Password Mistyping in Two-Factor
Authenticated Key Exchange
Vladimir Kolesnikov
Charles Rackoff
Bell Labs
U. Toronto
ICALP 2008
Program
Key Exchange Intro
Base Framework of [KR06]
Our definitions
“Proof” of goodness of definitions
Protocol
2 | Mistyping in KE | July 2008
All Rights Reserved © Alcatel-Lucent 2007,2008
Communication Setting
…
Full Control
3 | Mistyping in KE | July 2008
Insecure
network
All Rights Reserved © Alcatel-Lucent 2007,2008
Secure Communication from Shared Random Key
Trusted Party
k 2R DK
k2 2R DK
Trusted Party
4 | Mistyping in KE | July 2008
All Rights Reserved © Alcatel-Lucent 2007,2008
• Simple
• Very efficient
Key Exchange (KE)
A protocol between two parties
Both output (the same) randomly chosen k 2 DK
Security
Adv does not know anything about k even if it sees all other exchanged keys
Adv cannot mismatch players
 If Alice instance ``thinks’’ she exchanged a key with Bob, then at most one instance
of “Bob talking to Alice” may have the same key
 Players must have secret credentials
5 | Mistyping in KE | July 2008
All Rights Reserved © Alcatel-Lucent 2007,2008
Defining KE
Large amount of prior work
An intuitive notion, but hard to define
We want our definition to:
 Be intuitive and easy to use
 Reject “bad” protocols (allow powerful adversaries)
 Accept “good” protocols (avoid unnecessary restrictions)
•Our adversary is the protocol designer
•He creates bad protocols which pass our criteria
6 | Mistyping in KE | July 2008
All Rights Reserved © Alcatel-Lucent 2007,2008
Related work
UC-composable PAKE (Canetti Halevi Katz Lindell MacKenzie 05)
 Consider pure password setting
 Mistyping is handled by letting the environment type the password
7 | Mistyping in KE | July 2008
All Rights Reserved © Alcatel-Lucent 2007,2008
The combined keys setting
• Asymmetric – Server (e.g. Bank) and Clients
• Large secure storage
of credentials
• Key on storage card
• can be lost or stolen
• Memorized password
• low entropy
• guessing attack possible
Password can be mistyped
8 | Mistyping in KE | July 2008
All Rights Reserved © Alcatel-Lucent 2007,2008
Defining KE with mistyping
Base on our previous game-based definition [KR06]
Consider several natural extensions (don’t work)
Modifications that work
“Proof of security” of the definition
9 | Mistyping in KE | July 2008
All Rights Reserved © Alcatel-Lucent 2007,2008
KE Definition
Plays the game:
• challenge a completed
honest player
Challenge:
• Present either a key
or a random string
Adversary guesses which
• Should not do too well
Definition is mainly about precise description of Adv’s powers in the game
(creation of players, instances, opening them, etc.)
10 | Mistyping in KE | July 2008
All Rights Reserved © Alcatel-Lucent 2007,2008
Defining KE with mistyping
In [KR06], define several games which model parts of the setting (e.g. card
compromised or not).
When card is not compromised, not too hard to handle mistyping. Adv can be
very powerful – the protocols still withstand because of strong keys. E.g. Adv
can even know pwd.
Interesting part is when card is compromised. This is approx. the HK setting:
 C has public key of S and a shared password.
11 | Mistyping in KE | July 2008
All Rights Reserved © Alcatel-Lucent 2007,2008
Defining KE with mistyping
In [KR06], definition mimics the real world.
C and S instantiated with proper credentials
Adv learns of each P? output by S.
This is essentially a password try, so Adv is charged for each P?.
Adv is allowed q P?’s. He cannot win more often than
•Does not handle mistyping:  can leak long key if P? occurred.
•(C never mistypes. To cause P?, Adv needs long key, so OK to leak it)
12 | Mistyping in KE | July 2008
All Rights Reserved © Alcatel-Lucent 2007,2008
Mimicking mistyping in the games
Idea
Ok, allow to mistype:
-Allow Adv to specify pwd inputs to the C instances in the game
-Allow Adv to specify a mistyping function
13 | Mistyping in KE | July 2008
All Rights Reserved © Alcatel-Lucent 2007,2008
Mimicking mistyping in the games
More interestingly:
But what if “repeated password attempts” by game Adv?
He is being stupid -- these are wasted attempts. He “gets behind in the game”.
So protocol can “do something funny” on repeated attempts, to allow game
Adv to catch up, and still be secure. E.g. leak if pwd = 000..0.
This protocol is clearly insecure.
14 | Mistyping in KE | July 2008
All Rights Reserved © Alcatel-Lucent 2007,2008
Player’s knowledge of global state
Definition simplification: Instances don’t have “side channels” among
themselves. They don’t “know”, e.g. how many password failures previously
occurred.
Due to pkS, instances of S can have private communication with each other via Adv:
 S1 encrypts and signs the message
 Adv delivers the message to S2
m1 = “I’ve seen a password failure P?”
m2 = “There have been at least 2 P?”
m3 = “The sequence of events e1,… en has occurred”
Bad  can exhibit badness only if a global sequence of events occurred.
15 | Mistyping in KE | July 2008
All Rights Reserved © Alcatel-Lucent 2007,2008
Mimicking mistyping in the games
•Mimicking does not seem to work!
16 | Mistyping in KE | July 2008
All Rights Reserved © Alcatel-Lucent 2007,2008
Do not mimic mistyping directly
Idea: allow Adv to run free mistyped executions.
Don’t need to substitute input in honest instances.
Only amendment: In case of P?:
 Do not notify Adv
 Do not charge Adv
 Allow Adv to check for P?, but risk the charge, as before
This is a good definition
17 | Mistyping in KE | July 2008
All Rights Reserved © Alcatel-Lucent 2007,2008
How to “prove” this definition
First definition in the setting – cannot show equivalence
Could give a definition in the simulation or UC model and then show
relationship (future work)
Instead, reduce to definition of [KR06]:
We prove: if  is secure, KE Adv cannot distinguish between two executions:
1. Adv mistypes C’s inputs adaptively at will
2. C’s are instantiated with their passwords
I.e. what is leaked due to mistyping is also leaked without mistyping.
If [KR06] is good, then our def. is also good:
Suppose  is “bad”, and leaks smth. due to mistyping. Then same is leaked
without mistyping. Then  is bad by [KR06]. Then  is bad by our def.
18 | Mistyping in KE | July 2008
All Rights Reserved © Alcatel-Lucent 2007,2008
How to “prove” this definition (cont.)
Prove Adv cannot distinguish between two executions:
1. Adv mistypes C’s inputs at will
2. C’s are instantiated with their passwords
Proof idea: if Adv could distinguish executions where pwd and pwd’ are used,
then pwd  pwd’. Adv uses this to win KE game.
A distinguishing mistyping sequence is handled by a hybrid argument.
19 | Mistyping in KE | July 2008
All Rights Reserved © Alcatel-Lucent 2007,2008
Our Protocol
20 | Mistyping in KE | July 2008
All Rights Reserved © Alcatel-Lucent 2007,2008
Application to biometrics
• Key on storage card
• can be lost or stolen
•P = Gen()
,P
21 | Mistyping in KE | July 2008
All Rights Reserved © Alcatel-Lucent 2007,2008
R