally infeasible to compute X.
• Given X and Y, it is computationally infeasible to find X' (X' ≠ X) such that Y = H(X').
Digital Signature
[Figure: Signer A feeds the message M and the private key into Signature Generation, producing the signature S; Verifier B feeds M, S and the public key into Signature Verification, which outputs True or False]
Digital Signature
[Figure: M --Hash--> h(M) --Signature Function--> S]
Hash Functions: SHA, MD5, FFT, Snefru, N-Hash
Signature Functions: RSA, DSA, El-Gamal, Elliptic Curve, LUC
RSA Digital Signature
Public key: n = pq, where p and q are large primes (512 bits), e with gcd(e, (p-1)(q-1)) = 1, and h is a hash function.
Private key: d, where ed = 1 mod (p-1)(q-1)
Sign: S = h(M)^d mod n
Verify: h(M) = S^e mod n
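The textbook RSA operations of the two RSA slides (encryption/decryption and hashed signature), as an added Python example that is not code from the slides. It reproduces the slides' own example key (p = 47, q = 71, e = 79, giving n = 3337 and d = 1019) and checks that M = 688 encrypts to 1570. The hash h is assumed to be SHA-256 reduced modulo n; the reduction is needed only because the toy modulus is tiny, and the scheme is unpadded textbook RSA, so a real deployment would use a padded scheme (e.g. RSA-PSS) with a 2048-bit or larger modulus.

```python
import hashlib
from math import gcd

# Textbook RSA exactly as on the slides: no padding, toy-sized primes.
# The key below is the slides' own example (p=47, q=71, e=79 -> d=1019).

def rsa_keygen(p, q, e):
    """Return (public key (n, e), private exponent d) for primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse: e*d = 1 mod (p-1)(q-1)  (Python >= 3.8)
    return (n, e), d

def rsa_encrypt(m, pub):
    """C = M^e mod n."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)

def rsa_decrypt(c, d, n):
    """M = C^d mod n."""
    return pow(c, d, n)

def h(message: bytes, n: int) -> int:
    """One-way hash of the message as an integer in [0, n).
    SHA-256 is an assumption of this example; 'mod n' only because the toy n is tiny."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def rsa_sign(message: bytes, d: int, n: int) -> int:
    """S = h(M)^d mod n."""
    return pow(h(message, n), d, n)

def rsa_verify(message: bytes, s: int, pub) -> bool:
    """Accept iff h(M) == S^e mod n."""
    n, e = pub
    return h(message, n) == pow(s, e, n)

def demo():
    """Run the slides' numbers and a sign/verify round trip; returns the observed values."""
    pub, d = rsa_keygen(47, 71, 79)
    n, _ = pub
    c = rsa_encrypt(688, pub)                       # expected 1570
    m = rsa_decrypt(c, d, n)                        # expected 688
    msg = b"transfer 100 to Bob"                    # constructed sample message
    s = rsa_sign(msg, d, n)
    ok = rsa_verify(msg, s, pub)                    # True: signature matches message
    tampered = rsa_verify(b"transfer 900 to Bob", s, pub)  # False (except a 1/n hash collision on this toy n)
    return n, d, c, m, ok, tampered

if __name__ == "__main__":
    print(demo())
```

The toy modulus makes the signature forgeable by brute force (the hash space is only 3337 values), which is exactly why the slides specify 512-bit primes; the functions themselves are unchanged for large parameters.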
Secure Communication between Client and Server
Using Symmetric Cryptosystem: each client and the server share a common secret key K.
[Figure: Client --(IDc, E_K(M))--> Server; Server --(E_K(M'))--> Client]
Disadvantages:
1. The secret key must be strong.
2. If the secret key is revealed, the messages in the past will also be revealed.
Secure Communication between Client and Server
Using Asymmetric Cryptosystem: Encryption + Signature (see next page)
Disadvantages:
1. Public keys need to be authenticated by a CA.
2. The private key must be strong.
3. If the server's private key is revealed, the messages in the past will also be revealed.
Secure Communication between Client and Server
User Authentication in general
Based on one or more of:
• something a user has (smart card/token card)
• something a user is (fingerprint/voiceprint/retinal scan)
• something a user knows (password/short secret)
What's a popular user authentication system based on three of these?
Secure Password Authentication
• Remote user access
• Goal: to be secure without requiring the user to carry/remember anything except a password
[Figure: Remote client (authenticated using password) --VPN traffic--> Firewall --> protected domain]
Dictionary Attacks (Password Guessing Attacks)
• An off-line, brute-force guessing attack conducted by an attacker on the network.
• The attacker usually has a "dictionary" of commonly-used passwords to try.
• People pick easily remembered passwords.
• "Easy-to-remember" is also "easy-to-guess".
Passwords in the Real World
• Entropy is less than most people think
• Dictionary words, e.g. "pudding", "plan9"
  – Entropy: 20 bits or less
• Word pairs or phrases, e.g. "hate2die"
  – Represents average password quality
  – Entropy: around 30 bits
• Random printable text, e.g. "nDz2\u>O"
  – Entropy: slightly over 50 bits
Password-based protocols
• Telnet, FTP are insecure: the password is sent in the clear.
[Figure: Client --(IDc, Password)--> Server]
• Sending a hash of the password is still insecure due to dictionary attacks.
[Figure: Client --(IDc, h(Password))--> Server]
Password-based Protocol with Challenge
[Figure: Client --(ID)--> Server; Server --(Cha)--> Client; Client --(h(Cha, Password))--> Server]
Still insecure against dictionary attacks: an eavesdropper who records Cha and h(Cha, Password) can test password guesses off-line.
We need a password-based authentication protocol which is secure against dictionary attacks.
Secure Communication between Client and Server
• What to do after authentication?
• We need a common session key to protect our communication.
• Diffie-Hellman key agreement lets two parties share a common session key.
Diffie-Hellman Key Agreement
• Goal: to let two parties share a common session key
• p: large prime, g: generator
[Figure: Client --(g^Ra mod p)--> Server; Server --(g^Rb mod p)--> Client; the Client computes K = (g^Rb)^Ra mod p and the Server computes K = (g^Ra)^Rb mod p]
Man-in-the-middle attack
[Figure: Client --(g^a mod p)--> Attacker --(g^a' mod p)--> Server; Server --(g^b mod p)--> Attacker --(g^b' mod p)--> Client. The Client computes (g^b')^a mod p, the Server computes (g^a')^b mod p, and the Attacker computes both (g^a)^b' mod p and (g^b)^a' mod p]
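The plain Diffie-Hellman exchange and the man-in-the-middle scenario of the two slides above, as an added Python example (not code from the slides). The parameters p = 23 and g = 5 are an assumption chosen so every value can be checked by hand (5 generates all of Z_23^*); the function names are this example's own. The point for a defender is visible in the return values: with an attacker in the path the client and server end up with two different keys, both of which the attacker also holds, and nothing in the exchange lets either side notice.

```python
import secrets

# Toy Diffie-Hellman over the multiplicative group mod a small prime.
# p, g are illustration-only assumptions; real deployments use a 2048-bit (or larger)
# safe prime and a generator of a large prime-order subgroup.
P = 23   # small prime
G = 5    # primitive root mod 23

def dh_public(secret, p=P, g=G):
    """g^R mod p: the value sent over the network."""
    return pow(g, secret, p)

def dh_shared(their_public, my_secret, p=P):
    """(g^Rb)^Ra mod p: the agreed key."""
    return pow(their_public, my_secret, p)

def random_secret(p=P):
    """Private exponent in [1, p-2]."""
    return secrets.randbelow(p - 2) + 1

def honest_exchange(ra, rb):
    """Client (secret ra) and server (secret rb) exchange directly; returns (client key, server key)."""
    ya, yb = dh_public(ra), dh_public(rb)
    return dh_shared(yb, ra), dh_shared(ya, rb)

def mitm_exchange(ra, rb, ra_fake, rb_fake):
    """The slide's man-in-the-middle scenario: the attacker substitutes its own exponentials in transit.
    Returns (client key, server key, attacker's key with client, attacker's key with server)."""
    ya, yb = dh_public(ra), dh_public(rb)                 # g^a, g^b (intercepted)
    ya_fake, yb_fake = dh_public(ra_fake), dh_public(rb_fake)  # g^a', g^b' (injected)
    k_client = dh_shared(yb_fake, ra)      # client believes K = (g^b')^a
    k_server = dh_shared(ya_fake, rb)      # server believes K = (g^a')^b
    k_att_client = dh_shared(ya, rb_fake)  # attacker: (g^a)^b'  == k_client
    k_att_server = dh_shared(yb, ra_fake)  # attacker: (g^b)^a'  == k_server
    return k_client, k_server, k_att_client, k_att_server

if __name__ == "__main__":
    print(honest_exchange(6, 15))          # (2, 2): both sides agree
    print(mitm_exchange(6, 15, 7, 9))      # (9, 15, 9, 15): two keys, both known to the attacker
```

Because the attacker's keys coincide with the parties' keys, it can decrypt and re-encrypt every later message; this is the gap that the authenticated variants on the following slides, and ultimately EKE, are designed to close.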
Diffie-Hellman Key Agreement
• Diffie-Hellman key agreement is vulnerable to the man-in-the-middle attack; it does not achieve authentication.
• How about Diffie-Hellman key agreement using public keys?
[Figure: the Client holds long-term public key Ya = g^Xa mod p and sends IDa, Ya, Certa; the Server holds Yb = g^Xb mod p and sends IDb, Yb, Certb; the Client computes K = Yb^Xa = (g^Xb)^Xa mod p and the Server computes K = Ya^Xb = (g^Xa)^Xb mod p]
Problems: (1) it does not provide forward secrecy, (2) the private key is hard to remember (it is not a password).
Forward Secrecy
Prevents one compromise from causing further damage:
• compromising the current password should not compromise future passwords;
• compromising an old password should not compromise the current password;
• compromising the current password should not compromise current or past session keys;
• compromising the current session key should not compromise the current password.
Research Goal
• To design a user authentication and key agreement protocol via password.
• The protocol must satisfy the following requirements:
1. based on password only,
2. password may be weak,
3. be secure against the dictionary attack,
4. can provide perfect forward secrecy.
Encrypted Key Exchange (EKE) [Bellovin and Merritt, 1992]
• Two parties share a common password P.
• EKE can withstand dictionary attacks.
Client (knows P) generates a public/private key pair E_A, D_A; Server (knows P) generates a random key R.
1. Client -> Server: P(E_A)
   Server recovers E_A = P^-1(P(E_A))
2. Server -> Client: P(E_A(R))
   Client recovers R = D_A(P^-1(P(E_A(R))))
3. Client -> Server: R(Cha)
4. Server -> Client: R(Cha || Chb)
5. Client -> Server: R(Chb)
DHEKE [Bellovin and Merritt, 1992]
1. A -> B: A, P(g^Ra mod p)
   B computes K = (g^Ra)^Rb mod p
2. B -> A: P(g^Rb mod p), K(Chb)
   A computes K = (g^Rb)^Ra mod p
3. A -> B: K(Cha || Chb)
4. B -> A: K(Cha)
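The four DHEKE flows above, as an added Python example that is not the original authors' code, contrasted with the challenge protocol of the earlier slide (Cha, h(Cha, Password)). Everything concrete here is an assumption of the example: p = 2^31 - 1 with g = 7 (a primitive root of that prime, so every value in [1, p-1] is some g^R mod p), the password encryption P(x) realised as multiplication by a password-derived unit mod p, and K(x) realised as a one-time XOR pad derived from K and the flow label. What the example shows is the property the slides rely on: decrypting a DHEKE transcript under a wrong password guess still yields a perfectly valid group element, so the transcript gives an eavesdropper nothing to test guesses against, whereas the challenge-response transcript confirms exactly one candidate.

```python
import hashlib
import secrets

# Toy DHEKE. p is prime and g = 7 is a primitive root of it (Park-Miller generator),
# so the set of possible g^R mod p is all of [1, p-1]. Assumptions of this example.
P = 2**31 - 1
G = 7

def H(*parts) -> bytes:
    """SHA-256 over a separator-joined encoding of the parts (ints, strs or bytes)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part if isinstance(part, bytes) else str(part).encode())
        h.update(b"|")
    return h.digest()

def pw_key(password: str) -> int:
    """Password-derived unit in [1, p-1]."""
    return int.from_bytes(H("pw", password), "big") % (P - 1) + 1

def pw_encrypt(x: int, password: str) -> int:
    """P(x): mask a group element by multiplying with the password unit mod p."""
    return (x * pw_key(password)) % P

def pw_decrypt(c: int, password: str) -> int:
    """P^-1(c): for any password the result is again an element of Z_p^*."""
    return (c * pow(pw_key(password), -1, P)) % P

def enc(key: bytes, label: str, data: bytes) -> bytes:
    """K(data): XOR with a pad derived from (K, flow label); self-inverse, one use per label."""
    pad = H(key, label)
    assert len(data) <= len(pad)
    return bytes(a ^ b for a, b in zip(data, pad))

def dheke(password_a: str, password_b: str):
    """Run the four flows with A holding password_a and B holding password_b.
    Returns (flow-1 ciphertext, A's key, B's key, success)."""
    ra, rb = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    # flow 1, A -> B: A, P(g^Ra mod p)
    m1 = pw_encrypt(pow(G, ra, P), password_a)
    # B: K = (g^Ra)^Rb mod p; flow 2, B -> A: P(g^Rb mod p), K(Chb)
    kb = H("key", pow(pw_decrypt(m1, password_b), rb, P))
    chb = secrets.token_bytes(8)
    m2 = (pw_encrypt(pow(G, rb, P), password_b), enc(kb, "flow2", chb))
    # A: K = (g^Rb)^Ra mod p, recover Chb; flow 3, A -> B: K(Cha || Chb)
    ka = H("key", pow(pw_decrypt(m2[0], password_a), ra, P))
    cha = secrets.token_bytes(8)
    m3 = enc(ka, "flow3", cha + enc(ka, "flow2", m2[1]))
    # B: check Chb; flow 4, B -> A: K(Cha)
    plain3 = enc(kb, "flow3", m3)
    if plain3[8:] != chb:
        return m1, ka, kb, False           # B aborts: the passwords did not match
    m4 = enc(kb, "flow4", plain3[:8])
    # A: check Cha
    return m1, ka, kb, enc(ka, "flow4", m4) == cha

# The challenge protocol of the earlier slide, for contrast.
def challenge_transcript(password: str):
    """What an eavesdropper records: (Cha, h(Cha, Password))."""
    cha = secrets.token_hex(8)
    return cha, H(cha, password)

def guess_consistent(transcript, candidate: str) -> bool:
    """Off-line test of one candidate against the recorded transcript: exactly one survives."""
    cha, response = transcript
    return H(cha, candidate) == response

def dheke_guess_plausible(m1: int, candidate: str) -> bool:
    """Same test against DHEKE flow 1: every candidate decrypts to a valid g^R, so none is ruled out."""
    return 1 <= pw_decrypt(m1, candidate) < P

if __name__ == "__main__":
    print(dheke("correct horse battery", "correct horse battery")[3])   # True
    print(dheke("correct horse battery", "wrong guess")[3])             # False
```

The design choice that matters is the range of P(): because multiplication by a unit permutes Z_p^* and g generates all of it, the ciphertext space equals the plaintext space and a wrong guess produces an element indistinguishable from a right one. An implementation whose password encryption leaves detectable structure (padding, values outside the group) would reintroduce the off-line test that the challenge protocol suffers from.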
Three-Party Key Exchange Protocol
• Each client shares an easy-to-remember password with the server.
• The protocol is responsible for establishing secure communication between two clients with the help of the server.
• Application: e.g., ICQ, or mobile users
STW-3PEKE [Steiner, Tsudik, and Waidner, 1995]
Clients A and B, server S; P_A and P_B are the passwords A and B share with S.
1. A -> B: {R_A ⊕ B}_{P_A}, where R_A = g^{N_A}
2. B -> S: A, {R_A ⊕ B}_{P_A}, {R_B ⊕ A}_{P_B}, where R_B = g^{N_B}
3. S -> B: R_A^{N_S}, R_B^{N_S}
   B computes K = (R_A^{N_S})^{N_B} mod p
4. B -> A: R_B^{N_S}, [flow1]_K
   A computes K = (R_B^{N_S})^{N_A} mod p
5. A -> B: [[flow1]_K]_K
Undetectable On-line guessing attack (I) [Ding and Horster, 1995]
B, acting as the attacker, guesses A's password (a tilde marks guessed or attacker-derived values).
1. A -> B: {R_A ⊕ B}_{P_A}, where R_A = g^{N_A}
   B records {R_A ⊕ B}_{P_A}, guesses P̃_A and obtains R̃_A by decrypting with the guess
2. B -> S: A, {R_A ⊕ B}_{P_A}, {R̃_A ⊕ A}_{P_B}   (B uses R_B = R̃_A)
3. S -> B: R_A^{N_S}, R̃_A^{N_S}
   B checks R_A^{N_S} ?= R̃_A^{N_S}; equality means the guess P̃_A was correct, and S sees only a normal run
Undetectable On-line guessing attack (II) [Ding and Horster, 1995]
B guesses P̃_A and forges A's first message itself.
1. B chooses Ñ_A, computes R̃_A = g^{Ñ_A} mod p and R_B = g^{N_B} mod p
2. B -> S: A, {R̃_A ⊕ B}_{P̃_A}, {R_B ⊕ A}_{P_B}
3. S -> B: R̃_A^{N_S}, R_B^{N_S}   (S raises to N_S whatever the real P_A decrypts the first ciphertext to)
   B checks (R̃_A^{N_S})^{N_B} ?= (R_B^{N_S})^{Ñ_A}; equality means the guess P̃_A was correct
Off-line Guessing Attack on STW-3PEKE [Lin, Sun, and Hwang, 2000]
The attacker impersonates both A (as A*) and S (as S*) towards B.
1. A* -> B: X   (an arbitrary value in place of {R_A ⊕ B}_{P_A})
2. B -> S*: A, X, {R_B ⊕ A}_{P_B}, where R_B = g^{N_B}
3. S* -> B: R̃_A^{Ñ_S}, Y, where R̃_A = g^{Ñ_A} and Ñ_A, Ñ_S, Y are chosen by the attacker
   B computes K = (R̃_A^{Ñ_S})^{N_B} mod p
4. B -> A*: Y, [flow1]_K
Off-line, for each guess P̃_B: obtain R̃_B from {R_B ⊕ A}_{P_B}, compute K̃ = (R̃_B)^{Ñ_S Ñ_A}, decrypt [flow1]_K with K̃ and check whether the result equals X.
LSH-3PEKE (with server's public key) [Lin, Sun, and Hwang, 2000]
K_S is the server's public key; r_a and r_b are nonces chosen by A and B.
1. A -> B: A, {r_a, R_A, P_A}_{K_S}, where R_A = g^{N_A}
2. B -> S: A, {r_a, R_A, P_A}_{K_S}, {r_b, R_B, P_B}_{K_S}, where R_B = g^{N_B}
3. S -> B: [B, R_B]_{r_a}, [A, R_A]_{r_b}
   B computes K = R_A^{N_B}
4. B -> A: [B, R_B]_{r_a}, [h(flow1), C_B]_K
   A computes K = R_B^{N_A}
5. A -> B: C_B
LSSH-3PEKE (without server's public key) [Lin, Sun, Steiner, and Hwang, 2001]
1. A -> S: A, B
2. S -> A: [g^{N_S1}]_{P_A}, [g^{N_S2}]_{P_B}
   A computes K_{A,S} = (g^{N_S1})^{N_A}
3. A -> B: A, R_A = g^{N_A}, f_{K_{A,S}}(A, B, g^{N_S1}), [g^{N_S2}]_{P_B}
   B computes K_{B,S} = (g^{N_S2})^{N_B}
4. B -> S: R_A, f_{K_{A,S}}(A, B, g^{N_S1}), R_B = g^{N_B}, f_{K_{B,S}}(A, B, g^{N_S2})
5. S -> B: f_{K_{B,S}}(A, B, R_A, R_B), f_{K_{A,S}}(A, B, R_B, R_A)
   B computes K = H1(R_A^{N_B}) and K' = H2(R_A^{N_B})
6. B -> A: R_B, f_{K_{A,S}}(A, B, R_B, R_A), f_{K'}(A, B, R_A)
   A computes K = H1(R_B^{N_A}) and K' = H2(R_B^{N_A})
7. A -> B: f_{K'}(A, B, R_B)
Performance Comparison
Conclusions
• Password authentication and key agreement protocols are widely used. EX: Electronic Commerce, Electronic Stock Trading
• Two-party protocols are suitable for the client/server environment. EX: Telnet, FTP
• Three-party protocols are suitable for the single-server, multiple-client environment. Any two clients can authenticate each other and reach secure communication.
Verifier-based Protocol
• A server does not store plain passwords directly.
• Instead of storing a plain password, a server stores a verifiable text (called a verifier).
• It provides a higher security level: an attacker must still perform a dictionary attack even when the server is compromised.
• Furthermore, a verifier-based protocol can withstand the stolen-verifier attack.
References
1. S. Bellovin and M. Merritt, 1992, "Encrypted Key Exchange: Password-based Protocols Secure against Dictionary Attacks," Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland.
2. M. Steiner, G. Tsudik, and M. Waidner, 1995, "Refinement and Extension of Encrypted Key Exchange," ACM Operating Systems Review, Vol. 29, Issue 3, pp. 22-30.
3. Y. Ding and P. Horster, 1995, "Undetectable On-line Password Guessing Attacks," Technical Report TR-95-13-F, July.
4. C. L. Lin, H. M. Sun, and T. Hwang, 2000, "Three-Party Encrypted Key Exchange: Attacks and a Solution," ACM Operating Systems Review, Vol. 34, No. 4, pp. 12-20.
5. C. L. Lin, H. M. Sun, M. Steiner, and T. Hwang, 2001, "Three-party Encrypted Key Exchange Without Server Public-Keys," IEEE Communications Letters, Vol. 5, No. 12, pp. 497-499.
6. C. L. Lin, H. M. Sun, and T. Hwang, 2001, "Efficient and Practical DHEKE Protocols," ACM Operating Systems Review, Vol. 35, No. 1, pp. 41-47.